learn-pr/wwl-sci/security-copilot-exercises/includes/8-explore-embedded-defender-xdr.md
Lines changed: 2 additions & 4 deletions
@@ -3,7 +3,6 @@ In this exercise, you investigate an incident in Microsoft Defender XDR. As part
3
3
> [!NOTE]
4
4
> The environment for this exercise is a simulation generated from the product. As a limited simulation, links on a page may not be enabled and text-based inputs that fall outside of the specified script may not be supported. A pop-up message displays stating, "This feature is not available within the simulation." When this occurs, select OK and continue the exercise steps.
5
5
>
6
-
>
7
6
>:::image type="content" source="../media/simulation-pop-up-error.png" alt-text="Screenshot of pop-up screen indicating that this feature isn't available within the simulation.":::
8
7
9
8
@@ -14,7 +13,7 @@ For this exercise, you're logged in as Avery Howard and have the Copilot owner r
14
13
This exercise should take approximately **30** minutes to complete.
15
14
16
15
> [!NOTE]
17
-
> When a lab instruction calls for opening a link to the simulated environment, it's recommended that you open the link in a new browser window so that you can simultaneously view the instructions and the exercise environment. To do so, select the right mouse key and select the option.
16
+
> When a lab instruction calls for opening a link to the simulated environment, we recommended that you open the link in a new browser window so that you can simultaneously view the instructions and the exercise environment. To do so, select the right mouse key and select the option.
18
17
19
18
#### Task: Explore Incident summary and guided responses
20
19
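Review bot: The added line reads "we recommended that you open the link", which is past tense; it should be "we recommend that you open the link". The closing sentence, "select the right mouse key and select the option", carries over unchanged and still does not name the option to select; consider naming the menu item that opens the link in a new window.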
@@ -44,7 +43,7 @@ This exercise should take approximately **30** minutes to complete.
44
43
45
44
1. There's much information on the page, so to get a better view of this alert, select **Open alert page**. It's on the third panel on the alert page, next to the incident graph and below the alert title.
46
45
47
-
1. On the top of the page, is card for the device **parkcity-win10v**. Select the ellipses and note the options. Select **Summarize**. Copilot generates a **Device summary**. It's worth nothing that there are many ways you can access device summary and this way is just one convenient method. The summary shows the device is a VM, identifies the owner of the device, it shows its compliance status against Intune policies, and more.
46
+
1. On the top of the page, is card for the device parkcity-win10v. Select the ellipses and note the options. Select **Summarize**. Copilot generates a **Device summary**. It's worth nothing that there are many ways you can access device summary and this way is just one convenient method. The summary shows the device is a VM, identifies the owner of the device, it shows its compliance status against Intune policies, and more.
48
47
49
48
1. Next to the device card is a card for the owner of the device. Select **parkcity\jonaw**. The third panel on the page updates from showing details of the alert to providing information about the user. In this case, *Jonathan Wolcott*, an account executive, whose Insider risk severity is classified as *High*. These details aren't surprising given what you learned from the Copilot incident and alert summaries. Select **Summarize** to obtain an identity summary generated by Copilot.
50
49
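Review bot: The added step drops the bold on the device name parkcity-win10v, but the following step still bolds **parkcity\jonaw**, so the two cards are now formatted differently; pick one convention for entity names and apply it to both steps. While this line is being touched, "is card for the device" is missing "a" and "It's worth nothing" should be "It's worth noting"; both carry over unchanged from the removed line.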
@@ -88,7 +87,6 @@ This task is complex and requires the involvement of more senior analysts. In th
88
87
1. Select the ellipses next to Copilot's Incident summary and select **Open in Security Copilot**.
89
88
90
89
1. Copilot opens in the standalone experience and shows the incident summary. You can also run more prompts. In this case, you run the promptbook for an incident. Select the **prompt icon**.
91
-
<!--- 1. Select **See all promptbooks**. Not functional in the simulation -->
92
90
1. Select the **Microsoft 365 Defender incident investigation** promptbook.
93
91
1. The promptbook page opens and asks for the Defender Incident ID. Enter **185856**, then select the **Submit** button.
94
92
1. Review the information provided. When you pivot to the standalone experience and run the promptbook, the investigation is able to invoke capabilities from a broader set security solution, beyond just Defender XDR, based on the plugins enabled.
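Review bot: Removing the commented-out "See all promptbooks" step also removes the only record that the step was dropped because it is not functional in the simulation; if that reason still matters to maintainers, state it in the commit message. In the last context line of this hunk, "a broader set security solution" looks like it is missing "of" and a plural, which could be fixed in the same pass.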