Topics covered will include network and platform capabilities of Azure, Azure security management, and Sentinel. You’ll learn about threat protection with Microsoft Defender XDR and Microsoft 365 security management.
Microsoft Security Copilot
A cloud-based, AI-powered security analysis tool that enables analysts to process security signals and respond to threats at a machine speed that far surpasses human capabilities, thus revolutionizing the way organizations approach cybersecurity.
Session
A particular conversation within Copilot. Copilot maintains context within a session.
Prompt
A specific statement or question within a session. A user enters a prompt in the prompt bar.
Capability
A function Copilot uses to solve part of a problem. A capability may sometimes be referred to as a skill.
Plugin
A collection of capabilities by a particular resource.
Workspace
Copilot workspaces are separate Copilot work environments within the tenant in which your Copilot instance is operating.
Agents
Microsoft Security Copilot agents are AI-powered tools that autonomously manage security and IT tasks, enhancing threat response, reducing manual workloads, and improving efficiency across cybersecurity operations at scale.
Orchestrator
Copilot’s system for composing capabilities together to answer a user’s prompt.
What is the prompt bar used for?
To enter natural language input that tells Copilot what insights to generate from security data.
What are promptbooks?
Collections of preselected prompts and suggestions to guide effective use of Copilot.
Why are workspaces useful?
They allow cost mapping, compliance with geo-specific regulations, and efficient resource allocation.
What is the difference between capabilities and plugins?
Capabilities are individual functions; plugins are bundles of capabilities tied to a resource.
Why are workspaces important?
They allow separation of environments for compliance, geo-specific regulations, and efficient resource allocation. (room in a house)
How do agents differ from Copilot itself?
Agents are specialized assistants that act autonomously, while Copilot orchestrates and guides interactions.
Describe how Microsoft Security Copilot processes prompt requests
Seven steps: the user submits a prompt, the orchestrator builds a plan, Copilot builds context, plugins are consulted, responding (the LLM composes the answer), the response is formatted and reviewed, and the user receives the response.

What is the first step in Copilot’s prompt process?
The user submits a prompt in the prompt bar.
What is the role of the orchestrator?
It composes capabilities together, determines context, and builds a plan to answer the prompt.
What happens during the build context stage?
Copilot executes the plan to gather the required data context for the prompt.
How do plugins contribute to the process?
Copilot reasons over plugins and data sources to provide intelligent insights.
What is the responding step?
Copilot combines data and context, then uses its LLM to compose a human-readable response.
What happens before the response is sent to the user?
Copilot formats and reviews the response as part of Microsoft’s responsible AI commitment.
What is the final step in the process?
The user receives the response from Copilot.
What is the process log?
A visible log showing which capability was used and confirming safety checks were applied.
What are the four key elements of an effective prompt?
Goal, Context, Expectations, Source.

What does Goal mean in a prompt?
The specific security-related information you need.
What does Context mean in a prompt?
Why you need the information or how you’ll use it (e.g., timeframe, report).
What does Expectations mean in a prompt?
The format or audience you want the response tailored to (e.g., table, summary, diagram).
What does Source mean in a prompt?
Known information, data sources, or plugins Copilot should use.
Why is specificity important in prompts?
Clear, concise, and detailed prompts lead to more useful responses.
What is an example of improving a basic prompt?
Basic: “Summarize incident 15134.” Better: “Summarize incident 15134 in Microsoft Defender XDR into a paragraph for my manager and list entities involved.”
Why should prompts use positive instructions?
Copilot is geared toward action, so telling it what to do is more effective than saying what not to do.
How should you address Copilot in prompts?
Directly as “You” (e.g., “You should…” or “You must…”).
What is the first step to enable Security Copilot?
Identify your customer category (E5/E7 vs non-E5/E7).
How is Security Copilot provisioned for Microsoft 365 E5/E7 customers?
Automatically via zero‑click activation with a 7‑day advance notification.
What must non‑E5/E7 customers do to use Copilot?
Manually provision Security Compute Units (SCUs).
What is an SCU?
A unit of computing power used to run Copilot in standalone or embedded experiences.
Describe how to enable Microsoft Security Copilot
Identify your customer category
Provision Copilot capacity (if required)
Set up the default environment
Assign role permissions
What are the two capacity models for SCUs?
Provisioned capacity (billed hourly) and overage capacity (billed on usage).
What roles are required to provision capacity?
Azure owner/contributor at resource group level and Security Administrator (or higher).
What are the two ways to provision SCUs?
Through Security Copilot wizard or via Azure portal.
What is the recommended SCU setup for exploration?
Three SCUs with unlimited overage.
What does the usage monitoring dashboard provide?
Visibility into SCU usage, plugins employed, session initiators, with up to 90 days of data.
What settings are configured in the default environment setup?
SCU capacity, data storage location, prompt evaluation geo, Purview audit logging, data sharing options, plugin settings.
Which data centers host Security Copilot?
EU, UK, US, Australia/New Zealand, Japan, Canada, South America.
What are the two Security Copilot roles?
Copilot owner and Copilot contributor.
Which Microsoft Entra roles inherit Copilot owner access?
Billing Administrator, Compliance Administrator, Global Administrator, Intune Administrator, Security Administrator.
Which Microsoft Purview roles inherit Copilot owner access?
Compliance Administrator, Data Governance Administrator, Organization Management.
What is the “Recommended Microsoft Security roles group”?
A bundle of Entra roles that can be added to the Contributor role for quick access.
How do plugins enforce access?
They require service‑specific roles (e.g., Sentinel Reader, Intune Endpoint Security Manager).
Which component of Microsoft Security Copilot is responsible for composing capabilities together to answer a user's prompt effectively?
Orchestrator
How does Microsoft Security Copilot enhance threat detection through integration with existing tools?
By using plugins to connect with Microsoft's security products and open-source intelligence feeds.
Microsoft Security Copilot has generated an incident report for a recent security breach. How can you verify that the insights in the report are generated from trusted sources?
Check the process log for the capabilities used
Which plugin in Microsoft Security Copilot should be used to define and manage security policies within an organization?
A security analyst finds that Microsoft Security Copilot's response is not detailed enough. Which approach should the analyst take to improve the prompt's effectiveness?
Include specific expectations and context in the prompt.
What is the role of the orchestrator in Microsoft Security Copilot's prompt processing?
To compose capabilities together to respond to a user's prompt.
How should a security analyst craft a prompt for analyzing suspicious scripts using Microsoft Security Copilot?
Include the script details and request a summary with potential threat indicators.
What is a crucial step when creating a prompt for Microsoft Security Copilot to generate a report for a non-technical audience?
Specify the format and language tone appropriate for the audience.
What does a 'plugin' represent in Microsoft Security Copilot?
A collection of capabilities by a particular resource to integrate with data sources.
What is the goal of a Distributed Denial of Service (DDoS) attack?
To overwhelm application or server resources, making them unresponsive or slow for genuine users.
What are the three most frequent types of DDoS attacks?
Volumetric attacks, Protocol attacks, Resource (application) layer attacks.
What does Azure DDoS Protection do?
Analyzes network traffic, discards attack traffic, and forwards legitimate traffic to its destination.

At which OSI layers does Azure DDoS Protection operate?
Layers 3 (network) and 4 (transport).
Volumetric attacks
flood the network layer with seemingly legitimate traffic, overwhelming the available bandwidth. Legitimate traffic can't get through.
Protocol attacks
Protocol attacks render a target inaccessible by exhausting server resources with false protocol requests that exploit weaknesses in layer 3 (network) and layer 4 (transport) protocols.
Resource (application) layer attacks
These attacks target web application packets, to disrupt the transmission of data between hosts.
What are the key benefits of Azure DDoS Protection?
Always-on traffic monitoring, adaptive real-time tuning, analytics/metrics/alerting.
What are the two tiers of Azure DDoS Protection?
DDoS Network Protection and DDoS IP Protection.
Why add Azure DDoS Protection if Azure already has default infrastructure protection?
Default protection has higher thresholds and no telemetry; Azure DDoS Protection provides dedicated monitoring and application-specific thresholds.
DDoS IP Protection:
is a pay-per-protected IP model. It contains the same core engineering features as DDoS Network Protection, but doesn't include the value-added services—such as DDoS rapid response support, cost protection, and discounts on WAF—that are part of DDoS Network Protection.
DDoS Network Protection:
provides enhanced DDoS mitigation features to defend against DDoS attacks. It's automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes.
How can you achieve multi-layered protection against DDoS attacks?
Combine Azure DDoS Protection (layers 3 & 4) with a Web Application Firewall (layer 7).
What telemetry does Azure DDoS Protection provide?
Attack analytics, metrics, and alerting before, during, and after attacks.
What is DDoS rapid response (DRR)?
Expert support available during active attacks for investigation and post-attack analysis.
What are best practices for DDoS protection?
Combine DDoS Protection with WAF, design for resilience, enable telemetry/alerting, and plan for incidents.
Firewall
A security system that establishes a barrier between trusted and untrusted networks, controlling traffic based on rules.
Azure Firewall
A cloud-native, stateful firewall service that provides network security for Azure Virtual Network resources.
Stateful Firewall
A firewall that tracks active connections and makes decisions based on the state of traffic flows.
SNAT (Source Network Address Translation)
Translates private IP addresses to public IP addresses for outbound traffic.
DNAT (Destination Network Address Translation)
Translates public IP addresses to private IP addresses for inbound traffic.
Why deploy Azure Firewall in a hub virtual network?
To provide centralized control of traffic across VNets and subscriptions.
Azure Firewall is offered in three tiers
Basic, Standard, and Premium
Azure Firewall Basic
Designed for small and medium-sized businesses (SMBs). It provides essential threat protection at an affordable price. Azure Firewall Basic supports Threat Intelligence in alert mode only and uses a fixed-scale unit with two virtual machine backend instances. It's recommended for environments with an estimated throughput of 250 Mbps.
Azure Firewall Standard:
Provides layer 3 through layer 7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. It alerts you to and blocks traffic to or from known malicious IP addresses and domains, updating in real time to protect against new and emerging threats. This is the most commonly used tier for production enterprise environments.
Azure Firewall Premium
Provides advanced capabilities, including signature-based intrusion detection and prevention system (IDPS) for rapid attack detection. IDPS identifies specific patterns—such as byte sequences in network traffic or known malicious instruction sequences used by malware. With over 67,000 signatures in more than 50 categories, updated in real time, Azure Firewall Premium protects against new and emerging exploits such as malware, phishing, coin mining, and Trojan attacks. Premium is designed for highly sensitive and regulated environments.
How does Azure Firewall use threat intelligence?
It alerts and blocks traffic from known malicious IPs and domains using Microsoft’s Threat Intelligence feed.
What is Azure Firewall Manager?
A centralized management service for administering multiple Azure Firewalls across subscriptions.
How does Azure Firewall support monitoring?
It integrates with Azure Monitor, Log Analytics, and Event Hubs for traffic analytics and auditing.
What is the purpose of a Web Application Firewall (WAF)?
To provide centralized protection for web applications against common exploits and vulnerabilities
Why is centralized WAF protection beneficial?
It simplifies security management, improves response time to threats, and allows patching vulnerabilities in one place instead of each app individually.
Which type of DDoS attacks does Azure WAF protect against?
Application-layer DDoS attacks, such as HTTP floods (Layer 7).
What types of attacks are covered by the Open Web Application Security Project (OWASP) core rule set in WAF?
SQL injection, Cross-site scripting (XSS), HTTP floods, and Remote file inclusion
What is SQL injection?
An attack where malicious SQL code is inserted into input fields to manipulate or extract data from a backend database.
What is Cross-site scripting (XSS)?
An attack where malicious scripts are injected into web pages, stealing session tokens or sensitive data from users’ browsers.
What is Remote File Inclusion?
An attack tricking a web app into including a malicious remote file, which executes on the server and grants unauthorized access.
What are the deployment options for Azure WAF?
Azure Application Gateway, Application Gateway for Containers, Azure Front Door, and Azure Content Delivery Network (CDN)
What is Azure Application Gateway WAF best suited for?
Regional protection with deep HTTP packet inspection and complex routing decisions.
What does Azure Front Door WAF provide?
Global protection, blocking attacks closer to the source for distributed applications.
How does Azure WAF integrate with Microsoft Security Copilot?
It enables deep investigation of WAF events using natural language prompts, helping analyze logs and attack vectors quickly.
What is network segmentation?
Dividing a network into smaller segments to group related assets, isolate resources, and enforce governance policies.
Why is network segmentation important for security?
It supports Zero Trust and defense in depth by containing attackers, preventing lateral movement, and securing communication paths.