Share via

Use Microsoft Security Copilot with Data Security Posture Management

Use Microsoft Security Copilot and Data Security Posture Management (DSPM) to quickly explore the details and get answers about unprotected sensitive data assets and potentially risky user activities in your organization. Data security insights come from scanned data across Data Loss Prevention (DLP), Information Protection, and Insider Risk Management solutions in Microsoft Purview.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Microsoft Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

Get started with Copilot

After you configure DSPM, onboard your organization to Security Copilot, and complete the automated scanning, use Security Copilot featured promptbooks and the new prompt gallery to help you get started. Promptbooks are a built-in sequence of prompts that help you quickly learn more about your data security posture. Choose from the following Security Copilot promptbooks or built-in prompts in the Copilot Prompt Gallery:

Risky user investigation promptbook

This promptbook is a six-prompt sequence that helps you investigate users handling sensitive data and shows their data activities, anomalies, and related alerts. By providing the User Principal Name (UPN) for a user and a duration (in days), this promptbook automatically runs the following prompts in order:

  1. Show all sensitive data activities performed by <upn> in the last <duration> days
  2. Was <upn> involved in any potential sensitive data exfiltration (for example, email forwarding, external file sharing, USB transfers, cloud uploads) in the last <duration> days?
  3. Summarize <upn>'s sensitive data interactions over the last <duration> days, highlighting the most accessed classifiers, labels, SharePoint sites, common upload domains, and primary email recipient domains and users.
  4. Did <upn> exhibit unusual behavior or take uncommon actions like excessive access or downloads in the last <duration> days?
  5. Are there any alerts associated with <upn> in the last <duration> days, and what is the user's current risk level?
  6. What actions can be taken to prevent <upn> from leaking sensitive data? Include policies, data loss prevention controls, and access restriction strategies.

Sensitive data protection promptbook

This promptbook is a sequence of six prompts that helps you identify and protect sensitive data across your organization. It suggests recommended policy changes and data loss prevention rules. By using the full name of the trainable classifier, sensitivity label, or sensitive information type (SIT) and a duration in days, this promptbook automatically runs the following prompts in order:

  1. Where is data labeled as <label_or_classifier_or_SIT> stored?
  2. Provide an overview of activities involving <label_or_classifier_or_SIT> data in the last <duration> days.
  3. Identify instances where <label_or_classifier_or_SIT> data was transferred outside of the organization in the last <duration> days.
  4. Who are the top five users with the most <label_or_classifier_or_SIT> data exfiltration in the last <duration> days?
  5. Are there any alerts for users who interacted with <label_or_classifier_or_SIT> data in the last <duration> days?
  6. How can I prevent unauthorized transfers of <label_or_classifier_or_SIT> data?

To get started with Security Copilot promptbooks, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in with the credentials for a user account assigned DSPM permissions.

  2. Select the Data Security Posture Management solution card, then select Overview in the left nav.

  3. Select one of the suggested prompts for Security Copilot:

    • Risky user investigation promptbook
    • Sensitive data protection promptbook

  4. Enter the requested inputs for the user, classifier, sensitivity label, or SIT and duration in days.

  5. Select Submit.

The promptbook responses automatically scope insight data and provide quick answers in a separate flyout pane. You can select additional built-in prompts to automatically update and generate new responses in the flyout pane. Select New chat to clear previous responses to suggested prompts. Create additional custom prompts directly in Copilot to generate responses from AI-driven analytics based on the scanning results from your organization.

Data Security Posture Management also offers built-in prompts to help you investigate sensitive areas, potentially risky users, potentially suspicious activity, and more in your organization. To view these built-in Copilot prompts, select View more in prompt gallery in the Get started with Security Copilot featured promptbooks section on the Overview page. You can customize the built-in prompt or immediately run the prompt directly in Copilot.

Select built-in Copilot prompts from the following categories:

  • Alerts and policies
  • Data at risk
  • Potentially risky users
  • Potentially suspicious activity
  • Sensitive data

Tips for custom Copilot prompts in DSPM

For an enhanced experience with Copilot in DSPM, use the following tips for higher accuracy in Copilot responses:

  • Always include the user's UPN for questions involving a specific user.
  • Always specify the complete name for the sensitive info type or label for questions involving a specific type of sensitive info type or label.
  • Clearly list the sorting criteria for questions for top users, activities, and alerts.
  • Always specify the date period for questions for data in a specific date period. If you don't specify a date period, only data from the last 10 days from current date is included. The maximum lookback is 30 days from the current date.
  • Put all items (classifiers or labels) in single quotes in your prompt.
  • Use "/" as a separator for any path (for example, a file path) in a user prompt.
  • Scope the prompt to a single intent for higher accuracy of responses. Break complex prompts into single intent questions and enter the prompts one by one.
  • Make questions self-contained. Avoid referring to previous questions or responses.
  • Avoid using generic terms.
  • Support prompts for data security across Information Protection, DLP, Insider Risk Management, or from public documentation.

For more information on creating Security Copilot prompts, see Create effective prompts.

Using Copilot in other solutions

Security Copilot is also available directly in other Purview solutions to help you quickly find answers for specific scenarios or to generate insights scoped to specific solution areas that aren't related to unprotected assets.