Learn how to create, test, share, and manage custom Promptbooks in Microsoft Security Copilot to standardise SOC workflows for consistent, repeatable investigations across every shift.
Promptbooks in Microsoft Security Copilot are reusable, multi-step prompt sequences that automate common SOC workflows. Rather than manually typing a series of investigation prompts every time an incident occurs, analysts can execute a single Promptbook that runs an entire sequence of prompts. producing consistent, high-quality outputs regardless of who triggers the investigation.
In this lab, you will create custom Promptbooks for three critical SOC scenarios:
By the end of this lab you will have a library of production-ready Promptbooks that your SOC team can use immediately to accelerate investigations and ensure no critical step is missed.
Scenario: Contoso Financial Services operates a 24/7 SOC with three analyst shifts. Despite having documented runbooks, triage quality varies significantly between shifts. Shift A produces detailed, thorough reports while Shift C frequently misses lateral movement analysis and IOC extraction. New analysts require 4–6 weeks of shadowing before they can perform independent triage.
The Problem:
The Solution: By deploying custom Promptbooks in Security Copilot, Contoso standardises every investigation workflow. Every analyst. regardless of experience level. executes the same comprehensive prompt sequences. The Promptbooks encode the investigation patterns of the organisation’s best analysts, ensuring that critical steps like MITRE mapping, lateral movement checks, and business impact assessment are never skipped.
Measured Outcomes: After deploying Promptbooks, Contoso reduced mean time to triage by 62%, eliminated inter-shift quality variance, and cut new analyst onboarding time from 6 weeks to 10 days.
Promptbooks eliminate human variability in investigations, ensuring every analyst follows the same thorough process and reducing the risk of missed indicators. Instead of manually typing 5–8 prompts per incident, analysts execute a single Promptbook, cutting triage time from 45 minutes to under 15 minutes while producing more comprehensive outputs. For regulated industries, Promptbooks provide an auditable, consistent investigation methodology that satisfies compliance requirements. And when senior analysts encode their expertise into Promptbooks, that institutional knowledge remains with the organisation. new analysts immediately benefit from the accumulated wisdom of experienced team members.
Before creating custom Promptbooks, start by exploring the library of Microsoft-provided Promptbooks. These serve as excellent templates and demonstrate best practices for prompt sequencing.
Examine the following built-in Promptbooks and take note of their structure:
<<incident_id>> parameter.<<CVE_ID>> as an input parameter.12345).Every Promptbook consists of five key components. Understanding these components is essential before you begin creating your own.
| Component | Description | Example |
|---|---|---|
| Name | A descriptive, concise name for the Promptbook | Incident Triage · Full Assessment |
| Description | Explains the purpose and expected output | Performs a comprehensive incident investigation including IOC extraction and remediation recommendations |
| Tags | Categories for filtering and organisation | Triage, Incident Response, SOC Tier 1 |
| Input Parameters | Dynamic values that analysts supply at runtime | <<incident_id>>, <<user_upn>> |
| Prompt Sequence | Ordered list of prompts that execute sequentially | 5 prompts building from summary to remediation |
Each prompt in a Promptbook executes within the same Security Copilot session. This means:
Parameters use double angle brackets to define placeholders that analysts fill in at runtime:
// SECURITY COPILOT PROMPTBOOK PARAMETER SYNTAX
// Parameters use double angle brackets <<name>> as runtime placeholders
// When an analyst runs the Promptbook, Copilot prompts for each value
// Parameter names should be descriptive to guide correct input
<<incident_id>> → Analyst enters: 45821 // Defender XDR incident number
<<user_upn>> → Analyst enters: john.doe@contoso.com // Entra ID user principal name
<<sender_address>> → Analyst enters: phish@malicious-domain.com // Reported phishing sender
<<CVE_ID>> → Analyst enters: CVE-2024-21887 // NVD vulnerability identifier<<incident_id>> is clearer than <<id>>. You can also add a description to each parameter when creating the Promptbook.Now you will create your first custom Promptbook. a comprehensive incident triage workflow with five sequential prompts that guide an analyst through a complete investigation.
Add the following five prompts in order. Each prompt builds on the context established by the previous one:
// PROMPTBOOK STEP 1: Incident Summary
// PARAMETER: <<incident_id>> - Defender XDR incident number (e.g., 45821)
// PLUGIN: Microsoft Defender XDR (queries incidents, alerts, entity graph)
// OUTPUT: Structured summary with severity, entities, and MITRE ATT&CK mapping
Summarise incident <<incident_id>> including severity, status, affected entities
(users, devices, IP addresses, mailboxes), and all associated MITRE ATT&CK techniques.
Present the information in a structured format with clear sections.// PROMPTBOOK STEP 2: Attack Vector Analysis
// PLUGIN: Microsoft Defender XDR (alert timeline, process tree, network events)
// PURPOSE: Identify how the attacker got in and how far they progressed
// WHY: Session context carries the incident from Step 1 - no need to re-specify
// OUTPUT: Initial access method, lateral movement map, chronological event timeline
Based on the incident above, what was the initial access vector? Has there been
evidence of lateral movement to other devices or accounts? Include a timeline of
key events from initial access to the most recent activity.// PROMPTBOOK STEP 3: IOC Extraction
// PLUGINS: Defender XDR (evidence) + MDTI (threat intelligence verdicts)
// PURPOSE: Extract all IOCs for blocking, hunting, and TI sharing
// OUTPUT: Table with IOC Type | Value | Context | TI Verdict columns
// TIP: Use extracted IOCs to update block lists and create detection rules
List all Indicators of Compromise (IOCs) associated with this incident. Include
IP addresses, domain names, file hashes (SHA-256), URLs, email addresses, and
any registry keys or file paths. Format as a table with columns: IOC Type,
Value, Context, and Threat Intelligence Verdict.// PROMPTBOOK STEP 4: Business Impact Assessment
// PLUGINS: Defender XDR (entities) + Entra ID (role data) + Purview (data classification)
// PURPOSE: Translate technical findings into business risk for leadership reporting
// OUTPUT: Affected critical assets, data exposure risk, regulatory implications
What is the business impact of this incident? Which critical assets are affected?
Assess data exposure risk, operational impact, and potential regulatory implications.
Include whether any privileged accounts or sensitive data repositories were accessed.// PROMPTBOOK STEP 5: Remediation Recommendations
// PLUGIN: Microsoft Defender XDR (available response actions)
// PURPOSE: Generate actionable remediation plan with team assignments and urgency
// OUTPUT: Prioritised action list with responsible team, urgency, and Defender actions
// NOTE: Defender actions (isolate device, disable account) can be executed directly
Generate recommended containment and remediation actions in priority order. For each
action, specify: the action to take, which team is responsible (SOC, IT Ops, Identity),
urgency level (Immediate, Short-term, Long-term), and any relevant Microsoft Defender
actions that can be taken directly (e.g., isolate device, disable account, block IOC).Phishing is the most common attack vector in enterprise environments. This Promptbook standardises how your SOC investigates reported phishing emails, ensuring no step is missed.
<<email_subject>>, <<sender_address>>, <<recipient>>// PROMPTBOOK STEP 1: Sender Reputation Check
// PARAMETER: <<sender_address>> - email address of the reported phishing sender
// PLUGINS: Defender for Office 365 (email auth) + MDTI (domain reputation)
// OUTPUT: SPF/DKIM/DMARC results, domain age, TI matches, first-time sender flag
Analyse the sender <<sender_address>> for reputation and threat intelligence.
Check if this sender or domain has been previously flagged as malicious, check
SPF/DKIM/DMARC authentication results, and determine if this is a first-time
sender to our organisation. Include any threat intelligence matches.// PROMPTBOOK STEP 2: Similar Email Analysis (Blast Radius)
// PARAMETERS: <<email_subject>> - subject line; <<sender_address>> - sender email
// PLUGIN: Defender for Office 365 (email trace, delivery actions)
// PURPOSE: Determine how many users were targeted by this phishing campaign
// OUTPUT: Recipient list with delivery status (inbox/quarantined/blocked)
Search for similar emails in our environment with subject containing
"<<email_subject>>" or from sender <<sender_address>> in the last 7 days.
How many users received this email? List all recipients and whether the
email was delivered to inbox, quarantined, or blocked.// PROMPTBOOK STEP 3: Malicious Content Analysis
// PARAMETERS: <<recipient>> - target user; <<sender_address>> - sender
// PLUGINS: MDO (Safe Links, Safe Attachments detonation) + MDTI (URL reputation)
// PURPOSE: Analyse URLs for credential harvesting and attachments for malware
// OUTPUT: URL reputation, redirect chain, attachment file type/hash/detonation verdict
Analyse the content of the email sent to <<recipient>> from <<sender_address>>.
Are there any URLs in the email? If so, check their reputation and whether they
redirect to credential harvesting pages. Are there any attachments? If so, what
are their file types, hashes, and detonation verdicts?// PROMPTBOOK STEP 4: Affected Users Assessment
// PLUGINS: MDO (click/open telemetry) + Entra ID (sign-in anomalies, OAuth)
// PURPOSE: Identify which users interacted with the phish and check for compromise
// OUTPUT: Users who clicked/opened, credential submission evidence, compromise signs
For all users who received this phishing email, determine: Did anyone click on
URLs in the email? Did anyone open attachments? Did anyone submit credentials
on a linked page? Have any affected user accounts shown signs of compromise
since receiving the email (anomalous sign-ins, mail forwarding rules, OAuth grants)?// PROMPTBOOK STEP 5: Response Recommendations
// PLUGIN: Defender for Office 365 (available admin actions)
// PURPOSE: Generate a prioritised phishing response plan with MDO-specific actions
// OUTPUT: 4-tier action plan: containment, user remediation, hardening, detection
// NOTE: MDO actions include: block sender, purge emails, submit to Microsoft
Based on this phishing investigation, provide prioritised response actions:
1. Immediate containment actions (block sender, purge emails, revoke sessions)
2. User remediation (password resets, MFA re-registration, user notification)
3. Environment hardening (mail flow rules, safe links policy updates)
4. Detection improvements (new alert rules, IOC additions to block lists)
Include specific Microsoft Defender for Office 365 actions where applicable.When an account is suspected of being compromised, analysts need a fast, thorough assessment. This Promptbook automates the complete user compromise investigation workflow.
<<user_upn>>// PROMPTBOOK STEP 1: User Risk Profile
// PARAMETER: <<user_upn>> - Entra ID UPN of the suspected compromised user
// PLUGINS: Microsoft Entra ID (risk, roles, MFA) + Audit logs (recent changes)
// OUTPUT: Risk level, role memberships, MFA status, recent account changes
Provide a comprehensive risk profile for user <<user_upn>> from Microsoft Entra ID.
Include: current risk level, risk detections history, assigned roles and group
memberships, MFA registration status, and whether this is a privileged account.
Also list any recent changes to the account (password resets, role assignments,
group membership changes).// PROMPTBOOK STEP 2: Sign-in Anomaly Analysis
// PLUGIN: Microsoft Entra ID (sign-in logs, Identity Protection risk detections)
// PURPOSE: Identify impossible travel, unfamiliar devices, and credential abuse
// TIMEFRAME: Past 14 days for comprehensive anomaly detection
// OUTPUT: Timeline of suspicious sign-in events with location, device, and risk flags
Analyse recent sign-in activity for this user over the past 14 days. Identify any
anomalies including: sign-ins from unusual locations or IP addresses, impossible
travel scenarios, sign-ins from unfamiliar devices or browsers, failed MFA
challenges, sign-ins using legacy authentication protocols, and any token replay
activity. Present a timeline of suspicious events.// PROMPTBOOK STEP 3: Device Posture Check
// PLUGINS: Intune (compliance) + Defender for Endpoint (risk level, alerts)
// PURPOSE: Check if the user's devices are compromised or non-compliant
// OUTPUT: Device list with compliance status, MDE risk, alerts, OS patch level
List all devices associated with this user. For each device, check: compliance
status in Intune, risk level in Microsoft Defender for Endpoint, any active
alerts or incidents, last seen timestamp, and OS patch level. Flag any devices
that are non-compliant or have active threats.// PROMPTBOOK STEP 4: OAuth and Application Consent Review
// PLUGINS: Defender for Cloud Apps (OAuth consents) + Exchange Online (mail rules)
// PURPOSE: Detect attacker persistence via malicious OAuth apps or mail forwarding
// KEY SIGNALS: Mail.Read/ReadWrite permissions, unverified publishers, inbox rules
// OUTPUT: List of suspicious consents and mail rules flagged as potential persistence
Review all OAuth application consents granted by this user. Identify any suspicious
or overprivileged consents, especially: apps with Mail.Read or Mail.ReadWrite
permissions, apps granted in the last 30 days, apps from unverified publishers,
and any inbox rules or mail forwarding rules configured on the user's mailbox.
Flag anything that could indicate persistence by an attacker.// PROMPTBOOK STEP 5: Containment Recommendations (Verdict)
// PURPOSE: Synthesise all prior steps into a compromise verdict and action plan
// OUTPUT: Compromise verdict (Yes/No) with confidence level, 4-step remediation plan
// NOTE: Actions include Defender responses (revoke sessions, disable account)
Based on the complete assessment above, provide a verdict: Is this account likely
compromised? If yes, provide prioritised containment actions:
1. Immediate actions (revoke sessions, reset password, disable account if needed)
2. Persistence removal (revoke OAuth consents, remove mail rules, re-register MFA)
3. Scope assessment (check if compromised account was used to attack others)
4. Recovery steps (re-enable account securely, user communication, monitoring period)
Include the confidence level of your assessment and any gaps in available data.Testing with real data is essential to validate that your Promptbooks produce actionable, high-quality output. In this step, you will run each Promptbook and refine the prompts based on the results.
Based on your test results, refine prompts using these strategies:
While Promptbooks execute prompts sequentially, you can design prompts that intelligently adapt based on the context established by earlier prompts. This creates a pseudo-conditional investigation flow.
Since each prompt in a Promptbook has access to the full context of previous outputs, you can write prompts that conditionally focus on different areas based on findings:
// CONDITIONAL PROMPT PATTERN: Lateral Movement Branch
// PURPOSE: Adapts investigation depth based on findings from earlier prompts
// HOW IT WORKS: Copilot evaluates session context and follows the matching branch
// IF lateral movement found → generates detailed movement map with techniques
// IF no lateral movement → assesses risk and credential exposure instead
If the previous analysis identified lateral movement, provide a detailed
lateral movement map showing source device, destination devices, techniques
used (e.g., PsExec, WMI, RDP), and timestamps. If no lateral movement was
detected, analyse whether the attacker has the credentials and access
required to attempt lateral movement and assess the risk.You can reference outputs from earlier prompts using natural language references. Security Copilot maintains session context, so these patterns work reliably:
// CROSS-PROMPT VARIABLE REFERENCES
// Security Copilot maintains full session context across all Promptbook steps
// Use natural language references to carry forward entities and findings
// Prompt 3 can reference Prompt 1's output:
// WHY: IOCs extracted in Step 1 are automatically available in subsequent steps
"For each IOC identified in the incident summary above, check if it appears
in any other incidents in the last 30 days."
// Prompt 4 can reference Prompt 2 and 3:
// WHY: Combines attack vector (Step 2) with IOCs (Step 3) for scope assessment
"Considering the attack vector and IOCs identified above, which other
devices or users in our environment may be at risk?"Use conditional language patterns to make prompts adaptive:
// ADAPTIVE SEVERITY-BASED INVESTIGATION PROMPT
// PURPOSE: Adjusts report depth and audience based on incident severity from prior steps
// HIGH/CRITICAL → Executive CISO briefing with financial and regulatory impact
// MEDIUM → SOC manager report with shift handoff notes
// LOW → Brief summary confirming automated remediation status
Based on the incident severity and business impact assessed above:
- If this is a high/critical severity incident affecting privileged accounts
or critical assets, provide an executive summary suitable for CISO briefing,
including estimated financial impact and regulatory notification requirements.
- If this is a medium severity incident, provide a standard incident report
suitable for the SOC manager with next-shift handoff notes.
- If this is a low severity incident, provide a brief summary and confirm
whether automated remediation has been applied or manual action is needed.Once you have tested and refined your Promptbooks, the next step is sharing them with your SOC team so all analysts can benefit from standardised workflows.
| Role | Can Create | Can Share | Can Run | Can Edit |
|---|---|---|---|---|
| Copilot Owner | ✅ | ✅ | ✅ | ✅ (all) |
| Copilot Contributor | ✅ | ✅ | ✅ | ✅ (own) |
| Copilot Reader | ❌ | ❌ | ✅ (shared) | ❌ |
Establish consistent conventions so your team can quickly find the right Promptbook:
[Category] · [Specific Purpose] (e.g., “Phishing · Email Investigation”, “Identity · Compromise Assessment”).Exporting Promptbooks as JSON enables backup, version control, cross-tenant sharing, and disaster recovery. This step covers the complete import/export workflow.
IncidentTriage-FullAssessment-v2.1.json.The exported JSON contains the complete Promptbook definition:
// PROMPTBOOK EXPORT JSON SCHEMA
// PURPOSE: Backup, version control, and cross-tenant sharing of Promptbooks
// FORMAT: JSON file downloaded from Security Copilot portal via Export menu
{
"name": "Incident Triage · Full Assessment", // Display name in Promptbook library
"description": "Performs a comprehensive five-step incident triage...",
"tags": ["Triage", "Incident Response", "SOC Tier 1"], // Filterable categories
"inputs": [ // Runtime parameters
{
"name": "incident_id", // Maps to <<incident_id>> in prompts
"description": "The Defender XDR incident ID to investigate",
"type": "string" // Always string type for parameters
}
],
"prompts": [ // Ordered prompt sequence
{
"order": 1, // Execution order (sequential)
"content": "Summarise incident <<incident_id>> including..."
},
{
"order": 2, // Inherits session context from prompt 1
"content": "Based on the incident above, what was the initial..."
}
]
}One of the most valuable Promptbooks for any 24/7 SOC is a shift handoff report. This Promptbook generates a comprehensive end-of-shift summary that ensures the incoming team has full situational awareness.
<<shift_hours>> (e.g., “last 8 hours”)// SHIFT HANDOFF STEP 1: Incident Summary
// PARAMETER: <<shift_hours>> - time window (e.g., "last 8 hours")
// PLUGIN: Microsoft Defender XDR + Microsoft Sentinel (incident listing)
// OUTPUT: Categorised incident list (New/Updated/Resolved) with counts
List all security incidents created or updated in the <<shift_hours>>. For each
incident, include: incident ID, title, severity, current status, assigned analyst,
and a one-line summary. Separate into three categories: New incidents, Updated
incidents, and Resolved incidents. Show counts for each category.// SHIFT HANDOFF STEP 2: Actions Taken
// PLUGIN: Defender XDR (response action log)
// PURPOSE: Document all containment/remediation actions performed during this shift
// OUTPUT: Summary of devices isolated, accounts disabled, IOCs blocked, escalations
For all incidents worked during this shift, summarise the key actions taken:
devices isolated, accounts disabled, IOCs blocked, escalations made, and any
communication sent to stakeholders. Highlight any containment actions that are
still in progress or pending verification.// SHIFT HANDOFF STEP 3: Pending Items
// PURPOSE: Generate a prioritised checklist for the incoming shift
// OUTPUT: Categorised open items - active investigations, pending approvals,
// unverified containment actions, and scheduled follow-ups
Identify all open items that require attention from the incoming shift:
1. Incidents still under investigation (include current status and next steps)
2. Pending approvals or escalations awaiting response
3. Containment actions that need verification
4. Scheduled follow-ups with affected users or teams
Present as a prioritised checklist the incoming shift can action immediately.// SHIFT HANDOFF STEP 4: Threat Landscape Update
// PARAMETER: <<shift_hours>> - same time window as Step 1
// PLUGINS: MDTI (threat campaigns, CVEs) + Microsoft Advisories
// PURPOSE: Brief the incoming shift on emerging threats and advisories
// OUTPUT: Active campaigns, new CVEs affecting the environment, security advisories
Provide a brief threat landscape summary for the incoming shift: Are there any
active threat campaigns targeting our industry? Any new CVEs published that
affect our environment? Any Microsoft security advisories issued in the
<<shift_hours>>? Flag anything that may require proactive hunting or patching.// SHIFT HANDOFF STEP 5: Priority Recommendations
// PURPOSE: Synthesise all handoff data into a top-5 action list for the incoming shift
// OUTPUT: Numbered briefing list with action, urgency reason, incident context, and ETA
// TIP: Run this Promptbook 15 min before shift change for a structured verbal briefing
Based on everything above, provide the top 5 priority recommendations for the
incoming shift, ranked by urgency. For each recommendation, specify:
- What needs to be done
- Why it's urgent
- The relevant incident ID or context
- Estimated time to complete
Format as a numbered list suitable for a shift handoff briefing.Once your Promptbooks are deployed and shared with the team, you need to monitor their adoption, SCU consumption, and effectiveness to continuously improve them.
Security Copilot provides usage analytics that help you understand how Promptbooks are being used:
Each Promptbook run consumes SCUs. Track consumption to manage costs:
Quantitative metrics only tell part of the story. Establish a feedback loop with your analysts:
Establish a quarterly Promptbook review cycle:
Congratulations! You have built a library of custom Promptbooks that standardise critical SOC workflows. Here is a summary of what you accomplished and where to go next.
In this lab you:
If you created test Promptbooks that are not intended for production use:
Learn to use Security Copilot for threat intelligence analysis, actor profiling, and vulnerability impact assessment across your environment.
Explore Copilot embedded in Defender XDR, Sentinel, Entra, Intune, and Purview. Apply Zero Trust principles with Conditional Access, least privilege roles, PIM, and phased deployment.
| Resource | Description |
|---|---|
| Using promptbooks | Official guide to running and managing Promptbooks in Microsoft Security Copilot |
| Build custom promptbooks | Step-by-step guide to creating custom Promptbooks with parameters and prompt sequences |
| Prompting tips | Best practices for writing effective prompts that produce high-quality, actionable outputs |
| Plugin overview | Overview of available plugins that extend Security Copilot capabilities for use in Promptbooks |