Use Microsoft Security Copilot to Query Your Security Data in Plain English

Tool: Microsoft Security Copilot
AI Feature: Natural Language Security Investigation
Time: 10-15 minutes
Difficulty: Beginner

What This Does

Security Copilot lets you ask questions about your Microsoft security environment — Sentinel, Defender, Entra ID — in plain English, without knowing complex query syntax. You type a question; it runs the query and explains the results.

Before You Start

  • Your organization has Microsoft Security Copilot licensed (check with your manager or IT admin)
  • You have access to Microsoft Sentinel or Microsoft Defender XDR
  • You're logged into your work Microsoft account

Steps

1. Open Microsoft Security Copilot

Go to securitycopilot.microsoft.com and sign in with your work credentials. You'll see the main Copilot prompt interface — a text box in the center of the screen, similar to ChatGPT.

What you should see: A clean interface with a prompt bar and some example prompts below it.

2. Connect your security data sources

Click the "Sources" icon (looks like a plug/connector) in the upper right of the prompt bar. Verify that Microsoft Sentinel, Microsoft Defender XDR, and Entra ID are toggled on. If they're grayed out, your admin needs to enable those integrations.

Troubleshooting: If you don't see your Sentinel workspace, your admin may need to configure the Copilot connector in Sentinel settings first.

3. Ask your first investigation question

Type a plain-language question in the prompt bar. You don't need to know a query language such as KQL (Sentinel's Kusto Query Language) or Splunk's SPL — just ask what you want to know.

Good starting questions:

  • "Show me all failed sign-ins for user john.smith@company.com in the last 24 hours"
  • "Which devices contacted external IP 185.220.101.47 in the last 7 days?"
  • "Summarize the highest-severity incidents in Sentinel from the past week"

What you should see: Copilot generates and runs the query, then returns results with an AI-generated explanation of what it found.
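If you want to check what Copilot generated against the raw data, this is the KQL an analyst would run directly in Sentinel for the first prompt above. It is an added example, not Copilot's output or Microsoft documentation; it assumes Entra ID sign-in logs are ingested into the workspace's SigninLogs table and reuses the sample address from the prompt.

```kql
// Added example (not from the page or from Microsoft): the Sentinel query
// behind "Show me all failed sign-ins for user john.smith@company.com in the last 24 hours".
// Assumption: Entra ID sign-in logs are ingested into this workspace's SigninLogs table.
let targetUser = "john.smith@company.com";   // sample address taken from the page's prompt
SigninLogs
| where TimeGenerated > ago(24h)              // the "last 24 hours" part of the question
| where UserPrincipalName =~ targetUser       // =~ is a case-insensitive match
| where ResultType != "0"                     // ResultType "0" is a successful sign-in; anything else failed
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          Location, ResultType, ResultDescription
| order by TimeGenerated desc                 // newest failure first, as a timeline
```

Comparing the row count and the ResultDescription values with Copilot's summary is a quick way to confirm the natural-language answer matches the logs.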

4. Drill down on interesting results

Click on any result to expand it, or ask a follow-up question in the same session. For example: "That login — what other activity did this user account have in the last 24 hours?" Security Copilot maintains context across your conversation in a session.

5. Generate a summary for your ticket

Ask: "Summarize this investigation in 3 bullet points I can paste into a ServiceNow ticket." You'll get a concise, formatted summary ready to copy.

Real Example

Scenario: You get a high-severity Sentinel alert for a suspicious login from an unusual location for a finance employee.

What you type: "User sarah.chen@company.com had a login from Singapore at 2am EST. What other activity does her account show in the last 48 hours? Any other anomalies?"

What you get: Copilot queries Sentinel and Entra ID sign-in logs simultaneously, then returns: a timeline of her recent logins, any MFA failures, devices she's logged into, and a risk summary. It flags if the Singapore login is a known VPN endpoint or a new location.

Tips

  • Keep questions specific — "suspicious logins last week" is vague; "failed logins for jsmith in the last 24 hours" gets better results
  • Use it for your morning SOC brief: "What are the top 5 incidents from last night that need attention today?"
  • When Copilot can't find something, rephrase your question or try querying a different time range

Tool interfaces change — if a button has moved, look for similar AI/magic/smart options in the same menu area.