Module 5: Mitigate Threats Using Microsoft Security Copilot
Modules 1-4 taught you to investigate threats manually — triaging alerts, writing KQL queries, tracing attack chains across data sources, and building investigation timelines. Module 5 introduces the AI-assisted layer that accelerates every one of those skills.
Microsoft Security Copilot is a generative AI assistant purpose-built for security operations. It does not replace the investigation skills you learned in Modules 1-4 — it amplifies them. When you investigate a complex incident involving 15 correlated alerts across Defender XDR, Entra ID, and Sentinel, Copilot can summarise the incident in seconds, explain what each alert means, generate the KQL queries you would normally write by hand, and produce an investigation report draft. The analyst’s expertise is still essential — you must evaluate Copilot’s output, validate the KQL it generates, verify the investigation conclusions, and make the response decisions. But the time from alert to conclusion drops from hours to minutes.
The SC-200 exam added Security Copilot objectives in 2024-2025 and continues to expand coverage. The exam tests your ability to use Copilot for incident investigation, understand the embedded experiences in Microsoft security products, and evaluate the quality and accuracy of Copilot’s output.
Complete Modules 1-4 before starting this module. Copilot’s value depends on your ability to evaluate its output: if you cannot assess whether a KQL query is correct, whether an incident summary captures the right details, or whether a recommended response action is appropriate, you cannot rely on what Copilot produces. The investigation skills from Modules 1-4 are the foundation. Copilot is the accelerator.
What you will be able to do after completing this module
After completing this module, you will understand generative AI fundamentals as they apply to security operations — what LLMs can and cannot do, the role of grounding data in producing accurate responses, and the difference between standalone and embedded Copilot experiences. You will use Security Copilot’s standalone experience to investigate incidents, analyse scripts, generate KQL queries, and produce investigation reports. You will use the embedded Copilot experiences in Defender XDR (incident summary, guided response, script analysis), Sentinel (KQL generation, workbook queries, hunting), Entra ID (risk assessment), Purview (investigation assistance), and Defender for Cloud (alert explanation). You will apply effective prompting techniques including promptbooks (pre-built investigation workflows) and session management. And you will understand the governance, plugin architecture, and data security model that determines what Copilot can access and how its output should be handled.
How this module is structured
5.1 — Generative AI for Security Operations. The foundation: what LLMs are, how they work at a conceptual level, why grounding matters for security output accuracy, and the realistic capabilities and limitations of AI-assisted investigation.
5.2 — Security Copilot Architecture and Setup. The standalone portal, Security Compute Units (SCUs), plugin architecture, data sources, and the setup process for enabling Copilot in your organisation.
5.3 — Prompting Security Copilot: Techniques and Promptbooks. How to write effective prompts, the elements of a good security prompt, system capabilities, promptbooks (pre-built investigation sequences), and session management.
5.4 — Embedded Copilot in Defender XDR. The inline Copilot experience in the Defender portal: incident summary, alert explanation, guided response, script analysis, and KQL query generation in Advanced Hunting.
5.5 — Embedded Copilot in Sentinel. Copilot in the Sentinel experience: KQL query generation, analytics rule assistance, hunting query creation, and workbook query help.
5.6 — Embedded Copilot in Entra, Purview, and Defender for Cloud. Copilot capabilities in identity risk assessment, compliance investigation, and cloud security alert explanation.
5.7 — Incident Investigation with Security Copilot. Worked investigation using Copilot as an assistant: from initial alert through investigation timeline to IR report, demonstrating where Copilot adds value and where analyst expertise is irreplaceable.
5.8 — Threat Hunting and KQL Generation with Copilot. Using Copilot to generate hunting hypotheses, translate natural language to KQL, explain complex queries, and iterate on detection logic.
5.9 — Copilot Governance, Plugins, and Data Security. Role-based access, data residency, plugin management, usage monitoring, and the organisational policies around AI-assisted investigation.
5.10 — Cross-Product Investigation: Copilot-Assisted Workflow. Our addition. A complete investigation using Copilot across Defender XDR, Sentinel, and Entra ID — comparing the manual workflow (Modules 1-4) with the Copilot-assisted workflow to demonstrate the acceleration.
5.11 — Module Summary. Key takeaways, skills checklist, SC-200 exam objectives covered.
5.12 — Check My Knowledge. 20 scenario-based questions covering all subsections.