Sending Security Copilot Promptbook Responses via Email


Promptbooks in Security Copilot (a.k.a. Copilot for Security) are a powerful tool: they let you save and reuse lists of effective prompts whenever you need to perform the same repetitive queries and investigations. For example, you may want to use the promptbooks that Microsoft provides natively, or create your own custom ones, to better understand a certain topic (such as a CVE, a threat actor profile, etc.) or to get a deep view of security incidents in your SIEM/XDR by also looking at all the relevant evidence that can be retrieved from external information systems (Device Management & Identity Management platforms, Threat Intelligence sources, etc.).

Starting the execution of a promptbook is typically a manual task performed in the dedicated Security Copilot portal. Recently, Microsoft has added the possibility to start promptbooks from Azure Logic Apps.

Wouldn't it be useful to have the full output of a promptbook sent in a nicely formatted HTML email to the interested audience? This capability can be valuable in different scenarios. Here are just a couple of examples:

  • Having a periodic report sent to the CISO and/or other management roles.
  • Having a report on the status of open incidents sent to the incoming security operators in a SOC at shift change time.
  • Having an incident investigation, automated with the help of Generative AI, sent to the interested audience.

Surely, you will have ideas that may better fit your needs or your customer's needs!

Recently, I needed to send the result of a custom promptbook by email. Instead of creating an automation specific to that promptbook, I created an Azure Logic App that can send the response of any promptbook by email. This Logic App has the following additional features:

  • It allows you to use an HTML template to encapsulate each prompt and response within a nicely formatted graphical frame. The template is a parameter and can easily be replaced with your own preferred template.
  • For each prompt's response, if it finds markdown characters, it converts the response to HTML by calling Security Copilot again (adding markdown content within an HTML email body wouldn't give a nice result!).
  • It allows you to specify whether there are prompts within the promptbook that should not be included in the email body, and/or whether the text of some prompts should be replaced in the email for the sake of readability.
  • It handles the different situations that can occur when repeatedly calling Security Copilot: no capacity available, capacity temporarily exhausted, prompt not matching any existing skill, etc.
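The feature list above describes four pieces of logic: framing each prompt/response pair in an HTML template, detecting markdown in a response, excluding or renaming prompts, and classifying the outcomes of repeated Security Copilot calls. The Python below is an added example of that pipeline written for this post; it is not the code of the Logic App in the linked repository and does not model the real Security Copilot API. The `invoke` callable, the `to_html` converter, the three exception classes and the sample run are all constructed stand-ins. One point the example adds is that plain-text responses are HTML-escaped before they land in the mail body, so model output is treated as untrusted content rather than trusted markup.

```python
import html
import re
import time

# Constructed sample of a promptbook run: ordered (prompt, response) pairs.
# The text is invented for this example and is not real Security Copilot output.
SAMPLE_RUN = [
    ("Summarize the CVE", "**Severity:** high\n- Affects component X\n- Patch available"),
    ("Internal: fetch raw telemetry", "{\"raw\": \"...\"}"),
    ("List recommended actions", "Apply the vendor patch. Monitor for exploitation attempts."),
]

# Hypothetical HTML frame standing in for the template parameter; {prompt} and
# {response} are the only placeholders it uses.
FRAME = "<div class=\"prompt\"><h3>{prompt}</h3><div>{response}</div></div>"

# Cheap heuristic for "does this response contain markdown?": headings, list
# markers, bold, inline code or links.
MARKDOWN_HINT = re.compile(r"(^|\n)\s*([-*#>]|\d+\.)\s|\*\*|`|\[[^\]]+\]\([^)]+\)")


def looks_like_markdown(text):
    return bool(MARKDOWN_HINT.search(text))


def build_email_html(run, frame, exclude=(), rename=None, to_html=None):
    """Wrap each (prompt, response) in the frame, dropping excluded prompts and
    renaming others. Plain-text responses are HTML-escaped so that content
    returned by the model cannot inject markup into the mail body; markdown
    responses go through to_html (the caller's converter, an assumption here)."""
    rename = rename or {}
    parts = []
    for prompt, response in run:
        if prompt in exclude:
            continue
        shown = html.escape(rename.get(prompt, prompt))
        if looks_like_markdown(response) and to_html is not None:
            body = to_html(response)
        else:
            body = html.escape(response).replace("\n", "<br>")
        parts.append(frame.format(prompt=shown, response=body))
    return "\n".join(parts)


# Constructed error classes modelling the three outcomes the post lists.
class NoCapacity(Exception):         # no capacity assigned at all: abort the run
    pass

class CapacityExhausted(Exception):  # capacity temporarily used up: back off and retry
    pass

class SkillNotMatched(Exception):    # no skill can serve the prompt: skip it
    pass


def call_with_retry(fn, attempts=3, delay=0.0):
    """Retry fn on CapacityExhausted with exponential backoff; other errors propagate."""
    for i in range(attempts):
        try:
            return fn()
        except CapacityExhausted:
            if i == attempts - 1:
                raise
            time.sleep(delay * (2 ** i))


def run_promptbook(prompts, invoke, attempts=3, delay=0.0):
    """Run each prompt through invoke (a hypothetical Copilot caller) and collect
    (prompt, response) pairs. Unmatched prompts get a fixed note instead of an
    answer; NoCapacity propagates because nothing further can succeed."""
    results = []
    for prompt in prompts:
        try:
            response = call_with_retry(lambda: invoke(prompt), attempts, delay)
        except SkillNotMatched:
            response = "No matching skill; this prompt was not answered."
        results.append((prompt, response))
    return results
```

Whatever converter is plugged in as `to_html` returns markup that ends up in a mail client, so in a real deployment it should be restricted to a safe tag set (or the converted HTML sanitized) for the same reason the plain-text branch escapes its input: the model's answer is data, not trusted template code.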

You can deploy the Logic App from here: cfs/CfS-SendPromptbookResultsByEmail at main · stefanpems/cfs

In this video, I show you how to deploy, configure, and use it. I also demonstrate how to clone the deployed Logic App and modify it to use as a Playbook in Microsoft Sentinel for different kinds of automations.


Below are a few screenshots of emails sent by this Logic App when calling different native promptbooks in Security Copilot. More examples are in the video.


Example of CVE investigation



Example of Threat Actor Investigation



Example of Microsoft Defender XDR Incident Investigation




Example of email customization





I hope that you can find it useful!

Markus Schellenberger

Senior Technical Specialist Security @ Microsoft | Security Copilot Ninja

3 months

Great Video Stefano Pescosolido

Joaquín Gamiz Delgado

I teach you about cybersecurity and cloud | Microsoft Security Expert | Cloud Security Engineer | SIEM Expert | Microsoft x13 | (ISC)2 CC

3 months

Nice!!! GJ!

Wilton Malone

IT Manager | IT Project Manager | IT Strategy & Systems Management | Cloud Technology, IT Security, and Infrastructure Optimization | Delivering Business Value through Innovative IT Solutions and Leadership

3 months

Nice Stefano!

Marcus Burnap

Security Practice Lead | MVP | MCT | CISSP | Microsoft SME | Cybersecurity | Defender XDR | Sentinel | Security Copilot

3 months

Excellent work Stefano
