Update readme.md
KwachSean authored Apr 3, 2024
1 parent 66ba1c2 commit 5eee718
Showing 1 changed file with 4 additions and 7 deletions.
Expand Up @@ -18,10 +18,7 @@


Following best practices above, listed below are good and bad examples of prompts intended to support various security-related use cases.
Prompt 1: Create a Defender KQL query to hunt for hexidecimal strings associated with the svchost.exe process.

Prompt 2: What threat actor groups tend to use this svchost.exe process?

Prompt 3: What are the TTPs associated with these threat actor groups?

Prompt 4: Please create a table to list the MITRE ATT&CK techniques associated with each threat actor group as unique rows. List each MITRE ATT&CK technique associated with each threat actor group in column 1 “MITRE ATT&CK technique” and which threat actor groups used that technique in column 2, “Threat Actor Group(s)”.
| | **Bad** | **Good** | **Better** | **Best** |
|----------------|------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Incident Summary** | Provide an incident summary. | Provide a summary for incident 19247 from Defender catered to a non-technical executive audience. | Provide a summary for incident 19247 from Defender catered to a non-technical executive audience. List the entities of the incident in a table providing context from MDTI. | Provide a summary for incident 19247 from Defender catered to a non-technical executive audience. List the entities of the incident in a table which includes the following headers: “Entity”, “Entity Type”, “MDTI reputation”. Within entity, list the entity associated with the incident or incident’s alerts. Within Entity Type, list what type of entity it is. For example, domain name, IP address, URL, hash. Within the MDTI reputation, enrich the entity against MDTI’s Copilot reputation skill. |
| **KQL Query for Hexadecimal Strings** | Create a KQL query to hunt for hexadecimal strings. | Create a KQL query to hunt for hexadecimal strings associated with svchost.exe process. | Prompt 1: Create a Defender KQL query to hunt for hexadecimal strings associated with the svchost.exe process. <br>Prompt 2: What threat actor groups tend to use this svchost.exe process?<br>Prompt 3: What are the TTPs associated with these threat actor groups?<br>Prompt 4: Please create a table to list the MITRE ATT&CK techniques associated with each threat actor group as unique rows. List each MITRE ATT&CK technique associated with each threat actor group in column 1 “MITRE ATT&CK technique” and which threat actor groups used that technique in column 2, “Threat Actor Group(s)”. | Prompt 1: Create a Defender KQL query to hunt for hexadecimal strings associated with the svchost.exe process.<br>Prompt 2: What threat actor groups tend to use this svchost.exe process?<br>Prompt 3: What are the TTPs associated with these threat actor groups?<br>Prompt 4: Please create a table to list the MITRE ATT&CK techniques associated with each threat actor group as unique rows. List each MITRE ATT&CK technique associated with each threat actor group in column 1 “MITRE ATT&CK technique” and which threat actor groups used that technique in column 2, “Threat Actor Group(s)”.<br>...<br>Prompt 11: Based on the incident comments (or wherever you document your postmortem steps), have these recommendations been followed?<br>[Save this as a custom promptbook] |
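Review bot: the "Best" cell of the "KQL Query for Hexadecimal Strings" row elides Prompts 5 through 10 behind "...", so a reader cannot reproduce the promptbook from this table; either list the intermediate prompts or point to the file where the full promptbook is kept. The same cell repeats Prompts 1 to 4 verbatim from the "Better" cell, which is what makes the row so wide; a shorter form such as "Prompts 1 to 4 as in Better, then ..." would keep the table readable now that the standalone Prompt 1 to 4 list above it has been removed. The removal also drops the "hexidecimal" spelling from the old standalone list, so the remaining text is consistently "hexadecimal", which is worth noting in the commit message.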
