Copilot for Security Better Prompts: Sentinel Incident Title Over Object ID
Be Direct. Be Specific.
Directing Copilot for Security to reply with exactly the information you need, in the form you need it, matters. It saves time, saves compute (every prompt consumes Security Compute Units), and spares you the follow-up prompts you would otherwise need to get a usable answer.
For example, the following is a good prompt:
Show me Sentinel incidents that were closed as a false positive.
…and it will return the requested information in the most direct way it can. If you have worked with Copilot for Security and Microsoft Sentinel for any length of time, you know that by default the results identify incidents by object ID. As you can see in the following results example, the IncidentName column holds an unrecognizable GUID, so locating that incident in the Microsoft Sentinel console takes extra time.
How much better would it be if the results showed the human-readable Incident Title instead and carried more useful details?
A better prompt will be:
Show me Sentinel incidents that were closed as a false positive. Supply the Incident number, Incident Title, and the time they were created.
As you can see in the next results example, this new (better) prompt provides exactly what you asked for: the time the incident was created, the actual Incident number, and the full Incident title as it is shown in the Microsoft Sentinel console.
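The same request expressed as KQL, added here as an example and not taken from the original post, is a quick way to confirm in the Sentinel Logs blade that Copilot returned the right incidents. It assumes the standard SecurityIncident table, in which IncidentName holds the GUID the first prompt surfaced and IncidentNumber, Title and CreatedTime hold the values the better prompt asks for:

```kql
// Added example: the "closed as false positive" question as a Sentinel query.
// SecurityIncident writes a new row each time an incident is updated, so take
// the latest row per incident first; filtering before that would also match
// rows from before the incident was closed.
SecurityIncident
| where TimeGenerated > ago(30d)          // assumption: a 30-day window keeps the scan cheap
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed" and Classification == "FalsePositive"
| project IncidentNumber, Title, CreatedTime, ClassificationReason, ClassificationComment, IncidentName
| order by CreatedTime desc
```

The IncidentName column is kept in the projection only to show the GUID next to the readable title; drop it once you have seen the difference. Widen or remove the `ago(30d)` window if the incidents you are after are older.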
Be direct. Be specific.
Want to learn how to prompt better? Check out the ever-evolving Developing Better Prompts for Copilot for Security workshop.
You can grab these prompts from the following GitHub repo location: https://github.com/rod-trent/Copilot-for-Security/blob/main/Prompts/Plugins/Sentinel.md
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[ Subscribe to the Bi-weekly Copilot for Security Newsletter]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Subscribe to the Weekly Azure OpenAI Newsletter]
[Learn KQL with the Must Learn KQL series and book]
[Learn AI Security with the Must Learn AI Security series and book]