vinayaklatthe

8 skills
security-copilot-agents
Passed all 3 security checks
Guidance for Microsoft Security Copilot agents — autonomous, purpose-built AI agents (e.g., phishing triage, alert triage, conditional access optimization, vulnerability remediation) that work within Security Copilot. Covers available agents, identity/permissions, and supervision. WHEN: Security Copilot agents, autonomous SOC agent, phishing triage agent, alert triage agent, agent identity, supervise AI agent, agentic security, Copilot agent permissions, automate phishing triage, AI agent for SOC, autonomous alert triage, hands-off triage of high-volume alerts. DO NOT USE for basic Security Copilot setup, SCU provisioning, or promptbooks (use security-copilot).
cloud-app-security-posture
Passed all 3 security checks
Guidance for cloud and SaaS security posture management - combining Defender for Cloud CSPM (IaaS/PaaS) and Defender for Cloud Apps SSPM (SaaS) to assess and harden posture across cloud and SaaS apps. Covers Secure Score, MCSB, attack-path analysis, SSPM recommendations, and governance. WHEN: cloud security posture, SaaS security posture management, SSPM, CSPM, secure cloud apps, posture recommendations, harden SaaS configuration, app security posture, multicloud and SaaS hardening, harden Microsoft 365 SaaS settings, find misconfigured Salesforce or ServiceNow settings, SaaS app misconfiguration. DO NOT USE for IaaS/PaaS workload threat protection plans (use defender-for-cloud-hardening) or for SaaS threat detection only (use defender-for-cloud-apps).
microsoft-priva
Passed all 3 security checks
Guidance for Microsoft Priva — privacy risk management and subject rights requests. Covers Priva Privacy Risk Management and Priva Subject Rights Requests to find privacy risks and fulfill data subject requests (GDPR/CCPA). WHEN: Microsoft Priva, privacy risk management, subject rights request, DSAR, data subject request, GDPR fulfillment, privacy risk policies, data minimization, overexposed personal data.
compromise-recovery
Passed all 3 security checks
Guidance for responding to and recovering from a significant identity/tenant compromise - regaining administrative control, evicting the adversary in a single coordinated action, and hardening to prevent reentry. Covers trusted foundation (PAW), containment, eviction, identity recovery (krbtgt, federation), and post-eviction hardening. WHEN: compromise recovery, incident response, regain control after breach, evict attacker, tenant compromise, rebuild trust, ransomware recovery, post-breach hardening, kick out adversary, emergency response, attacker is in our tenant right now, ransomware hit our organisation, regain admin access after a breach, adversary has domain admin or Global Admin. DO NOT USE for routine SOC investigation (use defender-xdr / sentinel) or for preventive hardening with no active compromise (use security-architecture / entra-id).
security-copilot
Passed all 3 security checks
Guidance for Microsoft Security Copilot - the generative-AI security platform that helps analysts investigate, hunt, summarise, and respond using natural language, plugins, promptbooks, and embedded experiences. Covers SCU provisioning, plugins, promptbooks, governance, and the standalone vs embedded experience choice. WHEN: Microsoft Security Copilot, AI for SOC, security copilot units SCU, promptbooks, Copilot plugins, natural language investigation, summarise incident with AI, Copilot for Security setup, how do I use AI in my SOC, explain a KQL query with AI, summarise an alert for a stakeholder. DO NOT USE when the goal is configuring autonomous triage or remediation agents (use security-copilot-agents).
bitlocker-design
Passed all 3 security checks
Guidance for designing BitLocker drive encryption for Windows endpoints managed via Microsoft Intune — encryption policy, silent enablement, recovery key escrow to Entra ID, TPM, pre-boot authentication trade-offs, and BitLocker To Go for removable media. Covers compliance integration with Conditional Access and recovery workflows. WHEN: BitLocker, disk encryption, Windows encryption policy, BitLocker recovery key, silent BitLocker enablement, Intune disk encryption, TPM 2.0, escrow recovery key, encrypt endpoints, XTS-AES, BitLocker To Go, pre-boot authentication, removable drive encryption. DO NOT USE for general Intune device management (use intune-device-mgmt), Linux/macOS encryption (use intune-device-mgmt FileVault), or Azure disk encryption (use azure-key-vault).
windows-hello
Passed all 3 security checks
Guidance for Windows Hello for Business (WHfB) — passwordless, phishing-resistant authentication using a PIN or biometric backed by an asymmetric key or certificate. Covers trust model selection (cloud Kerberos trust default for hybrid; key trust legacy; certificate trust niche), prerequisites (Entra join, MFA registration, Entra Kerberos for cloud Kerberos trust), Intune-based provisioning, multi-factor unlock, and Conditional Access authentication strengths. WHEN: Windows Hello for Business, WHfB, passwordless Windows, biometric sign-in, PIN sign-in, cloud Kerberos trust, key trust, certificate trust, hybrid sign-in, Entra Kerberos, multi-factor unlock, FIDO2 vs Hello, Hello provisioning. DO NOT USE for FIDO2 security keys (use entra-id), CA policy authoring (use conditional-access-mfa), or Intune compliance baseline (use intune-device-mgmt).
azure-role-selector
Passed all 3 security checks
Guidance for selecting the right Azure RBAC role with least privilege - mapping required actions to built-in roles, deciding when a custom role is needed, scoping assignments correctly, and choosing between control-plane and data-plane roles. Covers scope levels (management group → resource), groups vs direct assignment, and PIM for privileged roles. WHEN: which Azure role, least privilege role, Azure RBAC role selection, built-in vs custom role, scope role assignment, role for managed identity, data plane role, assign minimal permissions, RBAC design, control plane vs data plane, Storage Blob Data Reader vs Reader. DO NOT USE for Entra ID directory roles (use entra-id) or for Microsoft 365 admin roles (use m365-govern-manage).