{
	"id": "ab8ed2f5-024b-4239-8e39-833c3178baa2",
	"created_at": "2026-04-06T00:10:07.182438Z",
	"updated_at": "2026-04-10T03:33:41.893503Z",
	"deleted_at": null,
	"sha1_hash": "a32ea9221eb48b457cb14789beb97cd7d873e0e9",
	"title": "Security Copilot Promptbook: Threat Actor Profile",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3806651,
	"plain_text": "Security Copilot Promptbook: Threat Actor Profile\r\nBy Brandon Dixon\r\nPublished: 2024-01-03 · Archived: 2026-04-05 15:37:58 UTC\r\nAutomation\r\nDiscover how Security Copilot transforms threat actor data into actionable intelligence for effective cyber defense strategies.\r\nMost attacks, whether complex or simple and whatever their motivation, typically share one common element: a person controlling the keyboard. While automation can assist in the initial stages of a compromise, the execution of objectives generally involves another individual at a workstation, much like yourself. Humans, being creatures of habit, often struggle to completely conceal their digital traces, no matter how cautious they are. These digital breadcrumbs are what security researchers track to attribute attacks and gain insight into their adversaries. By comprehending the tactics, techniques, and procedures (TTPs) used, defenders can gain an advantage in staying ahead.\r\nhttps://applied-gai-in-security.ghost.io/security-copilot-promptbook-threat-actor-profile/\r\nPage 1 of 10\r\nThreat naming is a core part of the security industry and of broader adversary understanding. Public and private sector organizations use the insights and information at their disposal to form profiles of who is targeting, or might target, their business. What used to be reserved mostly for governments is now very mainstream and part of day-to-day security operations. This explosion of information about threat actors, their tools and the vulnerabilities they exploit can be difficult to keep up with and organize. From differing actor names to complex campaign tracking, organizations can struggle to understand which threat actors matter to them and how best to operationalize the data.\r\nIn this post, I will demonstrate using generative AI to go from a threat actor name all the way to a fleshed-out profile within a matter of minutes, using Security Copilot and the Threat Actor Profile promptbook. The example actor we will use is Storm-0216, a reference back to the previous promptbook post on automating a vulnerability impact assessment. All the threat intelligence information is sourced from Microsoft Defender Threat Intelligence, which is included with Security Copilot.\r\nPromptbook Demonstration\r\nFor those who prefer a live demonstration, I put together a brief video explaining the basic controls within Security Copilot and walking through the Promptbook that's been created.\r\nPrompt Walkthrough\r\nSummarize the threat actor\r\nThe first step within this Promptbook is to ask for a profile of the named threat I want to know more about. Storm-0216 was an attractive choice as the group was making use of a recent vulnerability I had used in my previous promptbook example. The prompt is simple and open, generating an executive summary and filling in whatever else Security Copilot knows about the threat. Normally, I like to refine prompts to deliver specific results, but an open prompt like this allows us to seed the session with useful context that can be helpful later.\r\nWithin the initial summary, I see accurate information and a preview of the jargon used across the industry. This group goes by other names like Twisted Spider and UNC2198. They also make use of several different tools and backdoors, each with their own unique names and explanations. Knowing nothing about this group, this response is a helpful start to get acquainted, though it's a bit overwhelming. In the next prompts, I will narrow in on key areas and transform this data into something an organization could better operationalize.\r\nSummarize the actor TTPs and align against MITRE ATT\u0026CK framework.\r\nHere, our prompt is more specific, both in the request and the format. I've asked Security Copilot to align what it knows about Storm-0216 with the MITRE ATT\u0026CK framework. Without specifying this, I get useful results, but they are less organized and difficult to parse. I really like this alignment as the ATT\u0026CK framework is leveraged across multiple solutions and companies, giving defenders a common taxonomy to reference. By requesting that the data be mapped to this framework, it becomes more actionable.\r\nFor the format, I specify a bullet list and explicitly request the name and number of each MITRE technique along with a brief summary. Without this level of detail, I find that the responses will vary across each Promptbook run, which isn't ideal, though very much a normal outcome when using generative AI. Finally, there's a request to link each technique to its MITRE page for a deeper explanation. I find this helpful as a quick reference to learn more. This view could alternatively be expressed as a table, though the bullet list is easier to consume.\r\nList and summarize threat articles associated with the threat actor.\r\nThis prompt performs a basic look-up within the database of curated and OSINT-aggregated intelligence from Microsoft Defender Threat Intelligence. The prompt is simple and to the point: provide any articles that reference the threat actor and summarize them with links. Those with limited understanding of the actor can quickly browse recent reporting, with the option to dive further into the details of each case. As indicated in the final bullet point, there's mention of several other related ransomware threat actors including Storm-0464, Storm-0506, and Storm-0826. These are all great candidates to run back through this same Promptbook to further our understanding of the broader ransomware ecosystem.\r\nIn this prompt, I shift back to a more detailed request. Using the context formed from our broader session, I have Security Copilot outline mitigations and defense methods, starting with the most specific and ending with the generic. This instruction is more open given the nature of the Promptbook, though it could be tuned to an organization by incorporating the technology it uses or specific control points of interest. I've instructed it to order from specific to generic because I've observed the model will often mix the two, and while the generic advice is useful, it's not always the most actionable.\r\nFor the format, I've requested a table and included headers with a small amount of instruction. The response gives me what I want, and while it's generic due to the structure of the request, it's worth appreciating how these seemingly generic steps are punctuated with threat-actor-specific reasons. Advising an organization to apply least privilege principles is much more impactful when given the note that a known ransomware group will exploit this to move laterally and potentially wreak havoc on your organization. The former should be able to stand alone, but if that were true, ransomware wouldn't be as prolific.\r\nAs a final step within this Promptbook, I ask Security Copilot for an executive report on the threat actor based on the session details. I request a metadata section that outlines common data seen across industry threat profiles, including aliases, suspected origin country, industry targets, vulnerabilities exploited and tools leveraged. Below that is an executive summary formatted as bullet points, followed by several narrative sections. This prompt could be further expanded to format the profile in the exact way an organization consumes data, but as it's written, it does a great first pass.\r\nFollow-on Questions\r\nThe end of a Promptbook doesn't mean the end of the session. In fact, I'd argue it's the beginning! Now that we have a grounded session containing a bunch of information about this threat actor, what additional follow-up questions could we ask? Here are a few that immediately come to mind based on my past analyst experience.\r\nProvide a threat actor profile on all of the other actors associated with ransomware.\r\nProvide vulnerability impact assessments on all mentioned CVEs known to be exploited by the group.\r\nWhat other threat actors commonly target \u003cyour industry\u003e?\r\nSummarize [Cobalt Strike, Impacket, DWAgent, Rclone, GOST, chisel] tools leveraged by this threat actor. Include ways to detect these tools within my environment, specifically using network signatures in Zeek format.\r\nOperationalizing this Work\r\nBuilding an understanding of a threat actor, specifically one that may be exploiting a ubiquitous vulnerability or one that delivers ransomware, requires expertise, access to quality intelligence and, most importantly, time. The Threat Actor Profile Promptbook in Security Copilot, paired with Defender Threat Intelligence, saves analysts hours of work and gives them a stronger foundation to operate from. Generative AI brings an actionable component to this information and allows the reporting to be tailored to your organization.\r\nOne way to operationalize this Promptbook would be to identify which threat actors commonly target your industry and set this Promptbook to run against them on a weekly basis. Results from the Promptbook could be reformatted to meet your needs and merged into a knowledge base for future reference. You can use the out-of-the-box Security Copilot version of this Promptbook or design your own to match your specific needs.\r\nWhat I enjoy most about this Promptbook is the fact that it of course runs well on any Microsoft-named threat, but it will also take alternative aliases from other companies' naming conventions and function on those as well. Years ago, when I did espionage research, I had to use a spreadsheet as a \"rosetta stone\" of threat actor names. I am hopeful that solutions such as this can begin to replace those older methods and allow defenders to focus on what matters most in their organization.\r\nSource: https://applied-gai-in-security.ghost.io/security-copilot-promptbook-threat-actor-profile/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://applied-gai-in-security.ghost.io/security-copilot-promptbook-threat-actor-profile/"
	],
	"report_names": [
		"security-copilot-promptbook-threat-actor-profile"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a28a922-23e0-4406-a014-7db6ad9fc41e",
			"created_at": "2025-03-04T02:00:03.000021Z",
			"updated_at": "2026-04-10T02:00:03.814159Z",
			"deleted_at": null,
			"main_name": "Storm-0826",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0826",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775792021,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a32ea9221eb48b457cb14789beb97cd7d873e0e9.pdf",
		"text": "https://archive.orkl.eu/a32ea9221eb48b457cb14789beb97cd7d873e0e9.txt",
		"img": "https://archive.orkl.eu/a32ea9221eb48b457cb14789beb97cd7d873e0e9.jpg"
	}
}