Practise troubleshooting with Copilot
Prompt Copilot to walk through the six-step troubleshooting method for realistic IT support scenarios.
How to rehearse troubleshooting with Copilot
- Pick real-world security incidents and gather initial facts (alerts, log entries, affected systems, timeline).
- Prompt Copilot to follow the CompTIA CySA+ (v3) incident response methodology, requesting its reasoning stage by stage.
- Challenge Copilot’s suggestions, add missing steps, and compare with official procedures.
- Document the final plan, including prevention tips and user communication notes.
- Replay the scenario with variations (different root causes, new constraints) to deepen instincts.
Stage 1: Frame the scenario
- Describe the environment, alert, and indicators: "Enterprise network, multiple failed RDP attempts from external IP, user account lockouts."
- Note recent changes (policy updates, new firewall rules) and what has already been investigated.
- State the goal of the session: determine whether the incident is malicious, assess its scope, and produce an incident report.
Prompt starter: "A SIEM alert shows 50+ failed RDP login attempts from a foreign IP targeting admin accounts. Walk through the CompTIA CySA+ (v3) incident response process with me. Ask clarifying questions when needed."
Stage 2: Step-by-step investigation
Use chain-of-thought prompting to force Copilot to articulate each troubleshooting phase. Capture its reasoning in your notes so you can critique it later.
- Ask Copilot to identify probable attack vectors, referencing relevant logs, threat intelligence, or security controls.
- Request investigation steps with justification ("Check firewall logs to identify source patterns and correlate with threat feeds").
- Evaluate Copilot's proposed containment and remediation against official guidance, and flag anything unsafe or incomplete.
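A check an analyst might write while validating Copilot's Stage 2 investigation steps for the RDP scenario above: it counts failed RDP logons per source IP, flags admin-account targeting, and correlates the source with a threat feed. This is an added example, not part of the module; the simplified log format, the internal network ranges, the "admin" naming convention and the threat-feed entry are all constructed assumptions.

```python
"""Stage 2 check for the RDP scenario: count failed RDP logons per source IP,
flag admin-account targeting and correlate with a threat feed (constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FAILED_LOGON, RDP_LOGON_TYPE = "4625", "10"   # Windows: failed logon; type 10 = RemoteInteractive (RDP)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_MARKERS = ("admin",)                    # assumed naming convention for privileged accounts
THREAT_FEED = {"203.0.113.45"}                # constructed feed entry, not real intelligence

def build_sample_logs():
    """Constructed event export, one per line: '<time> <event_id> <account> <logon_type> <src_ip>'."""
    accounts = ["administrator", "admin.svc", "sqladmin"] * 18          # 54 failed attempts
    lines = [f"2024-05-01T02:00:{i:02d}Z 4625 {a} 10 203.0.113.45" for i, a in enumerate(accounts)]
    lines.append("2024-05-01T09:14:10Z 4624 jdoe 2 10.0.0.23")          # successful logon, ignored
    lines.append("2024-05-01T09:15:00Z 4625 jdoe 10 10.0.0.23")         # single internal failure
    return "\n".join(lines)

def parse_events(text):
    """Parse the export; malformed lines are skipped rather than aborting the run."""
    fields = ("ts", "event_id", "account", "logon_type", "src_ip")
    return [dict(zip(fields, parts)) for parts in map(str.split, text.splitlines()) if len(parts) == 5]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def failed_rdp_by_source(events):
    """Group failed RDP logons by source IP and keep the set of targeted accounts."""
    summary = defaultdict(lambda: {"count": 0, "accounts": set()})
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            summary[e["src_ip"]]["count"] += 1
            summary[e["src_ip"]]["accounts"].add(e["account"])
    return summary

def triage(events, threshold=50):
    """Return one finding per source at or above the threshold, with the context Stage 2 asks for."""
    findings = []
    for ip, s in sorted(failed_rdp_by_source(events).items()):
        if s["count"] < threshold:
            continue
        admins = sorted(a for a in s["accounts"] if any(m in a.lower() for m in ADMIN_MARKERS))
        findings.append({"src_ip": ip, "failed_rdp": s["count"], "external": is_external(ip),
                         "admin_accounts": admins, "on_threat_feed": ip in THREAT_FEED})
    return findings
```

Running `triage(parse_events(build_sample_logs()))` yields a single finding for the external source, which is the evidence to compare against Copilot's reasoning before accepting its containment steps.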
Stage 3: Validate and document
- Confirm the response plan includes containment, eradication, and recovery steps (e.g., block IP, reset credentials, monitor for 72 hours).
- Ask Copilot for an executive summary and a detailed incident report entry.
- Capture lessons learned and updates to detection rules and playbooks.
Prompt: "Summarise the incident response session above into: 1) Incident report, 2) Executive summary, 3) Lessons learned and recommendations."
Stage 4: Run variations
Immediately rerun the scenario with a twist to stretch your analysis skills. For example, change the attack vector (phishing instead of brute force), affect different systems (database instead of endpoints), or introduce constraints (limited logging, encrypted traffic).
- Use role-based prompting so Copilot plays the incident commander or senior analyst questioning your decisions.
- Request alternative attack scenarios to ensure you're not tunnel-visioning.
- Note any gaps for lab practice or further reading on threat intelligence.
Practice lab
- Pick three incidents to rehearse: one malware infection, one unauthorized access attempt, one data exfiltration scenario.
- For each, run the full workflow: scenario framing, Copilot walkthrough, validation, documentation.
- Compare Copilot's approach with the CompTIA CySA+ (v3) incident response framework. Where did it excel? Where did it skip steps?
- Adjust your prompts to close gaps (e.g., "Always include chain of custody and forensic preservation steps").
Next steps
Finish the module by compiling your Copilot study portfolio.