Posts

Use Case: Investigate an Incident and Associated Suspicious Entities

Scenario
Security analysts are usually assigned the responsibility of investigating alerts and obtaining the information relevant to an incident. To ascertain the possible impact on the organization, they correlate data from various sources and perform root cause analysis. Depending on the situation, analysts may have to look at malware, reverse engineer files or scripts, analyze logs, and examine the URLs they encountered. Knowing which remediation actions to take, and how to communicate important findings to stakeholders so they stay updated on the incident's current status, are crucial aspects of an investigation.

Steps:
Start investigating in Microsoft Defender XDR. Analyze the suspicious script. Extend the investigation in Security Copilot via natural language prompts and additional plugins. To gain a more comprehensive understanding of the incident, use Security Copilot to gather more information about the suspicious activity seen in the command line script.

Prompt used: ...

Use Case: Triage Incidents Based-on Enrichment from Threat Intelligence

Scenario
A Security Operations Center (SOC) analyst should examine the assigned alerts and incidents to determine whether action is actually required. Use the information in the incident-related alerts to direct the procedure. To better understand what to do next, contextual information should be gathered frequently. Once the underlying alerts are fully understood and the involved entities have been examined, one can decide whether to escalate or resolve the issue.

Steps
Start with Security Copilot. Retrieve the latest assigned Microsoft Defender XDR incident and summarize the alerts associated with it.
Prompt used: What is the latest active Defender incident assigned to me? Summarize it, including the alerts associated with it.
Focus on specific entities to get more information about them.
Prompt used: Elaborate on the details of this alert, including the entities involved.
Get more information to guide next steps. What type of actions might...

Security Copilot Use Cases for Security & IT Roles

Investigate and Remediate Security Threats
Get incident context to swiftly distill complicated security alerts into actionable summaries and expedite remediation with detailed response instructions.
SOC- Get practical, step-by-step incident response instructions that cover containment, investigation, remediation, and triage.
Investigate admins- Simplify incident resolution by rapidly condensing important data, such as sign-in logs, user roles, and risk factors, to help analysts understand the extent and details of a possible compromise.
CISO- Get the most recent, condensed threat intelligence from open sources and Microsoft that offers contextual information on pertinent exposures, threat actors, tools, and tactics.

Build KQL Queries or Analyze Suspicious Scripts
Use natural language translation to remove the need to manually write query-language scripts or reverse-engineer malware scripts, so that all team members can work on technical tasks.
TI Analyst- Create...

Prompting in Microsoft Security Copilot

Introduction
After setting up Security Copilot, prompts can be used. Prompts are the primary input Security Copilot requires to generate answers that help with security-related tasks. Promptbooks are series of prompts that have been put together to accomplish a specific security-related task.

Use the Prompts and Promptbooks Library
Security Copilot's prompts and promptbooks library lets you quickly leverage the platform's capabilities in a way that fits your role. The purpose of these prompts and promptbooks is to walk you through the features and capabilities most pertinent to your line of work. To help you expedite your work and increase your productivity, the curated prompts and promptbooks offer simple access to role-based examples that get you prompting quickly.

Apply Filters
To locate the prompts and promptbooks that are most relevant, filters can be applied. Using a variety of filters can refine search results to better f...

Authentication in Microsoft Security Copilot

Introduction
Copilot uses active Microsoft plugins to access security-related data on behalf of the authenticated user. To access the Security Copilot platform, a group or individual must be assigned specific Security Copilot roles.
Security Copilot RBAC roles are not Microsoft Entra roles. Security Copilot roles are defined and managed within Copilot and only grant access to Security Copilot features. Microsoft Entra RBAC grants access across the Microsoft portfolio of products, including services that contain security data. These roles are managed through the Microsoft Entra admin center.
Azure RBAC controls access to Azure resources such as Security Capacity Units (SCU) in a resource group, or Microsoft Sentinel-enabled workspaces.

Access the Security Copilot platform
Configure Security Copilot RBAC to control user access to the Security Copilot platform once Security Copilot has been onboarded. Next, use Conditional Access policies to further strengthen the security coverage....

Get Started with Microsoft Security Copilot

Introduction
Security Copilot is a generative AI security product that enables IT and security professionals to process signals, evaluate risk exposure, and respond to cyberthreats at the speed and scale of artificial intelligence. Before getting started, however, one has to understand its requirements.

Minimum Requirements
Subscription- An Azure subscription is required to purchase security compute units.
Security compute units- Security compute units are the resource units Microsoft Copilot needs to operate reliably and consistently. Security Copilot is billed on an hourly basis and is offered in a provisioned capacity model. Security Compute Units (SCUs) can be provisioned and scaled up or down at any time. Billing is calculated in hourly blocks with a minimum of one hour rather than in 60-minute increments; regardless of start or end times, any usage within the same hour is billed as a full SCU.
Capacity- In Security Copi...

Zero Trust Principles in Microsoft Security Copilot

Introduction
The Zero Trust security approach treats every connection and resource request as if it came from an uncontrolled network and a malicious actor. No matter where the request comes from or which resource it uses, Zero Trust encourages us to "never trust, always verify."
To apply Zero Trust principles to Microsoft Security Copilot, five layers of protection should be applied. The five steps are discussed below:

Step 1: Deploy or validate identity and access policies for admin and SecOps staff
The first step is to stop bad actors from gaining access to Security Copilot so they can't use it to quickly learn about cyberattacks. Users must change their passwords when high-risk activity is identified, and their accounts must use multifactor authentication (MFA) so that access can't be compromised by simple password guessing. Devices must comply with Intune management and device compliance policies. These recommendations align with the Specia...