Blogs by Ashwin

  Introduction Security Copilot supports a number of non-Microsoft plugins and has a large number of default plugins. Adding or developing own plugin is another way to increase Security Copilot's functionality. Developers and users can create plugins on the Security Copilot platform that can be used to carry out specific tasks.  Preinstalled Plugins Learn how to use the plugins safely so that when Security Copilot is reacting to the commands, it can be used to gather information or take action. Any plugin can be used according to the services a company use.  Click on the plugin button to see which plugins Security Copilot can be used. Check for the plugins that are toggled on. Security Copilot can automatically use the available plugins without any extra setup.  Microsoft Plugins Security Copilot grants access to additional Microsoft services that are already available for a company via the on-behalf-of authentication flow. Some of them are as follows: Azure AI Searc...

  About Junior, entry-level, or Tier-1 analysts can benefit from Security Copilot's assistance in more effectively and efficiently evaluating as well as handling situations. This use case includes remediation and incident analysis.  Steps Let's assume, the high-severity event named Multistage incident including initial access and lateral movement on many endpoints reported by several sources correlates to 25 alarms from different Microsoft security solutions in a Microsoft Defender XDR incident queue. Four people, three devices, and one email account are all involved. To view the attack story, navigate to the incident page. A summary of the incident and a few actions under guided reaction are automatically generated at the Security Copilot pane on the right side of the attack tale.  Read Security Copilot's summary to gain a general understanding of what happened. Choose Copy to clipboard from the options menu to copy the incident summary and then paste it into a different...

  Scenario Security Analysts are usually assigned the responsibility of looking into alerts and obtaining relevant information related to an incident. To ascertain the possible impact on the organization, they correlate data from various sources and perform root cause analyses. According to the situation analysts might have to look at malware, reverse engineer files or scripts, analyze logs, and look into URLs they saw. Knowing what remediation actions to take and how to communicate important findings to stakeholders in order to keep them updated on the incident's current status are crucial aspects of an investigation.  Steps: Start investigating in Microsoft Defender XDR. Analyze the suspicious script. Extend the investigation in Security Copilot via natural language prompts and more plugins. To gain a more comprehensive understanding of the incident, use Security Copilot to gather more information about suspicious activity seen in the command line script.  Prompt used:...

  Scenario A Security Operations Center (SOC) analyst should examine the assigned alerts and incidents to determine if an actual action is required. Use the information in the incident-related alerts to direct the procedure. In order to better understand what to do next, contextual information should be gathered frequently. Now, one can decide whether to escalate or resolve the issue after fully comprehending the underlying alerts and gaining insight from the involved entities.  Steps Start with Security Copilot. Retrieve the latest assigned Microsoft Defender XDR incident and summarize the alerts associated with it. Prompt used: What is the latest active Defender incident assigned to me ? Summarize it, including the alerts associated with it.  Focus in on specific entities to get more information about them.  Prompt used: Elaborate on the details of this alert including the entities involved.  Get more information to guide next steps. What type of actions might...

  Investigate and Remediate Security Threats Get incident context to swiftly distill complicated security alerts into actionable summaries and expedite remediate with detailed response instructions.  SOC- Get practical, step-by-step incident response instructions that cover containment, investigation, remediation, and triage.  Investigate admins- Simplify incident resolution by rapidly condensing important data, such as sign-logs, user roles, and risk factors, to assist analysts in comprehending the extent as well as details of possible compromise. CISO- Get the most recent, condensed threat intelligence from open source and Microsoft that offers contextual information on pertinent exposures, threat actors, tools, and tactics. Build KQL Queries or Analyze Suspicious Scripts Use natural language translation to remove the need to manually write query-language scripts or reverse-engineer malware scripts so that all team members can work on technical tasks. TI Analyst- Create...

  Introduction After setting up the Security Copilot, the prompts can be used. Prompts are the primary input Security Copilot required to generate answers that can help in security-related tasks. Promptbooks are a series of prompts that have been put together to accomplish a specific security-related task.  Use the Prompts and Promptbooks Library Security Copilot's prompts and promptbooks library enables you to quickly leverage the platform's capabilities in a way that fits your role. The purpose of these prompts and promptbooks is to walk you through the features and capabilities that are the most pertinent to your line of work. In order to help you expedite your work and increase your productivity, the curated prompts and promptbooks offer simple access to role-based examples that get you prompting quickly. Apply Filters To locate the prompts and promptbooks that are most relevant, filters can be applied.  Using a variety of filters can refine search results to better f...

  Introduction Copilot uses active Microsoft plugins to access security-related data on behalf of authentication. To access the Security Copilot platform, a group or individual must be assigned specific Security Copilot roles.  Security Copilot RBAC roles are not Microsoft Entra roles. Security Copilot roles are defined and managed within Copilot and only grant access to Security Copilot features. Microsoft Entra RBAC grants access across Microsoft portfolio of products including services that contain security data. These roles are managed through the Microsoft Entra admin center.  Azure RBAC controls access to Azure resources like Security Capacity Units (SCU) in a resource group, or Microsoft Sentinel enabled workspaces.  Access Security Copilot platform Configure Security Copilot RBAC to control user access to the Security Copilot platform once Security Copilot has been onboarded. Next, use conditional access policies to further strengthen the security coverage....

  Introduction The generative AI security product called Security Copilot enables IT and security professionals to process signals, evaluate risk exposure, and react to cyberthreats at the speed and scale of artificial intelligence. However firstly, one has to understand the requirements needed to get started with it. Minimum Requirements Subscription- In order to purchase security compute units, one must have an Azure subscription. Security compute units- For Microsoft Copilot to operate reliably and consistently, security compute units are the necessary resource units. Security Copilot is billed on an hourly basis and is offered in a provisioned capacity model. Security Compute Units (SCUs) can be provisioned and scaled up or down at any time. Instead of using 60-minute increments, billing is calculated in hourly blocks with a minimum of one hour. Regardless of start or end times, any usage that occurs within the same hour is billed as a full SCU.  Capacity- In Security Copi...