Microsoft Security Copilot Logic Apps Connector

By Ashwin Venugopal -

 





Introduction

The Logic Apps connector for Microsoft Security Copilot enables you to interact with Copilot through an Azure Logic Apps workflow. The connector exposes two connector actions: 
  1. Submit a Security Copilot prompt- Provide a natural language prompt to initiate a new investigation with Security Copilot. Once finished, the evaluation outcome will subsequently be returned to your workflow. 
  2. Submit a Security Copilot promptbook- Using a promptbook, initiate an evaluation of a new Security Copilot promptbook and send the results back to your Azure Logic Apps workflow. 

Prerequisites

  • Tenant- Make sure that the tenant administrator grants access to Microsoft Security Copilot prior to utilizing the connector. 

  • User Authentication- This connector is limited to delegated permissions using the OAuth Authorization Code flow. The individual who creates the connection to the connector while designing the Azure Logic Apps workflow needs to have access to Microsoft Security Copilot. 

  • Data Access for Enhanced Interaction- The ability of the authenticated user to access information from many remote security products is crucial for tasks like collecting Multifactor Authentication (MFA) details and reviewing Defender incident reports, among other things.

Submit a Security Copilot Prompt

  1. Create and set up a new Logic Apps workflow in the Azure portal.
  2. Configure the initial trigger step and proceed to search for the Copilot action "Submit a Security Copilot prompt."
  3. Fill in the parameters on the Copilot action.

Submit a Security Copilot Promptbook

  1. Create a new Azure Logic Apps workflow in the Azure portal.
  2. After setting up the Azure Logic App and configuring the initial trigger step, proceed to search for the Security Copilot action. 
  3. After selecting the new Security Copilot action, proceed to fill the asked information.

Conclusion

This blog provides an introduction to the connector action and its properties to get started integrating Security Copilot in your automation workflows.































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can...
Read more