What is Copilot for Security?
Microsoft Copilot for Security shatters traditional security software limitations. It leverages cutting-edge large language models (LLMs) from OpenAI, along with vast security data and threat intelligence (encompassing a staggering 78 trillion daily security signals), to empower security teams with unmatched speed and scale.
So that’s super clear: AI helps us humans, so we don’t have to become robots.
But the only confusion I have 😶 is: is it #c4s or #cfs?
Features
Copilot for Security simplifies several key security tasks through the power of generative AI.
Use Case | Description | Benefit |
---|---|---|
Incident Summarization | Leverages AI to condense complex security alerts into clear, actionable summaries. | Improves communication, reduces response times, and streamlines decision-making. |
Impact Analysis | Analyzes security incidents using AI to assess potential impact. | Provides insights into affected systems and data for effective prioritization of response efforts. |
Reverse Engineering of Scripts | Eliminates manual work by automatically translating complex scripts into natural language with explanations. | Enables all analysts to understand attacker actions, extract indicators of compromise, and link them to relevant entities. |
Guided Response | Offers step-by-step guidance for incident response, including triage, investigation, containment, and remediation. | Provides actionable steps with relevant deep links, allowing for faster and more effective response. |
Security Copilot: Standalone vs. Embedded Experiences
Security Copilot empowers not only veteran security analysts, but also new members of the security and IT team. It offers two distinct ways to leverage its capabilities: through an immersive standalone portal or as embedded experiences within existing security products. The choice between these options depends on your team’s preference:
- Centralized View (Standalone): Ideal for teams who prioritize a holistic view. The standalone portal allows pulling data from multiple tools into one location, facilitating faster incident troubleshooting and remediation within Security Copilot. This approach fosters enriched cross-product guidance by providing a broader context for investigations.
- Seamless Integration (Embedded): This option emphasizes familiarity. Security Copilot guidance is seamlessly integrated within the existing security products your team already uses, providing a familiar and intuitive experience. This allows them to leverage Copilot’s assistance without switching between different applications.
So there are two interfaces for it, check ✅
Permissions
By default, Everyone has Copilot contributor access. Consider replacing this broad access with specific users or groups.
Capability | Copilot owner | Copilot contributor |
---|---|---|
Create sessions | Yes | Yes |
Manage personal custom plugins | Yes | Default No |
Allow contributors to manage personal custom plugins | Yes | No |
Allow contributors to publish custom plugins for the tenant | Yes | No |
Upload files | Yes | Yes |
Run promptbooks | Yes | Yes |
Manage personal promptbooks | Yes | Yes |
Share promptbooks with tenant | Yes | Yes |
Update data sharing and feedback options | Yes | No |
Capacity management | Yes* | No |
Data evaluation | Yes | No |
View usage dashboard | Yes | No |
Select language | Yes | Yes |
Be sure to check them permissions admins! ✅
Custom plugins
Every Copilot for Security plugin requires a YAML or JSON formatted manifest file (for example: `plugin.yaml` or `plugin.json`) which describes metadata about the skill set and how to invoke the skills.
A manifest consists of two required top level keys, `Descriptor` and `SkillGroups`, each with sub-key or value pairs, and required/optional fields depending on the skill format.
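A quick structural check for such a manifest, written for this post as an added example (it is not Microsoft's tooling): it parses the JSON form, confirms the two required top level keys `Descriptor` and `SkillGroups` are present, and reports what is missing, which is a handy gate before a contributor publishes a custom plugin to the tenant. The sample manifest and the field names below the two top level keys are assumptions taken from the public plugin format.

```python
import json

# Constructed sample manifest in its JSON form. The two top-level keys are the
# ones the text names; the fields beneath them follow the public plugin
# format as an assumption for this example.
GOOD_MANIFEST = """{
  "Descriptor": {"Name": "ExampleTriagePlugin",
                 "DisplayName": "Example triage helper",
                 "Description": "Explains an alert in plain language (example only)."},
  "SkillGroups": [{
    "Format": "GPT",
    "Skills": [{"Name": "SummariseAlert",
                "DisplayName": "Summarise alert",
                "Description": "Turns a raw alert payload into a short summary.",
                "Inputs": [{"Name": "alert", "Description": "Raw alert JSON", "Required": true}]}]
  }]
}"""

REQUIRED_TOP_LEVEL = ("Descriptor", "SkillGroups")
REQUIRED_DESCRIPTOR = ("Name", "DisplayName", "Description")


def validate_manifest(text: str) -> list[str]:
    """Parse a JSON manifest and return a list of problems; empty means it passes."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["manifest root must be an object"]
    errors = [f"missing top-level key: {k}" for k in REQUIRED_TOP_LEVEL if k not in doc]
    desc = doc.get("Descriptor")
    if isinstance(desc, dict):
        errors += [f"Descriptor.{k} is missing or empty" for k in REQUIRED_DESCRIPTOR if not desc.get(k)]
    elif desc is not None:
        errors.append("Descriptor must be a mapping")
    groups = doc.get("SkillGroups")
    if groups is not None and (not isinstance(groups, list) or not groups):
        errors.append("SkillGroups must be a non-empty list")
    elif groups:
        for i, group in enumerate(groups):
            if not isinstance(group, dict) or "Format" not in group:
                errors.append(f"SkillGroups[{i}] is not a mapping with a Format")
                continue
            skills = group.get("Skills") or []
            if not skills:
                errors.append(f"SkillGroups[{i}] declares no Skills")
            errors += [f"SkillGroups[{i}].Skills[{j}] has no Name"
                       for j, skill in enumerate(skills) if not skill.get("Name")]
    return errors
```

For a YAML manifest, load it with a YAML parser into the same dict shape and pass it through the same checks.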
Prompt requests flow
When you ask Copilot a question (called a prompt), it works its magic to deliver the most relevant and helpful answer. The following diagram breaks down this process to show you what happens behind the scenes.
And to get accurate answers, write good prompts: the machine works better with good inputs! ✅
Learning Resources
Ah yes, Rod always has excellent sources for us to upskill our game.
And SOCAutomators with the help from Andrea
If you want to upskill your game with LLMs and Copilot for Security, be sure to check The Circle Community which is run by Elli
And even more from Learn
Don’t forget those videos, see here for Tanium 🤖
Add that automation with them plugins ✅
Pricing and Considerations
Consumption-Based Model: Copilot for Security offers a pay-as-you-go pricing structure based on usage, at approximately $4 per Security Compute Unit (SCU) per hour.
Minimum Annual Cost: To ensure continuous operation, a minimum annual cost of $35,040 USD applies (that is one SCU running every hour of the year: 8,760 h × $4), or maybe not! 🔥
Read this article from Rogier ✅
And this from Pierre to learn how to Deploy and Destroy (Love it!) with Bicep and GitHub Actions
Human-AI Collaboration Focus: Copilot for Security functions as a partner, augmenting human capabilities rather than replacing them. It’s a robot, so you don’t have to be.
What is a SCU?
Copilot for Security utilizes Security Compute Units (SCUs) to gauge the computational resources required for specific workloads. An SCU roughly translates to processing around ten workflows daily. The pricing structure for SCUs remains consistent across all regions, encompassing both the standalone and embedded deployment options.
Benefits of Copilot for Security
- Enhanced Efficiency: Experience up to a 26% reduction in response times, as reported in randomized controlled trials.
- Improved Threat Hunting: Gain valuable AI-powered recommendations to proactively identify threats.
- Empowered Security Teams: Free up senior analysts for strategic tasks while equipping junior analysts with advanced capabilities.
- Broad Applicability: Copilot for Security extends its value beyond SOC analysts, benefiting a wider range of security professionals.
Further Exploration
Randomized Controlled Trial Results: Delve into the findings of the randomized controlled trial for Copilot for Security https://www.microsoft.com/en-us/security/blog/2023/12/06/microsoft-security-copilot-drives-new-product-integrations-at-microsoft-ignite-to-empower-security-and-it-teams/
Integrations: Discover how Copilot for Security seamlessly integrates with various Microsoft security products for a holistic defense strategy:
- Azure AI Search plugin in Microsoft Copilot for Security (Preview)
- Microsoft Copilot in Microsoft Defender
- Microsoft Copilot in Microsoft Entra
- Access your Microsoft Intune data in Copilot for Security
- Microsoft Copilot for Security and Defender EASM
- Microsoft Copilot for Security and Microsoft Defender Threat Intelligence
- Microsoft Copilot for Security in Microsoft Purview
Benefits Beyond SOC Analysts
While SOC analysts significantly benefit from Copilot for Security, its value extends to a broader range of security professionals:
- DLP Analysts: Summarize DLP alerts and analyze DLP policy configurations https://learn.microsoft.com/en-us/purview/copilot-in-purview-overview
- Insider Risk Analysts: Summarize Insider Risk Management alerts and gain context around users with risky behavior https://techcommunity.microsoft.com/t5/security-compliance-and-identity/empower-data-security-teams-to-proactively-manage-insider-risks/ba-p/3975623
- IT Admins: Create device configuration profiles in Intune and leverage data-driven configuration troubleshooting and remediation https://learn.microsoft.com/en-us/mem/intune/copilot/copilot-devices
- eDiscovery Analysts: Generate Keyword Query Language from NL in eDiscovery and summarize evidence collected https://techcommunity.microsoft.com/t5/security-compliance-and-identity/the-next-era-of-ediscovery-embracing-advanced-capabilities-for-a/ba-p/3980511
- Identity Access Management Admins: Discover high risk users, overprivileged access, suspicious sign-ins in Entra https://learn.microsoft.com/en-us/entra/fundamentals/copilot-security-entra?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&toc=%2Fsecurity-copilot%2Ftoc.json#summerize-a-users-risk-level
Read here for the full documentation from Learn
ATLAS Matrix
You all know of the MITRE ATT&CK® framework, but have you heard of ATLAS? No? Well, let me introduce it to you.
ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base of adversary tactics and techniques against AI-enabled systems based on real-world attack observations and realistic demonstrations from AI red teams and security groups.
Closure
By leveraging Copilot for Security, security teams can significantly enhance their efficiency, effectiveness, and overall security posture.
Copilot for Security isn’t just a tool; it’s an intelligent partner that augments human expertise, allowing your security team to operate at an unprecedented level of efficiency and effectiveness 🤖
Even after all this, the only confusion I have 😶 is the hashtag: #c4s or #cfs?