February 8, 2025

Security Copilot refresh

Introduction

My first Security Copilot post was published about a year ago (Dec 3, 2023). Security Copilot became generally available (GA) on April 1st, 2024 and it has developed a lot since then. And the development continues.

This AI-powered security solution is designed to help security and IT professionals respond to threats more quickly, process signals at machine speed, and assess risk exposure in minutes.

Some key features include:

- Investigating and remediating security threats: Provides step-by-step response guidance.
- Building and reverse-engineering scripts: Translates technical tasks into natural language.
- Exploring risks and managing security posture: Offers prioritized risks and actionable insights.
- Troubleshooting IT issues: Synthesizes relevant information rapidly.

It integrates seamlessly with other Microsoft Security products like Microsoft Defender XDR, Microsoft Sentinel, Entra ID, Microsoft Intune and many more. Now, ten months after its general availability, Security Copilot continues to introduce new feature enhancements that strengthen its position as the leading gen-AI tool for security.

Security Copilot has developed a lot within a year. It now has 12 Microsoft-managed plugins and 34 non-managed plugins. It’s also possible to build your own plugins. Check the current integrations here.

The portal usage

If you start a fresh SCU session, this is what you see when you open the securitycopilot.microsoft.com URL (otherwise you might have 90 days of session memory) AFTER creating the session or accepting the previously made SCU resource in Azure. You can try prompts based on your role or a featured product plugin, or you can try ready-made promptbooks.

Security Copilot main page.

Roles to choose

In the prompts screen you can select which of these roles to use, and the view changes based on the role.
Role selection in Security Copilot

For example, if you choose “Threat Intel Analyst” you can see these ready-made prompts etc.

Threat Intel Analyst prompts in Security Copilot.

Product plugins to choose

And the plugin dropdown shows more than I could capture. And if I chose “Purview” it looked like this:

Ready-made Purview plugin prompts.

Example case with Purview

This is an example case to show how Security Copilot works in the portal and in the embedded way. We have this “medium severity DLP alert with ID 3e6607b8-8ff6-7180-a400-08dd44e0e150”.

The summary of the alert in the portal looks like this:

The embedded experience

The embedded usage means that you can use Security Copilot functions within the other portals like:

- Defender XDR (security.microsoft.com)
- Purview (purview.microsoft.com)
- Entra ID (entra.microsoft.com) (public preview)
- Intune (intune.microsoft.com) (public preview)
- Defender for Cloud (via Azure portal) (limited public preview)

Yet there are many more to come.

But anyway, let’s continue our example case. Let’s look at the same alert in the Purview portal with the embedded experience.

Security Copilot in Purview.

Other new settings

Logging audit data in Microsoft Purview

If turned on, Security Copilot will process and store admin actions, user actions, and system responses using Microsoft Purview. Data will be stored in the data region where your Microsoft 365 data is stored. Learn more about Microsoft Purview’s data residency.

The Purview audit log is one kind of solution. You can find more about Purview audit log activities here, but the picture below shows what Security Copilot answered.

Purview with Security Copilot.

Usage monitoring

The usage monitoring dashboard provides a comprehensive view into various data dimensions to help you keep track of security compute unit usage in Security Copilot.
You’ll have visibility into the number of units used, the specific plugins employed during sessions, and the initiators of those sessions. The dashboard also allows you to apply filters and export usage data seamlessly. The dashboard includes up to 90 days of data, offering a robust window into recent activity.

Source: MS Learn

Trainings & documents

Microsoft Security Copilot Flight School

Microsoft Security Copilot Flight School is a series of videos where you can learn different topics about Security Copilot.

MS Learn training path

There is a training path for Security Copilot in MS Learn with title

MS Learn documentation

The Security Copilot documentation is found in MS Learn.

Latest updates

What’s new in Microsoft Security Copilot? | Microsoft Learn (click here to see them all)

December 2024:

- Security Copilot Adoption Hub: A new feature providing useful links to training, videos, GitHub repository for sample plugins, and other technical readiness information.
- Persona-based Prompt Library: A redesign of the standalone portal landing page with recommended starter prompts to help users get started quickly.
- Usage Dashboard: Improved filtering capabilities and numeric rendering of usage data on exportable Excel sheets.

November 2024:

- Microsoft Entra Integration: Users can now engage with Security Copilot directly in the Microsoft Entra Admin Center for identity context and insights.
- Aviatrix Plugin: Partnership with Aviatrix to leverage Microsoft Defender Threat Intelligence for firewall policy enforcement.
- CheckPhish Plugin: Allows users to analyze URLs for potential phishing threats and other security risks.

October 2024:

- Data Retrieval POST Operations for API Plugins: Enhancements to API plugins for better data retrieval.

Conclusions

Security Copilot has developed a lot within a year. It now has 12 Microsoft-managed plugins and 34 non-managed plugins. It’s also possible to build your own plugins. I personally like this embedded experience.
But of course some settings need to be made somewhere, so would it be better to make them in Azure, where you also create the SCU resource? I’m not sure.

Enabling / disabling the service is quite tricky if you have just random use, because you have to remember to delete the SCU resource from Azure (unless you have built automation in Azure) if you don’t want to use it; otherwise your Azure bill will keep growing.

I would like to see some kind of start/stop function in the future, like several Azure products have. Anyway, I still think this is a good add-on for security operations teams. But there’s more to come…