Although Microsoft only just recently introduced Copilot, an OpenAI-based chatbot for Office, Microsoft quickly followed that up with Security Copilot.
Like its Office counterpart, Security Copilot is essentially a chatbot. However, whereas the initial Copilot release focuses on Office, Security Copilot is all about enterprise security. Security Copilot ingests the data from various security tools and aims to help security pros make sense of what’s happening in the organization’s environment.
You can use Security Copilot’s simple chat interface to ask questions such as the following:
- What are some trending threats?
- How can I improve my security posture?
- Which alerts are being triggered the most?
- What are the security incidents that are still unresolved?
- Can you give me a summary of the Log4J vulnerability?
As useful as it is to use natural-language queries to examine your organization’s security, Security Copilot provides additional features that might prove even more valuable.
Security Copilot’s Import Feature Simplifies Incident Identification
One such feature is the ability to import data. Even though the Security Copilot interface is essentially just a text box, you can drag and drop files to the text box, thereby allowing Security Copilot to analyze the file.
Incidentally, you aren’t just limited to working with files. You can also provide Security Copilot with URLs and code snippets.
To give you a more concrete example of why this feature is so useful, consider a recent Microsoft demo. In the demo, the presenter dragged a JSON-based log file to the Security Copilot interface, then asked if the file contains any malicious activity related to a suspicious login event detected by Microsoft Sentinel.
You can see a screen capture from the demo in Figure 1.
Figure 1. You can drag and drop files to Security Copilot.
Some may think of this functionality as nothing more than log parsing. However, when you parse a security log to identify an incident, you generally must know what you are looking for (relevant event IDs, etc.). Security Copilot makes it so you don’t need to have a detailed understanding of the events within the log file. You can just tell Security Copilot what you are looking for, and it will then identify which items within the file are relevant.
Although Microsoft used a log file in its Security Copilot demo, presumably you could ask Security Copilot questions about a variety of file types.
How Prompt Books Help Automate Incident Response
Another compelling feature is Prompt Book. A Prompt Book is essentially a collection of steps or automation that can be executed from within Security Copilot.
For example, in the Microsoft demo referenced above, a Prompt Book was created to reverse-engineer a malicious PowerShell script. Because the required steps are saved to a Prompt Book, Microsoft can make that functionality available for anyone to use, even if they have no experience in reverse-engineering code.
In Figure 2, you can see the Prompt Book shown in the demo. The Prompt Book is designed to reverse-engineer a script, explain the script’s capabilities, and produce a visual that explains the entire incident surrounding the script.
Figure 2. This Prompt Book reverse-engineers a script and produces a visual outlining the incident surrounding the script.
Figure 3 illustrates the first step that is performed when executing this Prompt Book. As you can see, Security Copilot has analyzed the script and found that it is designed to download an executable called DoorBreach.exe.
Figure 3. Security Copilot has analyzed the script in question.
Next, this Prompt Book creates a flow chart that shows the full progression of the exploit. It shows which user triggered the exploit and from where. Figure 4 shows that a user named Devon Torres worked from Workstation8, used OneNote, and opened a file called SalesLeads(1).onepkg. That package launched WSScript.exe, which in turn launched PowerShell and invoked the malicious script. That script then launched an executable that established a connection to a remote server and the domain controller.
Figure 4. Security Copilot has created a visual of the incident.
Because Security Copilot is new, it is difficult to know for sure how well it will work in the real world. Even so, Microsoft’s recent Security Copilot demo looks extremely promising.
About the author
Brien Posey is a bestselling technology author, speaker, and 21x Microsoft MVP. In addition to his ongoing work in IT, Posey has trained as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.
