Brief: MDTI and Copilot for Security
Accessing and using Microsoft's threat intelligence via natural language
What is Copilot for Security?
Copilot for Security is Microsoft's natural-language security assistant. Through its MDTI integration it lets customers access, operate on, and correlate Microsoft's raw and finished threat intelligence, both in the standalone Copilot for Security portal and embedded in Defender XDR. Instead of navigating the MDTI portal by hand, you type natural language prompts and Copilot for Security retrieves and analyzes the matching threat intelligence data and content from Microsoft Defender Threat Intelligence (MDTI).
What is MDTI?
MDTI is Microsoft's threat intelligence service: it gives customers access to Microsoft's threat intelligence data and finished content. Its data sets and content types include indicators of compromise (IOCs) with reputation and context, threat articles, and intel profiles covering threat actor groups, malware families, and attack techniques. MDTI also provides contextual analysis of current threats and trends, together with actionable recommendations and guidance.
How to use MDTI through Copilot for Security?
MDTI powers Copilot for Security through a set of Threat Intelligence skills and promptbooks. A skill is a single capability, invoked in natural language, that retrieves or operates on one kind of MDTI data or content. A promptbook is a pre-defined sequence of prompts that chains several skills and correlates MDTI data and content with other security information in Defender XDR, such as incidents and hunting results. Both are available in the standalone and the embedded Copilot for Security experiences.
· The standalone Copilot for Security experience is a web application reached from a browser. Use it to query MDTI data and content directly, without leaving the Copilot for Security interface.
· The embedded Copilot for Security experience is the same natural language interface integrated into the Defender XDR portal. Use it to bring MDTI data and content into the Defender XDR task you are already performing, such as investigating an incident, hunting for threats, or creating alerts: Copilot enriches the incident or query in front of you with MDTI context, and carries the indicators from that incident or query into MDTI lookups.
Examples of MDTI skills and promptbooks
Here are some examples of how you can use MDTI skills and promptbooks through Copilot for Security. In every case Copilot for Security returns a generated summary of MDTI content, so confirm an indicator verdict or actor attribution against the underlying MDTI record before taking blocking or escalation action on it.
· Use the Get indicator details skill to retrieve information on a specific indicator, such as an IP address or a domain name. For example, type Get indicator details for 8.8.8.8 and Copilot for Security returns the MDTI data and content related to that IP address: geolocation, reputation, associated threat actor groups, and related incidents. (8.8.8.8 is Google's public DNS resolver, so expect a neutral reputation; the same prompt against an indicator taken from an active incident is where the context earns its keep.)
· Use the Get threat article skill to retrieve a threat article that gives an overview and analysis of a specific threat or trend. For example, type Get threat article for SolarWinds and Copilot for Security returns the MDTI threat article covering the SolarWinds supply chain compromise, including its background, impact, indicators, and mitigation recommendations.
· Use the Get intel profile skill to retrieve an intel profile, the in-depth view of a specific threat actor group, malware family, or attack technique. For example, type Get intel profile for APT28 and Copilot for Security returns the MDTI intel profile for the APT28 threat actor group, including its aliases, objectives, capabilities, tactics, techniques, and procedures (TTPs), and associated indicators.
· Use the Correlate incident with MDTI promptbook to correlate a Defender XDR incident with MDTI data and content and add context and insight to the incident. For example, type Correlate incident 1234 with MDTI and Copilot for Security runs a series of skills over the incident's indicators and returns the related MDTI data and content: the indicators involved, the associated threat actor groups, the relevant threat articles, and the applicable intel profiles.
· Use the Correlate MDTI with hunting promptbook to correlate MDTI data and content with your hunting activity in Defender XDR and feed that context back into your hunting queries. For example, type Correlate MDTI with hunting for domains with low reputation and Copilot for Security runs a series of skills over the domains in your hunting results and returns the related MDTI data and content: the domains with low reputation, the associated threat actor groups, the relevant threat articles, and the applicable intel profiles.
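The two promptbooks above are chains of skills. To make the shape of such a chain concrete, here is an added example in Python, written for this page and not taken from Microsoft's implementation (Copilot for Security promptbook internals are not public): it pulls indicators out of a constructed Defender XDR incident, refangs and classifies each one, calls a local stand-in for the Get indicator details skill, and merges the per-indicator answers into one incident-level verdict. MDTI_SAMPLE and INCIDENT_1234, the field names inside them, and all function names are constructed for the example and are not MDTI's real schema or API.

```python
"""
Simulated 'Correlate incident with MDTI' promptbook run over constructed data.

Added example, not Microsoft's code: promptbook internals are not public.
It shows what a promptbook does in outline, which is chain skills (extract
indicators, normalise them, call 'Get indicator details' for each) and merge
the per-indicator answers into one incident-level view. MDTI_SAMPLE and
INCIDENT_1234 are constructed stand-ins for MDTI and Defender XDR responses;
their field names are illustrative, not the real schema.
"""
import ipaddress
import re

# Constructed threat-intel table standing in for MDTI indicator data.
MDTI_SAMPLE = {
    "203.0.113.7": {"reputation": "malicious", "score": 95,
                    "actors": ["Example Actor A"],
                    "articles": ["Campaign against retail"]},
    "bad.example.net": {"reputation": "suspicious", "score": 60,
                        "actors": ["Example Actor A"],
                        "articles": ["Campaign against retail", "Lookalike domains"]},
    "8.8.8.8": {"reputation": "neutral", "score": 0, "actors": [], "articles": []},
}

# Constructed Defender XDR incident; the entity values are what an analyst
# typically has to hand, including defanged and duplicated indicators.
INCIDENT_1234 = {
    "id": 1234,
    "title": "Suspicious outbound connections",
    "entities": [
        {"type": "ip", "value": "203[.]0[.]113[.]7"},
        {"type": "url", "value": "hxxp://bad.example.net/login"},
        {"type": "ip", "value": "8.8.8.8"},
        {"type": "ip", "value": "203.0.113.7"},
        {"type": "domain", "value": "internal.corp.local"},   # nothing in MDTI
    ],
}

SEVERITY = {"malicious": 3, "suspicious": 2, "neutral": 1, "unknown": 0}


def refang(value):
    """Undo common defanging so the indicator matches what MDTI indexes."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    return re.sub(r"^hxxp(s?://)", r"http\1", v, flags=re.IGNORECASE)


def classify(value):
    """Skill: normalise an indicator and decide which lookup it needs.

    Returns (kind, key). URLs are reduced to their host, because reputation
    is keyed by host, and the host is then classified as an IP or a domain.
    """
    v = refang(value)
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    m = re.match(r"^https?://([^/:?#]+)", v, re.IGNORECASE)
    if m:
        return classify(m.group(1))
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v, re.IGNORECASE):
        return "hash", v.lower()
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", v, re.IGNORECASE):
        return "domain", v.lower()
    return "unknown", v


def get_indicator_details(key, ti=MDTI_SAMPLE):
    """Skill: the 'Get indicator details' step. None means MDTI has no record."""
    return ti.get(key)


def correlate_incident_with_mdti(incident, ti=MDTI_SAMPLE):
    """Promptbook: run the skills per indicator and merge into one summary."""
    seen, rows = set(), []
    for entity in incident["entities"]:
        kind, key = classify(entity["value"])
        if kind == "unknown" or key in seen:      # unparseable or duplicate
            continue
        seen.add(key)
        d = get_indicator_details(key, ti) or {"reputation": "unknown", "score": None,
                                               "actors": [], "articles": []}
        rows.append({"indicator": key, "kind": kind, **d})
    # Worst verdict first; the overall verdict is the worst indicator's verdict.
    rows.sort(key=lambda r: SEVERITY[r["reputation"]], reverse=True)
    return {
        "incident": incident["id"],
        "verdict": rows[0]["reputation"] if rows else "unknown",
        "indicators": rows,
        "actors": sorted({a for r in rows for a in r["actors"]}),
        "articles": sorted({a for r in rows for a in r["articles"]}),
        # Indicators MDTI knows nothing about still need analyst attention.
        "no_mdti_coverage": [r["indicator"] for r in rows if r["reputation"] == "unknown"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(correlate_incident_with_mdti(INCIDENT_1234), indent=2))
```

Three details matter more than the lookups themselves: defanged indicators are refanged before lookup (otherwise `203[.]0[.]113[.]7` silently misses), duplicates are collapsed so one indicator does not inflate the result, and indicators MDTI has no record for are listed separately rather than dropped, so an incident is not reported as clean just because its indicators are unknown to the feed.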