The CfSAllinOne plugin for Copilot for Security is a custom plugin built on several KQL queries and tied to a Log Analytics workspace used by Microsoft Sentinel. The plugin can also be used in environments without Sentinel, but that requires creating a new Log Analytics workspace and then manually adding the specific Diagnostic Settings that send the log data the queries depend on.
See: Using a non-Sentinel Log Analytics Workspace with Copilot for Security
But the KQL queries that power this plugin can each be used on their own. You can run them manually in the Logs blade of Microsoft Sentinel to look for Copilot for Security activity, or turn them into Analytics Rules in Microsoft Sentinel so that when the specific activity occurs you are notified through the Microsoft Sentinel or Defender XDR consoles, or through a Playbook that notifies you some other way.
Grab the most current queries from the GitHub repo…
All the queries: https://github.com/rod-trent/Copilot-for-Security/tree/main/Other/Queries
Tips:
When creating Analytics Rules from the queries, keep a few things in mind…
1. Unless the activity is obviously critical, set the Severity to Informational so you don't alarm your security team with every hit.
2. Adjust the queries so they all look for occurrences in the last 24 hours, i.e., | where TimeGenerated >= ago(24h), and set the rule's "Lookup data from the last" period to match. Run the rule no more often than that window unless you want the same event raised repeatedly (which is one reason Tip 4 matters).
3. Set the Entity mapping in the Analytics Rule, mapping the query's output columns (user, IP address, and so on) to the closest matching entity types so incidents get the right entities attached.
4. Enable Alert Grouping. Some of the alerts can be noisy.
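Putting the four tips together, here is an added example (not from the original post or from the GitHub repo) of one of these queries deployed as a scheduled Analytics Rule in Bicep. The query body is a stand-in: it assumes Microsoft Entra sign-in logs (SigninLogs) are in the workspace and that the Copilot for Security app's display name contains "Copilot for Security", which you should verify in your own tenant. Substitute the query you take from the repo, keeping output columns you can map to entities. The workspace parameter and rule name are placeholders.

```bicep
// Added example: a Microsoft Sentinel scheduled Analytics Rule that applies the four tips.
// Assumptions (not from the original post): the query uses SigninLogs as a stand-in data
// source and the AppDisplayName filter is hypothetical; replace it with a repo query.
@description('Log Analytics workspace that Microsoft Sentinel is enabled on')
param workspaceName string

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource cfsActivityRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: guid(workspace.id, 'cfs-signin-activity') // rule id; any stable unique string works
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Copilot for Security - sign-in activity (last 24h)'
    description: 'Stand-in query; replace with one of the repo queries.'
    enabled: true
    // Tip 1: Informational unless the activity is obviously critical
    severity: 'Informational'
    // Tip 2: the query filters to the last 24h and the rule lookback below matches it
    query: '''
SigninLogs
| where TimeGenerated >= ago(24h)
| where AppDisplayName has "Copilot for Security"   // assumed app name; verify in your tenant
| summarize SignInCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
'''
    queryFrequency: 'P1D'   // run once a day ...
    queryPeriod: 'P1D'      // ... over exactly the 24h the query filters, so rows are not re-alerted
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    eventGroupingSettings: {
      aggregationKind: 'AlertPerResult'   // one alert per user/IP row, not one for the whole batch
    }
    // Tip 3: map the query's output columns to the closest entity types
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          {
            identifier: 'FullName'
            columnName: 'UserPrincipalName'
          }
        ]
      }
      {
        entityType: 'IP'
        fieldMappings: [
          {
            identifier: 'Address'
            columnName: 'IPAddress'
          }
        ]
      }
    ]
    // Tip 4: group alerts so a noisy rule does not open one incident per alert
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'AllEntities'
      }
    }
  }
}
```

Deploy it at the resource-group scope of the workspace (for example with az deployment group create). If you change queryFrequency to run more often than queryPeriod, expect the same row to alert on every run; the grouping configuration will fold those into one incident, but the alert count itself will still climb.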
NOTE: There's work being done to surface more data about more Copilot for Security activities, so this repository of KQL queries will be updated often.