The Ways Microsoft Security Copilot Can Enhance Security Operations with Microsoft Defender
Microsoft Security Copilot is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant with responsible AI principles. Security Copilot provides a natural language, assistive copilot experience that supports security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management. The solution leverages the full power of the OpenAI architecture to generate a response to a user prompt by using security-specific plugins, which draw on organization-specific information, authoritative sources, and global threat intelligence. By using plugins as data sources, security professionals gain wider visibility into threats and more context, and they have the opportunity to extend the solution's functionality.
Security Copilot seamlessly integrates with products in the Microsoft Security portfolio such as Microsoft 365 Defender, Microsoft Sentinel, Microsoft Intune, as well as other third-party services such as ServiceNow. In this article, we will explore how Security Copilot can enhance security operations with Microsoft Defender, a comprehensive and integrated security solution that protects endpoints, identities, email, and cloud apps from advanced threats.
Triage alerts with enriched threat intelligence
One of the use cases of Security Copilot is to triage alerts with enriched threat intelligence. Security Copilot can swiftly summarize information about an alert by enhancing alert details with context from data sources, assess its impact, and provide guidance to analysts on how to take remediation steps with guided suggestions. For example, if an analyst receives an alert from Microsoft Defender for Endpoint about a suspicious file execution, they can use Security Copilot to get more information about the file, such as its hash, reputation, origin, and behavior. Security Copilot can also provide information on the affected device, such as its hostname, IP address, operating system, and user. Security Copilot can then suggest possible actions to contain and remediate the threat, such as isolating the device, blocking the file, or running a full scan.
Hunt for threats with natural language queries
Another use case of Security Copilot is to hunt for threats with natural language queries. Security Copilot can help analysts perform threat hunting tasks by translating natural language questions into advanced hunting queries that can be executed against Microsoft Defender products, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. For example, if an analyst wants to find devices that have communicated with a known malicious domain, they can use Security Copilot to generate a query that runs on Microsoft Defender for Endpoint and returns the devices, users, and processes that made DNS requests to that domain. Security Copilot can also provide information on the malicious domain, such as its category, reputation, and associated indicators of compromise.
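The kind of advanced hunting query described above, written out as an added example (not generated by Security Copilot and not part of the original post): it assumes the Microsoft Defender for Endpoint `DeviceNetworkEvents` schema, and the domain `malicious.example` is a constructed placeholder rather than a real indicator.

```kql
// Added example: find devices, users and processes that contacted a suspect domain.
// 'malicious.example' is a constructed placeholder; replace it with the indicator
// from your own threat intelligence.
let suspectDomains = dynamic(["malicious.example"]);
let lookback = 7d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Outbound connection attempts and inspected DNS traffic both carry the remote name.
| where ActionType in ("ConnectionSuccess", "ConnectionFailed", "DnsConnectionInspected")
| where RemoteUrl has_any (suspectDomains)
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count(),
    // Cap the sets so a noisy host does not blow up the result row.
    Processes   = make_set(InitiatingProcessFileName, 10),
    Users       = make_set(InitiatingProcessAccountName, 10)
    by DeviceId, DeviceName, RemoteUrl
| order by LastSeen desc
```

The per-device `Processes` and `Users` columns give the analyst the pivot points (which binary and which account initiated the contact) that the triage step in the previous section relies on.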
Generate reports and summaries with AI
A third use case of Security Copilot is to generate reports and summaries with AI. Security Copilot can generate ready-to-share executive summaries or reports on security investigations, publicly disclosed vulnerabilities, or threat actors and their campaigns. For example, if an analyst wants to create a report on the SolarWinds supply chain attack, they can use Security Copilot to get a concise and comprehensive overview of the attack, such as its timeline, impact, attribution, mitigation, and lessons learned. Security Copilot can also provide information on the threat actor behind the attack, such as their name, aliases, objectives, tactics, techniques, and procedures. Security Copilot can also generate reports and summaries in different formats and styles, such as bullet points, paragraphs, or slides.
…
Microsoft Security Copilot is a powerful and innovative security solution that can enhance security operations with Microsoft Defender by providing a natural language, assistive copilot experience that supports security professionals in various scenarios. Security Copilot can help analysts triage alerts, hunt for threats, and generate reports and summaries with AI, while leveraging security-specific plugins and integrating with Microsoft Security products and services. Security Copilot is currently available as an invite-only paid preview program for commercial customers. To learn more about Security Copilot, visit Microsoft Security Copilot.