Microsoft releasing a game changing feature?
The Microsoft Security Copilot feature may be the biggest change to security monitoring for some time.
Microsoft has released some information about its upcoming feature "Security Copilot", which integrates with Microsoft Sentinel and Microsoft 365 Defender. Security Copilot is currently in an early access program that is an invite-only paid preview. All the information in this post comes from the Microsoft Learn documentation, publicly accessible here:
https://learn.microsoft.com/en-us/security-copilot/microsoft-security-copilot
What is Microsoft Security Copilot?
An assistive copilot experience that helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management. Copilot integrates with Microsoft security tools such as Microsoft 365 Defender, Microsoft Sentinel and Microsoft Intune, as well as third-party services such as ServiceNow.
Below is a data-flow diagram of how Microsoft Security Copilot is used via prompts from the Microsoft security tools:
(Source: https://learn.microsoft.com/en-us/security-copilot/microsoft-security-copilot)
What can Microsoft Security Copilot do?
The documentation lists several tasks Copilot can perform:
Summarize incidents in Microsoft 365 Defender
Incidents containing up to 100 alerts can be condensed into one incident summary. Depending on the availability of the data, an incident summary includes the following:
The time and date when an attack started.
The entity or asset where the attack started.
A summary of timelines of how the attack unfolded.
The assets involved in the attack.
Indicators of compromise (IOCs).
Names of threat actors involved.
(Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-incident-summary?view=o365-worldwide)
Analyze scripts and code in Microsoft 365 Defender
Through AI-powered investigation capabilities from Microsoft Security Copilot embedded in Microsoft 365 Defender, security teams can speed up their analysis of malicious or suspicious scripts and code in PowerShell, batch, and bash.
The script analysis capability of Security Copilot in Microsoft 365 Defender gives security teams added capacity to inspect scripts and code without using external tools. This capability also reduces the complexity of analysis, allowing security teams to quickly assess a script and classify it as malicious or benign.
(Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-script-analysis?view=o365-worldwide)
Guided responses in Microsoft 365 Defender
Security Copilot and Microsoft 365 Defender use AI and machine learning capabilities to contextualize an incident and learn from previous investigations in order to generate appropriate response actions.
Responding to incidents in Microsoft 365 Defender often requires familiarity with the actions available in the portal to stop attacks. In addition, new incident responders might have different ideas of where and how to start responding to an incident. The guided response capability of Security Copilot in Microsoft 365 Defender allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents.
(Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-guided-response?view=o365-worldwide)
Generate KQL in Microsoft 365 Defender
Threat hunters or security analysts who are not yet familiar with KQL can make a request or ask a question in natural language (for instance, "Get all alerts involving user admin123"). Security Copilot then generates a KQL query that corresponds to the request using the advanced hunting data schema.
This feature reduces the time it takes to write a hunting query from scratch, so that threat hunters and security analysts can focus on hunting and investigating threats.
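To make the example request concrete, here is the kind of advanced hunting query that "Get all alerts involving user admin123" maps to. This is an added example written for this post, not output captured from Security Copilot. The table and column names (AlertEvidence, AlertInfo, EntityType, AccountName, AccountUpn, AlertId, Timestamp, Title, Severity, Category, ServiceSource) are from the Microsoft 365 Defender advanced hunting schema; the user name "admin123" and the 30-day lookback window are assumptions.

```kusto
// Added example (not generated by Security Copilot): KQL equivalent of
// "Get all alerts involving user admin123" against the advanced hunting schema.
// Assumptions: the user name "admin123" and the 30-day lookback window.
let targetUser = "admin123";
AlertEvidence
| where Timestamp > ago(30d)
// Only evidence rows that describe a user entity, not devices, files or IPs
| where EntityType == "User"
// Match the SAM account name case-insensitively, or a UPN such as admin123@<domain>
| where AccountName =~ targetUser or AccountUpn startswith strcat(targetUser, "@")
// One row per alert, even if the user appears in several evidence items
| distinct AlertId, AccountName, AccountUpn
| join kind=inner (
    AlertInfo
    | project AlertId, Timestamp, Title, Severity, Category, ServiceSource
) on AlertId
| project Timestamp, AlertId, Title, Severity, Category, ServiceSource, AccountName, AccountUpn
| order by Timestamp desc
```

The four lines worth checking before running any generated query of this shape are the ones that decide scope: the time window (ago(30d)), the EntityType filter, which identifier column is matched (AccountName versus AccountUpn) and whether the comparison is case-insensitive (=~ and startswith are; == is not). A generated query that gets any of these wrong returns a plausible-looking result set that is silently too narrow or too wide, which is the failure mode to watch for when analysts who cannot yet read KQL rely on it.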
Incident Reports with Security Copilot
Microsoft Security Copilot in Microsoft 365 Defender helps security operations teams write incident reports efficiently. Using Security Copilot's AI-powered data processing, security teams can create an incident report with a click of a button in Microsoft 365 Defender.
A comprehensive and clear incident report is an essential reference for security teams and security operations management. However, writing a comprehensive report with all the important details present can be a time-consuming task, as it involves collecting, organizing, and summarizing incident information from multiple sources. Security teams can now create an extensive incident report within the portal.
(Source: https://learn.microsoft.com/en-us/microsoft-365/security/defender/security-copilot-m365d-create-incident-report?view=o365-worldwide )
Initial thoughts from reading this documentation
As I have only been able to read about the features, my opinions are formed only from the documentation. This is subject to change, as this is a brand new feature that is being released by Microsoft.
The majority of the features listed will help all security operations teams reduce time to respond and time to resolve, as junior or senior security analysts will not need to spend time collecting all the information and then inferring what it means; Security Copilot will be able to do a lot of the leg work during an investigation. Copilot also helps with identifying the remediation actions that can be completed using the Defender tooling, again reducing time to respond.
I believe all the features listed would be of use to MSSPs, but also to smaller internal security teams that are trying to juggle multiple roles at the same time. However, as we all know, AI can be quite costly when it comes to Large Language Models (LLMs), which is what Security Copilot uses. So if the cost of enabling this feature is very high, this may cause smaller companies not to add this tool to their arsenal, as their budgets may not be as big as those of large MSSPs.
Overall I am all for this change; AI looks set to impact all our jobs, hopefully for the better. This new feature from Microsoft will be a game changer for sure!
Let me know your thoughts about this new feature.