
Microsoft Security Copilot features you need to know

by admin

Microsoft only recently introduced Copilot, an OpenAI-based chatbot for Office, and quickly followed it with Security Copilot.

Like its Office counterpart, Security Copilot is first and foremost a chatbot. However, while the initial release of Copilot focuses on Office, Security Copilot is about enterprise security. It ingests data from various security tools and aims to help security professionals understand what is happening in a corporate environment.

You can use Security Copilot’s simple chat interface to ask questions such as:

  • What are common threats?
  • How can I improve my security situation?
  • Which alerts are triggered the most?
  • What are the unresolved security incidents?
  • Can you give me a summary of the vulnerability in Log4J?

Natural language queries are a convenient way to explore your organization's security posture, but Security Copilot provides additional features that may prove more useful in day-to-day work.

Security Copilot's import feature simplifies investigation

One of these features is the ability to import data. Although Security Copilot's interface is simply a text box, you can drag and drop files into that text box, and Security Copilot will analyze the file.

You are not limited to files, either. You can also provide Security Copilot with URLs and code snippets.

For a concrete example of how useful this feature is, consider Microsoft's recent demo. In it, the presenter dragged a JSON-based log file into the Security Copilot interface and then asked whether the file contained malicious activity related to a suspicious sign-in event detected by Microsoft Sentinel.

You can see a screenshot of the demo in Figure 1.

Figure 1. You can drag and drop files to Security Copilot.

Some people may dismiss this function as nothing more than log analysis. However, when you analyze a security log to identify an incident, you usually need to know what to look for in advance (the relevant event IDs, field names, process names, and so on). Security Copilot removes the need for a detailed understanding of the events in the log file. You simply tell it what you are looking for, and it selects the relevant items from the file.

Although Microsoft used a log file in its Security Copilot demo, it is reasonable to assume that you can ask Security Copilot about various other file types as well.

How promptbooks help automate incident response

Another useful feature is promptbooks. A promptbook is essentially a set of steps or automations that can be run from Security Copilot.

For example, in the Microsoft demo referenced above, a promptbook dedicated to reverse engineering a malicious PowerShell script was created. Because the required steps are captured in the promptbook, Microsoft can make this capability available to anyone, even someone with no experience reverse engineering code.

In Figure 2, you can see the promptbook featured in the demo. It was designed to reverse engineer the script, explain the script's capabilities, and produce a visual that explains the entire incident surrounding the script.


Figure 2. This promptbook reverse engineers the script and produces a visual that identifies the incident surrounding the script.

Figure 3 shows the first step performed when the promptbook runs. As you can see, Security Copilot analyzed the script and discovered that it is designed to download an executable file called DoorBreach.exe.


Figure 3. Security Copilot has analyzed the script in question.

The promptbook then generates a flowchart showing the full progression of the attack, including which user triggered it and from where. Figure 4 shows a user named Devon Torres working from Workstation8, using OneNote, and opening a file named SalesLeads(1).onepkg. This package launched WScript.exe, which in turn launched PowerShell and ran the malicious script. The script then launched an executable that established connections to a remote server and to a domain controller.
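What the import feature and the promptbook abstract away is exactly the part an analyst would otherwise script by hand: knowing which fields and process names to look for, reconstructing the parent-child chain, and joining it with network activity. The following Python is an added example (not code from the article or from Microsoft) that does this over a constructed JSON-lines log modelled on the incident above. The field names (event, pid, ppid, image, dest) and the sample lines are assumptions for this example, not Microsoft Sentinel's or Defender's schema.

```python
import json
from collections import defaultdict

# Constructed sample log in a minimal JSON-lines shape. The field names are
# assumptions for this example, not the schema of Sentinel, Defender or Sysmon.
SAMPLE_LOG = """\
{"event":"process","ts":"2023-03-28T14:02:11Z","host":"Workstation8","user":"Devon Torres","pid":4100,"ppid":812,"image":"ONENOTE.EXE","cmdline":"ONENOTE.EXE SalesLeads(1).onepkg"}
{"event":"process","ts":"2023-03-28T14:02:14Z","host":"Workstation8","user":"Devon Torres","pid":4212,"ppid":4100,"image":"WScript.exe","cmdline":"WScript.exe invoice.vbs"}
{"event":"process","ts":"2023-03-28T14:02:15Z","host":"Workstation8","user":"Devon Torres","pid":4300,"ppid":4212,"image":"powershell.exe","cmdline":"powershell.exe -NoProfile -WindowStyle Hidden -File update.ps1"}
{"event":"process","ts":"2023-03-28T14:02:19Z","host":"Workstation8","user":"Devon Torres","pid":4388,"ppid":4300,"image":"DoorBreach.exe","cmdline":"DoorBreach.exe"}
{"event":"netconn","ts":"2023-03-28T14:02:21Z","host":"Workstation8","pid":4388,"dest":"203.0.113.10:443"}
{"event":"netconn","ts":"2023-03-28T14:02:30Z","host":"Workstation8","pid":4388,"dest":"dc01.corp.example:445"}
{"event":"process","ts":"2023-03-28T14:05:40Z","host":"Workstation8","user":"Devon Torres","pid":4500,"ppid":812,"image":"notepad.exe","cmdline":"notepad.exe notes.txt"}
this line is not JSON and is skipped by the parser
"""

# Office applications that should rarely spawn script interpreters.
OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts commonly abused as the next hop after a malicious document.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_log(text):
    """Parse JSON-lines text, skipping blank lines and lines that are not JSON objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def build_process_tree(events):
    """Return (pid -> process event, ppid -> [child pids], pid -> [network destinations])."""
    procs, children, conns = {}, defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("event") == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev.get("event") == "netconn":
            conns[ev["pid"]].append(ev["dest"])
    return procs, children, conns


def root_to_leaf_paths(pid, children):
    """Enumerate every root-to-leaf pid path starting at `pid` (inclusive)."""
    if not children.get(pid):
        return [[pid]]
    paths = []
    for child in children[pid]:
        for sub in root_to_leaf_paths(child, children):
            paths.append([pid] + sub)
    return paths


def find_suspicious_chains(log_text):
    """Flag process chains rooted in an Office app that pass through a script host.

    Each finding carries the user, host, the image names in execution order and
    every network destination reached by a process on the chain.
    """
    procs, children, conns = build_process_tree(parse_log(log_text))
    findings = []
    for pid, ev in procs.items():
        if ev["image"].lower() not in OFFICE_APPS:
            continue
        for path in root_to_leaf_paths(pid, children):
            images = [procs[p]["image"] for p in path]
            if not any(img.lower() in SCRIPT_HOSTS for img in images):
                continue
            findings.append({
                "user": ev.get("user"),
                "host": ev.get("host"),
                "chain": images,
                "connections": [d for p in path for d in conns.get(p, [])],
            })
    return findings


def render_chain(finding):
    """One-line text equivalent of the flowchart the promptbook produced."""
    line = f"{finding['user']}@{finding['host']}: " + " -> ".join(finding["chain"])
    if finding["connections"]:
        line += " => " + ", ".join(finding["connections"])
    return line


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_LOG):
        print(render_chain(finding))
```

On the sample data this prints a single chain, ONENOTE.EXE to WScript.exe to powershell.exe to DoorBreach.exe, followed by the two destinations the executable reached; the notepad.exe launch from the same desktop session is not reported because it never passes through a script host. The three things the script has to hard-code (the field names, the list of Office parents and the list of script hosts) are the "what to look for" that the article says Security Copilot spares you from knowing.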


Figure 4. Security Copilot created a visual of the incident.

Because Security Copilot is new, it is hard to know how well it will perform in the real world. Based on Microsoft's recent demo, however, it looks very promising.

About the Author

Brien Posey is a bestselling technology author, speaker and 21x Microsoft MVP. In addition to his ongoing work in information technology, Posey trained as a commercial astronaut in preparation for flying on a mission to study atmospheric polar clouds from space.
