Exploring Security Copilot Prompts with Examples

In this blog post we look at Microsoft Security Copilot by working through a couple of prompts and their practical use. We show how to retrieve information an analyst actually needs, such as which VMs have had their Defender exclusion registry keys modified and which VMs are being hit with continuous failed logon attempts, for devices onboarded to Microsoft Defender for Endpoint. For each task we first write a Kusto Query Language (KQL) query in advanced hunting to gather the details, then show how the same task can be accomplished with a Security Copilot prompt. The comparison highlights how much effort Security Copilot saves, and also what you should still check yourself. Let's get started.

Example 1: AV Exclusion Modification

Suppose someone with admin rights on their device has modified the Defender AV exclusion list so that a particular path, extension, or process is no longer scanned. You are tasked with listing all devices where this has happened. In this example we have only one VM, named 'VM01', so we will see a single result; in a real environment there could be many such devices.

To do this with advanced hunting we need to write a KQL query, which requires knowing KQL as well as the Defender for Endpoint schema (here, the DeviceRegistryEvents table). The query below returns registry modifications under the Defender exclusions key, which is where locally configured exclusions are stored:

💡
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'

Running this query shows that the exclusion list on the endpoint VM01 has been modified. Note that the query returns one row per registry change, so a device with several modified exclusions appears several times; to get a plain list of device names, summarize or take distinct values of the DeviceName column.
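The query above lists every matching registry event. The following is an added hunting query, not part of the original post, that extends it in three ways: it also covers the Group Policy path under HKLM\SOFTWARE\Policies, where exclusions pushed by GPO or Intune are written; it includes deletions, since removing an exclusion is also a change worth seeing; and it summarizes to one row per device together with who and what made the change. The table and column names are the standard Defender for Endpoint advanced hunting schema; the 7-day lookback is an assumed value.

```kql
// Added example (not from the original post): Defender exclusion tampering,
// summarized to one row per device. The lookback window is an assumption.
let lookback = 7d;
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyCreated", "RegistryKeyDeleted")
// Local exclusions live under Microsoft\Windows Defender; policy-managed ones under Policies.
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions"
     or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions"
// The last path component of the key tells you the exclusion kind: Paths, Processes, Extensions, ...
| extend ExclusionKind = extract(@"\\([^\\]+)$", 1, RegistryKey)
| summarize Changes = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ExclusionKinds = make_set(ExclusionKind),
            // For an exclusion entry the value name holds the excluded path, process, or extension.
            ExcludedItems = make_set(RegistryValueName),
            Actors = make_set(InitiatingProcessAccountName),
            InitiatingProcesses = make_set(InitiatingProcessFileName)
  by DeviceName, DeviceId
| order by LastSeen desc
```

One caveat when reading the Actors and InitiatingProcesses columns: exclusions added with Add-MpPreference are written by the Defender service itself, so the initiating process often shows MsMpEng.exe rather than the admin's PowerShell. In that case pivot to DeviceProcessEvents on the same device around LastSeen to find the command that triggered the change.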

The same task can be done without writing a KQL query or knowing the Defender for Endpoint schema by using Microsoft Security Copilot. Security Copilot accepts a natural language prompt, processes it, and generates the KQL query for us behind the scenes. Below is an example where we entered the prompt "show which device registry has been modified." Although this prompt is quite basic and does not even mention Defender exclusions, Security Copilot still responded with accurate results.

Here we get the same result we obtained from our KQL query. Security Copilot also displays the KQL query it used to generate the result, and that query is worth reading before you rely on the output: a loosely worded prompt can be interpreted differently from what you had in mind, and the generated query is the only way to confirm what was actually searched.

It also provides the option to download the output as an Excel file, as shown below.

Example 2: Brute-Force Logon Attempts on the VM

Since the RDP port (TCP 3389) on this VM is exposed to the internet, many bad actors are attempting to gain access by guessing credentials. Strictly speaking this is a brute-force or password-spraying attack rather than a DDoS: the goal is to find a valid credential, not to exhaust the service. You have been tasked with listing the devices experiencing continuous failed logon attempts, along with the usernames being tried and the source IP addresses. Below is a simple query that returns these details. It could be made more specific by filtering on logon type, time window, and so on, but we keep it simple as we have only one device in this example.

💡
DeviceLogonEvents
| where ActionType == "LogonFailed"

The output below shows numerous failed logon attempts using different usernames from various remote IP addresses. Each row is a single attempt, so the columns to look at are DeviceName, AccountName, RemoteIP, LogonType, and FailureReason.
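The query above returns one row per failed attempt. The following added query, which is not from the original post, aggregates failures per device and source IP so that a brute-force or password-spray pattern stands out, and then checks whether any of the attacking IPs also achieved a successful logon, which is the case you actually need to respond to. Table and column names are from the Defender for Endpoint advanced hunting schema; the 24-hour window and the two thresholds are assumed values to be tuned for your environment.

```kql
// Added example (not from the original post). Window and thresholds are assumptions.
let lookback = 24h;
let minFailures = 10;       // below this we treat it as a mistyped password, not an attack
let sprayAccounts = 5;      // more distinct accounts than this from one IP looks like password spraying
let failures =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    // RDP normally shows as RemoteInteractive; with Network Level Authentication enabled the
    // credential check happens before the session exists and is logged as a Network logon.
    | where LogonType in ("RemoteInteractive", "Network")
    | where RemoteIPType == "Public"    // drop this line to include internal sources as well
    | summarize Failures = count(),
                DistinctAccounts = dcount(AccountName),
                Accounts = make_set(AccountName, 20),
                Reasons = make_set(FailureReason),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp)
      by DeviceName, RemoteIP
    | where Failures >= minFailures;
let successes =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | summarize SuccessAccounts = make_set(AccountName), FirstSuccess = min(Timestamp)
      by DeviceName, RemoteIP;
failures
| join kind=leftouter (successes) on DeviceName, RemoteIP
| project-away DeviceName1, RemoteIP1
// A success from an IP that was guessing passwords is the row to escalate first.
| extend Compromised = coalesce(array_length(SuccessAccounts), 0) > 0
| extend Pattern = iff(DistinctAccounts > sprayAccounts, "password spray", "brute force")
| order by Compromised desc, Failures desc
```

Rows with Compromised == true deserve an incident rather than a block rule: check what the SuccessAccounts did next in DeviceProcessEvents and DeviceNetworkEvents on that device. Rows with failures only are the normal background noise of an internet-exposed RDP port, and the durable fix is to remove that exposure rather than to keep blocking individual addresses.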

Let's achieve the same task with a Security Copilot prompt, eliminating the need to write any KQL. The prompt is "show MDE managed device failed logon attempts on Defender for Endpoint portal." While the English in this prompt could be refined for clarity, it serves its purpose.

It shows the same result we got using KQL, along with the query Security Copilot ran behind the scenes.

Detailed output in Excel: here we can see bad actors from multiple IP addresses using various usernames to try to access VM01. Look up the IP addresses, for example against threat-intelligence feeds or geolocation data, to identify the sources of the brute-force attempts, then block them at the firewall and, better still, remove the direct internet exposure of RDP by placing it behind a VPN or bastion host.

Conclusion

In this post we've explored the basics of Microsoft Security Copilot by comparing traditional Kusto Query Language (KQL) queries with the natural language prompts Security Copilot accepts. Through two practical examples we've shown how Security Copilot simplifies retrieving security data from Defender for Endpoint, while still surfacing the underlying query so you can verify what it actually searched.

By leveraging Security Copilot prompts, you can streamline your security operations, enhance efficiency, and gain deeper insights into your security posture. Whether you're managing endpoints, analyzing threats, or ensuring compliance, Security Copilot provides a user-friendly and effective solution.

We encourage you to experiment with different prompts and fully explore the capabilities of Security Copilot to optimize your security management workflows. Embrace the future of security management with Microsoft Security Copilot and experience the benefits of a more integrated and responsive security environment.

If you have any questions or need further assistance, feel free to reach out on Twitter (@sakaldeep) or LinkedIn (https://www.linkedin.com/in/sakaldeep/). Happy securing!