best practices

Using parameterized functions with KQL-based custom plugins in Microsoft Security Copilot
In this blog, I will walk through how you can build functions based on a Microsoft Sentinel Log Analytics workspace for use in custom KQL-based plugins for Security Copilot. The same approach can be used for Azure Data Explorer and Defender XDR, so long as you follow the specific guidance for either platform. Links to those steps are provided in the Additional Resources section at the end of this blog.

But first, it's helpful to clarify what parameterized functions are and why they are important in the context of Security Copilot KQL-based plugins. Parameterized functions accept input values (parameters) such as lookback periods or entities, allowing you to dynamically alter parts of a query without rewriting the entire logic.

Parameterized functions are important in the context of Security Copilot plugins because of:

- Dynamic prompt completion: Security Copilot plugins often accept user input (e.g., usernames, time ranges, IPs). Parameterized functions allow these inputs to be consistently injected into KQL queries without rebuilding the query logic.
- Plugin reusability: By using parameters, a single function can serve multiple investigation scenarios (e.g., checking sign-ins, data access, or alerts for any user or timeframe) instead of hardcoding different versions.
- Maintainability and modularity: Parameterized functions centralize query logic, making it easier to update or enhance without modifying every instance across the plugin spec. To modify the logic, just edit the function in Log Analytics, test it, then save it, without needing to change the plugin at all or re-upload it into Security Copilot. It also greatly reduces the effort of ensuring that the query part of the YAML is perfectly indented, as the OpenAPI specification requires: you only need to worry about formatting a single line instead of several, potentially hundreds.
- Validation: Separating query logic from input parameters improves query reliability by avoiding malformed queries. Whatever the input is, it is treated as a value, not as part of the query logic.
- Plugin spec mapping: OpenAPI-based Security Copilot plugins can map user-provided inputs directly to function parameters, making the interaction between user intent and query execution seamless.

Practical example

In this case, we have a 139-line KQL query that we will reduce to exactly one line that goes into the KQL plugin. In other cases, this number could be even higher. Without using functions, this entire query would have to form part of the plugin.

Note: The rest of this blog assumes you are familiar with KQL custom plugins: how they work and how to upload them into Security Copilot.

```kql
CloudAppEvents
| where RawEventData.TargetDomain has_any (
    'grok.com', 'x.ai', 'mistral.ai', 'cohere.ai', 'perplexity.ai', 'huggingface.co', 'adventureai.gg',
    'ai.google/discover/palm2', 'ai.meta.com/llama', 'ai2006.io', 'aibuddy.chat', 'aidungeon.io', 'aigcdeep.com',
    'ai-ghostwriter.com', 'aiisajoke.com', 'ailessonplan.com', 'aipoemgenerator.org', 'aissistify.com', 'ai-writer.com',
    'aiwritingpal.com', 'akeeva.co', 'aleph-alpha.com/luminous', 'alphacode.deepmind.com', 'analogenie.com',
    'anthropic.com/index/claude-2', 'anthropic.com/index/introducing-claude', 'anyword.com', 'app.getmerlin.in',
    'app.inferkit.com', 'app.longshot.ai', 'app.neuro-flash.com', 'applaime.com', 'articlefiesta.com', 'articleforge.com',
    'askbrian.ai', 'aws.amazon.com/bedrock/titan', 'azure.microsoft.com/en-us/products/ai-services/openai-service',
    'bard.google.com', 'beacons.ai/linea_builds', 'bearly.ai', 'beatoven.ai', 'beautiful.ai', 'beewriter.com',
    'bettersynonyms.com', 'blenderbot.ai', 'bomml.ai', 'bots.miku.gg', 'browsegpt.ai', 'bulkgpt.ai', 'buster.ai',
    'censusgpt.com', 'chai-research.com', 'character.ai', 'charley.ai', 'charshift.com', 'chat.lmsys.org',
    'chat.mymap.ai', 'chatbase.co', 'chatbotgen.com', 'chatgpt.com', 'chatgptdemo.net', 'chatgptduo.com',
    'chatgptspanish.org', 'chatpdf.com', 'chattab.app', 'claid.ai', 'claralabs.com', 'claude.ai/login',
    'clipdrop.co/stable-diffusion', 'cmdj.app', 'codesnippets.ai', 'cohere.com', 'cohesive.so', 'compose.ai',
    'contentbot.ai', 'contentvillain.com', 'copy.ai', 'copymatic.ai', 'copymonkey.ai', 'copysmith.ai', 'copyter.com',
    'coursebox.ai', 'coverler.com', 'craftly.ai', 'crammer.app', 'creaitor.ai', 'dante-ai.com', 'databricks.com',
    'deepai.org', 'deep-image.ai', 'deepreview.eu', 'descrii.tech', 'designs.ai', 'docgpt.ai', 'dreamily.ai',
    'editgpt.app', 'edwardbot.com', 'eilla.ai', 'elai.io', 'elephas.app', 'eleuther.ai', 'essayailab.com',
    'essay-builder.ai', 'essaygrader.ai', 'essaypal.ai', 'falconllm.tii.ae', 'finechat.ai', 'finito.ai', 'fireflies.ai',
    'firefly.adobe.com', 'firetexts.co', 'flowgpt.com', 'flowrite.com', 'forethought.ai', 'formwise.ai', 'frase.io',
    'freedomgpt.com', 'gajix.com', 'gemini.google.com', 'genei.io', 'generatorxyz.com', 'getchunky.io', 'getgptapi.com',
    'getliner.com', 'getsmartgpt.com', 'getvoila.ai', 'gista.co', 'github.com/features/copilot', 'giti.ai', 'gizzmo.ai',
    'glasp.co', 'gliglish.com', 'godinabox.co', 'gozen.io', 'gpt.h2o.ai', 'gpt3demo.com', 'gpt4all.io', 'gpt-4chan+)',
    'gpt6.ai', 'gptassistant.app', 'gptfy.co', 'gptgame.app', 'gptgo.ai', 'gptkit.ai', 'gpt-persona.com',
    'gpt-ppt.neftup.app', 'gptzero.me', 'grammarly.com', 'hal9.com', 'headlime.com', 'heimdallapp.org', 'helperai.info',
    'heygen.com', 'heygpt.chat', 'hippocraticai.com', 'huggingface.co/spaces/tiiuae/falcon-180b-demo', 'humanpal.io',
    'hypotenuse.ai', 'ichatwithgpt.com', 'ideasai.com', 'ingestai.io', 'inkforall.com', 'inputai.com/chat/gpt-4',
    'instantanswers.xyz', 'instatext.io', 'iris.ai', 'jasper.ai', 'jigso.io', 'kafkai.com', 'kibo.vercel.app',
    'kloud.chat', 'koala.sh', 'krater.ai', 'lamini.ai', 'langchain.com', 'laragpt.com', 'learn.xyz', 'learnitive.com',
    'learnt.ai', 'letsenhance.io', 'letsrevive.app', 'lexalytics.com', 'lgresearch.ai', 'linke.ai', 'localbot.ai',
    'luis.ai', 'lumen5.com', 'machinetranslation.com', 'magicstudio.com', 'magisto.com', 'mailshake.com/ai-email-writer',
    'markcopy.ai', 'meetmaya.world', 'merlin.foyer.work', 'mieux.ai', 'mightygpt.com', 'mosaicml.com', 'murf.ai',
    'myaiteam.com', 'mygptwizard.com', 'narakeet.com', 'nat.dev', 'nbox.ai', 'netus.ai', 'neural.love', 'neuraltext.com',
    'newswriter.ai', 'nextbrain.ai', 'noluai.com', 'notion.so', 'novelai.net', 'numind.ai', 'ocoya.com', 'ollama.ai',
    'openai.com', 'ora.ai', 'otterwriter.com', 'outwrite.com', 'pagelines.com', 'parallelgpt.ai', 'peppercontent.io',
    'perplexity.ai', 'personal.ai', 'phind.com', 'phrasee.co', 'play.ht', 'poe.com', 'predis.ai', 'premai.io',
    'preppally.com', 'presentationgpt.com', 'privatellm.app', 'projectdecember.net', 'promptclub.ai', 'promptfolder.com',
    'promptitude.io', 'qopywriter.ai', 'quickchat.ai/emerson', 'quillbot.com', 'rawshorts.com', 'read.ai', 'rebecc.ai',
    'refraction.dev', 'regem.in/ai-writer', 'regie.ai', 'regisai.com', 'relevanceai.com', 'replika.com', 'replit.com',
    'resemble.ai', 'resumerevival.xyz', 'riku.ai', 'rizzai.com', 'roamaround.app', 'rovioai.com', 'rytr.me', 'saga.so',
    'sapling.ai', 'scribbyo.com', 'seowriting.ai', 'shakespearetoolbar.com', 'shortlyai.com', 'simpleshow.com',
    'sitegpt.ai', 'smartwriter.ai', 'sonantic.io', 'soofy.io', 'soundful.com', 'speechify.com', 'splice.com',
    'stability.ai', 'stableaudio.com', 'starryai.com', 'stealthgpt.ai', 'steve.ai', 'stork.ai', 'storyd.ai',
    'storyscapeai.app', 'storytailor.ai', 'streamlit.io/generative-ai', 'summari.com', 'synesthesia.io', 'tabnine.com',
    'talkai.info', 'talkpal.ai', 'talktowalle.com', 'team-gpt.com', 'tethered.dev', 'texta.ai', 'textcortex.com',
    'textsynth.com', 'thirdai.com/pocketllm', 'threadcreator.com', 'thundercontent.com', 'tldrthis.com', 'tome.app',
    'toolsaday.com/writing/text-genie', 'to-teach.ai', 'tutorai.me', 'tweetyai.com', 'twoslash.ai', 'typeright.com',
    'typli.ai', 'uminal.com', 'unbounce.com/product/smart-copy', 'uniglobalcareers.com/cv-generator', 'usechat.ai',
    'usemano.com', 'videomuse.app', 'vidext.app', 'virtualghostwriter.com', 'voicemod.net', 'warmer.ai', 'webllm.mlc.ai',
    'wellsaidlabs.com', 'wepik.com', 'we-spots.com', 'wordplay.ai', 'wordtune.com', 'workflos.ai', 'woxo.tech',
    'wpaibot.com', 'writecream.com', 'writefull.com', 'writegpt.ai', 'writeholo.com', 'writeme.ai', 'writer.com',
    'writersbrew.app', 'writerx.co', 'writesonic.com', 'writesparkle.ai', 'writier.io', 'yarnit.app', 'zevbot.com',
    'zomani.ai'
    )
| extend sit = parse_json(tostring(RawEventData.SensitiveInfoTypeData))
| mv-expand sit
| summarize Event_Count = count()
    by tostring(sit.SensitiveInfoTypeName), CountryCode, City,
       UserId = tostring(RawEventData.UserId),
       TargetDomain = tostring(RawEventData.TargetDomain),
       ActionType = tostring(RawEventData.ActionType),
       IPAddress = tostring(RawEventData.IPAddress),
       DeviceType = tostring(RawEventData.DeviceType),
       FileName = tostring(RawEventData.FileName),
       TimeBin = bin(TimeGenerated, 1h)
| extend SensitivityScore = case(
    tostring(sit_SensitiveInfoTypeName) in~ ("U.S. Social Security Number (SSN)", "Credit Card Number",
        "EU Tax Identification Number (TIN)", "Amazon S3 Client Secret Access Key", "All Credential Types"), 90,
    tostring(sit_SensitiveInfoTypeName) in~ ("All Full names"), 40,
    tostring(sit_SensitiveInfoTypeName) in~ ("Project Obsidian", "Phone Number"), 70,
    tostring(sit_SensitiveInfoTypeName) in~ ("IP"), 50,
    10)
| join kind=leftouter (
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | extend AccountUpn = tolower(AccountUPN)
  ) on $left.UserId == $right.AccountUpn
| join kind=leftouter (
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | extend AccountUpn = tolower(UserPrincipalName)
  ) on $left.UserId == $right.AccountUpn
//| where BlastRadius == "High"
//| where RiskLevel == "High"
| where Department == User_Dept
| summarize arg_max(TimeGenerated, *)
    by sit_SensitiveInfoTypeName, CountryCode, City, UserId, TargetDomain, ActionType, IPAddress, DeviceType,
       FileName, TimeBin, Department, SensitivityScore
| summarize sum(Event_Count)
    by sit_SensitiveInfoTypeName, CountryCode, City, UserId, Department, TargetDomain, ActionType, IPAddress,
       DeviceType, FileName, TimeBin, BlastRadius, RiskLevel, SourceDevice, SourceIPAddress, SensitivityScore
```

With parameterized functions, follow these steps to simplify the plugin that will be built based on the query above:

1. Define the variables/parameters upfront in the query (BEFORE creating the parameters in the UI). This puts the query in a temporarily unusable state, because the not-yet-defined parameters cause syntax errors at this stage. However, since the plan is to run the query as a function, this is OK.
2. Create the parameters in the Log Analytics UI. Give the function a name and define the parameters exactly as they appear in the query in step 1. In this example, we define two parameters: lookback, to store the lookback period passed to the time filter, and User_Dept, to hold the user's department.
3. Test the query.

Note the order of parameter definition in the UI, i.e. first User_Dept, THEN the lookback period. You can interchange them if you like, but this determines how you invoke the function: if the User_Dept parameter was defined first, then it must come first when executing the function. See the screenshot below. Switching them results in the wrong parameter being passed to the query and consequently 0 results being returned.

Effect of switched parameters:

To edit the function, follow the steps below: navigate to the Logs menu for your Log Analytics workspace, then select the function icon.

Once satisfied with the query and function, build your spec file for the Security Copilot plugin. Note the parameter definition and usage in the sections highlighted in red below.

And that's it: from 139 unwieldy KQL lines to one very manageable one! You are welcome 😊

Let's now put it through its paces once uploaded into Security Copilot. We start by executing the plugin using its default settings via the direct skill invocation method. We see that the prompt indeed returns results based on the default values passed as parameters to the function:

Next, we still use direct skill invocation, but this time specify our own parameters:

Lastly, we test it out with a natural language prompt:

Tip: The function does not execute successfully if the default summarize output name is used without assigning a variable, i.e. if the summarize count() command is used in your query, it produces a system-defined output column named count_. To avoid this issue, use a user-defined name such as Event_Count, as shown at line 77 of the query above (the summarize Event_Count = count() line).

Conclusion

In conclusion, leveraging parameterized functions within KQL-based custom plugins in Microsoft Security Copilot can significantly streamline your data querying and analysis capabilities.
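To make the walkthrough above concrete, here is an added example (my own, not the function from the post): the core of the query reduced to a parameterized function with the same two parameters, run against constructed stand-in tables so it executes in any Kusto endpoint; swap the two datatables for CloudAppEvents and IdentityInfo to use it in a workspace. The function name GenAIUploadsByDept, the sample identities and the sample domains are assumptions.

```kql
// Added example (not the post's own function): the parameterized pattern from
// the walkthrough, reduced to its core and run against constructed data.
// Constructed stand-in for CloudAppEvents. Age is turned into an absolute
// TimeGenerated below so the lookback filter keeps working whenever this runs.
let SampleCloudAppEvents = datatable(Age: timespan, UserId: string, TargetDomain: string, SensitiveInfoTypeData: string)
[
    1h,   "Alice@contoso.example", "chatgpt.com",       '[{"SensitiveInfoTypeName":"Credit Card Number"}]',
    1h,   "alice@contoso.example", "chatgpt.com",       '[{"SensitiveInfoTypeName":"Credit Card Number"}]',
    3h,   "alice@contoso.example", "claude.ai",         '[{"SensitiveInfoTypeName":"Phone Number"}]',
    2h,   "bob@contoso.example",   "gemini.google.com", '[{"SensitiveInfoTypeName":"IP"}]',
    100d, "alice@contoso.example", "chatgpt.com",       '[{"SensitiveInfoTypeName":"Credit Card Number"}]'
]
| extend TimeGenerated = now() - Age;
// Constructed stand-in for IdentityInfo.
let SampleIdentityInfo = datatable(Age: timespan, AccountUPN: string, Department: string)
[
    1d, "alice@contoso.example", "Finance",
    1d, "bob@contoso.example",   "Engineering"
]
| extend TimeGenerated = now() - Age;
// The function. Parameter ORDER here is the order callers must use; when the
// same logic is saved as a workspace function, declare User_Dept first and
// lookback second in the Log Analytics UI so positional calls line up.
let GenAIUploadsByDept = (User_Dept: string, lookback: timespan) {
    SampleCloudAppEvents
    | where TimeGenerated > ago(lookback)
    | where TargetDomain has_any ('chatgpt.com', 'claude.ai', 'gemini.google.com')
    | extend sit = parse_json(SensitiveInfoTypeData)
    | mv-expand sit
    | extend SensitiveInfoTypeName = tostring(sit.SensitiveInfoTypeName)
    // Name the aggregate explicitly: a bare count() yields the system column
    // count_, which the post reports breaks the saved-function path.
    | summarize Event_Count = count()
        by UserId = tolower(UserId), TargetDomain, SensitiveInfoTypeName, TimeBin = bin(TimeGenerated, 1h)
    | extend SensitivityScore = case(
        SensitiveInfoTypeName in~ ("Credit Card Number", "U.S. Social Security Number (SSN)"), 90,
        SensitiveInfoTypeName in~ ("Phone Number"), 70,
        SensitiveInfoTypeName in~ ("IP"), 50,
        10)
    // Normalize BOTH sides of the join key; a mixed-case UPN on either side
    // would otherwise silently drop the row.
    | join kind=inner (
        SampleIdentityInfo
        | where TimeGenerated > ago(lookback)
        | summarize arg_max(TimeGenerated, Department) by AccountUpn = tolower(AccountUPN)
      ) on $left.UserId == $right.AccountUpn
    | where Department == User_Dept
    | project TimeBin, UserId, Department, TargetDomain, SensitiveInfoTypeName, Event_Count, SensitivityScore
    | order by TimeBin desc
};
// The one line that goes into the plugin's KQL template. Arguments are
// positional, in declaration order: department first, lookback second.
GenAIUploadsByDept("Finance", 30d)
```

Run as-is it returns Alice's two Finance rows (the 100-day-old event falls outside the lookback and Bob's row is dropped by the department filter); calling it with the arguments swapped, GenAIUploadsByDept(30d, "Finance"), is rejected with a type error rather than quietly returning nothing, which is why declaring parameter types matters.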
By encapsulating reusable logic, improving query efficiency, and ensuring maintainability, these functions provide an efficient approach for tapping into data stored across Microsoft Sentinel, Defender XDR and Azure Data Explorer clusters. Start integrating parameterized functions into your KQL-based Security Copilot plugins today and let us have your feedback.

Additional Resources

- Using parameterized functions in Microsoft Defender XDR
- Using parameterized functions with Azure Data Explorer
- Functions in Azure Monitor log queries - Azure Monitor | Microsoft Learn
- Kusto Query Language (KQL) plugins in Microsoft Security Copilot | Microsoft Learn
- Harnessing the power of KQL Plugins for enhanced security insights with Copilot for Security | Microsoft Community Hub

Busting myths on Microsoft Security Copilot
This blog aims to dispel common misconceptions surrounding Microsoft Security Copilot, a cutting-edge tool designed to enhance cybersecurity measures. By addressing these myths, we hope to provide clarity on how this innovative solution can be leveraged to strengthen your organization's security.

Automate cybersecurity at scale with Microsoft Security Copilot agents
When we introduced Microsoft Security Copilot last year, we set out to transform the way defenders approach cybersecurity. As one of the industry's first generative AI solutions for security and IT teams, Security Copilot is empowering teams to catch what others miss, respond faster, and strengthen team expertise in an evolving threat landscape. Customers like Eastman are already seeing the impact. "I'm finding that I can ask [Security Copilot] about attack factors that I've never seen before and get answers much faster", said David Yates, Senior Cybersecurity Analyst at Eastman. "That helps me to make a better decision and respond faster to an attacker." A recent study of Copilot users showed that using Security Copilot reduced mean time to resolution by 30%, helping accelerate response times and minimizing the impact of security incidents.

But as defenders evolve, so have attackers. Adversaries are now leveraging AI to launch more sophisticated attacks with unprecedented speed and scale. Security and IT teams, already overwhelmed by a huge volume of alerts, data, and threats, are struggling to keep up. Traditional automation, while useful, lacks the flexibility and adaptability to keep up.

Today, we're taking the next leap forward in generative AI-powered cybersecurity. I am thrilled to introduce agents in Microsoft Security Copilot. AI-powered agents represent the natural evolution of Security Copilot, going beyond AI assistant capabilities. They autonomously manage high-volume security and IT tasks, seamlessly integrated with Microsoft Security solutions and partner solutions. Purpose-built for security, these agents learn from feedback, adapt to organizational workflows with your team fully in control, and operate securely within Microsoft's Zero-Trust framework. Delivering powerful automation across threat protection, identity management, data security, and IT operations, these agents empower teams to accelerate responses, prioritize risks, and drive efficiency at scale. By reducing manual workloads, they enhance operational effectiveness and strengthen overall security posture, allowing defenders to stay ahead. To bring this automation to life, we're introducing six security agents from Microsoft and five security agents from partners, which will be available for preview in April.

Empowering security and IT teams with Security Copilot agents

Our goal is to provide generative AI-powered security for everyone. Integrating Copilot with Microsoft Security products helps IT and security teams benefit from increased speed and accuracy. Now, you can use embedded Security Copilot agents with capabilities specific to use cases for your role in the products you know and love:

Phishing Triage Agent

SOC analysts often face the challenge of managing hundreds of user-submitted phishing alerts each week, with each alert taking up to 30 minutes for manual triage. This process requires meticulous sifting through submissions to find the needle in the haystack: the genuine threat amidst all the noise. Security Copilot solves this challenge with an AI-powered agent embedded in Microsoft Defender that works in the background to autonomously triage user-submitted phishing incidents. Powered by advanced multi-modal AI tools, it determines whether an alert is a genuine phishing attempt or a false alarm with exceptional precision. The agent not only delivers natural language explanations for its decisions but also dynamically refines its detection capabilities based on analyst feedback. By alleviating the burden of reactive work, it empowers SOC analysts to focus on proactive security measures, ultimately strengthening the organization's overall security posture. Learn more about the Phishing Triage Agent here.

Alert Triage Agents for Data Loss Prevention and Insider Risk Management

Data security admins regularly struggle to manage the volume of alerts they receive daily, addressing only about 60% of them due to time and resource constraints [1]. The Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM) identify the alerts that pose the greatest risk to your organization and should be prioritized first. These agents analyze the content and potential intent involved in an alert, based on the organization's chosen parameters and selected policies, to categorize alerts based on the impact they have on sensitive data. Additionally, they provide a comprehensive explanation of the logic behind that categorization, allowing admins to analyze a risk in just a few minutes. These agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins in natural language and fine-tunes the triage results to better match the organization's priorities. The agent learns from this feedback, using that rationale to calibrate the prioritization of future alerts in DLP and IRM. Learn more about the Alert Triage Agents for DLP and IRM here.

Conditional Access Optimization Agent

As organizations grow, identity and IT admins must continuously ensure that access policies adapt to new employees, contractors, SaaS apps, and more, keeping security intact without adding complexity. But as their environments evolve, keeping Conditional Access (CA) policies up to date becomes increasingly difficult. New users and apps can slip through, and exclusions can go unaddressed, creating security risks. Even with routine reviews, manually auditing policies and adjusting coverage can take days or weeks, yet gaps can still go unnoticed. The CA Optimization Agent in Microsoft Entra changes that for admins, automating the detection and resolution of policy drift. This agent continuously monitors for newly created users and applications, analyzing their alignment with existing CA policies, and proactively detects security gaps in real time. Unlike static automation, it recommends optimizations and provides one-click fixes, helping admins refine policy coverage effortlessly while ensuring a strong, adaptive security posture. Learn more about the CA Optimization Agent here.

Vulnerability Remediation Agent

Managing security vulnerabilities is a growing challenge for organizations, as the volume of CVEs and limited resources make it difficult to prioritize and implement critical fixes effectively. Microsoft Intune is designed for organizations that need a modern, cloud-powered approach to endpoint management, one that not only simplifies IT operations but strengthens security in an evolving threat landscape. IT admins require more than just visibility into vulnerabilities; they need a proactive, risk-based security strategy that continuously assesses risk and automates remediation to minimize exposure. That's why Intune is introducing the Vulnerability Remediation Agent, a solution built to help organizations stay ahead of emerging threats. By leveraging Microsoft Defender Vulnerability Management, the agent automatically identifies, evaluates, and prioritizes vulnerabilities. It continuously monitors newly published threats, assesses their risk levels, and offers clear, actionable recommendations for remediation. With continuous vulnerability detection, risk-based prioritization and guided remediation, the agent reduces exposure time while freeing up IT teams to focus on strategic initiatives. This is the first step toward designing vulnerability remediation at scale. A future, comprehensive approach will work across device platforms, address vulnerabilities in third-party applications, and remediate using configuration changes. Learn more about the Vulnerability Remediation Agent here.

Threat Intelligence Briefing Agent

Cyber Threat Intelligence analysts often face data overload and resource constraints when sourcing the threat intelligence needed to help their organizations understand, prioritize, and respond to critical threats. Crafting a threat intelligence briefing for security teams and executives can take hours, or even days, due to the constant evolution of both the threat landscape and an organization's attack surface. The Threat Intelligence Briefing Agent in Security Copilot dramatically expedites this process. It automatically curates up-to-date, context-specific intelligence tailored to your organization's unique profile and attack surface. Operating autonomously in the background, it taps into Microsoft's extensive threat intelligence resources (including Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management) to deliver prioritized reports in just 4-5 minutes. This tool not only cuts down on manual effort but also highlights the most pressing threats and provides actionable recommendations, ensuring your team stays well-informed and ready to respond. Learn more about the Threat Intelligence Briefing Agent here.

Extending agentic capabilities with partner solutions

We are grateful to our partners who continue to play a vital role in empowering everyone to confidently adopt safe and responsible AI. Our growing partner ecosystem seamlessly integrates Security Copilot with established tools across various applications. Today, I am pleased to share five new upcoming agents in partner solutions, with many more to come.

- Privacy Breach Response Agent by OneTrust analyzes a data breach based on type of data, geographic jurisdiction, and regulatory requirements to generate guidance for the privacy team on how to meet those requirements.
- Network Supervisor Agent by Aviatrix determines why a VPN, Gateway, or Site2Cloud connection is down and provides information about the failure.
- SecOps Tooling Agent by BlueVoyant assesses your security operations center (SOC) and state of controls to make recommendations to optimize security operations to improve controls, efficacy, and compliance.
- Alert Triage Agent by Tanium provides analysts with the necessary context to quickly and confidently make a decision on each alert.
- Task Optimizer Agent by Fletch helps organizations forecast and prioritize the most critical threat alerts to reduce alert fatigue and improve security.

Learn more about our partner integrations at aka.ms/partnerintegrations.

Get Started with Security Copilot Agents

Microsoft Security Copilot agents will be available in preview starting April 2025. To get started with Security Copilot, check out the website for more information. Already using Security Copilot? Make sure you're signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and features; join today at aka.ms/JoinCCP. Learn more about the latest innovations at the Microsoft Secure digital event on April 9, 2025. Register now.

With agents, Security Copilot continues to lead the way in AI-powered cybersecurity, helping organizations defend against threats faster, smarter, and with greater confidence.

Introducing more consumption flexibility with Security Copilot enhancements
In today's rapidly evolving cybersecurity landscape, efficiently managing security and IT operations is more critical than ever. Organizations need scalable and flexible solutions that offer robust protection. Last year, we launched Microsoft Security Copilot, a generative AI-powered assistant designed to help security and IT teams operate at the speed and scale of AI. Since then, organizations have used Copilot to enhance their security and IT workflows, with companies like QNET reporting a 60% increase in efficiency post-adoption, enabling teams to detect and respond to threats faster than ever before.

To further enhance customer flexibility and scalability, we are now supplementing the existing provisioned pricing structure for Security Copilot with the addition of an overage Security Compute Unit (SCU). This update ensures that organizations can confidently scale their Security Copilot workloads dynamically beyond their provisioned capacity, while maintaining cost predictability and control.

Ensure uninterrupted Security Copilot assistance

Security is a mission-critical necessity, and unexpected threats or workload spikes can arise at any time, demanding a pricing model that is both flexible and scalable to ensure uninterrupted protection. Previously, precise usage estimation was required to avoid throttled workloads. Now, enabling overage SCUs ensures organizations can handle unforeseen security demands without disruption. Security Copilot users can continue using their provisioned SCUs for regular workloads, while overage SCUs provide additional capacity when needed. This hybrid approach allows customers to establish a base fixed SCU provisioned capacity and set a maximum overage limit. Customers only pay for overage SCUs used when they consume beyond their provisioned SCU allocation, ensuring scalability and support during unexpected demand spikes without incurring unnecessary costs. Additionally, they have the option to set an upper limit on overage SCUs, which provides better budget predictability.

Get granular insights with the usage dashboard

The in-product usage dashboard has also been updated to help organizations track and manage SCU consumption effectively. The dashboard offers detailed insights into SCU usage, allowing admins to monitor consumption against provisioned SCUs, track overage SCU usage, and review granular details such as session initiators, IDs, categories, and experience. The dashboard ensures organizations have the visibility needed to optimize usage while maintaining budget control. The combination of provisioned and overage SCUs provides organizations with peace of mind, knowing that critical security operations always have the necessary resources when they're needed most.

Get Started with Overage SCUs today

As cyber risks continue to grow, having the right tools to manage security efficiently, cost-effectively, and at scale is crucial. With this latest enhancement, Microsoft Security Copilot is equipping organizations with the scalability and flexibility needed to secure their environment with confidence. Overage SCUs are generally available today. Existing customers can immediately enable overage SCUs or set a limit on maximum usage in Security Copilot. Learn more about Security Copilot pricing here, and calculate your estimated maximum spend per month using the pricing calculator. Sign up for a free Azure subscription to get started with Security Copilot today.

Securely integrate On-Prem and Self-Hosted VM instances of Splunk with Microsoft Security Copilot
By leveraging Microsoft Entra ID Application Proxy and Azure Application Gateway with Web Application Firewall (WAF), you can securely connect on-premises or self-hosted Splunk instances to Microsoft Security Copilot, enabling seamless log analysis and threat investigation without exposing Splunk to the internet. This approach extends Security Copilot's reach beyond SaaS applications, broadening the context needed for effective investigations across hybrid environments.

Boost SOC automation with AI: Speed up incident triage with Security Copilot and Microsoft Sentinel
The Solution This solution leverages AI and automation to speed up incident triage by providing automated response to an incident while infusing AI reasoning into the triage process, allowing the analyst to gain quick context about the gravity of the incident, detailed information about each entity involved and any executed processes. It then goes on to recommend mitigation steps, leading to faster MTTR (Mean Time To Respond). Below are key highlights of the solution: Accelerated triage: One of the scenarios in which analysts could spend a considerable amount of time is when the incident includes, for example, a process name that they have never encountered before. This challenge is compounded when the process execution includes command line elements. In this situation Security Copilot steps in to provide a rapid analysis of the process and associated command line elements and presenting the output to the analyst in a much faster fashion than they would be able to do without AI’s contribution. Similarly, in the case of the device entity Copilot taps into Microsoft Intune to bring in a summary of OS information, compliance status and hardware information, etc., thereby accelerating triage. Additionally, the reality in the SOC is that incidents do not happen at convenient times, several incidents can be triggered at the same time, requiring analysts to triage them as quickly as possible. This is where AI and automation become a force multiplier. Having the logic app trigger automatically upon incident creating and performing the core triage tasks saves the analysts precious time that they would have spent having to manually triage several incidents that could trigger at the same time. Insight consolidation: The Logic App brings together context from multiple sources, spanning across both first and third-party. In this example we are tapping into AbuseIPDB as a third-party enrichment source. 
The logic app offers this flexibility, giving customers the option to being in enrichment data from third party or custom sources and have Security Copilot build a holistic narrative for the triage summary. In doing so it helps the analyst get as much context as possible without needing to pivot into multiple security tools. Streamlined incident management: Incident comments in Microsoft Sentinel are automatically updated, providing investigators with up-to-date information and reducing manual effort. These comments are also automatically synchronized to Defender XDR portal and are therefore also accessible from that interface. The automated incident investigation summary is structured with the following details: Incident overview – Details matching those used to define the analytics rule Incident description – A summary including the key highlights of the incident Analysis on incident entities – AI-powered analysis of the IP, Account, Host and Process details as extracted from the incident Possible mitigation steps – Depending on the nature of the incident, provide suggested mitigation steps for the incident Conclusion Below is a snapshot of the logic App steps: Sample output Once attached to the selected analytics rules and the associated incident is created, you can expect output the incident to be enriched in a manner similar to what is shown here below and then added as a comment to the triggered Microsoft Sentinel incident Security Copilot skills used Skill Description ProcessAnalyzer Scrutinizes process names and command lines, providing detailed insights into potentially malicious activities. 
GetEntraUserDetails – Retrieves comprehensive user information.
GetIntuneDevices – Facilitates the extraction of device details from Intune, ensuring that all devices associated with an incident are thoroughly examined.
AbuseIPDB – Performs IP address reputation checks, helping to identify and mitigate threats from suspicious IP addresses.
Deployment prerequisites
Before deploying the Logic App, ensure the following prerequisites are met:
The user or service principal deploying this logic app should have the Contributor role on the Azure resource group that will host the logic app.
Microsoft Security Copilot should be enabled in the Azure tenant.
The user should have access to Microsoft Security Copilot to submit prompts by authenticating to the Microsoft Copilot for Security connector within the logic app.
Microsoft Sentinel is configured and generates incidents.
Obtain an AbuseIPDB API key to perform IP address reputation analysis.
Follow the link below to our Security Copilot GitHub repo to obtain the solution: SecurityCopilot-Sentinel-Incident-Investigation automation on GitHub
Conclusion
The integration of AI and automation in the Security Operations Center (SOC) through tools like Security Copilot and Logic Apps in Microsoft Sentinel significantly enhances incident triage and management. By leveraging these technologies, organizations can achieve faster, more consistent and more reliable incident handling, ultimately strengthening their overall security posture.
Additional resources
Overview - Azure Logic Apps | Microsoft Learn
Logic Apps connectors in Microsoft Security Copilot | Microsoft Learn
Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure
Microsoft Security Copilot | Microsoft Security
Hunt for identity-based threats with Security Copilot and Microsoft Sentinel
Enter Microsoft Sentinel and Security Copilot, a powerful duo that brings great value to your security operations. Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) capabilities are designed to distill anomalies from vast amounts of raw data, providing clear and actionable insights. By leveraging advanced machine learning algorithms, Sentinel UEBA can identify unusual patterns and behaviors that may indicate potential security threats, allowing for proactive threat detection and response. For its part, Security Copilot further enhances this capability by giving investigators and threat hunters a head start: it analyzes the inputs from Sentinel UEBA and helps the analyst prioritize their investigation or hunting efforts. This streamlines the investigation process, enabling security teams to proactively and quickly identify potential threats. In this blog we will showcase how Microsoft Sentinel UEBA can narrow down a set of anomalies associated with high blast radius users and how Security Copilot speeds up the investigation process, offering AI-enriched insights and recommendations through a Security Copilot Promptbook. This Promptbook brings together insights from 1st-party (built-in Microsoft) plugins, 3rd-party plugins from ISVs and custom plugins that leverage the extensibility of the Security Copilot platform. The Microsoft Sentinel UEBA data is brought into the Security Copilot session via a custom KQL plugin.
Summary of requirements
1. High Blast Radius User investigation custom plugin – Security-Copilot/Plugins/Community Based Plugins/Microsoft Sentinel Custom Plugin Scenarios/High Blast Radius User investigation at plugins-blastradius · inwafula/Security-Copilot
2. AbuseIPDB plugin – AbuseIPDB and Microsoft Security Copilot | Microsoft Learn
3. Microsoft Intune – Microsoft Copilot in Intune features overview | Microsoft Learn
4. Cybersixgill Threat Intelligence – Cybersixgill and Microsoft Security Copilot | Microsoft Learn
5. Rare process running as a service detection – Security-Copilot/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/RareProcess at plugins-blastradius · inwafula/Security-Copilot
6. Promptbook – Security-Copilot/Promptbook samples/High Blast Radius User investigation.md at main · Azure/Security-Copilot
Below is a snapshot of the promptbook we shall step through, calling out the highlights:
The first prompt makes the connection between Security Copilot and Sentinel by executing a custom KQL plugin that identifies high blast radius users as computed by Sentinel UEBA from the user's relative position within Entra ID and the Azure roles assigned to the user. The higher the user sits in the organization and the more impactful their Azure permissions, the higher the blast radius. In this run Copilot has come back with 17 users who fit the description of "high blast radius" users; however, we want to narrow down which particular user to prioritize. Once this information is brought into the Security Copilot session, we can begin to apply the power of AI over it and glean insights that help us quickly prioritize which identity to focus on, with useful guidance along the way.
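The plugin's own query lives in the linked repository and is not reproduced on this page. What follows is an added example of a parameterized Log Analytics function that does the same job; it is not the repository's code. It takes a lookback window and a minimum investigation priority, keeps only UEBA anomalies in BehaviorAnalytics whose user has a UEBA-computed blast radius of High in the latest IdentityInfo snapshot, and returns one row per user with the anomaly flags, source IPs, roles and group memberships that the later prompts need. Column names follow the Microsoft Sentinel UEBA reference; the function name, the parameter defaults and the thresholds are assumptions chosen for illustration, so verify the columns against your own workspace before saving it as a function.

```kql
// Added example, not the query shipped with the plugin linked above.
// Column names follow the Microsoft Sentinel UEBA reference (BehaviorAnalytics, IdentityInfo);
// the function name, parameter defaults and thresholds are assumptions for illustration.
let HighBlastRadiusAnomalies = (lookback:timespan = 7d, minPriority:int = 5) {
    // Latest identity snapshot per UPN. IdentityInfo is refreshed on a daily delta /
    // 14-day full-sync cycle, so look back 14 days here regardless of the anomaly window,
    // otherwise users synced before the window would silently drop out of the join.
    let identities = IdentityInfo
        | where TimeGenerated > ago(14d)
        | summarize arg_max(TimeGenerated, *) by AccountUPN
        | where BlastRadius == "High"     // computed by UEBA from Entra ID position and Azure roles
        | project Upn = tolower(AccountUPN), AccountDisplayName, AssignedRoles, GroupMembership;
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where InvestigationPriority >= minPriority
    // ActivityInsights is a property bag of boolean anomaly indicators
    // (e.g. FirstTimeUserConnectedFromCountry); keep only the ones set to true
    | extend Flags = extract_all(@'"(\w+)":true', tostring(ActivityInsights))
    | where array_length(Flags) > 0
    | extend Upn = tolower(UserPrincipalName)   // normalize case before joining on UPN
    | join kind=inner identities on Upn
    | mv-expand Flag = Flags to typeof(string)
    | summarize AnomalyFlagHits = count(),
                MaxPriority = max(InvestigationPriority),
                LastAnomaly = max(TimeGenerated),
                AnomalyFlags = make_set(Flag),
                SourceIPs = make_set(SourceIPAddress, 10),
                AssignedRoles = take_any(AssignedRoles),
                GroupMembership = take_any(GroupMembership)
          by UserPrincipalName, AccountDisplayName
    | order by MaxPriority desc, AnomalyFlagHits desc
};
// Positional call. Once the body is saved as a Log Analytics function with these two
// parameters declared, this single line is all the KQL plugin has to carry.
HighBlastRadiusAnomalies(7d, 5)
```

Because the filtering on blast radius happens in the function rather than in the plugin manifest, changing the threshold (for example to include Medium) is a one-line edit in Log Analytics and needs no re-upload of the plugin. The 14-day window on IdentityInfo is the caveat to keep: tying it to the same lookback as the anomalies is a common reason this kind of join returns fewer users than UEBA actually flagged.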
The output below is in response to the second prompt, which tasks Security Copilot with analyzing all the users that came back from the first prompt as high blast radius users and going a step further to identify which specific one we should prioritize:
The third prompt gathers reputation information about the IP used for the anomalous activities, the fourth examines the user's device, while the fifth extends the investigation beyond the Entra ID tenant into the deep and dark web using the Cybersixgill (a Bitsight company) plugin for a comprehensive view of the threat exposure landscape.
*Note: This is a simulated breach for demo purposes, not an actual one.
The sixth prompt reaches into Intune to obtain information about the compliance state of the device, while the seventh uses data from Microsoft Defender XDR to check for any unusual processes that may have been executed on the device, additional context needed to paint a holistic picture of the gravity of the incident. The final prompt brings it all together by summarizing the investigation, suggesting a verdict, recommending follow-up actions and explaining Copilot's reasoning for both.
Below is the final output from this Promptbook's run:
Jan 6, 3:39 PM
Investigation Summary
User: Ismat Bekarevich (OPS)
User Principal Name: isbe54@woodgrove.ms
Blast Radius: High
Recent Anomalous Activity: Logon from IP address 2601:xxxxx:7273:958b:e655:xxxx:b98c (City, United States)
Group Memberships: AWS Admins, On-prem Admins, Azure ATP contosodemos2 Viewers, AAD DC Administrators
Assigned Roles: Global Administrator
Risk State: Remediated
Credentials Compromised: Yes (Breach Date: 2024-11-26, Source: telegram)
IP Address: 2601:xxxxx:c182:7273:958b:e655:xxxx:b98c
Abuse Confidence Score: 0 (No known malicious activity)
ISP: Comcast Cable Communications, LLC
Country: United States
Devices Assigned
CPC-isbe5-L1BOV
  o Compliance Status: Compliant
  o Compliance Policies: Default Device Compliance Policy, Defender for Endpoint - Device Risk
  o Rare Processes Executed: None over the past 7 days
DESKTOP-VSA7FBL
  o Compliance Status: Noncompliant
  o Compliance Issues: Default Device Compliance Policy, Defender for Endpoint - Device Risk
Demo's MacBook Pro (2)
  o Compliance Status: Compliant
WoodgroveVM02
  o Compliance Status: Compliant
Verdict
Threat Hunting Required: Yes
Reasons:
High Blast Radius: The user has significant access and potential impact within the organization.
Compromised Credentials: The user's credentials have been compromised, posing a potential security risk.
Noncompliant Device: One of the user's devices (DESKTOP-VSA7FBL) is noncompliant with critical security policies.
Suggested Follow-Up Actions
Monitor User Activity: Continuously monitor the user's activities for any further anomalies or suspicious behavior.
Review and Remediate Noncompliant Device: Investigate and address the compliance issues on the device DESKTOP-VSA7FBL.
Credential Reset: Perform a credential reset for the user to mitigate the risk of compromised credentials.
Conditional Access Policies: Ensure that appropriate conditional access policies are in place to limit access from potentially risky locations or devices.
Security Awareness Training: Provide the user with security awareness training to prevent future credential compromises.
Conclusion
Together, Security Copilot and Microsoft Sentinel provide a comprehensive security solution that empowers organizations to stay ahead of identity-based attacks, among others. By combining the strengths of both platforms, you can achieve greater efficiencies in your security operations. Try it out and give us your feedback and recommendations for further improvement.
Additional resources
Microsoft Security Copilot | Microsoft Security
Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure
Microsoft Sentinel UEBA reference | Microsoft Learn
AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time
Advanced Dark Web Threat Intelligence Platform | Cybersixgill
Microsoft Digital Defense Report: 600 million cyberattacks per day around the globe
Leveraging ASIM-based KQL plugins in Microsoft Security Copilot for investigation scenarios
Microsoft Security Copilot enhances the capabilities of Microsoft Sentinel by providing an AI-driven assistant that can help interpret complex hunting query outputs in Log Analytics. One of the standout features of Security Copilot is its support for KQL-based custom plugins, which put the power of customization in customers' hands by allowing them to leverage new or existing hunting queries to bring additional context into Security Copilot sessions. ASIM-based queries further strengthen this value proposition by building detection logic on top of normalized, source-agnostic data.
Advanced Security Information Model (ASIM)
In the ever-evolving landscape of cybersecurity, the need for robust and adaptable security models is paramount. Microsoft Sentinel's Advanced Security Information Model (ASIM) is designed to address this need by providing a comprehensive framework for normalizing and analyzing security data across various sources.
Key Benefits of ASIM
Cross-Source Detection: ASIM enables the creation of analytics rules that work across multiple data sources, allowing for comprehensive threat detection. For example, it can detect brute force attacks across on-premises and cloud systems. In this scenario we are tapping into the Network Session schema, which brings together data from up to 16 distinct sources, such as Palo Alto, Cisco, Fortinet, Check Point and Zscaler among others.
Source-Agnostic Content: Content created using ASIM automatically applies to any source that supports the model, even if the source is added after the content is created. This makes the solution more durable: an enterprise can add more security solutions while continuing to use the same queries.
Simplified Querying: By using ASIM views in queries, users can ensure they are querying all relevant normalized information in a consistent and well-documented schema.
Support for custom logs: ASIM makes it possible to support custom logs in built-in content.
This means that an ASIM-based KQL plugin will support any source that you normalize, without the need to modify the plugin.
Leveraging Security Copilot with ASIM-based KQL custom plugins
One of the key benefits of ASIM is that it allows us to build detection or hunting queries that are source-agnostic. For example, by building a rule on the Network Session schema of ASIM, we can unify alerts from as many normalized sources as are present into just one rule, making the building, usage and maintenance of the rule much more efficient. In this scenario we are leveraging a rule based on the Network Session schema to investigate potential beaconing activity, ingest the filtered events into Security Copilot and correlate those events with additional 1st- and third-party data to help reach a verdict in an investigation. By using custom plugins, Security Copilot can automate the interpretation of complex investigation tasks by contributing AI insights across the process, leading to a quicker and better-reasoned conclusion, especially for less experienced analysts.
Sample ASIM query to detect network beaconing activity
In this instance the raw query output is relatively complex to decipher and requires the analyst to dig into the details of the output to reach a conclusion about what it indicates or why the results may point to suspicious activity.
Security Copilot to the rescue
When Security Copilot is brought into the picture it can quickly analyze the above output and present a verdict and an explanation that is easy and quick to comprehend. Let's see how. To conduct the investigation, we step through this promptbook while highlighting the prompts that collectively augment the analyst during the investigation:
1. As a first step, the threat analyst will want to retrieve the data from Sentinel to investigate its details. This can be in a threat hunting or incident investigation scenario:
2.
The second prompt returns the AI-generated verdict and explanation of the query output.
3. Device investigation: In this step we identify the source device using the ASIM query and investigate its posture and any relevant suspicious activity.
4. Finally, Security Copilot stitches together all the findings correlated from multiple sources and, following the summarization prompt, produces the output below:
Session Summary from final prompt
Investigation Summary
Network Beaconing Activity Detected: Potential network beaconing activity over the past 7 days.
Details: Regular communication between 172.31.44.214 and 40.78.253.213 with a frequent time delta of 60 seconds.
Beacon Percentages: High, often close to or at 100%.
MITRE Tactics and Techniques
Tactic: Command and Control
Techniques: T1071 - Application Layer Protocol; T1571 - Non-Standard Port
Destination IP Information
IP Address: 40.78.253.213
Organization: Microsoft Corporation
Location: Moses Lake, Washington, US
Potential Risks: Despite being associated with a reputable organization, the regular communication pattern suggests potential C2 activity.
Device Information
Device Name: EC2AMAZ-9MDSBS4
Operating System: Windows 10.0.20348.2031
Management State: Managed
Compliance State: Unknown
Manufacturer: Xen
Model: HVM domU
Device Registration State: Registered
Rare Processes Executed: No rare processes executed on the device over the past 7 days.
Opinion and Recommendations
Further Investigation Needed: Yes, further investigation is needed due to the following reasons:
Suspicious Network Activity: The regular and frequent communication pattern between the source and destination IPs is indicative of potential beaconing activity, which is a common sign of a compromised system communicating with a C2 server.
Unknown Compliance State: The compliance state of the device is unknown, which raises concerns about whether the device adheres to security policies and standards.
Areas to Focus On
Network Traffic Analysis: Conduct a deeper analysis of the network traffic to confirm the nature of the communication and identify any additional indicators of compromise.
Device Compliance Check: Verify the compliance state of the device and ensure it meets all security policies and standards.
Endpoint Security: Investigate the endpoint security measures in place on the device to detect and mitigate any potential threats.
These steps are crucial to ensure the security and integrity of the network and devices involved.
Tip
Even though the query behind the first prompt is hardcoded, the flexibility of AI allows us to ask ad hoc questions without altering the KQL query that retrieves the original records. For example, the initial prompt can be modified to meet slightly different retrieval criteria, as shown below:
Conclusion
In this scenario we see how Security Copilot addresses the challenge of tool fragmentation and Mean Time to Resolution by bringing together insights from multiple sources, cutting across 1st-party, 3rd-party and custom plugins, adding AI enrichment and providing a recommendation, all in a little over two and a half minutes. Try out the solution and let us have your feedback on how we can make it better.
Plugin manifests
The custom plugins used in this scenario can be found in our official GitHub repo under the following links. Feel free to reuse these plugins or adapt them to your specific requirements.
ASIM plugin
Rare process plugin
Additional resources
Normalization and the Advanced Security Information Model (ASIM) | Microsoft Learn
Kusto Query Language (KQL) plugins in Microsoft Security Copilot | Microsoft Learn
What's New: Introducing Microsoft Sentinel Network Session Essentials solution | Microsoft Community Hub
Microsoft Security Copilot in Microsoft Defender Threat Intelligence - Microsoft Defender | Microsoft Learn
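The scenario above refers to an ASIM beaconing query, but only its output survives on this page; the plugin's own query is in the linked repository. What follows is an added example of such a query and is not the plugin's code. It reads the normalized Network Session schema through the _Im_NetworkSession parser, so it applies to every source you have normalized without changes, computes the interval between consecutive sessions for each source/destination/port tuple, and reports tuples whose most common interval accounts for most of the traffic, which is the "beacon percentage" the summary talks about. The thresholds and the empty allow-list are assumptions to tune per environment.

```kql
// Added example (not the ASIM plugin's own query from the linked repository):
// a beaconing heuristic over the ASIM Network Session schema. Thresholds and the
// allow-list are assumptions to tune per environment.
let lookback = 7d;
let min_connections = 10;     // too few samples and periodicity is meaningless
let min_beacon_pct = 80.0;    // share of intervals that must equal the most common interval
let allowlist = dynamic([]);  // confirmed-benign destinations (update/telemetry endpoints)
// Source-agnostic read: the parser unifies every normalized Network Session source
let sessions = _Im_NetworkSession(starttime=ago(lookback), endtime=now())
    | where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr)
    // egress only; coalesce() keeps IPv6 rows, where ipv4_is_private() returns null
    | where coalesce(ipv4_is_private(DstIpAddr), false) == false
    | where DstIpAddr !in (allowlist)
    | project TimeGenerated, SrcIpAddr, DstIpAddr, DstPortNumber;
// Interval between consecutive sessions of the same (src, dst, port) tuple.
// order by serializes the rows, which prev() requires.
let intervals = sessions
    | order by SrcIpAddr asc, DstIpAddr asc, DstPortNumber asc, TimeGenerated asc
    | extend PrevTime = prev(TimeGenerated), PrevSrc = prev(SrcIpAddr),
             PrevDst = prev(DstIpAddr), PrevPort = prev(DstPortNumber)
    | where SrcIpAddr == PrevSrc and DstIpAddr == PrevDst and DstPortNumber == PrevPort
    | extend DeltaSec = datetime_diff('second', TimeGenerated, PrevTime)
    | where DeltaSec > 0;
intervals
// how often each distinct interval occurs per tuple ...
| summarize DeltaCount = count() by SrcIpAddr, DstIpAddr, DstPortNumber, DeltaSec
// ... then keep the dominant interval and its share of all intervals
| summarize TotalIntervals = sum(DeltaCount), arg_max(DeltaCount, DeltaSec)
      by SrcIpAddr, DstIpAddr, DstPortNumber
| extend BeaconPct = round(100.0 * DeltaCount / TotalIntervals, 1)
| where TotalIntervals >= min_connections and BeaconPct >= min_beacon_pct
| project SrcIpAddr, DstIpAddr, DstPortNumber, TotalIntervals,
          MostFrequentDeltaSec = DeltaSec, BeaconPct
| order by BeaconPct desc, TotalIntervals desc
```

Two caveats a practitioner will want before wiring this into a plugin. First, some sources emit aggregated sessions (EventCount greater than 1) rather than one record per connection, which flattens the timing signal, so check EventCount for each source you normalize. Second, legitimate update and telemetry endpoints are periodic by design and will score highly, exactly as the Microsoft-owned destination in the summary above did; populate allowlist from hits you have confirmed benign rather than lowering min_beacon_pct, which only hides real beacons with jitter.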
Use LogicApps and Copilot for Security to auto-process ISAC Emails
An Information Sharing and Analysis Center (ISAC) is an organization that provides a central resource for gathering information on cyber threats to critical infrastructure and plays a critical role in safeguarding industries from emerging threats. By bridging the gap between the private and public sectors, ISACs provide timely and actionable intelligence on vulnerabilities that impact critical infrastructure. However, manually processing ISAC threat bulletins can be overwhelming and slow, leaving security teams scrambling to respond in time. This document explores how leveraging automation through Logic Apps and Microsoft's Copilot for Security can streamline ISAC email processing, empowering organizations to respond to vulnerabilities faster and more effectively.