Identity forensics with Copilot for Security Identity Analyst Plugin
by info.odysseyx@gmail.com, October 24, 2024

This is a step-by-step walkthrough of how to use custom KQL Copilot for Security plugins for identity SOC and forensics use cases, and how they can help you apply consistent security policies to all identities (employees, frontline workers, customers and partners, as well as apps, devices and workloads) across multi-cloud and hybrid environments.

Use case summary

Monitor and manage identities with the custom Identity Analyst plugin for Copilot for Security:

- User risk assessment: monitor user risk levels based on activity. This may include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior.
- Sign-in monitoring: track user sign-in activity, including successful sign-ins, failed attempts, and the location and device used. Unusual sign-in activity can be a sign of a security threat.
- Administrator activity monitoring: administrator accounts have a high level of access and are prime targets for attackers. Monitor administrator activity, especially changes to security settings, user permissions, or access controls.
- Application usage monitoring: monitor application usage within your organization. Unusual application activity, such as a high number of downloads or increased usage outside of regular business hours, may indicate a security issue.
- Privileged Identity Management (PIM) monitoring: monitor the lifecycle of privileged identities within your organization, including the creation, modification, and deletion of privileged accounts.
- Access review: regularly review user access to resources within your organization. This reduces the risk of insider threats by ensuring users have access only to the resources they need for their work.
This guide provides high-level steps to get started with the new plugin. Let's start by adding a custom plugin. We recommend that organizations first test it in a development environment.

Installation

To obtain and install the custom Identity Analyst plugin for Copilot for Security:

1. Go to securitycopilot.microsoft.com.
2. Download the IdentitySecurityAnalyst.yml file (the download link is in the original post).
3. Select the plugin icon in the bottom left corner.
4. Under Custom, select Upload plugin.
5. Select the Copilot for Security plugin type and upload the IdentitySecurityAnalyst.yml file.
6. Click Add.
7. The plugin now appears under Custom. Make sure it is enabled.

The custom package contains the prompts (skills) described below. Let's walk through the use cases that leverage Copilot for Security capabilities.

User risk assessment

Get a user's risk level based on activity. This may include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior. Copilot for Security surfaces the relevant skill in the prompt bar, so you can call the plugin directly or type '/IdentityGetUserRiskAssesment'. (Sample results are shown as a screenshot in the original post.)

User sign-in activity

Get user sign-in activity, including successful sign-ins, failed attempts, and the location and device used. Unusual sign-in activity can be a sign of a security threat. Copilot for Security surfaces the relevant skill in the prompt bar, so you can call the plugin directly, type '/IdentityGetSignInMonitoring', or prompt 'Get user sign-in activity using Identity analysis plugin'.

Monitor administrator activity

Get admin activity monitoring logs. Administrator accounts have a high level of access and are prime targets for attackers. Monitor all administrator activity, especially changes to security settings, user permissions, or access controls.
Copilot for Security surfaces this skill in the prompt bar, so you can call the plugin directly, type '/IdentityGetAdminActivityMonitoring', or prompt 'Get Admin Activity Monitoring using the Identity Analysis plugin'.

Monitor application usage

Get application usage monitoring logs to monitor application usage within your organization. Unusual application activity, such as a high number of downloads or increased usage outside of regular business hours, may indicate a security issue. Copilot for Security surfaces this skill in the prompt bar, so you can call the plugin directly, type '/IdentityGetApplicationUsageMonitoring', or prompt 'Get application usage monitoring using the Identity analysis plugin'.

Privileged Identity Management (PIM) monitoring

Pull Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization, including the creation, modification, and deletion of privileged accounts. Copilot for Security surfaces this skill in the prompt bar, so you can call the plugin directly, type '/IdentityPIMMonitoring', or prompt 'Get Privileged Identity Management Monitoring using Identity Analysis Plugin'.

Access review monitoring

Pull access review logs to regularly review user access to resources within your organization. This reduces the risk of insider threats by ensuring users have access only to the resources they need for their work. Copilot for Security surfaces this skill in the prompt bar, so you can call the plugin directly, type '/IdentityAccessReviewMonitoring', or prompt 'Get Access Review Monitoring using Identity Analysis plugin'.

Conclusion

This plugin is based on KQL, which provides a relatively simple and scalable way to reuse the existing repository of proven KQL queries within the Microsoft security ecosystem. Because each skill is a KQL query, it runs against the data source configured in the manifest (for example a Microsoft Sentinel workspace or Defender XDR) with the permissions of the analyst issuing the prompt, so that analyst needs read access to the target, and the identity tables the skills query (such as Microsoft Entra sign-in and audit logs) must be ingested there.
One suggestion: customize the KQL plugin YML file so that the time range is defined as an input parameter to Copilot for Security rather than a hard-coded value inside each query (the original post shows this as a screenshot). You can then use KQL as a foundation to bring AI enrichment to the security data that already exists in your Microsoft identity environment.

Learn more about Microsoft Copilot for Security custom KQL plugins: https://learn.microsoft.com/en-us/copilot/security/plugin-kql

Give it a try and give us your feedback so we can continue to improve our products.
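The following manifest is an added example written for this walkthrough; it is not the IdentitySecurityAnalyst.yml distributed with the post. It shows two of the skills discussed above (sign-in monitoring and admin activity monitoring) with the lookback window exposed as a TimeRange input instead of a hard-coded ago(7d). The Descriptor/SkillGroups/Inputs/Settings/Template layout, the {{InputName}} placeholder syntax and the Sentinel target fields are assumed to match the Copilot for Security KQL plugin documentation; DefaultValue on an input is assumed to be supported; the skill names, input names, angle-bracket IDs and the UPN in the description are illustrative placeholders.

```yaml
# Added example manifest (not the IdentitySecurityAnalyst.yml from the post).
# Assumptions: the Descriptor / SkillGroups / Inputs / Settings / Template layout,
# the {{InputName}} placeholder syntax and the Sentinel target fields follow the
# Copilot for Security KQL plugin documentation; DefaultValue on an input is
# assumed to be supported (make the input Required if your tenant rejects it).
# Skill names, inputs and the angle-bracket IDs are illustrative placeholders.
Descriptor:
  Name: IdentityAnalystExample
  DisplayName: Identity Analyst (example)
  Description: Identity forensics skills over Microsoft Entra sign-in and audit logs in a Sentinel workspace.

SkillGroups:
  - Format: KQL
    Skills:
      - Name: IdentityGetSignInMonitoring
        DisplayName: Get sign-in monitoring for a user
        Description: >-
          Successful and failed sign-ins for one user, grouped by source IP,
          with the countries and applications seen, over a caller-chosen window.
        Inputs:
          # The window used to be written into the query as ago(7d); exposing it
          # as an input lets the analyst ask for "last 24h" or "last 30d" without
          # editing the manifest. Inputs are substituted into the query text, so
          # spell out the expected KQL timespan format in the Description so the
          # model fills in a value that ago() accepts.
          - Name: TimeRange
            Description: Lookback window as a KQL timespan literal, e.g. 24h, 7d or 30d
            Required: false
            DefaultValue: 7d
          - Name: UserPrincipalName
            Description: UPN of the account to inspect, e.g. alice@contoso.com
            Required: true
        Settings:
          Target: Sentinel
          TenantId: "<tenant-id>"
          SubscriptionId: "<subscription-id>"
          ResourceGroupName: "<resource-group>"
          WorkspaceName: "<log-analytics-workspace>"
          Template: |-
            SigninLogs
            | where TimeGenerated > ago({{TimeRange}})
            | where UserPrincipalName =~ "{{UserPrincipalName}}"
            | summarize Attempts = count(),
                        Failures = countif(ResultType != "0"),
                        FirstSeen = min(TimeGenerated),
                        LastSeen = max(TimeGenerated),
                        Countries = make_set(tostring(LocationDetails.countryOrRegion)),
                        Apps = make_set(AppDisplayName)
                      by UserPrincipalName, IPAddress
            | order by Failures desc, Attempts desc

      - Name: IdentityGetAdminActivityMonitoring
        DisplayName: Get admin activity monitoring
        Description: >-
          Directory audit events that change roles, policies or users, with the
          actor and target, over the same caller-chosen window.
        Inputs:
          - Name: TimeRange
            Description: Lookback window as a KQL timespan literal, e.g. 24h, 7d or 30d
            Required: false
            DefaultValue: 7d
        Settings:
          Target: Sentinel
          TenantId: "<tenant-id>"
          SubscriptionId: "<subscription-id>"
          ResourceGroupName: "<resource-group>"
          WorkspaceName: "<log-analytics-workspace>"
          Template: |-
            AuditLogs
            | where TimeGenerated > ago({{TimeRange}})
            | where Category in ("RoleManagement", "Policy", "UserManagement")
            // Actor is a user for interactive changes and an app for automation.
            | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                                      tostring(InitiatedBy.app.displayName))
            | extend Target = tostring(TargetResources[0].userPrincipalName),
                     TargetType = tostring(TargetResources[0].type)
            | project TimeGenerated, OperationName, Category, Result, Actor, Target, TargetType
            | order by TimeGenerated desc
```

After uploading this manifest in place of the fixed-window version, a prompt such as "Get sign-in monitoring for alice@contoso.com over the last 24h using the Identity Analyst plugin" lets the model fill TimeRange with 24h, while a prompt that names no window falls back to the 7d default. Keeping the same TimeRange input on every skill means the analyst can pivot from a user's sign-ins to the admin changes in the same window without restating it.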