Identity forensics with Copilot for Security Identity Analyst Plugin
by info.odysseyx@gmail.com, October 24, 2024

This is a step-by-step guided walkthrough on how to use a custom KQL Copilot for Security plugin. It describes identity SOC and forensics use cases and how they can help you implement consistent security policies for all users (employees, frontline workers, customers, and partners) as well as apps, devices, and workloads across multi-cloud and hybrid environments.

Use case summary

Monitor and manage identities using the Copilot for Security custom Identity Analyst plugin:

User Risk Assessment: Monitor user risk levels based on activity. This may include login attempts from unfamiliar locations, repeated failed login attempts, or other suspicious behavior.

Login Monitoring: Track user login activity. This includes successful logins, failed attempts, and the location and device used to log in. Unusual login activity may be a sign of a potential security threat.

Monitor administrator activity: Administrator accounts have a high level of access and can be prime targets for attackers. Monitor administrator activity, especially activities related to changes to security settings, user permissions, or access controls.

Monitor application usage: Monitor application usage within your organization. Unusual application activity, such as a high number of downloads or increased usage outside of regular business hours, may indicate a potential security issue.

Privileged Identity Management: Monitor the lifecycle of privileged identities within your organization. This includes creating, modifying, and deleting privileged accounts.

Access review: Regularly review user access to various resources within your organization. This helps reduce the risk of insider threats by ensuring users have access to only the resources they need for their work.

This guide provides high-level steps to get started using the new tool. Let's start by adding a custom plugin. We recommend that organizations first test this in a development environment.

Installation

To obtain and install the custom Identity Analyst plugin for Copilot for Security, follow these steps:

1. Go to securitycopilot.microsoft.com.
2. Download the IdentitySecurityAnalyst.yml file from: here.
3. Select the plugin icon in the bottom left corner.
4. Select Upload plugin under Custom upload.
5. Select the Copilot for Security plugin and upload the IdentitySecurityAnalyst.yml file.
6. Click Add.
7. You will now see the plugin under Customization. Make sure it is enabled.

The custom package contains the following prompts:

Let's get started with the use cases that leverage Copilot for Security capabilities.

User risk assessment

Get the user risk level based on activity. This may include login attempts from unfamiliar locations, repeated failed login attempts, or other suspicious behavior.

Copilot for Security surfaces the relevant skill in the prompt system function, allowing you to call the plugin directly or type '/IdentityGetUserRiskAssesment' as shown below. Sample results are as follows:

User login activity

Get user login activity. This includes successful logins, failed attempts, and the location and device used to log in. Unusual login activity may be a sign of a potential security threat.

Copilot for Security surfaces the relevant skill in the prompt system function, allowing you to call the plugin directly, type '/IdentityGetSignInMonitoring', or prompt 'Get user sign-in activity using Identity analysis plugin'.

Monitor administrator activity

Get admin activity monitoring logs. Administrator accounts have a high level of access and can be prime targets for attackers. Monitor all administrator activities, especially those related to changes to security settings, user permissions, or access controls.

Copilot for Security surfaces that skill in the prompt system function, allowing you to call the plugin directly, type '/IdentityGetAdminActivityMonitoring', or prompt 'Get Admin Activity Monitoring using the Identity Analysis plugin'.

Monitor application usage

Get application usage monitoring logs to monitor application usage within your organization. Unusual application activity, such as a high number of downloads or increased usage outside of regular business hours, may indicate a potential security issue.

Copilot for Security surfaces that skill in the prompt system function, allowing you to call the plugin directly, type '/IdentityGetApplicationUsageMonitoring', or prompt 'Get application usage monitoring using the Identity analysis plugin'.

Privileged Identity Management (PIM) monitoring

Pull Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. This includes creating, modifying, and deleting privileged accounts.

Copilot for Security surfaces that skill in the prompt system function, allowing you to call the plugin directly or prompt for it by typing '/IdentityPIMMonitoring' or 'Get Privileged Identity Management Monitoring using Identity Analysis Plugin'.

Access review monitoring

Pull access review logs to regularly review user access to various resources within your organization. This helps reduce the risk of insider threats by ensuring users have access to only the resources they need for their work.

Copilot for Security surfaces that skill in the prompt system function, allowing you to call the plugin directly, type '/IdentityAccessReviewMonitoring', or prompt 'Get Access Review Monitoring using Identity Analysis plugin'.

Conclusion

This plugin is based on KQL, providing a relatively simple and scalable way to leverage the existing repository of proven KQL queries within the Microsoft security ecosystem.

One suggestion is to customize the custom KQL plugin YML file so that the time range is defined like this: it is then passed to Copilot for Security as an input parameter instead of a specific hard-coded value. You can then use KQL as a foundation to bring AI enrichment to the security data that already exists within your Microsoft identity environment.

Learn more about the Microsoft Copilot for Security custom plugin: https://learn.microsoft.com/en-us/copilot/security/plugin-kql.

Give it a try and give us your feedback so we can continue to improve our products for your benefit.
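As an added illustration of the time-range suggestion above, the following manifest is an example written for this walkthrough; it is not the IdentitySecurityAnalyst.yml distributed with the post, and the skill names (IdentityGetRiskySignIns, IdentityGetAdminDirectoryChanges), the input name lookbackDays and the workspace placeholder values are assumptions. The manifest keys follow the Copilot for Security KQL plugin schema as documented at the link above (Descriptor, Settings, SkillGroups with Format: KQL, Inputs, and a Settings.Template that targets a Microsoft Sentinel workspace). Each skill takes the lookback window as an optional numeric input that Copilot substitutes into ago(), so the analyst can ask for "the last 3 days" or "the last 30 days" without a second copy of the query.

```yaml
# Added example manifest for this walkthrough (not the plugin shipped with the post).
# Skill names, input names and the workspace identifiers below are assumptions/placeholders.
Descriptor:
  Name: IdentityAnalystTimeRangeExample
  DisplayName: Identity Analyst (time range example)
  Description: Identity skills that take the lookback window as an input instead of hard-coding it.
  SupportedAuthTypes:
    - None
  Settings:
    - Name: TenantId
      Label: Tenant ID
      Description: Microsoft Entra tenant ID that owns the Sentinel workspace.
      HintText: 00000000-0000-0000-0000-000000000000   # placeholder, supplied at upload time
      SettingType: String
      Required: true
    - Name: SubscriptionId
      Label: Subscription ID
      Description: Azure subscription that contains the Sentinel workspace.
      HintText: 00000000-0000-0000-0000-000000000000   # placeholder
      SettingType: String
      Required: true
    - Name: ResourceGroupName
      Label: Resource group
      Description: Resource group of the Sentinel workspace.
      HintText: rg-sentinel-example   # placeholder
      SettingType: String
      Required: true
    - Name: WorkspaceName
      Label: Workspace name
      Description: Log Analytics workspace backing Sentinel.
      HintText: law-sentinel-example   # placeholder
      SettingType: String
      Required: true

SkillGroups:
  - Format: KQL
    Skills:
      # Use case: user risk assessment, over a caller-chosen window.
      - Name: IdentityGetRiskySignIns
        DisplayName: Get risky sign-ins over a time range
        Description: Lists Entra ID sign-ins flagged medium or high risk in the last N days, grouped by user.
        Inputs:
          - Name: lookbackDays
            Description: Whole number of days to look back (for example 7 or 30). Defaults to 7.
            Required: false
            DefaultValue: 7
        Settings:
          Target: Sentinel
          TenantId: "{{TenantId}}"
          SubscriptionId: "{{SubscriptionId}}"
          ResourceGroupName: "{{ResourceGroupName}}"
          WorkspaceName: "{{WorkspaceName}}"
          # {{lookbackDays}} is substituted as text, so 7 becomes ago(7d).
          Template: |-
            SigninLogs
            | where TimeGenerated > ago({{lookbackDays}}d)
            | where RiskLevelDuringSignIn in ("medium", "high")
            | summarize RiskySignIns = count(),
                        FailedSignIns = countif(ResultType != "0"),
                        Locations = make_set(Location, 10),
                        LastSeen = max(TimeGenerated)
                      by UserPrincipalName
            | order by RiskySignIns desc

      # Use case: administrator activity monitoring, same window parameter.
      - Name: IdentityGetAdminDirectoryChanges
        DisplayName: Get admin directory changes over a time range
        Description: Lists Entra ID audit events for role, user and policy changes in the last N days.
        Inputs:
          - Name: lookbackDays
            Description: Whole number of days to look back. Defaults to 7.
            Required: false
            DefaultValue: 7
        Settings:
          Target: Sentinel
          TenantId: "{{TenantId}}"
          SubscriptionId: "{{SubscriptionId}}"
          ResourceGroupName: "{{ResourceGroupName}}"
          WorkspaceName: "{{WorkspaceName}}"
          Template: |-
            AuditLogs
            | where TimeGenerated > ago({{lookbackDays}}d)
            | where Category in ("RoleManagement", "UserManagement", "Policy")
            | extend Actor = tostring(InitiatedBy.user.userPrincipalName),
                     TargetObject = tostring(TargetResources[0].displayName)
            | project TimeGenerated, Category, OperationName, Result, Actor, TargetObject
            | order by TimeGenerated desc
```

Two design points are worth keeping when you adapt your own YML this way. First, input values are spliced into the template as text before the query runs, so a narrowly described numeric input such as a day count is a better parameter than free-form text; keep the query logic itself in the template and let the input control only the window. Second, because the output reaches an analyst through Copilot rather than a dashboard, summarize to a small number of rows with stable column names (user, counts, last seen), which gives the model less to paraphrase and makes the result easier to verify against the underlying Sentinel query.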