
Microsoft Defender Threat Intelligence Blog

New at Ignite: TI Guided Experience in Security Copilot

Mike_Browning
Nov 19, 2024

The Security Copilot team is consistently improving the threat intelligence (TI) experience for customers. At Microsoft Ignite 2024, we're thrilled to unveil two out-of-the-box promptbooks that create guided experiences for cyberthreat intelligence and SOC analysts investigating and responding to threats affecting their organization, simplifying complex workflows and making difficult, repetitive tasks easier for all experience levels.

Below, we’ll cover each of these promptbooks in more detail: 

'Threat Intelligence 360' report on MDTI article

With Security Copilot able to tap into powerful threat intelligence from more sources, customers get a much more holistic view of threats, better understand how they impact the organization, and receive more recommendations and guidance to respond faster and more effectively. This promptbook shows customers the full impact a threat covered in a Microsoft Defender Threat Intelligence article has on their organization, to streamline and accelerate response.

These prompts help map content from the article back to CVE and vulnerability data related to their organization's attack surface, surface related incidents, and provide recommendations for remediation. Below, we'll examine what an analyst sees when they run the 'Threat Intelligence 360 Report' promptbook for the MDTI article "Attack Abuses Victim Resources to Reap Rewards from Titan Network."

The first step of the promptbook pulls up all indicators of compromise (IoCs) added to the article by Microsoft researchers. Below, you can see the prompt return a list of IoCs that includes two IP addresses and several URLs: 

 

Copilot extracts the IoCs from the MDTI article.

The next step of the promptbook asks Security Copilot to create a KQL query to hunt across the organization's network for activity related to the indicators from the article. In the example below, Security Copilot created a query for the IPv4 indicators it had extracted from the article in the previous step. The promptbook will create KQL queries for every indicator type and return all relevant intelligence.

 

KQL query to hunt for malicious domains referenced in the article on the network.

The promptbook will then search for Defender incidents related to the article. In this example, it returns four incidents that contain indicators or tactics, techniques, and procedures (TTPs) covered in the article. Grouping the incidents by activity makes them easy to reference for incident responders and provides important context and a clear path forward for cyberthreat intel analysts' investigation.

 

Related incidents involving the IoCs and TTPs covered in the MDTI article

Finally, the promptbook shows the analyst details of the CVEs listed in the article and their impact on the organization by listing the organization's vulnerable assets and resources, to help them understand how their attack surface is exposed and the steps they need to take to address and remediate the vulnerabilities:

 

List of impacted assets from Threat Analytics.

Overall, this information rapidly summarizes a threat analyzed in a threat intelligence article so analysts can quickly and efficiently understand the nuances of the threat and its impact on the organization.

Impact of external article

 

This promptbook shows analysts the impact on their organization of an external threat intelligence article from a third-party source (one not found in Microsoft products). The promptbook extracts indicators from the article and checks them against all of Microsoft's intelligence to show all relevant information and the impact on the organization.

Below, the analyst deploys this promptbook to better understand a threat intelligence article from a third-party source about the latest campaigns leveraging the 'Silent Skimmer':

 

IoCs extracted from third-party article

Next, the promptbook takes the indicators extracted from the article and queries Microsoft's compendium of threat intelligence to show all related content and data, giving analysts a broader understanding of the threat activity. Below, the promptbook checks each IoC's reputation against Microsoft Threat Intelligence. The analyst can see that several of the indicators from the article are known to Microsoft as malicious and are associated with several Microsoft threat intelligence articles in MDTI:

 

Microsoft reputation scoring for each third-party IoC

After uncovering related intelligence, the promptbook asks Security Copilot to create KQL queries to automatically hunt across the network for the malicious indicators from the article, as well as the ones newly surfaced in Microsoft threat intelligence. In the example below, it's searching for the file hashes listed in the article:

 

KQL query automatically generated by the promptbook to hunt across the network for threat activity covered in the article
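The two hunting steps described above (IPv4 indicators from the MDTI article, file hashes from the third-party article) both reduce to the same workflow: extract indicators from article text, group them by type, and emit one advanced hunting query per type. The script below is an added example of that workflow written for this post; it is not the promptbook's or Security Copilot's code. The article text is constructed, the indicator values are placeholders, and the choice of which advanced hunting table and column to query per indicator type (`DeviceNetworkEvents.RemoteIP`, `DeviceNetworkEvents.RemoteUrl`, `DeviceFileEvents.SHA256`) is this example's assumption about how a defender would map them, not something the post specifies. It also handles two details a practitioner will hit immediately: defanged indicators (`hxxp://`, `[.]`) that must be refanged before they will match telemetry, and RFC 1918 or loopback addresses in an article that should not be hunted blindly across an enterprise network.

```python
import ipaddress
import re

# Constructed sample text in the style of a threat intelligence article.
# Every indicator here is a placeholder made up for this example; none come
# from the MDTI or third-party articles the post describes.
SAMPLE_ARTICLE = """
The actor staged payloads on hxxp://cdn-update[.]example[.]net/loader.bin
and beaconed to 203.0.113.45 and 198[.]51[.]100[.]7 over port 443.
Dropped file SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Internal test host 10.0.0.5 was used by the researchers.
"""

# Regexes for the indicator types the promptbooks hunt for.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Advanced hunting table, column and KQL operator per indicator type.
# The table/column names exist in Microsoft Defender XDR advanced hunting;
# the mapping itself is this example's assumption, not the promptbook's.
KQL_TARGETS = {
    "ipv4": ("DeviceNetworkEvents", "RemoteIP", "in"),
    "domain": ("DeviceNetworkEvents", "RemoteUrl", "has_any"),
    "sha256": ("DeviceFileEvents", "SHA256", "in~"),
}

# Address ranges that belong to the reader's own network or the loopback;
# hunting for these produces noise rather than signal.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# File extensions that would otherwise be picked up by the domain regex
# (e.g. "loader.bin" in the sample text).
FILE_EXTENSIONS = {"bin", "exe", "dll", "zip", "txt", "ps1", "js", "vbs"}


def refang(text: str) -> str:
    """Undo common defanging so indicators match the raw form seen in telemetry."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"(?i)hxxp", "http", text)


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return de-duplicated indicators grouped by type, in order of first appearance."""
    text = refang(text)
    found: dict[str, list[str]] = {kind: [] for kind in IOC_PATTERNS}
    for kind, pattern in IOC_PATTERNS.items():
        for match in pattern.findall(text):
            value = match.lower()
            if kind == "ipv4":
                try:
                    ip = ipaddress.ip_address(value)
                except ValueError:  # e.g. an octet above 255
                    continue
                if any(ip in net for net in INTERNAL_NETS):
                    continue
            if kind == "domain" and value.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
                continue
            if value not in found[kind]:
                found[kind].append(value)
    return found


def build_kql(kind: str, values: list[str], lookback: str = "30d") -> str:
    """Emit one advanced hunting query for all indicators of a given type."""
    table, column, operator = KQL_TARGETS[kind]
    quoted = ", ".join(f'"{v}"' for v in values)
    return (
        f"{table}\n"
        f"| where Timestamp > ago({lookback})\n"
        f"| where {column} {operator} ({quoted})\n"
        f"| summarize Hits = count(), FirstSeen = min(Timestamp), "
        f"LastSeen = max(Timestamp) by DeviceName, {column}\n"
        f"| order by Hits desc"
    )


def hunting_queries(article_text: str) -> dict[str, str]:
    """Map each indicator type that appeared in the article to its hunting query."""
    iocs = extract_iocs(article_text)
    return {kind: build_kql(kind, vals) for kind, vals in iocs.items() if vals}


if __name__ == "__main__":
    for kind, query in hunting_queries(SAMPLE_ARTICLE).items():
        print(f"-- {kind}\n{query}\n")
```

Running the script prints three queries, one each for the IPv4, SHA256 and domain indicators in the sample, with the internal `10.0.0.5` host and the `loader.bin` file name filtered out. Each query groups hits by device so the result reads as an impacted-asset list rather than raw events; in a real investigation the same queries would be extended with the additional indicators surfaced from Microsoft threat intelligence, as the promptbook does.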

Finally, the promptbook asks Security Copilot to create a table showing any reference in Microsoft threat intelligence to the indicators mentioned in the article, as well as any devices in the customer organization that are affected by the CVEs listed in the article, based on Threat Analytics data:

 

Query automatically generated to show the impact of this third-party article on the organization from data in Threat Analytics and MDVM.

These powerful new promptbooks will create guided experiences for a variety of personas, simplifying complex workflows and making difficult, repetitive tasks easier to do.  

Conclusion 

Microsoft delivers leading threat intelligence built on visibility across the global threat landscape, made possible by protecting Azure and other large cloud environments, managing billions of endpoints and emails, and maintaining a continuously updated graph of the internet. By processing an astonishing 78 trillion security signals daily, Microsoft can deliver threat intelligence in Copilot for Security that provides an all-encompassing view of attack vectors across various platforms, ensuring customers have comprehensive threat detection and remediation.

If you are interested in learning more about MDTI and how it can help you unmask and neutralize modern adversaries and cyberthreats such as ransomware, and in exploring the features and benefits of MDTI, please visit the MDTI product web page. To learn more about Security Copilot, visit the Tech Community page here.

Learn more about Microsoft Security Copilot in Microsoft Defender Threat Intelligence here.

Learn more about other Microsoft threat intelligence innovations launching at Ignite here.

Also, be sure to contact our sales team to request a demo or a quote. Learn how you can begin using MDTI with the purchase of just one Security Copilot SCU here. 

Updated Nov 22, 2024
Version 4.0