Microsoft Defender XDR Blog

Security Copilot: A game changer for modern SOC

chaitra_satish
Nov 19, 2024

Learn more about our recent innovations that significantly improve the efficiency and effectiveness of SOC teams.

In today's rapidly evolving threat landscape, Security Operations Centers (SOCs) face relentless pressure to swiftly and accurately detect, investigate, and respond to security incidents. As frontline defenders of an organization’s cybersecurity, security analysts need real-time, intelligent insights to speed up investigation and response. Microsoft Security Copilot equips security teams with generative AI-powered capabilities that streamline workflows, automate tasks, and upskill analysts, improving overall SOC efficiency. A recent study showed that customers could achieve a 30% reduction in MTTR for security incidents.

We are committed to continuously improving our products based on valuable customer feedback. By listening to our users and understanding their needs, we have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams.

AI-powered insights to accelerate investigation and response

When SOC analysts investigate and respond to incidents, Security Copilot offers a comprehensive description of the attack, affected systems, and event timelines, paired with clear, actionable steps for swift remediation and mitigation. Some of our recent innovations include:

  • Enhancement! The Microsoft Sentinel Incident Summary, available in the Copilot standalone experience, has been enhanced and now aligns with the Defender incident summaries, offering detailed, step-by-step descriptions of the attack. The summary includes key information such as the attack's start time, timelines, involved assets, indicators of compromise (IOCs), kill chain steps, and a direct link to the incident page. These improvements let you request a summary of a Microsoft Sentinel incident from either the standalone experience or the embedded experience in the unified security operations platform.

Figure 1: Microsoft Sentinel incident summary in standalone experience

  • Enhancement! Users can ask Copilot to list incidents in Defender and/or Microsoft Sentinel through a prompt in the standalone portal, filtering by assignment, classification, creation time, determination, last update time, severity, and status.

Figure 2: List of incidents

In addition, users can also retrieve a list of entities for a specified incident. 

Figure 3: List of entities for an incident

These enhancements allow analysts to efficiently retrieve incidents and entities on demand and apply additional filters for more targeted actions.

  • Enhancement! A recent enhancement to Guided Response enables security analysts to communicate easily with end users, a common SOC activity that is particularly helpful for incident triage. Copilot now dynamically generates text for analysts to use, describing the observed user activity under investigation. Analysts can contact the user directly via Teams using the Guided Response recommendation button or copy the generated text into their preferred communication tool.

Figure 4: Dynamically generated text for analysts to use

This allows for quick and efficient communication with end users, accelerating the incident investigation process and saving the analyst from the tedious task of crafting the message with all the necessary information about the incident.

  • New! During incident investigations, analysts commonly review details about the participating assets and entities. In addition to the already available Device Summary, the new Identity Summary provides a comprehensive overview of user identities, highlighting behavioral anomalies and potential misconfigurations. This feature is crucial for SOC analysts because it offers clear, contextual insights into identity-related activity, enabling quicker identification and resolution of security issues. By summarizing key information such as login locations, role changes, and authentication methods, the Identity Summary helps analysts understand the full scope of identity behaviors and risks.

Figure 5: Identity Summary

  • Enhancement! The script and file analysis features in Security Copilot simplify complex investigations by explaining in natural language what a script does and by streamlining the analysis of multiple executable files. With the new addition of the relevant MITRE ATT&CK techniques to the analysis, SOC analysts can quickly understand the tactics and techniques used by adversaries and respond faster and more accurately.

Figure 6: MITRE techniques used

  • Enhancement! The Security Copilot incident report compiles all response activities into a detailed report of the security incident. It covers what happened, the actions taken, by whom and when, and the reason for the classification. Initially, the incident report gathered its data from Defender and Microsoft Sentinel, including incident management actions such as status changes and assignments, comments from the activity log, actions and playbooks run on entities within the incident, and more. To further streamline report sharing and provide a more holistic view, the incident report now also integrates with the third-party case management system ServiceNow, so that investigation and remediation steps logged in ServiceNow tickets are included in the report. This integration requires the bidirectional connector between Microsoft Sentinel and ServiceNow to be installed.

Strengthen your security with improved Threat Intelligence content

Copilot's integration with Threat Intelligence gives security teams comprehensive information about threat actors, threat tooling, and the indicators of compromise (IOCs) related to vulnerabilities and incidents, drawing contextual threat intelligence directly from Microsoft Defender Threat Intelligence (Defender TI) so that teams can detect, analyze, and respond to threats more effectively. At Ignite, customers will see exciting enhancements to this experience, including:

  • New! Ten new MDTI indicator skills leverage the full corpus of raw and finished threat intelligence in MDTI to link any IOC to all related data and content. This provides critical context for attacks and enables advanced research and preemptive hunting, including threat infrastructure chaining and analysis, giving defenders a head start on adversaries.

Figure 7: Gain critical context with MDTI

  • Enhancement! Copilot can now leverage vulnerability and asset intelligence from Microsoft Defender External Attack Surface Management (MDEASM), Defender Vulnerability Management (MDVM), and Threat Analytics for a more complete view of vulnerabilities and a better understanding of how known threats covered in Microsoft threat intelligence affect the organization. This capability helps customers prioritize vulnerabilities and understand in depth how a given vulnerability affects the organization.

Figure 8: Overview of vulnerability

Improved Copilot sidecar with better user control

The recent updates to the Copilot side panel in the embedded experience provide more flexibility, allowing you to open or close Copilot based on your preference. This helps optimize screen space while investigating incidents or entities, using Advanced Hunting, or navigating the Threat Intelligence pages. Once you close the Copilot side panel in any of these scenarios, it will remember your preference and stay closed.

Figure 9: Close Copilot based on preference

You can reopen the Copilot panel anytime for AI-powered insights to aid your SOC workflows. Microsoft recommends keeping the Copilot panel open to ensure you are receiving real time insights to stay ahead of threats.

Figure 10: Reopen Copilot panel

Looking forward

Security Copilot is revolutionizing the way security teams operate by providing advanced AI-driven capabilities that not only enhance their efficiency and effectiveness but also empower them to stay ahead of threats and protect their organizations at the speed and scale of AI. Microsoft is committed to delivering industry-leading innovation with precise insights for faster and more effective threat detection and response. We are working closely with our customers to collect feedback and will continue to add more functionality. As always, we would love to hear your thoughts.

Resources

  • Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn
  • Microsoft Copilot for Security | Microsoft Security
  • Microsoft Copilot for Security - Pricing | Microsoft Azure
  • What’s new in Defender: How Copilot for Security can transform your SOC | Microsoft Community Hub
  • Operationalizing Microsoft Security Copilot to Reinvent SOC Productivity
  • What’s New at Ignite: Unified Threat Intelligence Experience in Copilot
