In today's digital landscape, identity-based attacks continue to be a major concern for organizations worldwide. According to Microsoft’s 2024 Digital Defense Report, identity and social engineering attacks have continued to rise, accounting for a substantial portion of all cyberattacks. These attacks have not only increased in frequency but have also become more sophisticated, leveraging advanced techniques to bypass traditional security measures. This underscores the urgent need for robust security measures that can effectively detect and mitigate these threats.
Enter Microsoft Sentinel and Security Copilot, a powerful duo that brings great value to your security operations. Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) capabilities are designed to distill anomalies from vast amounts of raw data, providing clear and actionable insights. By leveraging advanced machine learning algorithms, Sentinel UEBA can identify unusual patterns and behaviors that may indicate potential security threats, allowing for proactive threat detection and response.
Security Copilot, for its part, builds on this capability by analyzing the inputs from Sentinel UEBA and helping the analyst prioritize investigation or hunting efforts, giving investigators and threat hunters a head start. This streamlines the investigation process and enables security teams to identify potential threats proactively and quickly.
In this blog we will showcase how Microsoft Sentinel UEBA can narrow down a set of anomalies associated with high blast radius users, and how Security Copilot speeds up the investigation process by offering AI-enriched insights and recommendations through a Security Copilot Promptbook. This Promptbook brings together insights from first-party (built-in Microsoft) plugins, third-party plugins from ISVs, and custom plugins that leverage the extensibility of the Security Copilot platform. The Microsoft Sentinel UEBA data is brought into the Security Copilot session via a custom KQL plugin.
Summary of requirements

| # | Artefact | Link |
|---|----------|------|
| 1 | High Blast Radius User investigation custom plugin | |
| 2 | AbuseIPDB plugin | |
| 3 | Microsoft Intune | Microsoft Copilot in Intune features overview (Microsoft Learn) |
| 4 | Cybersixgill Threat Intelligence | Cybersixgill and Microsoft Security Copilot (Microsoft Learn) |
| 5 | Rare process running as a service detection | |
| 6 | Promptbook | |
Below is a snapshot of the promptbook we shall step through and call out the highlights:
Figure 1: Promptbook showing all the plugins it relies on and all the prompts it contains
The first prompt makes the connection between Security Copilot and Sentinel by executing a custom KQL plugin that identifies high blast radius users. Sentinel UEBA computes blast radius from the user's relative position within Entra ID and the Azure roles assigned to the user: the higher the user is in the organization and the more impactful their Azure permissions are, the higher the blast radius. In this run, Copilot has come back with 17 users who fit the description of "high blast radius" users; however, we want to narrow this down to the particular user we should prioritize.
Figure 2: Promptbook output of the first prompt in the promptbook
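The post does not show the query behind the custom plugin, so the following KQL is an added example of the kind of query such a plugin could run against the Sentinel workspace: it takes the latest UEBA identity snapshot for users whose blast radius is High and ranks them by their recent anomalies and investigation priority. It assumes UEBA is enabled so that the `IdentityInfo` and `BehaviorAnalytics` tables are populated, and that the `BlastRadius` enrichment uses the value `High`; the lookback windows are arbitrary choices.

```kql
// Added example (not the plugin from the post): candidate list of high blast
// radius users, ordered so the analyst sees the most pressing identity first.
let anomalyLookback = 14d;
let identityLookback = 30d;
// Latest UEBA identity snapshot per UPN; keep only users whose blast radius
// (position in the Entra ID tree plus assigned Azure roles) is High.
let highBlastRadiusUsers =
    IdentityInfo
    | where TimeGenerated > ago(identityLookback)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where BlastRadius == "High"
    | project AccountUPN = tolower(AccountUPN), AccountDisplayName,
              AssignedRoles, GroupMembership, RiskState;
// UEBA anomalies for those users in the recent window. InvestigationPriority
// of 0 means UEBA found nothing unusual about the event, so it is dropped.
BehaviorAnalytics
| where TimeGenerated > ago(anomalyLookback)
| where InvestigationPriority > 0
| extend AccountUPN = tolower(UserPrincipalName)  // normalize case before the join
| summarize
    Anomalies = count(),
    MaxPriority = max(InvestigationPriority),
    FirstAnomaly = min(TimeGenerated),
    LastAnomaly = max(TimeGenerated),
    SourceIPs = make_set(SourceIPAddress, 10),
    Activities = make_set(ActivityType, 10)
    by AccountUPN
| join kind=inner highBlastRadiusUsers on AccountUPN
| project AccountUPN, AccountDisplayName, RiskState, AssignedRoles,
          GroupMembership, Anomalies, MaxPriority, FirstAnomaly, LastAnomaly,
          SourceIPs, Activities
| order by MaxPriority desc, Anomalies desc
```

Users with no anomalies in the window are intentionally excluded by the inner join; switch to `kind=rightouter` if the full high blast radius population is wanted, as in the post's first prompt.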
- Once this information is brought into the Security Copilot session, we can apply the power of AI over it and glean insights that help us quickly prioritize which identity to focus on, with useful guidance along the way. The output below is the response to the second prompt, which tasks Security Copilot with analyzing all the users returned by the first prompt as high blast radius users and going a step further to identify which specific one we should prioritize:
Figure 3: Output of the second prompt
- The third prompt gathers reputation information about the IP address used for the anomalous activities, the fourth examines the user's device, and the fifth extends the investigation beyond the Entra ID tenant into the deep and dark web using the Cybersixgill (a Bitsight company) plugin, for a comprehensive view of the threat exposure landscape.
Figure 4: Output from the execution of the prompt against the Cybersixgill plugin
Note: this is a simulated breach for demo purposes, not an actual one.
- The sixth prompt reaches into Intune to obtain the compliance state of the device, while the seventh uses data from Microsoft Defender XDR to check for any unusual processes that may have been executed on the device; both provide additional context needed to paint a holistic picture of the gravity of the incident.
- The final prompt brings it all together by summarizing the investigation, suggesting a verdict, recommending follow-up actions and providing an explanation of Copilot’s reasoning for both. Below is the final output from this Promptbook’s run:
Jan 6, 3:39 PM
Investigation Summary
User: Ismat Bekarevich (OPS)
- User Principal Name: isbe54@woodgrove.ms
- Blast Radius: High
- Recent Anomalous Activity: Logon from IP address 2601:xxxxx:7273:958b:e655:xxxx:b98c (City, United States)
- Group Memberships: AWS Admins, On-prem Admins, Azure ATP contosodemos2 Viewers, AAD DC Administrators
- Assigned Roles: Global Administrator
- Risk State: Remediated
- Credentials Compromised: Yes (Breach Date: 2024-11-26, Source: telegram)
IP Address: 2601:xxxxx:c182:7273:958b:e655:xxxx:b98c
- Abuse Confidence Score: 0 (No known malicious activity)
- ISP: Comcast Cable Communications, LLC
- Country: United States
Devices Assigned
- CPC-isbe5-L1BOV
  - Compliance Status: Compliant
  - Compliance Policies: Default Device Compliance Policy, Defender for Endpoint - Device Risk
  - Rare Processes Executed: None over the past 7 days
- DESKTOP-VSA7FBL
  - Compliance Status: Noncompliant
  - Compliance Issues: Default Device Compliance Policy, Defender for Endpoint - Device Risk
- Demo’s MacBook Pro (2)
  - Compliance Status: Compliant
- WoodgroveVM02
  - Compliance Status: Compliant
Verdict
Threat Hunting Required: Yes
Reasons:
- High Blast Radius: The user has significant access and potential impact within the organization.
- Compromised Credentials: The user's credentials have been compromised, posing a potential security risk.
- Noncompliant Device: One of the user's devices (DESKTOP-VSA7FBL) is noncompliant with critical security policies.
Suggested Follow-Up Actions
- Monitor User Activity: Continuously monitor the user's activities for any further anomalies or suspicious behavior.
- Review and Remediate Noncompliant Device: Investigate and address the compliance issues on the device DESKTOP-VSA7FBL.
- Credential Reset: Perform a credential reset for the user to mitigate the risk of compromised credentials.
- Conditional Access Policies: Ensure that appropriate conditional access policies are in place to limit access from potentially risky locations or devices.
- Security Awareness Training: Provide the user with security awareness training to prevent future credential compromises.
Conclusion
Together, Security Copilot and Microsoft Sentinel provide a comprehensive security solution that empowers organizations to stay ahead of identity-based attacks, among others. By combining the strengths of both platforms, you can achieve greater efficiencies in your security operations. Try it out and give us your feedback and recommendations for further improvement.
Additional resources
- Microsoft Security Copilot | Microsoft Security
- Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure
- Microsoft Sentinel UEBA reference | Microsoft Learn
- AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time
- Advanced Dark Web Threat Intelligence Platform | Cybersixgill
- Microsoft Digital Defense Report: 600 million cyberattacks per day around the globe
Updated Jan 21, 2025
Version 4.0
Inwafula
Microsoft
Microsoft Security Copilot Blog