Unlock AI-driven insights with Security Copilot and ASIM-based plugins
Microsoft Security Copilot extends Microsoft Sentinel with an AI-driven assistant that helps analysts interpret complex hunting query output from Log Analytics. One of its standout features is support for KQL-based custom plugins: customers can wrap new or existing hunting queries as plugins and pull their results into a Security Copilot session as additional context. ASIM-based queries strengthen this further by building the detection logic on normalized, source-agnostic data rather than on the schema of any single product.
Advanced Security Information Model (ASIM)
Security teams need detection content that survives changes in their data sources. Microsoft Sentinel's Advanced Security Information Model (ASIM) addresses this by providing a framework for normalizing security data from many sources into a set of common schemas, so that the same analytics can be written once and run across all of them.
Key Benefits of ASIM
- Cross-Source Detection: ASIM enables analytics rules that work across multiple data sources, allowing for comprehensive threat detection. For example, a single rule can detect brute force attacks across on-premises and cloud systems. In this scenario we are tapping into the Network Session schema, which brings together data from up to 16 distinct sources, such as Palo Alto, Cisco, Fortinet, Check Point and Zscaler among others.
- Source-Agnostic Content: Content created using ASIM automatically applies to any source that supports the model, even if the source is onboarded after the content is created. This makes the solution more durable: an enterprise can add more security products over time while continuing to use the same queries.
- Simplified Querying: By using ASIM views in queries, users can ensure they are querying all relevant normalized information in a consistent and well-documented schema.
- Support for custom logs: ASIM makes it possible to cover custom logs with built-in content. This means that an ASIM-based KQL plugin will support any source that you normalize, without the need to modify the plugin.
Leveraging Security Copilot with ASIM-based KQL Custom Plugins
One of the key benefits of ASIM is that it allows us to build detection or hunting queries that are source-agnostic. For example, by building a rule on the ASIM Network Session schema we can unify the output of as many normalized sources as are present into a single rule, which makes the rule much cheaper to build, use and maintain.
In this scenario we use a rule based on the Network Session schema to investigate potential beaconing activity, ingest the filtered events into Security Copilot and correlate them with additional first- and third-party data to reach a verdict on the investigation. Through custom plugins, Security Copilot automates the interpretation of complex investigation tasks by contributing AI insights throughout the process, leading to a quicker and better-reasoned conclusion, especially for less experienced analysts.
Sample ASIM Query to detect network beaconing activity
In this instance the raw query output is relatively complex to decipher and requires the analyst to dig into the details of the output to reach a conclusion about what the output indicates or why the results may indicate suspicious activity.
Figure 1: Sample run of the ASIM-based query that powers this plugin
Security Copilot to the rescue
When Security Copilot is brought into the picture it can quickly analyze the above output and present a verdict and an explanation that is easy and quick to comprehend. Let’s see how:
To conduct the investigation, we step through this promptbook while highlighting the prompts that collectively augment the analyst during the investigation:
Figure 2: A screenshot listing all the prompts within the ASIM-Network beaconing investigation
1. As a first step, the threat analyst retrieves the data from Sentinel to investigate its details. This applies equally to a threat hunting or an incident investigation scenario:
Figure 3: Screenshot of the output of the first prompt in the promptbook
2. The second prompt returns the AI-generated verdict and explanation of the query output:
Figure 4: Output of the second prompt in the promptbook, showing an explanation of Security Copilot's reasoning over the records returned from the first prompt
3. Device investigation
In this step we identify the source device from the ASIM query output and investigate its posture and any relevant suspicious activity:
Figure 5: Partial output of results from the third prompt, summarizing AI-derived insights from the Intune plugin
Figure 6: Additional data from the output of the prompt that invoked the Intune plugin to return insights about the device involved in the incident
4. Finally, Security Copilot stitches together all the findings correlated from multiple sources and, following the summarization prompt, produces the output below:
Figure 7: Final output of the prompt, summarizing all the findings from the session
Session Summary from final prompt
Investigation Summary
Network Beaconing Activity
- Detected: Potential network beaconing activity over the past 7 days.
- Details: Regular communication between 172.31.44.214 and 40.78.253.213 with a frequent time delta of 60 seconds.
- Beacon Percentages: High, often close to or at 100%.
- MITRE Tactics and Techniques:
  - Tactic: Command and Control
  - Techniques:
    - T1071 - Application Layer Protocol
    - T1571 - Non-Standard Port
Destination IP Information
- IP Address: 40.78.253.213
- Organization: Microsoft Corporation
- Location: Moses Lake, Washington, US
- Potential Risks: Despite being associated with a reputable organization, the regular communication pattern suggests potential C2 activity.
Device Information
- Device Name: EC2AMAZ-9MDSBS4
- Operating System: Windows 10.0.20348.2031
- Management State: Managed
- Compliance State: Unknown
- Manufacturer: Xen
- Model: HVM domU
- Device Registration State: Registered
Rare Processes
- Executed: No rare processes executed on the device over the past 7 days.
Opinion and Recommendations
Further Investigation Needed
Yes, further investigation is needed due to the following reasons:
- Suspicious Network Activity: The regular and frequent communication pattern between the source and destination IPs is indicative of potential beaconing activity, which is a common sign of a compromised system communicating with a C2 server.
- Unknown Compliance State: The compliance state of the device is unknown, which raises concerns about whether the device adheres to security policies and standards.
Areas to Focus On
- Network Traffic Analysis: Conduct a deeper analysis of the network traffic to confirm the nature of the communication and identify any additional indicators of compromise.
- Device Compliance Check: Verify the compliance state of the device and ensure it meets all security policies and standards.
- Endpoint Security: Investigate the endpoint security measures in place on the device to detect and mitigate any potential threats.
These steps are crucial to ensure the security and integrity of the network and devices involved.
Tip
Even though the query behind the first prompt is hardcoded, the flexibility of AI allows us to ask ad hoc questions without altering the KQL query that retrieves the original records. For example, the initial prompt can be modified to meet slightly different retrieval criteria as shown below:
Figure 8: An example of an alternate prompt, showing how the query parameters can be altered in natural language without modifying the underlying KQL query
Conclusion
In this scenario we see how Security Copilot addresses the challenges of tool fragmentation and Mean Time to Resolution by bringing together insights from multiple sources, cutting across first-party, third-party and custom plugins, adding AI enrichment and providing a recommendation, all in a little over two and a half minutes. Try out the solution and let us have your feedback on how we can make it better.
Plugin manifests
The custom plugins used in this scenario can be found in our official GitHub repo at the following links. Feel free to reuse these plugins or adapt them to your specific requirements.
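The query behind the first prompt (the "Sample ASIM Query" above survives only as a screenshot) and its plugin manifest, as an added example that is not the plugin published in the GitHub repo referenced above: it packages a time-delta beaconing detection over the ASIM `_Im_NetworkSession` unifying parser as a Security Copilot KQL plugin. The Descriptor/SkillGroups layout, `Target: Sentinel` and the `{{lookback}}` input substitution follow the KQL-plugin manifest format documented in Microsoft Learn; the tenant, subscription, resource group and workspace values are placeholders, the skill names, the 20-session minimum and the 80% beacon threshold are assumptions chosen for illustration, and, unlike the hardcoded query in the blog's plugin, this one takes the lookback window as an input.

```yaml
# Added example: Security Copilot KQL plugin manifest wrapping an ASIM-based
# beaconing query. Not the plugin from the blog's GitHub repo; the skill names,
# thresholds and <...> placeholders are assumptions.
Descriptor:
  Name: AsimNetworkBeaconingPlugin
  DisplayName: ASIM network beaconing (example)
  Description: Finds internal-to-external session pairs that recur at a fixed interval, using the ASIM Network Session schema so every normalized source is covered by one query.

SkillGroups:
  - Format: KQL
    Skills:
      - Name: GetNetworkBeaconingCandidates
        DisplayName: Get network beaconing candidates
        Description: Returns source/destination/port triples whose sessions show a dominant inter-session time delta and a high beacon percentage over the requested lookback window.
        Inputs:
          - Name: lookback
            Description: Lookback window as a KQL timespan literal, for example 7d
            Required: true
        Settings:
          Target: Sentinel
          TenantId: "<tenant-id>"                 # placeholder
          SubscriptionId: "<subscription-id>"     # placeholder
          ResourceGroupName: "<resource-group>"   # placeholder
          WorkspaceName: "<sentinel-workspace>"   # placeholder
          Template: |-
            // Thresholds are illustrative assumptions; tune them per environment.
            let min_sessions = 20;
            let min_beacon_pct = 80.0;
            // ASIM unifying parser: one query covers every Network Session source,
            // and {{lookback}} is replaced with the skill input at run time.
            _Im_NetworkSession(starttime=ago({{lookback}}))
            | where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr)
            // Internal source talking to an external destination (IPv6 sessions are skipped).
            | where ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr))
            | project TimeGenerated, SrcIpAddr, DstIpAddr, DstPortNumber
            // Serialize so prev() yields the previous session of the same triple.
            | sort by SrcIpAddr asc, DstIpAddr asc, DstPortNumber asc, TimeGenerated asc
            | extend PrevTime = prev(TimeGenerated), PrevSrc = prev(SrcIpAddr),
                     PrevDst = prev(DstIpAddr), PrevPort = prev(DstPortNumber)
            | where SrcIpAddr == PrevSrc and DstIpAddr == PrevDst and DstPortNumber == PrevPort
            | extend TimeDeltaSec = datetime_diff('second', TimeGenerated, PrevTime)
            | where TimeDeltaSec > 0
            // How often each distinct interval occurs per triple ...
            | summarize IntervalCount = count() by SrcIpAddr, DstIpAddr, DstPortNumber, TimeDeltaSec
            // ... then keep the dominant interval alongside the total number of intervals.
            | summarize TotalIntervals = sum(IntervalCount), arg_max(IntervalCount, TimeDeltaSec)
                by SrcIpAddr, DstIpAddr, DstPortNumber
            // Share of intervals that match the dominant delta: the "beacon percentage".
            | extend BeaconPercent = round(100.0 * IntervalCount / TotalIntervals, 1)
            | where TotalIntervals >= min_sessions and BeaconPercent >= min_beacon_pct
            | project-rename MostCommonDeltaSec = TimeDeltaSec, MatchingIntervals = IntervalCount
            // Mapping carried in the plugin output, as in the session summary above.
            | extend MitreTactic = 'Command and Control', MitreTechniques = 'T1071, T1571'
            | sort by BeaconPercent desc, TotalIntervals desc
```

A pair that contacted its destination every 60 seconds for an hour with a single retry would score 60 of 61 intervals at the dominant delta, about 98%, and surface near the top; jittered or bursty traffic spreads across many deltas and falls below the threshold. Because the query reads `_Im_NetworkSession` rather than a vendor table, onboarding a new normalized firewall or proxy adds its sessions to the result with no change to the manifest.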
Additional resources
Normalization and the Advanced Security Information Model (ASIM) | Microsoft Learn
Kusto Query Language (KQL) plugins in Microsoft Security Copilot | Microsoft Learn
Updated Dec 19, 2024
Version 4.0
Inwafula
Microsoft
Microsoft Security Copilot Blog