Microsoft Security Copilot Blog

Identity forensics with Copilot for Security Identity Analyst Plugin

Hesham_Saad
Oct 24, 2024

Overview

This is a step-by-step walkthrough of how to use a custom KQL Copilot for Security plugin for identity SOC and forensics use cases, and of how it helps implement a consistent security policy for every user, employee, frontline worker, customer and partner, as well as for apps, devices and workloads across multi-cloud and hybrid environments.

Use case summary

Monitoring and governing Identities using Copilot for Security custom Identity Analyst Plugin:

  1. User Risk Assessment: Monitor user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior.
  2. Sign-in Monitoring: Track user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Unusual sign-in activity could be a sign of a potential security threat.
  3. Admin Activity Monitoring: Admin accounts have high-level access and can be a prime target for attackers. Monitor admin activities, especially those involving changes to security settings, user privileges, or access controls.
  4. Application Usage Monitoring: Keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue.
  5. Privileged Identity Management: Monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts.
  6. Access Review: Regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats.

In this guide, we provide high-level steps to get started with the new tooling. We start by adding the custom plugin; organizations are recommended to test it in a dev environment first.

Installation

Use the following steps to obtain and install the custom Identity Analyst Plugin for Copilot for Security:

  1. Go to securitycopilot.microsoft.com
  2. Download the IdentitySecurityAnalyst.yml file from here.
  3. Select the plugins icon down in the left corner.
  4. Under Custom upload, select Upload plugin.
  5. Select the Copilot for Security plugin and upload the IdentitySecurityAnalyst.yml file.
  6. Click Add.
  7. Under Custom you will now see the plug-in. Ensure it is enabled.

The custom package contains the following prompts (each is described in its own section below):

  1. /IdentityGetUserRiskAssesment
  2. /IdentityGetSignInMonitoring
  3. /IdentityGetAdminActivityMonitoring
  4. /IdentityGetApplicationUsageMonitoring
  5. /IdentityPIMMonitoring
  6. /IdentityAccessReviewMonitoring

Let us get started with more use cases leveraging Copilot for Security capabilities:

User Risk Assessment

Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior.

In Copilot for Security, you can either invoke the plugin directly by selecting the relevant skill under System capabilities in the prompt menu, or type ‘/IdentityGetUserRiskAssesment’ as shown below:

A sample result will be:

User Sign-In Activities

Fetches user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Unusual sign-in activity could be a sign of a potential security threat.

In Copilot for Security, you can either invoke the plugin directly by selecting the relevant skill under System capabilities in the prompt menu, type ‘/IdentityGetSignInMonitoring’, or prompt with ‘Get users signin activities using Identity analyst plugin’.

Admin Activities Monitoring

Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls.

In Copilot for Security, you can either invoke the plugin directly by selecting the relevant skill under System capabilities in the prompt menu, type ‘/IdentityGetAdminActivityMonitoring’, or prompt with ‘Get admin activities monitoring using Identity analyst plugin’.

Applications Usage Monitoring

Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue.

In Copilot for Security, you can either invoke the plugin directly by selecting the relevant skill under System capabilities in the prompt menu, type ‘/IdentityGetApplicationUsageMonitoring’, or prompt with ‘Get application usage monitoring using Identity analyst plugin’.

Privileged Identity Management (PIM) Monitoring

Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts.

In Copilot for Security, you can either invoke the plugin directly by selecting the relevant skill under System capabilities in the prompt menu, type ‘/IdentityPIMMonitoring’, or prompt with ‘Get Privileged Identity Management monitoring using Identity analyst plugin’.

Access Review Monitoring

Fetches Access Review logs to regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats.

In Copilot for Security, you can either invoke the plugin directly by selecting the relevant skill under System capabilities in the prompt menu, type ‘/IdentityAccessReviewMonitoring’, or prompt with ‘Get Access Review monitoring using Identity analyst plugin’.

Conclusion

This plugin is based on KQL, which offers a relatively simple and scalable way to leverage the existing repositories of proven KQL queries within the Microsoft security ecosystem. One suggestion is to customize the custom KQL plugin YML file so that the time range is taken as an input parameter from Copilot for Security instead of being hard-coded in each query. These queries can then serve as a basis for bringing AI enrichment onto security data already present within Microsoft identity services. For more details on Microsoft Copilot for Security custom plugins via KQL, please visit https://learn.microsoft.com/en-us/copilot/security/plugin-kql. Give it a go and give us your feedback so we can continuously improve the product for your benefit.
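As an added example that is not the plugin's own manifest, the fragment below shows the change suggested above: one KQL skill with a hard-coded 7-day window beside the same skill taking the range as an input parameter. The skill names, the Sentinel workspace target and the SigninLogs query are assumptions; the Descriptor/SkillGroups/Inputs/Template layout and the {{input}} substitution syntax follow the KQL plugin documentation linked above.

```yaml
# Added example, not the IdentitySecurityAnalyst.yml from the post; names, target and query are assumptions.
Descriptor:
  Name: IdentityAnalystExample
  DisplayName: Identity Analyst (example)
  Description: Example KQL skills for identity sign-in monitoring.

SkillGroups:
  - Format: KQL
    Skills:
      # Before: the 7-day window is baked into the query text, so changing it
      # means editing the YAML and re-uploading the plugin.
      - Name: GetFailedSignInsHardcoded
        DisplayName: Get failed sign-ins (fixed 7-day window)
        Description: Counts failed sign-ins per user over the last 7 days.
        Settings:
          Target: Sentinel
          TenantId: <tenant-id>
          SubscriptionId: <subscription-id>
          ResourceGroupName: <resource-group>
          WorkspaceName: <workspace-name>
          Template: |-
            SigninLogs
            | where TimeGenerated > ago(7d)
            | where ResultType != "0"
            | summarize FailedSignIns = count() by UserPrincipalName

      # After: the window is a skill input. Copilot substitutes the value the
      # analyst gives (or the default) into {{lookback}} before the query runs.
      - Name: GetFailedSignIns
        DisplayName: Get failed sign-ins
        Description: Counts failed sign-ins per user over a caller-chosen window.
        Inputs:
          - Name: lookback
            Description: Time window as a KQL timespan literal, e.g. 24h, 7d, 30d
            Required: false
            DefaultValue: 7d
        Settings:
          Target: Sentinel
          TenantId: <tenant-id>
          SubscriptionId: <subscription-id>
          ResourceGroupName: <resource-group>
          WorkspaceName: <workspace-name>
          Template: |-
            SigninLogs
            | where TimeGenerated > ago({{lookback}})
            | where ResultType != "0"
            | summarize FailedSignIns = count() by UserPrincipalName
```

Because an input is substituted as text into the query, keep each input's description narrow (here: a timespan literal) and give it a sensible default, so a vague prompt cannot widen the query beyond what the skill is meant to do.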

Updated Oct 24, 2024
Version 1.0
  • Jason_Revill (Copper Contributor)

    Many thanks for the plugin. Initial tests have had some good results. One piece of feedback is that I've found it to be extremely hungry from an SCU perspective. One prompt for Get User Risk Assessment is driving north of 3 SCUs. This is something to consider in case it can be further optimised. 👍