Microsoft Defender XDR Blog
New Security Copilot skill: Identity Summary

DanaIris
Sep 24, 2024

“Can you summarize Defender insights about this user over the last two days?” Microsoft’s latest innovation for Copilot for Security simplifies SOC teams’ investigations with the new Identity Summary feature within Defender XDR.

Today, we are excited to share details on the new Identity Summary skill, available within the Microsoft Defender XDR and Copilot for Security portals. It provides a natural language summary of user behavioral anomalies and potential misconfigurations. This blog highlights how the summary can uncover discrepancies and security gaps, enabling timely action to enhance your organization’s overall security posture.
The new Identity Summary is a powerful tool for security teams, offering a clear and comprehensive view of identities. By providing insights into identity behavior and misconfigurations, this feature helps organizations quickly identify and resolve potential security issues. 

Integrating this feature into your security practices will enhance visibility into identity activities, strengthening your organization’s defenses against evolving cybersecurity threats. 

To trigger this skill within the Defender experience, simply navigate to a user page; the Identity Summary will automatically run in the left side pane, as shown below.

In the Copilot for Security portal, we need to create a prompt that specifies we are seeking security information. Something like “What can Defender tell me about _____________ over the past _______ days?” effectively signals to Copilot that it should focus on Defender data, and will prompt the skill to produce a summary like the one in the image below.

The summary itself is structured into several sections, which Copilot displays based on their relevance. For example, if the investigation does not reveal any failed login events, that section will be omitted. The images below offer a couple of examples of potential Identity Summaries.

Two Identity Summary examples as they would appear in Defender XDR.

Key features of the Identity Summary:

Within the Defender XDR portal, the Identity Summary covers the last 30 days while the Copilot for Security portal can pull insights from up to 120 days in the past, per investigation.

Below is the complete list of insights available in the summary:

  1. Login locations: Security Copilot surfaces insights from login data and analyzes users’ reported and actual locations, highlighting any discrepancies, which could indicate potential security threats or misconfigurations. It also flags concurrent logins from distant locations that may indicate credential misuse or an actual security issue that is worth checking.
  2. Role changes: This section tracks changes in role assignments, analyzing their relevance to the user’s job and department, to identify inappropriate permissions or suspicious activities. Copilot also analyzes the frequency of changes, offering deeper insights into appropriate permission levels and potentially suspicious activities.
  3. Devices: You may see a list of devices managed by Intune which are associated with the user. This can include details on enrollment status and compliance. You may also see a list of signed-in devices, which helps you identify any unfamiliar and potentially unmanaged or unauthorized devices. This section in the summary complements, rather than replaces, the Intune Device summary. While the Intune Device summary provides an in-depth view of a single device, this section of the Identity Summary offers a broader, user-centric perspective on the usage of all the user’s devices.
  4. Failed login attempts: Copilot will flag failed login attempts in this specific section for easier investigation.
  5. Authentication: Here you will see details on the authentication methods used by the user for accessing applications. You may recognize potential security gaps, such as missing multi-factor authentication.
  6. Entra risk: If relevant, this section provides visibility into the identity’s risk profile by surfacing the Entra ID risk level associated with that identity.
  7. Contact information: The summary includes essential contact details for both the identity and their manager. This facilitates quick communication and enables follow-up actions if anomalies or issues surfaced in the previous sections of the Identity Summary need to be addressed.
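To make the kind of signals listed above concrete, here is an added illustration (not Security Copilot’s or Defender for Identity’s own logic) that runs simple heuristics over a handful of constructed sign-in events: a reported-versus-actual country mismatch, sign-ins from distant locations too close together in time, failed login attempts, successful sign-ins without MFA, and devices not in the managed-device list. The event fields, the 900 km/h travel threshold, the user profile and the sample events are all assumptions made for the example, and, like the real summary, sections with no findings are omitted from the result.

```python
"""Illustrative identity-summary heuristics over constructed sign-in events.

Added example, not the logic of Microsoft Security Copilot or Defender for
Identity. Event fields, thresholds and sample data are assumed.
"""
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data: a user profile plus a handful of sign-in events.
USER_PROFILE = {
    "user": "alex@contoso.example",        # placeholder account
    "reported_country": "NL",               # country on the HR/directory record
    "managed_devices": {"LAPTOP-ALEX"},     # devices known to device management
}

SIGN_INS = [
    # (timestamp UTC, country, lat, lon, app, device, success, mfa)
    ("2024-09-20T08:00:00", "NL", 52.37, 4.90, "Outlook", "LAPTOP-ALEX", True, True),
    ("2024-09-20T08:40:00", "US", 40.71, -74.01, "SharePoint", "DESKTOP-7Q2", True, False),
    ("2024-09-20T09:05:00", "NL", 52.37, 4.90, "Teams", "LAPTOP-ALEX", True, True),
    ("2024-09-21T02:10:00", "US", 40.71, -74.01, "Outlook", "DESKTOP-7Q2", False, False),
    ("2024-09-21T02:11:00", "US", 40.71, -74.01, "Outlook", "DESKTOP-7Q2", False, False),
]

FIELDS = ("ts", "country", "lat", "lon", "app", "device", "success", "mfa")
MAX_PLAUSIBLE_KMH = 900  # assumed threshold: faster travel than this is flagged


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_events(rows):
    """Turn the tuples into dicts with parsed timestamps, oldest first."""
    events = [dict(zip(FIELDS, r)) for r in rows]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def login_locations(events, profile):
    """Reported-vs-actual country mismatch and implausible travel between successes."""
    ok = [e for e in events if e["success"]]
    findings = {}
    unexpected = sorted({e["country"] for e in ok} - {profile["reported_country"]})
    if unexpected:
        findings["countries_outside_reported"] = unexpected
    travel = []
    for prev, cur in zip(ok, ok[1:]):
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            travel.append((prev["country"], cur["country"], round(km), round(hours, 2)))
    if travel:
        findings["implausible_travel"] = travel
    return findings


def failed_logins(events):
    """Count failed attempts and the applications they targeted."""
    fails = [e for e in events if not e["success"]]
    return {"count": len(fails), "apps": sorted({e["app"] for e in fails})} if fails else {}


def authentication(events):
    """Successful sign-ins that completed without MFA, per application."""
    no_mfa = Counter(e["app"] for e in events if e["success"] and not e["mfa"])
    return {"successful_sign_ins_without_mfa": dict(no_mfa)} if no_mfa else {}


def devices(events, profile):
    """Signed-in devices that are not in the managed-device list."""
    unfamiliar = sorted({e["device"] for e in events} - profile["managed_devices"])
    return {"unmanaged_devices": unfamiliar} if unfamiliar else {}


def identity_summary(rows, profile):
    """Build the summary, omitting sections that produced no findings."""
    events = parse_events(rows)
    sections = {
        "login_locations": login_locations(events, profile),
        "failed_login_attempts": failed_logins(events),
        "authentication": authentication(events),
        "devices": devices(events, profile),
    }
    return {name: data for name, data in sections.items() if data}


if __name__ == "__main__":
    for section, data in identity_summary(SIGN_INS, USER_PROFILE).items():
        print(f"{section}: {data}")
```

Run against the full sample, every section fires: the US sign-in contradicts the profile’s reported country, the Amsterdam-to-New-York hop within 40 minutes (and back within 25) exceeds the travel threshold, two failed attempts hit Outlook, the SharePoint sign-in skipped MFA, and DESKTOP-7Q2 is not a managed device. Run against only the first event, the result is empty, which is the “omit irrelevant sections” behaviour the post describes.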

Microsoft Defender for Identity invites you to provide feedback on your experience with the Identity Summary. Your feedback, including feature requests, will be directly communicated to our product managers and relevant engineers to help refine and enhance the tool.
*Please note that the screenshots do not correspond to real identity identifiers or data.*

Updated Oct 29, 2024
Version 3.0