This is a step-by-step guided walkthrough of how to use the custom Copilot for Security pack for Microsoft Data Security and how it can empower your organization to understand the cyber security risks in a context that allows them to achieve more. By focusing on the information and organizational context to reflect the real impact/value of investments and incidents in cyber. We are working to add this to our native toolset as well, we will update once ready.
Prerequisites
- License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements. You also need to be licensed for Microsoft Copilot for Security, more information here.
- Consider setting up Azure AI Search to ingest policy documents, so that they can be part of the process.
Step-by-step guided walkthrough
In this guide we will provide high-level steps to get started using the new tooling. We will start by adding the custom plugin.
- Go to securitycopilot.microsoft.com
- Download the DataSecurityAnalyst.yml file from here.
- Select the plugins icon down in the left corner.
- Under Custom upload, select upload plugin.
- Select the Copilot for Security plugin and upload the DataSecurityAnalyst.yml file.
- Click Add
- Under Custom you will now see the plug-in
The custom package contains the following prompts
Under DLP you will find this if you type /DLP
Under Sensitive you will find this if you type sensitive
Let us get started using this together with the Copilot for Security capabilities
- Anomalies detection sample.
- Access to sensitive information by compromised accounts.
- Document accessed by possible compromised accounts.
- CVE or proximity to ISP/IPTags.
- Tune Exchange DLP policies sample.
- Purview unlabelled operations.
- Applications accessing sensitive content.
- Hosts that are internet accessible accessing sensitive content
- Exchange incident sample prompt book.
- SharePoint sample prompt book.
Anomalies detection sample
The DLP anomaly is checking data from the past 30 days and inspect on a 30m interval for possible anomalies. Using a timeseries decomposition model.
The sensitivity content anomaly is using a slightly different model due to the amount of data. It is based on the diffpatterns function that compares week 3,4 with week 1,2.
Access to sensitive information by compromised accounts.
This example is checking the alerts reported against users with sensitive information that they have accessed.
Who has accessed a Sensitive e-mail and from where?
We allow for organizations to input message subject or message Id to identify who has opened a message. Note this only works for internal recipients.
You can also ask the plugin to list any emails classified as Sensitive being accessed from a specific network or affected of a specific CVE.
Document accessed by possible compromised accounts.
You can use the plugin to check if compromised accounts have been accessing a specific document.
CVE or proximity to ISP/IPTags
This is a sample where you can check how much sensitive information that is exposed to a CVE as an example. You can pivot this based on ISP as well.
Tune Exchange DLP policies sample.
If you want to tune your Exchange, Teams, SharePoint, Endpoint or OCR rules and policies you can ask Copilot for Security for suggestions.
How many of the operations in your different departments are unlabelled? Are any of the departments standing out?
In this context you can also use Copilot for Security to deliver recommendations and highlight what the benefit of sensitivity labels are bringing.
Applications accessing sensitive content.
What applications have been used to access sensitive content? The plugin supports asking for applications being used to access sensitive content. This can be a fairly long list of applications, you can add filters in the code to filter out common applications.
If you want to zoom into what type of content a specific application is accessing.
What type of network connectivity has been made from this application?
Or what if you get concerned about the process that has been used and want to validate the SHA256?
Hosts that are internet accessible accessing sensitive content
Another threat vector could be that some of your devices are accessible to the Internet and sensitive content is being processed. Check for processing of secrets and other sensitive information.
Promptbooks are a valuable resource for accomplishing specific security-related tasks. Consider them as a way to practically implement your standard operating procedure (SOP) for certain incidents. By following the SOP, you can identify the various dimensions in an incident in a standardized way and summarize the outcome. For more information on prompt books please see this documentation.
Exchange incident sample prompt book
Note: The above detail is currently only available using Sentinel, we are working on Defender integration.
Posts part of this series
- Cyber Security in a context that allows your organization to achieve more
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cyber-security-in-a-context-that-allows-your-organization-to/ba-p/4120041 - Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083
- How to build the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-to-build-the-microsoft-purview-extended-report-experience/ba-p/4122028
Microsoft
