00:00:00
[Music]

00:00:04
Today is finally the day Microsoft is releasing Copilot for Security. In this video I want to show you how to get started: how to provision SCUs, secure compute units, so that your analysts can make use of this new technology in your SOC to enhance and expedite their analysis and their threat hunting. All right, so let's get started.
00:00:25
All right, very importantly, I want to get started with where you can access it and how you can set it up. There are two ways. The first one you're seeing on screen right now: this is the Azure portal, so just navigate to Azure, or portal.azure.com, and then enter the service "Copilot for Security". So you see "Copilot for Security compute capabilities". All right, so this is what we want to set up. Now, in this space we can set up our secure compute unit and get started this way. Or the alternative, and preferred, method is the Standalone portal, which is currently accessed through this URL that you're seeing on screen right here: securitycopilot.microsoft.com. And that's important, because this portal is essentially the same one where your analysts will be leveraging the Standalone version of Copilot for Security. And what's the difference between setting it up in Azure versus the Standalone portal? Well, if you do it in Azure you'll have to take a second step to get it all set up from within this portal, so it's a two-step process if you do it from portal.azure.com. However, if you set it up and provision it from here, you're going to be sent straight to the tour overview of the platform right after you finish up the provisioning. So it's the same experience, but there's one more step if you do it through Azure.
00:01:49
So anyway, let's go ahead and try to set it up. I'm going to do it through Azure first, so let's go ahead and create a resource. Let me go ahead and enter my subscription, choosing my resource group; I created a dedicated resource group for it. Then I type in a capacity name, so this is the name that the Copilot SCU will be assigned. And then I have to choose the prompt evaluation location. At launch there will be four of them, you can see them on screen: Australia, UK, United States or Europe. And as you choose them you see that the capacity region here at the bottom changes. If, for whatever reason, that region's capacity has reached its limit, you might want to turn on this checkbox right here, which states that if that region is busy your prompt will be sent to another region. Just follow whatever your compliance requirements require of you. And then finally, at the bottom, you can see the security compute units, so just choose how many you want, starting with one, from 1 to 100. One SCU per hour doesn't mean that you'll have only one analyst utilizing this service per hour, but rather it's a shared resource, it's a provisioned resource, so you're actually paying per hour. So at any hour that it's turned on you're going to be consuming $4 USD per that resource. And how many analysts can use it? Well, it's about how much that secure compute unit can be consumed: you might run out of SCUs in that one hour if you only have one of them and if you have multiple analysts. So just be mindful of that.
00:03:19
Now, the platform will tell us if you're running out of SCUs, so that you can increase them at any point in time, and that's totally feasible, totally doable. You can increase, and after you've used it for whatever reason and whatever incidents you are responding to, you can decrease them back to one, if that's your default requirement there. I also really recommend you have a look at the terms and conditions; this is the Microsoft legal agreement. Have a look at that if you have the need to do so. Let me go ahead and click on Next. It's going to validate everything. There you go, it's accepted some of these resources. Let's go ahead and create it. Okay, the deployment is complete through Azure. So now, if I go ahead, as you can see here, the next steps tell me that I need to finish setup in Copilot for Security, and this is a required step. This is exactly what I mentioned before: if you do it through Azure, you're going to have to jump into the Standalone portal like this. So let me go ahead and click on this. As you can see it's pivoting to the Standalone portal which I showed before, so it's exactly what I had shown you, and at this stage it knows that I've already set up in Azure. So very quickly, let me shift back to the previous page I had on the Standalone portal. Right, so just as a small caveat: if I hadn't set it up in Azure I would have to go through this setup right here. It is the same information that I entered in Azure, just through this portal, but I would have continued the setup right from this portal without the need to click on that "finish setup" and without having to open a second tab. So that's the only difference there between setting it up through portal.azure.com or through the Standalone portal. Let me close this page and go back to the page where I pivoted from Azure.
00:04:58
At this stage I need to select the capacity I'd like to use; this is what powers Copilot, as you can see. So this is the exact capacity that I had created just now, and you can see here this was created in the Azure portal. Let's go ahead and click on Continue. Now, this here is telling me that my customer data will be stored in the United States. This is because my customer account is set up with this in it; this is just because of my account, the way my account is set up. Now I'm prompted for potential help to improve Copilot by sharing statistics and usage. I will leave these on, as I'm always up for improvement.
00:05:38
Okay, so at this point I'm being asked about who can access Copilot. There are essentially two types of access. Contributors: those are your analysts, people who just need to chat and talk to Copilot but not manage capacity, not manage and administer who has access to it. So these are contributors, so think of your analysts. So contributors just need to access Copilot based on their permissions to Microsoft security solutions and products. As for owners, well, owners can manage access from the role assignment page, and there are two roles in Azure that are owners: Global admin, so GA, and SA, Security administrator. Okay, and there are a lot more details in terms of access that you can get out of the official documentation. I highly recommend you have a look at that, but for your reference let me open it up here, in terms of authentication and access. So this is the page that talks about how authentication works in Copilot for Security. What I want to bring your attention to is what kind of access each role gives out to Copilot, and this is important because, once again, you do not want to give everyone Global admin rights so that they can run prompts, run prompt books, manage plugins, configure settings. You don't need to do that, because if I scroll down here at the bottom you can see that Security administrator can do everything that GA can do in Copilot for Security without the extended tenant-level capabilities that GA gives them. Right, so Security administrator is the preferred method for owners and people who are managing your SOC and your service, and then for anyone just managing your incidents, Security operator or Security reader will be enough in order to run prompts and run prompt books. All right, so this is what I wanted to highlight there in terms of access.
00:07:30
All right, with this said, let's go ahead and click on Continue for the access, and apparently I'm all set. There you go. So from this point onward I'm told that I can share securitycopilot.microsoft.com with my colleagues and I can manage billing in the Azure portal. All right, let's go ahead and finish this up. This is it, magical: this is the homepage of Copilot in the Standalone mode. Right, so "oh, what do you mean by Standalone, doesn't make any sense". Well, Standalone means everything you need to do from Copilot can be done from here, right? And that's important because, as you can see here on this page on the left-hand side in the hamburger menu, we can have a look here at what capacities and what I can do as part of this service. So I can have a look at older sessions. So every incident, each and every incident that I get access to that Copilot generates a summary for, generates a session, right? So that session can be continued if I want to dive deeper into that incident, if I want to continue chatting with Copilot in the context of that incident. So these are sessions, each session, and I'm going to have a look at that and show you that later, but each session will then be able to be shared with my colleagues. So if I'm part of a SOC team and I want to share my investigation chat with my peers and colleagues, I can just share the session with them. Now, they will have access to the entire chat of the session, so be mindful of that. So that's a great way to manage sessions there, and you can keep a track record of all your sessions here on the left-hand side. Here we also have the prompt books.
00:09:02
Now, prompt books are essentially programmatic ways to execute prompts. So you take in a value from the analyst; so imagine we're hunting for a specific CVE ID, so the prompt book is catered for a vulnerability, right? So that's the field that the analyst is going to enter in the prompt book, and then the prompt book will have a list of pre-made and template prompts that are going to be entered sequentially, so that your analysts don't have to know the process by heart. So they don't have to do that and know all the process themselves, but rather they can rely on the expertise of a senior analyst or a senior researcher who has done that for them and created a prompt book for that investigation, right? So it's a workflow; it's essentially the automation of specific tasks that Copilot can run for you, and that is exciting. Let me open one of them up here for you, so the threat actor profile. So you can see the input here, it's a field, so this field is entered by your analyst. So this is the only field that is required so that we run this prompt book called "threat actor profile", and the tag is "threat actor". There are five prompts in here and Microsoft created it. So if I open it up I can see what these pre-made prompts are, and as you can see it's programmatic, right? So when we think of, hey, we're getting a value, an input from my user, such as threat actor name, and we're entering that in this template prompt.
00:10:29
That is so helpful, because now we don't need to think about what I need to do next in my investigation process in my organization, right? So that's already been documented as part of prompt books. So I can copy this, duplicate, right, and create a variant of it, or I can start a new session that's going to start from this prompt book, for example. But not only can I start sessions from this prompt book; whenever I'm in an incident in the Standalone version I can actually manually, quickly and voluntarily access all of these prompt books as part of my session, my conversation with Copilot. So this is the benefit. As you can see here it's extendable, right? So we can see there are different organizations here: Microsoft, my organization and my prompt books. So my colleagues can make their own prompt books, share in my organization, and so on and so forth.
00:11:19
The last thing I want to cover here: of course we have owner settings, role assignment. Let me open up owner settings. There we go, I can see the subscription ID, resource ID, I can have a look at the top 10 changes that I've made there, and I can see the secure compute units assigned to my tenant. So I can change this here: when I click on Change, there we go, I can manually add two, three, and apply, and so on and so forth. I can manage billing in Azure; I'm going to have a look at that later. But I can see the usage as well, so when I see the usage I can see how many prompts I have sent, or how many portions of that SCU have been consumed by my agents. This is important; I'm going to have a look at that soon. Okay, and lastly we have settings. So these are just user experience settings: change the way it looks, change time zone potentially, as you can see here, and files, who can upload files, and potentially response debug options as well. Great.
00:12:12
So from here, if I want to get started with Copilot, I can just start a new session. So if I scroll down you can see the prompt experience here, and the prompt experience has a couple of buttons here. So the rightmost button is to submit the prompt, so after I enter information here I can submit the prompt. The second to rightmost is the sources, so these are the plugins. So if I click on them I can see what plugins I can enable as part of my service. So I can see that by default, this was just created, right, I have Defender Threat Intelligence enabled, so that's part of the service, so we get evergreen and always up-to-date threat intelligence because of this plugin. We also get Defender XDR, Microsoft Entra, Intune, Sentinel, which is in preview as you can see here. If I click on the settings I'm going to be able to enter the default workspace name for Sentinel and the default resource group name as well, for incident investigation within Copilot. I'm going to set this up a little later. And as I scroll down further, you can see "other", so these are provided by third parties, so essentially other providers and testers have created their own plugins for Copilot for Security that you'll be able to leverage here. So we can see Cyware Respond created this plugin for automated response and threat analysis, for example.
00:13:29
Netskope, reporting API endpoints; Tanium is using that, or provided something too; Valence Security, to help fix SaaS risks. So each plugin will have their own capabilities and their own use cases, and they're all in preview at the moment, so just be mindful of that. And you can add your own plugin as well. So you can create your own plugin utilizing Copilot for Security custom information, or even an OpenAI plugin based on the JSON file that is utilized by OpenAI plugins as well. So just think about the capabilities and the extensibility of this platform; that's really impressive. If I want to ground some of my answers in my own files I can do that too, right? So I can upload files like internal policies, as you can see here, and even organization knowledge that will inform Copilot's responses. Right, so when we prompt we can specify the file name of uploaded files and Copilot will leverage them for the answer, and only me as a user will be able to see my uploaded files, as you can see here. So it just helps me enhance the capabilities of Copilot based on my own organization. Of course you would do that under your own processes and understanding the need to do so. Awesome. So those are all sources and how you can extend Copilot in a lot of different ways. And then lastly we have prompts.
00:14:59
Right here on the right-hand side, prompts is prompt books, right? So everything I showed you before is there. So we can essentially trigger a prompt book right from here; we don't have to go through the prompt book page to do that, we can just trigger them from here. We can choose one of them, you can see all the steps for the prompt book, and you can enter the input that is required for that particular prompt book. This particular one I'm looking at is the Defender incident ID, for example. But not only that; what I find really valuable is the system capabilities, right? So when I click on "see all system capabilities" I can see everything, every action that the platform can do for me, and it's pretty extensive and it's categorized. So I can see under incident analysis what the capabilities of Copilot for Security are in incident analysis. What about investigation? Boom, these are here. Knowledge base, and so on and so forth, Microsoft Defender Threat Intelligence. So those are known capabilities of the platform here, right out of the box, but you can of course extend this in multiple ways, be that with a plugin that you create or with a prompt book that you automate.
00:16:10
So let me go ahead and make a first prompt. There we go, so I entered my question: "what should I be worried about in my environment today". So right off the bat it starts a new session and it starts evaluating the results, and as you can see, I love that it's pretty transparent in what it expects out of you, right? Good input, because good input requires good output, right? So there are good practices to prompting, so you have to be very mindful of what good prompts are. For example: have a goal in mind, be specific, right, so security-related information that you need, enter that in the prompt. Also context: if you know you're going to need information for a specific platform, enter the platform, for example state "what is the highest severity incident in Defender 365 today", for example. Expectations, right, so the format or target audience you want the response tailored to, especially if you're creating and generating a report for an executive, for example; state so, make it clear. And lastly, source: if there's a known information data source or plugin that Microsoft Copilot could use, list it, right? So these are good practices for prompting that you should know about. Back to the platform, so what has been the response?
00:17:30
All right, so this experience right here is something I've been showing to some of my customers lately. So this is the session for Copilot, and let's take the time to actually take it in and understand what's being shown to us. So this is a prompt. I can select the prompt; why can I select it? Because when I select it I can delete them, I can resubmit the prompt to get a different answer, maybe if that didn't satisfy me, but I can also pin that prompt to a pinboard. When I'm going through a lengthy incident I might find or have prompts that I want to save for posterity, so save them, because when you share the sessions between teams you're going to be able to see that, and that's going to be valuable for you. And you can create a prompt book out of this particular prompt as well. Right, on the right-hand side here we have a couple of buttons. We have the share button, so I can share this session with a colleague of mine; so I can add their email or name, and I can copy the link, for example, and share that with them. But I can also open the pinboard. I have nothing pinned, but if I had pinned this prompt here it will show up in here in a matter of a few seconds. There we go, summarizing the session, and you can see the pinned item is in there. Boom, that's the pinboard. Awesome.
00:18:50
So this is how you can interact with it. On the right-hand side you can perform some of the actions that you can at the bottom one, at the top when you select it; for example you can edit the prompt, you can resubmit the prompt or delete the prompt, and of course I can consume the prompt in the center of the screen. So for example, if I expand the steps, and this is brilliant, because when we're looking into how generative AI works we have to understand how the orchestrator of Copilot for Security works, and of course what steps it took in order to come out with an output, and this makes it really clear. So "what should I be worried about in my environment today": well, this is a pretty generic question. I didn't follow the best practices, because I didn't tell it what platform to look at, I was not specific, I was not specific to the goal, because I didn't say, hey, what vulnerability should I be worried about in my environment, or what incidents should I be worried about in my environment. These would be better prompts, but I was very generic, and intentionally, because at this time I can show you that it autonomously, oh my God, in its own mind, actually chose to select Defender Threat Intelligence as the plugin that it needs to prompt to answer my query intelligently. Right, so it's done so.
00:20:01
And you can see here the reasoning behind it: "based on your prompt, any other prompts and responses in this session and Copilot capabilities", it's decided that Defender Threat Intelligence is the best option to go with here. So it looked up threat information, so it's found threat analytics information from the Defender XDR portal, so it's looked at created incidents information and alert counts, and then it prepared my response, going through safety checks that I've explained in previous videos as well. Once it's done so, it's actually coming up with a report here: recent threats that I should be aware of. So CVEs, a vulnerability affecting gaming services, service providers, and why is that? Because it's looking at alerts that I have in my environment. I don't have any, but I have misconfigured devices who might be affected by this particular vulnerability. It's also looking at an actor profile here, looking again at alert counts, misconfigured devices, vulnerable devices to this particular threat, based on the threat analytics that is created by Defender XDR, and so it's also looking at a particular tool there for us.
00:21:03
After you consume this, you can see at the bottom the feedback option, right, so "how is this response?", and that's an important part of the product, because generative AI, this is all about human intelligence, not AI per se, right? It's about enhancing the human. So this here was a good answer, so, but how is this response, does it look right, accurately and factually? Yep, it does look right factually. I can validate everything, I think, versus my threat analytics report and make sure that there are no alert counts that match any of these, and so on and so forth. If it needs improvement I could provide some feedback here, or if it's inappropriate I could state so too and provide evidence of why that is. Now, this is some of the information you can get out of it, but if I want to be more specific and follow good practices, I can just go ahead and ask it.
00:21:56
So let me be specific and ask: "what is the highest severity incident in my Defender XDR portal". So let me go ahead and ask it. Oh, and one thing I didn't mention before, but for each and every step it actually tells us how long it took the platform to actually process each step, and that's important as well, because secure compute units are about time to process and how complex your queries are. So when we look at the amount of time that your prompt has needed in order to be processed by the platform, it also means how much you're paying for each and every question you're making. All right, so for this particular question I specifically called out Defender XDR, good prompting, so there we go. So at this stage it actually chose Defender XDR, it processed, prepared it and everything else, and at this stage it actually tells me with accuracy, right, so I know for a fact that this is actually true: Defender XDR has a "send cat" hack tool detected in one of my endpoints. It's stating that it's resolved, that's high severity, when it was created, when it was updated, so a couple of days ago, and the incident web URL. So let me go ahead and click on it. It's also telling me at the bottom here the results of it: "please note that the incident has been resolved; it's always good practice to review the incident details to ensure all the necessary remediation steps have been taken". There we go.
00:23:13
So I just clicked on the incident and I'm going to validate, because I'm a thorough analyst. At this point I'm pivoting to the "send cat" incident, which is absolutely factual, and I can see here the endpoint name, the URL or whatever file was identified as malicious, and so on and so forth. Now, this here is the Defender XDR portal, which you must be aware of if you've been following me for a little while, and what is important here is that I pivoted from the Standalone to the Defender XDR portal, and the Defender XDR portal also has another capability integrated with Copilot here. So this has just been enabled as soon as I created that SCU, secure compute unit, right? And that is very important because of the embedded experience.
00:23:59
This is the second way to consume Copilot: the embedded experience is always integrated into incidents for all my analysts. So if I logged in as a different user here as part of my SOC, so a different analyst is looking at their incidents, they're going to see this Copilot embedded experience too, and that's going to be beneficial to them as well, and at the same time they'll be consuming your SCU as well; be mindful of that. Now, there you go, so for each and every incident that I open up, as you can see here, the embedded experience will generate an incident summary and attempt to generate a guided response if that is relevant for that incident. Okay, so for example, as you can see here there's a summary and there's a guided response. I could go ahead and look it all up and validate it's all factual, true, but I'm sure it will be. Now, for the incident piece I want to open up a different incident to highlight something else. So I'm opening up a second incident, and just as I open it up you can see here yet another incident summary is being generated automatically, and another guided response, and I'm purposely generating this for you because I want to show you what that guided response looks like: it has buttons so that we can interact with it. And the incident summary, well, it's just an incident summary; it just makes it easier for your incident analyst or incident manager to understand what they're dealing with currently and why it's taking so long for your analysts to resolve that complex incident.
00:25:29
little time right as you can see here
00:25:30
there you go it's just generated the
00:25:31
incident summary it tells me uh in
00:25:33
chronological order if what happened uh
00:25:36
and the guided response well it had an
00:25:38
issue so I could attempt to regenerate
00:25:40
let me go ahead and click on it see if
00:25:41
it will work and while it's doing so
00:25:43
what I want to show you it's the
00:25:44
embedded experience options here so at
00:25:46
the top we have the generate incident
00:25:49
report button which when I click on it
00:25:51
it's going to generate yet another
00:25:53
incident report a little more thorough
00:25:55
than the summary and in the settings
00:25:57
I can have a look at the uh learn more
00:25:59
section I can close the embedded
00:26:01
experience so it closes the fly
00:26:04
out here or there we go there's no
00:26:06
actions recommended right so this quick
00:26:08
note there or lastly what I can do
00:26:11
is also do this here there is the
00:26:13
ellipses icon there for the incident
00:26:15
summary and when I click on it I can
00:26:17
copy this information to the clipboard I
00:26:19
can regenerate this incident summary or
00:26:22
I can pivot again to the Standalone
00:26:24
version of Copilot for Security now
00:26:27
this last button here is
00:26:29
really important if your SOC is
00:26:31
primarily driven by the Defender XDR
00:26:34
portal because they'll be consuming it
00:26:36
Copilot for Security in the embedded
00:26:38
experience okay so they'll be just using
00:26:40
Defender XDR and at one point they will
00:26:42
want to talk to Copilot they want to
00:26:45
dive deeper into it that's where they'll
00:26:47
come in here open in Copilot for
00:26:49
security and it will keep that session
00:26:52
or keep that investigation uh
00:26:55
conversation going so it's opening up
00:26:57
here the Copilot for Security interface
00:27:00
and as you can see yep it's continuing
00:27:02
that incident summary that it had
00:27:04
generated now notice and this is
00:27:06
important how the top here we have the
00:27:08
icon here for uh essentially prompts
00:27:11
right so every time we open up an
00:27:13
incident in Defender XDR Copilot
00:27:16
for security runs this prompt book
00:27:18
called get Defender incident right it's
00:27:20
generating an
00:27:21
automated response to generate the
00:27:23
incident there and as you can see I can
00:27:26
continue the conversation here so if I
00:27:28
wanted to I could ask more about
00:27:30
uh the specific threat or the specific
00:27:34
machine so let me ask about the
00:27:36
specific machine so I'm asking what is
00:27:37
the risk score of the machine uh Caldera
00:27:41
right so this here is an open-ended
00:27:44
question because I should have called
00:27:45
out today I want this information
00:27:47
from Intune for example for my device
00:27:49
manager or I want this information from
00:27:51
Defender for endpoint should have been
00:27:54
more specific but I wasn't but at this
00:27:56
point there we go it chose Intune so it's
00:27:58
now checking for the
00:27:59
information of that managed device
00:28:02
preparing my response let's see what it
00:28:04
tells me uh it's telling me that it
00:28:06
couldn't be retrieved uh and oh there
00:28:09
you go that's important please ensure
00:28:10
that device is Entra joined if I go ahead
00:28:12
and check that on Entra that device is
00:28:15
not Entra joined and I can validate this
00:28:17
because I know it's a fact I set it
00:28:19
up this a couple days
00:28:21
ago let's go ahead and do that so I'm
00:28:23
opening up Intune and I'm checking my
00:28:25
devices checking my windows devices
00:28:28
and I can see that yeah absolutely that
00:28:31
device is not listed here because it's
00:28:33
not Entra joined it's not joined to my
00:28:35
organization so therefore I cannot check
00:28:38
the risk because it's not joined to my
00:28:40
organization so there you go already
00:28:43
Copilot told me and showed me how I can
00:28:45
improve my environment be sure that the
00:28:48
device is Entra joined um they're
00:28:50
important there so that I can better
00:28:52
control the risk better control the
00:28:53
device uh that
00:28:55
way all right so this here is a look at
00:28:59
the session now let me go back and see
00:29:02
what sessions have been created for me
00:29:04
right so on the hamburger menu let's go
00:29:05
to my sessions so you're going to see a
00:29:07
lot of sessions here right so and this
00:29:09
is everything that I've been showing to
00:29:10
you in this video right so it started
00:29:13
with the uh first prompt I made what
00:29:15
should I be wearing my environment today
00:29:17
very open-ended not the best prompt uh
00:29:19
but then there you go user
00:29:20
recommendations for the incident uh 118
00:29:23
and from that point I pivoted to the
00:29:25
embedded version of Defender XDR portal
00:29:28
and as you can see here there's a couple
00:29:30
a couple sessions that are created
00:29:31
whenever I open up a Defender XDR
00:29:34
incident right so it always generates the
00:29:36
incident summary session so it consumes an
00:29:38
SCU but that same view also generates
00:29:41
another prompt or
00:29:43
another session which is guided response
00:29:46
right and the same thing happened when I
00:29:48
opened up that other other incident it
00:29:50
generated two sessions because each
00:29:52
session equates to a specific prompt
00:29:55
book that I can continue the
00:29:57
conversation from and each of these
00:29:59
sessions they will have their own
00:30:02
consumption of SCUs for example so
00:30:05
that's helpful to understand how
00:30:06
Copilot is working in the
00:30:09
background so this here is my resource
00:30:10
that I just created Copilot for Security
00:30:13
if I click on it I can see update
00:30:15
security compute units there we go I can
00:30:18
see the update security compute
00:30:21
units um minimum is one so I can delete
00:30:24
it from here uh there you go as you can
00:30:27
see here that's pretty helpful but since
00:30:29
this is a demonstration environment what
00:30:31
I want to do is actually get rid of it
00:30:33
um so what I want to do is actually just
00:30:36
delete it you go ahead and delete this
00:30:38
what it tells me is that the resource
00:30:40
and their internal data is
00:30:41
going to be deleted and that's fine it
00:30:44
does keep uh incident data for a little
00:30:47
while for a few days so that's mindful
00:30:49
for you to have in mind but there we
00:30:52
go with this I'm attempting to delete it
00:30:55
so it should not be charged in my
00:30:57
demonstration department and there we go
00:30:59
it executed the delete command and as of
00:31:02
now I don't have any SCU provisioned no
00:31:05
secure compute unit provisioned so I'm not
00:31:07
going to be charged for the next hour of
00:31:09
Copilot for Security
00:31:10
so there we go so hopefully you found
00:31:13
this video useful you've seen me spin up
00:31:16
an SCU seeing how the out of the box
00:31:18
plugins work have a look at the prompt
00:31:20
books what the capabilities are at a
00:31:22
very very high level right so it's a
00:31:24
15,000 ft kind of view of it um but
00:31:28
at the end I deprovisioned it in order
00:31:30
to ensure that my lab environment costs
00:31:33
don't go through the roof but there you
00:31:34
go so hopefully you found this educational
00:31:37
and helpful if you like this kind of
00:31:39
video make sure you leave a like comment
00:31:41
let me know your thoughts about copilot
00:31:43
cuz I want to be checking it out further
00:31:45
uh myself at a later time all right with
00:31:48
that all said see you next
00:31:51
[Music]
00:31:55
time