It's live, Getting started with Copilot for Security | Getting Started, Demo, Overview

00:31:57
https://www.youtube.com/watch?v=Kk5n2CdQCf4

Summary

TLDRMicrosoft's Copilot for Security is designed to enhance threat analysis and incident response in Security Operations Centers (SOCs). The video provides step-by-step instructions on how to provision Secure Compute Units (SCUs) and access Copilot through the Azure portal or a standalone portal. It explains the differences between using Azure and the standalone portal, including the provision process and subsequent steps required. Cost considerations include a per-hour charge for SCUs. Access roles for Copilot include contributors, who engage with the service, and owners, such as Global Admins and Security Administrators, who manage access. Custom plugins and prompt books streamline complex tasks and can be created to automate workflows. In the Defender XDR portal, the Embedded Experience offers functionality like incident summaries and guided responses. The setup process involves carefully choosing resources and regions, and users are encouraged to check licensing terms. The video also highlights the functionality of the prompt book, collaborative session sharing, and copilot's software extensions. Throughout, the importance of integrating with security compliance requirements is emphasized.

Takeaways

  • 🚀 Overview of Copilot for Security release by Microsoft.
  • 👨‍💻 How to provision Secure Compute Units (SCUs).
  • 🌐 Access Copilot via Azure or standalone portal.
  • ⚙️ Prompt books automate and simplify workflow processes.
  • 🔍 Embedded Experience integrates Copilot in Defender XDR portal.
  • 💼 Roles: Contributors and Owners manage access.
  • 💰 SCUs are billed at $4 per hour usage.
  • 🔗 Custom plugins can be created for extended capabilities.
  • 📝 Upload files to improve Copilot's informed responses.
  • 📊 Transparency in usage and session tracking.

Timeline

  • 00:00:00 - 00:05:00

    Microsoft is launching Copilot for security, aimed at enhancing analysts' efficiency in Security Operations Centers (SOC). The video guides on how to start by provisioning Secure Compute Units (SCU) via Azure portal or a Standalone portal, detailing the steps and preferences of each method. Setting up in Azure requires an additional step but provides a seamless experience post-provisioning.

  • 00:05:00 - 00:10:00

    Once the SCU is set up, users can assign access as contributors or owners, each with different roles and capabilities. Security administrators are favored for certain admin tasks, avoiding unnecessary global admin rights distribution. The importance of understanding role-based access and authentication management is stressed, directing to official Microsoft documentation for in-depth knowledge.

  • 00:10:00 - 00:15:00

    The video demonstrates the Copilot Standalone portal usage, focusing on session management and prompt books that automate investigative tasks. Prompt books provide a structured approach for analysts, utilizing community contributions and pre-defined sequences to streamline threat inquiries. It highlights extensibility through custom or pre-configured prompt books.

  • 00:15:00 - 00:20:00

    Prompt books allow for detailed investigation processes to be executed programmatically. The video shows an example with a 'threat actor profile' prompt book, showcasing its utility in operational efficiency by allowing analysts to focus on input details rather than procedural steps. Managing investigations efficiently by saving and sharing sessions is demonstrated.

  • 00:20:00 - 00:25:00

    Extensions and settings within Copilot include integration with third-party plugins and the customization of user experiences. Users can upload internal files to ground their querries, enhancing personalized responses. The video emphasizes the extensibility and adaptability of Copilot to fit organizational needs while managing resources and costs wisely.

  • 00:25:00 - 00:31:57

    Finally, Copilot's interaction with Defender XDR portal is explained, showcasing the embedded experience that links to the Copilot's standalone functionalities. It automates incident summaries and guided responses, with a focus on efficiency and shared session capabilities. The video concludes with a deployment overview and steps to manage costs effectively during experimentation in lab environments.

Show more

Mind Map

Video Q&A

  • What is Copilot for Security?

    Copilot for Security is a tool by Microsoft to enhance threat analysis and hunting for security operations centers (SOCs).

  • How can I access Copilot for Security?

    You can access it through the Azure portal or the standalone portal at securitycopilot.microsoft.com.

  • What are Secure Compute Units (SCUs)?

    SCUs are a provisioned resource enabling shared access among analysts, and users are charged per hour of usage.

  • What is the difference between Azure setup and standalone portal setup?

    Setting up via Azure requires an additional step to complete setup in the standalone portal, while setting up directly from the standalone portal allows direct access to the full platform.

  • What type of access roles are available for Copilot for Security?

    Access roles include contributors, who can interact with Copilot, and owners, like Global Admin and Security Administrators, who can manage access.

  • What are prompt books in Copilot for Security?

    Prompt books are programmatic ways to execute predefined prompts, helping automate investigation workflows.

  • How much does each SCU cost?

    The cost is $4 USD per hour for each SCU.

  • Can I create custom plugins for Copilot for Security?

    Yes, users can create custom plugins utilizing Copilot for Security, or use open AI plugins.

  • What is the Embedded Experience?

    The Embedded Experience integrates Copilot directly into incidents in the Defender XDR portal, generating summaries and guided responses.

  • Can files be uploaded to inform Copilot responses?

    Yes, internal policies and organizational knowledge files can be uploaded to enhance responses, but only the uploader can view these files.

View more video summaries

Get instant access to free YouTube video summaries powered by AI!
Subtitles
en
Auto Scroll:
  • 00:00:00
    [Music]
  • 00:00:04
    today is finally the day Microsoft is
  • 00:00:06
    releasing co-pilot for security in this
  • 00:00:08
    video I want to show you how to get
  • 00:00:10
    started so how to provision SCU secure
  • 00:00:13
    compute units so that your analysts can
  • 00:00:15
    make use of this new technology in your
  • 00:00:17
    sock to enhance and expedite their
  • 00:00:21
    analysis and their threat hunting all
  • 00:00:24
    right so let's get started all right
  • 00:00:25
    very importantly I want to get started
  • 00:00:27
    by where can you access it and
  • 00:00:30
    how can you set it up there's two ways
  • 00:00:32
    the first one you're seeing on screen
  • 00:00:34
    right now this is the Azure portal so
  • 00:00:36
    just navigate to Azure or portal.
  • 00:00:39
    azure.com and then enter the service
  • 00:00:41
    co-pilot for security so you see
  • 00:00:44
    co-pilot for security compute
  • 00:00:46
    capabilities all right so this is what
  • 00:00:49
    we want to set up now in the in this
  • 00:00:51
    space we can set up our secure compute
  • 00:00:54
    unit and get started this way or the
  • 00:00:57
    alternative and preferred method uh is
  • 00:01:01
    the Standalone portal which is currently
  • 00:01:04
    accessed through this URL that you're
  • 00:01:06
    seeing on screen right here security
  • 00:01:08
    Coop pilot. microsoft.com and that's
  • 00:01:10
    important because this portal is
  • 00:01:13
    essentially the same where your analysts
  • 00:01:15
    will be leveraging the Standalone
  • 00:01:17
    version of copal for security and what's
  • 00:01:19
    the difference between setting up an
  • 00:01:20
    Azure versus the Standalone well if you
  • 00:01:23
    do it in Azure you'll have to take a a
  • 00:01:25
    second step to get it all set up uh from
  • 00:01:28
    within this portal so it's a it's a
  • 00:01:30
    two-step if you do it from portal.
  • 00:01:32
    azure.com however if you set it up and
  • 00:01:34
    provision it from here you're going to
  • 00:01:36
    be straight up uh sent to the tour
  • 00:01:39
    overview of the platform right after you
  • 00:01:41
    finish up the provisioning so it's same
  • 00:01:44
    experience but there's one more step for
  • 00:01:47
    if you do it through Azure so anyway
  • 00:01:49
    let's go ahead and try and set it up I'm
  • 00:01:51
    going to do it through Azure first so
  • 00:01:53
    let's go ahead and create a resource let
  • 00:01:55
    me go ahead and enter my subscription
  • 00:01:57
    Choosing My Resource Group I created a
  • 00:01:59
    dedicated Resource Group for it then I
  • 00:02:01
    type in a capacity name so this is the
  • 00:02:04
    name that the copilot SCU will be
  • 00:02:06
    assigned and then I have to choose the
  • 00:02:08
    prompt evaluation location at launch
  • 00:02:10
    there will be four of them you can see
  • 00:02:11
    them on screen Australia UK United
  • 00:02:13
    States or Europe and as you choose them
  • 00:02:16
    you see that the capacity region here at
  • 00:02:18
    the bottom changes if uh for whatever
  • 00:02:20
    reason that uh region capacity has
  • 00:02:23
    reached its limit you might want to turn
  • 00:02:26
    on this checkbox right here which states
  • 00:02:28
    that if that region is busy your prompt
  • 00:02:30
    will be sent to another region just
  • 00:02:32
    follow whatever your compliance
  • 00:02:34
    requirements required of you and then
  • 00:02:36
    finally at the bottom you can see the
  • 00:02:38
    security compute units so just choose
  • 00:02:40
    from starting with one how many you want
  • 00:02:42
    from 1 to 100 one SCU per hour doesn't
  • 00:02:46
    mean that you'll have only one um
  • 00:02:49
    analyst utilizing this service per hour
  • 00:02:52
    but rather it's a shared resource it's a
  • 00:02:54
    provision resource so you're actually
  • 00:02:55
    paying per hour so at any hour that it's
  • 00:02:58
    turned on you're going to be consuming
  • 00:02:59
    giv me $4 USD per that resource and how
  • 00:03:03
    many analysts can use it well how many
  • 00:03:06
    uh that secure compute unit can be
  • 00:03:09
    consumed you might run out of scus in
  • 00:03:13
    that one hour if you only have one of
  • 00:03:15
    them and if you have multiple analysts
  • 00:03:17
    so just be mindful of that now the
  • 00:03:19
    platform will tell us if you're running
  • 00:03:21
    out of scus so that you can increase
  • 00:03:23
    them at any point in time and that's
  • 00:03:24
    totally feasible totally doable you can
  • 00:03:27
    increase and after you've used it for
  • 00:03:29
    what whatever reason and whatever
  • 00:03:30
    incidents are responding to you can
  • 00:03:32
    decrease them back to one uh if that's
  • 00:03:34
    your uh default requirement there I also
  • 00:03:37
    really recommend you have a look at the
  • 00:03:38
    terms and conditions this is the
  • 00:03:39
    Microsoft legal agreement have a look at
  • 00:03:42
    that if you um have the need to do so
  • 00:03:45
    let me go ahead and click on next it's
  • 00:03:46
    going to validate everything there you
  • 00:03:48
    go it's accepted some of these resources
  • 00:03:50
    let's go ahead and create it okay the
  • 00:03:52
    deployment is complete through Azure so
  • 00:03:54
    now if I go ahead as you can see here
  • 00:03:56
    the next steps it tells me that I need
  • 00:03:58
    to finish set St in copilot for security
  • 00:04:01
    and this is a required step this is
  • 00:04:03
    exactly what I mentioned before if you
  • 00:04:04
    do it through Azure you're going to have
  • 00:04:06
    to jump into the Standalone portal like
  • 00:04:08
    this so let me go ahead and click on
  • 00:04:10
    this as you can see it's pivoting to the
  • 00:04:13
    the Standalone portal which I showed
  • 00:04:14
    before um so it's exactly what I had
  • 00:04:17
    shown you and at this stage it knows
  • 00:04:20
    that I've already set up in Azure so
  • 00:04:23
    very quickly let me shift back to the
  • 00:04:25
    previous page I had on standard alone
  • 00:04:27
    right so just as small caveat if I
  • 00:04:30
    hadn't set it up in Azure I would have
  • 00:04:31
    to go through this setup right here it
  • 00:04:33
    is the same information that I entered
  • 00:04:35
    in Azure just through this portal but I
  • 00:04:38
    would have continued the setup right
  • 00:04:40
    from this portal without the need to
  • 00:04:42
    click on that finish setup and without
  • 00:04:44
    having to open a second tab so that's
  • 00:04:47
    the only difference there between
  • 00:04:48
    setting it up um through portal.
  • 00:04:50
    azure.com or through the Standalone
  • 00:04:53
    portal let me close this page go back to
  • 00:04:55
    the page where I pivoted from Azure and
  • 00:04:58
    at this stage I need to to select the
  • 00:05:00
    capacity I'd like to use this is what
  • 00:05:02
    powers co-pilot as you can see so this
  • 00:05:04
    is the
  • 00:05:05
    exact capacity that I had created just
  • 00:05:09
    now and you can see here this was
  • 00:05:11
    created in Azure portal let's go ahead
  • 00:05:13
    and click on continue now this here is
  • 00:05:15
    telling me that my customer dat will be
  • 00:05:16
    stored in the United States this is
  • 00:05:18
    because my well customer account is set
  • 00:05:20
    up with this um in it this is just
  • 00:05:24
    because of my account the way my account
  • 00:05:25
    is set up now we're prompted I'm
  • 00:05:27
    prompted for a potential help to improve
  • 00:05:30
    co-pilot by sharing statistics and usage
  • 00:05:33
    uh I will leave these on as I'm always
  • 00:05:36
    up for improvement okay so at this point
  • 00:05:38
    I'm being asked about who can access
  • 00:05:40
    co-pilots there's essentially two types
  • 00:05:42
    of access contributors those are your
  • 00:05:44
    analysts people who just need to chat
  • 00:05:47
    and talk to co-pilot but not manage
  • 00:05:50
    capacity not manage an administer who
  • 00:05:52
    has access to it so these are
  • 00:05:54
    contributors so think of your analysts
  • 00:05:56
    so contributors just need to access
  • 00:05:58
    copilot based on their permission to
  • 00:05:59
    Microsoft security um Solutions and
  • 00:06:03
    products as for owners well owners can
  • 00:06:05
    manage access from role assignment page
  • 00:06:08
    and there's two owners two roles in
  • 00:06:11
    Azure that are owners Global admin so ga
  • 00:06:14
    and sa Security administrator okay and
  • 00:06:17
    there's a lot more details in terms of
  • 00:06:19
    access that you can get out of the
  • 00:06:21
    official documentation I highly
  • 00:06:22
    recommend you have a look at that um but
  • 00:06:25
    for your reference let me open it up
  • 00:06:27
    here in terms of Authentication and
  • 00:06:30
    access so this is the page that talks
  • 00:06:32
    about what authentication or how
  • 00:06:35
    authentication Works in co-pilot for
  • 00:06:37
    security what I want to bring your
  • 00:06:39
    attention to is what kind of access each
  • 00:06:41
    role gives out to co-pilot and this is
  • 00:06:44
    important because once again uh you do
  • 00:06:47
    not want to give everyone Global admin
  • 00:06:49
    rights so that they can run prompts uh
  • 00:06:51
    run prompt books manage plugins
  • 00:06:53
    configure settings you don't need to do
  • 00:06:55
    that because if I scroll down here at
  • 00:06:57
    the bottom you can see that Security
  • 00:06:58
    administrator can do everything that GA
  • 00:07:02
    can do in uh copal for security without
  • 00:07:05
    the extended uh tenant level
  • 00:07:08
    capabilities that GA gives it gives them
  • 00:07:10
    out you right so Security administrator
  • 00:07:11
    is the preferred method for owners and
  • 00:07:14
    people who are managing your your sock
  • 00:07:15
    in your service uh and then for anyone
  • 00:07:18
    just managing your incident security
  • 00:07:21
    operator or security reader will be
  • 00:07:23
    enough in order to run prompts and run
  • 00:07:25
    prompt books all right so this is what I
  • 00:07:27
    wanted to highlight there in terms of
  • 00:07:28
    access
  • 00:07:30
    all right with this said let's go ahead
  • 00:07:32
    and click on continue for the access and
  • 00:07:34
    apparently I'm all set there you go so
  • 00:07:36
    from this point onward it's I'm told
  • 00:07:38
    that I can share the security copile
  • 00:07:39
    microsoft.com to my colleagues and I can
  • 00:07:42
    manage billing in the Azure portal all
  • 00:07:44
    right let's go ahead and finish this up
  • 00:07:46
    this is it magical this is the homepage
  • 00:07:50
    of co-pilot in the Standalone mode right
  • 00:07:53
    so oh what do you mean by Standalone
  • 00:07:56
    doesn't make any sense well Standalone
  • 00:07:58
    means everything you need to do from
  • 00:08:00
    compil it can be done from here right
  • 00:08:02
    and that's important because as you can
  • 00:08:03
    see here on this page on the left hand
  • 00:08:06
    side in the hamburger menu we can have a
  • 00:08:09
    look here at um what capacities and what
  • 00:08:11
    I can do as part of uh this service so I
  • 00:08:14
    can have a look at older sessions so
  • 00:08:17
    every incident and each and every
  • 00:08:19
    incident that I get access to that uh
  • 00:08:21
    copile generates a summary for it
  • 00:08:22
    generates a session right so that
  • 00:08:24
    session can be continued if I want to
  • 00:08:26
    dive deeper into that incident if I want
  • 00:08:28
    to continue chatting with pilot in the
  • 00:08:30
    context of that incident so these are
  • 00:08:32
    sessions each session and I'm going to
  • 00:08:35
    have a look at that and show you that
  • 00:08:36
    later but each session will then be able
  • 00:08:39
    to be shared to my colleagues so if I'm
  • 00:08:42
    part of a sock team and I want to share
  • 00:08:44
    my uh investigation chat with my co my
  • 00:08:47
    peers and colleagues I can just share
  • 00:08:50
    the session with them now they will have
  • 00:08:51
    access to the entire chat of the
  • 00:08:53
    sessions so be mindful of that so that's
  • 00:08:55
    a great way to manage sessions there and
  • 00:08:56
    you can keep a track uh track record of
  • 00:08:58
    all your session here on the left hand
  • 00:09:00
    side here we also have the prompt book
  • 00:09:02
    now prompt books are essentially
  • 00:09:04
    programmatic ways to execute prompts so
  • 00:09:08
    you take in a value from the analyst so
  • 00:09:11
    imagine we're hunting for a specific cve
  • 00:09:14
    ID so the prompt book is Catered for a
  • 00:09:17
    vulnerability right so that's the field
  • 00:09:19
    that the analyst is going to enter in
  • 00:09:20
    the prompt book and then the prompt book
  • 00:09:22
    will have a list of pre-made and
  • 00:09:25
    template prompts that they're going to
  • 00:09:27
    be entered sequentially so that that
  • 00:09:29
    your analyst don't have to know the
  • 00:09:32
    process by heart so they don't have to
  • 00:09:34
    do that and to know all the process uh
  • 00:09:37
    themselves but rather they can rely on
  • 00:09:38
    the expertise of a senior uh analyst or
  • 00:09:41
    a senior researcher who has done that
  • 00:09:43
    for them and created a prompt book for
  • 00:09:46
    that investigation right so it's a
  • 00:09:48
    workflow it's essentially the automation
  • 00:09:50
    of specific tasks that co-pilot can run
  • 00:09:53
    for you and that is exciting let me open
  • 00:09:55
    one of them up here for you so the
  • 00:09:57
    threat actor profile so you can see the
  • 00:09:59
    input here it's a field so this field is
  • 00:10:02
    entered by your analyst so this is the
  • 00:10:04
    only field that is required so that we
  • 00:10:06
    run this prompt book called threat actor
  • 00:10:08
    profile and the tags is threat actor
  • 00:10:11
    there are five prompts in here and
  • 00:10:13
    Microsoft created it so if I open it up
  • 00:10:15
    I can see what are the these pre-made
  • 00:10:18
    prompts and as you can see it's it's
  • 00:10:20
    programmatic right so when we think of
  • 00:10:22
    hey we're getting a value an input from
  • 00:10:24
    my user such as thread actor name and
  • 00:10:26
    we're entering that in this template
  • 00:10:29
    prompt
  • 00:10:29
    that is so helpful because now now we
  • 00:10:32
    don't need to think about what I need to
  • 00:10:34
    do next in my investigation process in
  • 00:10:36
    in in my my organization right so that's
  • 00:10:38
    also been document that's already been
  • 00:10:39
    documented in as part of promp books so
  • 00:10:41
    I can copy this uh duplicate right and
  • 00:10:44
    create a variant of it or I can start a
  • 00:10:46
    new session that's going to start from
  • 00:10:48
    this prompt book for example but not
  • 00:10:50
    only can I start sessions from this
  • 00:10:52
    prompt book but whenever I'm in an
  • 00:10:54
    incident in the Standalone version I can
  • 00:10:56
    actually manually quickly and
  • 00:10:59
    voluntarily uh access all of these
  • 00:11:01
    prompt books as part of my session my
  • 00:11:03
    conversation with co-pilot so this is uh
  • 00:11:06
    the uh benefit as you can see here it's
  • 00:11:08
    extendable right so we can see there are
  • 00:11:09
    different organizations here Microsoft
  • 00:11:11
    my organization and my prompt book so my
  • 00:11:14
    colleagues can make their own prop books
  • 00:11:16
    share in my organization and so on so
  • 00:11:18
    forth the last thing I want to cover
  • 00:11:19
    here of course we have owner settings
  • 00:11:21
    rooll assignment let me open up rer
  • 00:11:23
    owner settings there we go I can see the
  • 00:11:24
    subscription ID row Source ID I can have
  • 00:11:26
    a look at the uh OP 10 uh ch changes
  • 00:11:29
    that I've made there and I can see the
  • 00:11:32
    secure compute units assigned to my
  • 00:11:33
    tenant so I can change this here uh when
  • 00:11:36
    I click on change there we go I can
  • 00:11:38
    mainly add two three and apply and so on
  • 00:11:40
    so forth I can manage billing in Azure
  • 00:11:43
    I'm going to have a look at that later
  • 00:11:44
    but I can see the usage as well so when
  • 00:11:46
    I see the usage I can see how many
  • 00:11:48
    prompts I have sent or how many portions
  • 00:11:51
    of that seu have been consumed by my
  • 00:11:53
    agents this is important I'm going to
  • 00:11:54
    I'm going to have a look at that uh soon
  • 00:11:57
    okay and lastly we have settings so
  • 00:11:58
    these are just user experience settings
  • 00:12:01
    change the way it looks uh change time
  • 00:12:03
    zone potentially as you can see here and
  • 00:12:05
    files who can upload files and uh
  • 00:12:08
    potentially response the bug options as
  • 00:12:10
    well great so from here if I want to get
  • 00:12:12
    started with co-pilot I can just start a
  • 00:12:14
    new session so if I scroll down you can
  • 00:12:16
    see the prompt U experience here and the
  • 00:12:19
    prompt experience has a couple buttons
  • 00:12:21
    here so the rightmost button is to
  • 00:12:25
    submit the prompt so after I enter
  • 00:12:26
    information here I can submit the prompt
  • 00:12:28
    the second L to right most is the
  • 00:12:30
    sources so these are the plugins so if I
  • 00:12:32
    click on them I can see what plugins I
  • 00:12:36
    can enable as part of my service so I
  • 00:12:38
    can see that by default this was just
  • 00:12:40
    created right I have Defender thread
  • 00:12:42
    intelligence enabled so that's part of
  • 00:12:44
    the service so we get Evergreen and
  • 00:12:46
    always up to-date thread intelligence
  • 00:12:49
    because of this plugin we also get the
  • 00:12:51
    fender xdr Microsoft entra in tune
  • 00:12:54
    Sentinel which is in preview as you can
  • 00:12:56
    see here if I click on the settings I'm
  • 00:12:58
    going to be able to to enter the default
  • 00:13:00
    workspace name for Sentinel um and the
  • 00:13:03
    default Resource Group name as well for
  • 00:13:05
    uh incident investigation within
  • 00:13:07
    co-pilot I'm going to set this up a
  • 00:13:10
    little later and as I scroll down
  • 00:13:11
    further down you can see other so these
  • 00:13:13
    are provided by third party so
  • 00:13:16
    essentially other providers and testers
  • 00:13:18
    have created their own plugins for
  • 00:13:20
    copilot for security that you'll be able
  • 00:13:22
    to leverage here so we can see sare
  • 00:13:24
    respond created this plugin for
  • 00:13:26
    automated C response and threat analysis
  • 00:13:28
    for example
  • 00:13:29
    net scope reporting API endpoints tum is
  • 00:13:32
    using that to or provided something to
  • 00:13:35
    Valance security uh to help fix sess
  • 00:13:39
    risks so each plugin will have their own
  • 00:13:41
    capabilities and their own use cases uh
  • 00:13:44
    and they're all in preview at the moment
  • 00:13:47
    but just be mindful of that and you can
  • 00:13:48
    add your own plugin as well so you can
  • 00:13:50
    create your own plugin utilizing copilot
  • 00:13:53
    for security Uh custom um information or
  • 00:13:56
    even an open AI plugin based on uh the
  • 00:13:59
    Json file that is utilized by open AI
  • 00:14:03
    plugins as well so just think about the
  • 00:14:05
    capabilities and the extensibility of
  • 00:14:06
    this platform that's really impressive
  • 00:14:09
    if I want to ground some of my answers
  • 00:14:12
    into my own files I can do that too
  • 00:14:14
    right so I can upload files like
  • 00:14:16
    internal policies as you can see here
  • 00:14:19
    and even organization knowledge that
  • 00:14:21
    will inform co-pilot uh of responses
  • 00:14:24
    right so when when we prompt we can
  • 00:14:26
    specify the file name or a loaded files
  • 00:14:30
    and co-pilot will leverage them for the
  • 00:14:33
    answer and only me as a user will be
  • 00:14:36
    able to see my uploaded files as you can
  • 00:14:38
    see here so just helps me enhance the
  • 00:14:42
    capabilities of co-pilot based on my own
  • 00:14:45
    organization of course you would you
  • 00:14:47
    would do that under your own processes
  • 00:14:48
    and understanding the need to do
  • 00:14:51
    so awesome so those are all sources and
  • 00:14:54
    how you can extend co-pilot by a lot of
  • 00:14:56
    different ways and then lastly we have
  • 00:14:58
    prompt
  • 00:14:59
    right here on the right hand side
  • 00:15:01
    prompts is prompt books right so
  • 00:15:02
    everything I showed you before is there
  • 00:15:04
    so we can essentially trigger a prompt
  • 00:15:06
    book right from here we don't have to go
  • 00:15:08
    through the prompt book page to do that
  • 00:15:10
    just can trigger them from here we can
  • 00:15:11
    choose one of them you can see all the
  • 00:15:13
    steps for the prompt book and you can
  • 00:15:15
    enter the input that is required for
  • 00:15:18
    that particular prompt book this
  • 00:15:19
    particular one I'm looking at the fender
  • 00:15:22
    incident ID for
  • 00:15:23
    example but not only that uh what I find
  • 00:15:26
    really valuable is the system
  • 00:15:29
    capabilities right so this when I click
  • 00:15:32
    on see all system capabilities I can see
  • 00:15:35
    everything and every action that the
  • 00:15:36
    platform can do for me and it's pretty
  • 00:15:39
    extensive and it's categorized so I can
  • 00:15:41
    see under incident analysis what are the
  • 00:15:43
    capabilities of co-pilot for security it
  • 00:15:45
    incident analysis what about
  • 00:15:46
    investigation boom these are here
  • 00:15:48
    knowledge base and so on so forth
  • 00:15:50
    Microsoft Defender threat intelligence
  • 00:15:52
    so those are known to be uh capabilities
  • 00:15:56
    of the platform here um just of the box
  • 00:15:59
    right right out of the box but you can
  • 00:16:01
    of course extend this by multiple ways
  • 00:16:03
    be that with a plugin that you create or
  • 00:16:06
    with a prompt book that you
  • 00:16:08
    automate so let me go ahead and make a
  • 00:16:10
    first first prompt there we go so I
  • 00:16:12
    entered my question what should I be
  • 00:16:14
    worried about in my environment today so
  • 00:16:17
    right off the bat it starts a new
  • 00:16:19
    session and it starts um evaluating the
  • 00:16:22
    results and as you can see I love that
  • 00:16:24
    it it's pretty transparent in what it
  • 00:16:27
    expects out of you right good input put
  • 00:16:29
    because good input requires good output
  • 00:16:32
    right so there are good practices to
  • 00:16:35
    prompting right so you have to be very
  • 00:16:37
    mindful of what are good prompts for
  • 00:16:39
    example uh have a goal in mind be
  • 00:16:42
    specific right so security related
  • 00:16:44
    information that you need enter that in
  • 00:16:46
    the prompt also context if you know
  • 00:16:49
    you're going to need information for a
  • 00:16:51
    specific platform enter the platform for
  • 00:16:53
    example State what is the higher
  • 00:16:55
    severity uh incident in the fender 365
  • 00:16:58
    to day for
  • 00:17:00
    example expectations right so format or
  • 00:17:03
    target audience you wanted the response
  • 00:17:05
    tailored to especially if you're um
  • 00:17:08
    creating and generating a report for an
  • 00:17:10
    executive for example state so make it
  • 00:17:13
    clear uh and lastly Source if there's a
  • 00:17:16
    known information data source or PL
  • 00:17:18
    plug-in that Microsoft uh co-pilot could
  • 00:17:21
    use make it and list it right so these
  • 00:17:23
    are good practices for prompting that
  • 00:17:26
    you should know about back to the
  • 00:17:28
    platform so what has been the response
  • 00:17:30
    all right so this experience right here
  • 00:17:32
    is something I've been showing to some
  • 00:17:33
    of my customers lately so this is the
  • 00:17:35
    session for co-pilot and let's take the
  • 00:17:38
    time to actually take it in and
  • 00:17:40
    understand what's being shown to us so
  • 00:17:43
    this is a prompt I can select the prompt
  • 00:17:46
    why can I select it because when I
  • 00:17:47
    select it I can delete them I can
  • 00:17:49
    resubmit the prompt to get a different
  • 00:17:51
    answer maybe if that didn't satisfy me
  • 00:17:54
    but I can pin that prompt to a pinboard
  • 00:17:58
    when I'm going through through a lengthy
  • 00:18:00
    incident I might find uh or have prompts
  • 00:18:03
    that I want to save for posterity so
  • 00:18:05
    save them because when you share the
  • 00:18:08
    sessions between teams you're going to
  • 00:18:10
    be able to see that and that's going to
  • 00:18:11
    be valuable for you and you can create a
  • 00:18:14
    prompt book out of this uh particular
  • 00:18:17
    prompt as well right on the right hand
  • 00:18:19
    side here we have a couple buttons we
  • 00:18:21
    have the share button so I can share
  • 00:18:23
    this session with a colleague of mine so
  • 00:18:25
    I can add their email or name and I can
  • 00:18:28
    copy uh the link for example and share
  • 00:18:30
    that to them but I can also open the pin
  • 00:18:33
    board I have nothing pinned but if I had
  • 00:18:36
    pin this uh prompt here it will show up
  • 00:18:39
    in here in a matter of a few seconds
  • 00:18:41
    there we go summarizing the session and
  • 00:18:44
    you can see the pinned item is in there
  • 00:18:46
    boom that's the pin
  • 00:18:48
    board awesome so this is how you can
  • 00:18:50
    interact it with it uh on the right hand
  • 00:18:52
    side you can perform some of the actions
  • 00:18:54
    that uh you can at the bottom one at the
  • 00:18:56
    top when you select it for example you
  • 00:18:58
    can addit the prompt you can resubmit
  • 00:18:59
    the prompt or delete the prompt and of
  • 00:19:01
    course I can consume the prompt on the
  • 00:19:03
    center of the screen so for example if I
  • 00:19:05
    spend the steps and this is brilliant
  • 00:19:07
    because when we're looking into how
  • 00:19:09
    generative AI works we have to
  • 00:19:11
    understand um how the orchestrator of
  • 00:19:14
    copil for security works and of course
  • 00:19:16
    what steps it took in order to come out
  • 00:19:19
    with an output and this makes it really
  • 00:19:21
    clear so what should I be word in my
  • 00:19:23
    environment today well this is a pretty
  • 00:19:24
    generic question I didn't follow the
  • 00:19:26
    best practices cuz I didn't tell it what
  • 00:19:28
    platform to look at I didn't uh was not
  • 00:19:30
    specific I didn't I was not specific to
  • 00:19:32
    the goal because I didn't say hey what
  • 00:19:35
    uh vulnerability should I be wored in my
  • 00:19:37
    environment or what incidents should I
  • 00:19:39
    be worried in my environment these would
  • 00:19:40
    be better profits but I was very generic
  • 00:19:42
    and intentionally because at this time I
  • 00:19:44
    can show you that it automated Auto
  • 00:19:48
    auton oh my God in its own mind it
  • 00:19:51
    actually chose to uh select Defender
  • 00:19:54
    threat intelligence as the plugin that
  • 00:19:56
    it needs to prompt to answer my query
  • 00:19:59
    intelligently right so it's done so and
  • 00:20:01
    you can see here the reasoning behind it
  • 00:20:03
    based on your prompt any other prompts
  • 00:20:05
    and responses in this session and Co
  • 00:20:07
    co-pilot capabilities it's decided that
  • 00:20:09
    Defender threat intelligence is the best
  • 00:20:11
    option to go here so it looked up thread
  • 00:20:13
    information so it's found thread
  • 00:20:15
    analytics information from the fender
  • 00:20:16
    xdr portal so it's looked at uh create
  • 00:20:19
    created incidents information created
  • 00:20:21
    and alerts counts and then it prepared
  • 00:20:23
    my response going through safety checks
  • 00:20:25
    that I've explained in previous videos
  • 00:20:27
    as well once it's done so it's actually
  • 00:20:28
    coming up with a report here recent
  • 00:20:30
    threats that I should be aware of so
  • 00:20:32
    cves what a vulnerability affecting
  • 00:20:34
    gaming Services service providers um and
  • 00:20:37
    why is that because it's it's looking at
  • 00:20:39
    alerts that I have in my environment I
  • 00:20:41
    don't have any any but I have
  • 00:20:42
    misconfigured devices who might be
  • 00:20:44
    affected by this particular
  • 00:20:45
    vulnerability uh it's also looking at an
  • 00:20:47
    actor profile here uh looking at again
  • 00:20:51
    alert counts misconfigured devices
  • 00:20:52
    vulnerable devices to this particular
  • 00:20:55
    threat based on the threat analytics
  • 00:20:56
    that is created by the fender xdr and so
  • 00:20:58
    it's also looking at a particular to
  • 00:21:00
    Tool there for us after you consume this
  • 00:21:03
    you can see at the bottom the feedback
  • 00:21:05
    option right so how is this response and
  • 00:21:07
    that's important part of the product
  • 00:21:08
    because generative AI this is all about
  • 00:21:10
    human intelligence not AI per se right
  • 00:21:14
    it's about enhancing the human so this
  • 00:21:17
    here um was a good good answer uh so but
  • 00:21:20
    how is this how is this response does it
  • 00:21:22
    look right uh accurately and and
  • 00:21:25
    factually yep it does look right
  • 00:21:26
    factually uh I can validate everything I
  • 00:21:28
    think versus my threat analytics um
  • 00:21:31
    report and make sure that there's no
  • 00:21:32
    alert counts that match any of these and
  • 00:21:35
    so on so forth if I need if if it needs
  • 00:21:37
    Improvement I could provide some uh
  • 00:21:40
    feedback here or if it's inappropriate I
  • 00:21:42
    could state so too and provide evidence
  • 00:21:45
    of why that is now this is all of the Su
  • 00:21:48
    uh some of the information you can get
  • 00:21:50
    out of it but if I want to be more
  • 00:21:52
    specific follow good
  • 00:21:54
    practices I can just go ahead and ask it
  • 00:21:56
    so let me go be specific and ask what is
  • 00:21:59
    the highest severity incident in my
  • 00:22:01
    Defender XTR portal so let me go ahead
  • 00:22:03
    and ask it oh and one thing I didn't
  • 00:22:05
    mention before but for each and every
  • 00:22:06
    step it actually tells us how how long
  • 00:22:08
    it took the platform to actually process
  • 00:22:11
    each step and that's important as well
  • 00:22:13
    because secure compute units about time
  • 00:22:16
    to process and how complex your queries
  • 00:22:18
    are so when we look at the time the
  • 00:22:21
    amount of time that your prompt has
  • 00:22:23
    needed in order to be processed by the
  • 00:22:25
    platform it also means how much you're
  • 00:22:27
    paying for each and every question
  • 00:22:28
    you're making all right so for this
  • 00:22:30
    particular question I I specifically
  • 00:22:33
    called out the fender xdr good prompting
  • 00:22:35
    so there we go so at this at this stage
  • 00:22:37
    it actually chose the fender xdr uh it
  • 00:22:40
    processed prepared it and everything
  • 00:22:41
    else and at this stage it actually tells
  • 00:22:43
    me with accuracy right so I know for a
  • 00:22:46
    fact that this is actual true Defender
  • 00:22:49
    xdr has a send cat send cat hack tool
  • 00:22:51
    detected in in one of my endpoints uh
  • 00:22:53
    it's stating that resolved that's high
  • 00:22:55
    severity when it was created when was
  • 00:22:58
    upd ated so a couple days ago and the
  • 00:23:01
    incident web URL so let me go ahead and
  • 00:23:03
    click on it it's also telling me at the
  • 00:23:04
    at the bottom here the results of it
  • 00:23:06
    please not that the incident has been
  • 00:23:07
    resolved it's always good practice to
  • 00:23:08
    review the incident details to ensure
  • 00:23:10
    all the necessary remediation steps have
  • 00:23:11
    been taken there we go so I just clicked
  • 00:23:13
    on incident and I'm going to validate
  • 00:23:15
    because I'm a thorough Analyst at this
  • 00:23:17
    point I'm pivoting to the sent cat
  • 00:23:20
    incident which is absolutely factual and
  • 00:23:22
    I can see here the uh endpoint name the
  • 00:23:24
    um URL or whatever file was identified
  • 00:23:28
    as mili and so on and so forth now this
  • 00:23:30
    here is the defender xdr portal which
  • 00:23:33
    you must be aware of uh if you're
  • 00:23:35
    following me for a little while and what
  • 00:23:37
    is important here is that I pivoted from
  • 00:23:39
    I pivoted from the Standalone to the uh
  • 00:23:42
    Defender xdr portal and Defender xdr
  • 00:23:44
    portal also has another capability
  • 00:23:47
    integrated with copilot here so this is
  • 00:23:49
    just been enabled as soon as I created
  • 00:23:52
    that s cuu secure compute unit right and
  • 00:23:54
    that is very important because the uh
  • 00:23:56
    embedded experience
  • 00:23:59
    this is the second way to consume cile
  • 00:24:01
    the embedded
  • 00:24:02
    experience is always integrated into
  • 00:24:04
    incidents for all my analysts so if I
  • 00:24:07
    logged in as a different user here as
  • 00:24:08
    part of my sock so a different analyst
  • 00:24:10
    is looking at their incidents they're
  • 00:24:12
    going to see these co-pilot and beded
  • 00:24:14
    experience too and that's going to be
  • 00:24:16
    beneficial to them as well and at the
  • 00:24:18
    same time they'll be consuming your sccu
  • 00:24:21
    as well be mindful of that now there you
  • 00:24:24
    go so for each and every incident that I
  • 00:24:27
    open up as you can see here the embedded
  • 00:24:30
    experience will generate an incident
  • 00:24:32
    summary and attempt to generate guided
  • 00:24:35
    response if that is relevant for that
  • 00:24:37
    incident okay so for example as you can
  • 00:24:40
    see here there's a summary and there's a
  • 00:24:42
    guide in response I can I could go ahead
  • 00:24:44
    and look it all up and and validate it's
  • 00:24:46
    actual it's all factual true but I'm
  • 00:24:49
    sure it will be now for the incident
  • 00:24:51
    piece I want to open up a different
  • 00:24:53
    incident to highlight something else so
  • 00:24:55
    I'm opening up a second incident and
  • 00:24:57
    just as I open it up you can see here
  • 00:25:00
    yet another incident summary is being
  • 00:25:02
    generated automatically and another
  • 00:25:04
    guided response and I'm purposely
  • 00:25:07
    generating this for you because I want
  • 00:25:08
    to show you what that guided response
  • 00:25:10
    looks like it has buttons so that we can
  • 00:25:12
    interact with it and the incident
  • 00:25:14
    summary well it's just an incident
  • 00:25:15
    summary just makes it easier for your um
  • 00:25:18
    incident an analyst or incident manager
  • 00:25:21
    to understand what they're dealing with
  • 00:25:22
    uh currently and why it's taking so long
  • 00:25:24
    for your analysts to resolve that that
  • 00:25:27
    complex uh incident now it takes a
  • 00:25:29
    little time right as you can see here
  • 00:25:30
    there you go it's just generated the
  • 00:25:31
    incident summary it tells me uh in
  • 00:25:33
    chronological order if what happened uh
  • 00:25:36
    and the guid response well it had an
  • 00:25:38
    issue so I could attempt to regenerate
  • 00:25:40
    let me go ahead and click on it see if
  • 00:25:41
    it will work and while it's doing so
  • 00:25:43
    what I want to show you it's the
  • 00:25:44
    embedded experience options here so at
  • 00:25:46
    the top we have the generate incident
  • 00:25:49
    report button which when I click on it
  • 00:25:51
    it's going to generate yet another
  • 00:25:53
    incidental report a little more thorough
  • 00:25:55
    than the summary and enter the settings
  • 00:25:57
    I can get have look at the uh learn more
  • 00:25:59
    section I can close the embedded
  • 00:26:01
    experience so it close the the the fly
  • 00:26:04
    out here or there we go there's no
  • 00:26:06
    actions recommend right so this quick
  • 00:26:08
    note there or lastly what what I can do
  • 00:26:11
    is also do this here there is the
  • 00:26:13
    ellipses icon there for the incident
  • 00:26:15
    summary and when I click on it I can
  • 00:26:17
    copy this information to the clipboard I
  • 00:26:19
    can regenerate this incident summary or
  • 00:26:22
    I can pivot again to the Standalone
  • 00:26:24
    version of co-pilot for security Now
  • 00:26:27
    this last this last button here is
  • 00:26:29
    really important if your sock is
  • 00:26:31
    primarily driven by the defender XR
  • 00:26:34
    portal because they'll be consuming it
  • 00:26:36
    co-pilot for security in the embedded
  • 00:26:38
    experience okay so they'll be just using
  • 00:26:40
    Defender xdr and at one point they will
  • 00:26:42
    want to talk to co-pilot they want to
  • 00:26:45
    dive deeper into it that's where they'll
  • 00:26:47
    come in here open and co-pilot for
  • 00:26:49
    security and it will keep that session
  • 00:26:52
    or keep that investigation uh
  • 00:26:55
    conversation going so it's opening up
  • 00:26:57
    here the compiled for security interface
  • 00:27:00
    and as you can see yep it's continuing
  • 00:27:02
    that incident summary that it had
  • 00:27:04
    generated now notice and this is
  • 00:27:06
    important how the top here we have the
  • 00:27:08
    icon here for uh essentially prompts
  • 00:27:11
    right so every time we open up an
  • 00:27:13
    incident in Co in Defender xdr co-pilot
  • 00:27:16
    for security runs this prompt book
  • 00:27:18
    called get Defender incident right it's
  • 00:27:20
    generating an
  • 00:27:21
    automated response to generate the
  • 00:27:23
    incident there and as you can see I can
  • 00:27:26
    continue the conversation here so if I
  • 00:27:28
    wanted to I could ask about more about
  • 00:27:30
    uh the specific threat or the specific
  • 00:27:34
    machine so let me let me ask about the
  • 00:27:36
    specific machine so I'm asking what is
  • 00:27:37
    the risk score of the machine uh Caldera
  • 00:27:41
    right so this here is an open-ended
  • 00:27:44
    question because I should have called
  • 00:27:45
    out today I want I want this information
  • 00:27:47
    from InTune for example for my device
  • 00:27:49
    manager or I want this information from
  • 00:27:51
    Defender for endpoint should have been
  • 00:27:54
    more specific but I wasn't but at this
  • 00:27:56
    point there we go it chose in tune so is
  • 00:27:58
    now checking for checking for the
  • 00:27:59
    information of that manage device
  • 00:28:02
    preparing my response let's see what it
  • 00:28:04
    tells me uh it's telling me that it
  • 00:28:06
    couldn't be retrieved uh and oh there
  • 00:28:09
    you go that's important please ensure
  • 00:28:10
    that device is ENT joined if I go ahead
  • 00:28:12
    and check that on entra that device is
  • 00:28:15
    not entra joined and I can validate this
  • 00:28:17
    because I know it's it's a fact I set it
  • 00:28:19
    up this a couple days
  • 00:28:21
    ago let's go ahead and do that so I'm
  • 00:28:23
    opening up InTune and I'm checking my
  • 00:28:25
    devices checking my windows devices
  • 00:28:28
    and I can see that yeah absolutely that
  • 00:28:31
    device is not listed here because it's
  • 00:28:33
    not anra joined it's not joined to my
  • 00:28:35
    organization so therefore I cannot check
  • 00:28:38
    the risk because it's not joined to my
  • 00:28:40
    organization so there you go already
  • 00:28:43
    co-pilot told me and showed me how I can
  • 00:28:45
    improve my environment be sure that the
  • 00:28:48
    device is entra joined um they're
  • 00:28:50
    important there so that I can better
  • 00:28:52
    control the risk better control the
  • 00:28:53
    device uh that
  • 00:28:55
    way all right so this here is a look at
  • 00:28:59
    the session now let me go back and see
  • 00:29:02
    what sessions have been created for me
  • 00:29:04
    right so on the hamburger menu let's go
  • 00:29:05
    to my sessions so you're going to see a
  • 00:29:07
    lot of sessions here right so and this
  • 00:29:09
    is everything that I've been showing to
  • 00:29:10
    you in this video right so it started
  • 00:29:13
    with the uh first prompt I made what
  • 00:29:15
    should I be wearing my environment today
  • 00:29:17
    very open-ended not the best prompt uh
  • 00:29:19
    but then there you go user
  • 00:29:20
    recommendations for the incident uh 118
  • 00:29:23
    and from that point I pivoted to the
  • 00:29:25
    embedded version of Defender xdr portal
  • 00:29:28
    and as you can see here there's a couple
  • 00:29:30
    a couple sessions that are created
  • 00:29:31
    whenever I open up a Defender xdr
  • 00:29:34
    incident right so it always generate the
  • 00:29:36
    incident summary session so consumes an
  • 00:29:38
    seu but that same view also generates
  • 00:29:41
    another prompt or
  • 00:29:43
    another session which is guided response
  • 00:29:46
    right and the same thing happened when I
  • 00:29:48
    opened up that other other incident it
  • 00:29:50
    generated two sessions because each
  • 00:29:52
    session equates to a specific Pro prompt
  • 00:29:55
    book that I can continue the
  • 00:29:57
    conversation from and each of these
  • 00:29:59
    sessions they will have their own cons
  • 00:30:02
    consumption of scus for example so
  • 00:30:05
    that's that's helpful to understand how
  • 00:30:06
    copilot is working on the back back
  • 00:30:09
    background so this here is my resource
  • 00:30:10
    that I just created copilot for security
  • 00:30:13
    if I click on it I can see update
  • 00:30:15
    security compute units there we go I can
  • 00:30:18
    see the update security compute
  • 00:30:21
    units um minimum is one so I can delete
  • 00:30:24
    it from here uh there you go as you can
  • 00:30:27
    see here that's pretty helpful but since
  • 00:30:29
    this is a demonstration environment what
  • 00:30:31
    I want to do is actually get rid of it
  • 00:30:33
    um so what I want to do is actually just
  • 00:30:36
    delete it you go ahead and delete this
  • 00:30:38
    what it tells me is that the resource
  • 00:30:40
    and their internal internal data is
  • 00:30:41
    going to be deleted and that's fine it
  • 00:30:44
    does keep uh incident data for a little
  • 00:30:47
    while for a few days so that's mindful
  • 00:30:49
    for you to have in in mind but there we
  • 00:30:52
    go with this I'm attempting to delete it
  • 00:30:55
    so it should not be charged in my
  • 00:30:57
    demonstration department and there we go
  • 00:30:59
    it executed the delete command and as of
  • 00:31:02
    now I don't have any SCU provision no
  • 00:31:05
    secure compute unit provision so I'm not
  • 00:31:07
    going to be charged for the next hour of
  • 00:31:09
    copal for security
  • 00:31:10
    so there we go so hopefully you found
  • 00:31:13
    this video useful you've seen me spin up
  • 00:31:16
    an seu seeing how the outof the boox
  • 00:31:18
    plugins work have a look at the prompt
  • 00:31:20
    books what the capabilities are at a
  • 00:31:22
    very very high level right so it's a
  • 00:31:24
    15,000 ft kind of view of it um but but
  • 00:31:28
    at the end I deprovisioned it in order
  • 00:31:30
    to ensure that my lab environment costs
  • 00:31:33
    don't go through the roof but there you
  • 00:31:34
    go so hopefully found this educational
  • 00:31:37
    and helpful if you like this kind of
  • 00:31:39
    video make sure you leave a like comment
  • 00:31:41
    let me know your thoughts about copilot
  • 00:31:43
    cuz I want to be checking it out further
  • 00:31:45
    uh myself at a later time all right with
  • 00:31:48
    that all said see you next
  • 00:31:51
    [Music]
  • 00:31:55
    time
Tags
  • Microsoft
  • Copilot
  • Security
  • Azure
  • SCU
  • Portal
  • Plugins
  • Prompt Books
  • Workflow
  • Threat Analysis