Microsoft Copilot for Security experiences | Microsoft Learn

All prompts and sessions you have run are listed in the My Sessions view of the standalone experience.

Promptbooks

Promptbooks chain multiple prompts into a single run. For example, the Microsoft 365 Defender incident investigation promptbook runs the following steps:
1. Summarize Defender incident
2. Tell me about the entities associated with that incident
3. What are the reputation scores for the IPv4 address on that incident
4. Show the authentication methods setup for each user involved in that incident
5. If a user is listed in the incident details, show which device they have used recently and indicate whether they are compliant with policies
6. If any devices are listed in the previous output, show details from Intune on the one that checked in most recently. Especially indicate if it is current on all operating system updates
7. Write an executive report summarizing this investigation. It should be suited for a non-technical audience

First, Copilot checks that the plugins the promptbook needs are available.

After the initial plugin connection it starts running the prompts. This takes some time when the incident contains many alerts and pieces of evidence.

The incident used here contains 42 alerts and is a human-operated ransomware scenario in which attack disruption was triggered.
As an example, the alert summary sets out the context: attack disruption triggered by a hands-on-keyboard attack from a compromised account.

Figure: Summarize example of the incident

Defender incident 621, which is of Informational severity, comprises a total of 42 alerts. Here are some of the alerts from the incident:
1. A High severity alert was triggered on 2024-05-17 at 08:56:56 UTC. The alert description indicates that a group membership was changed for user BillY. This user created or modified an account that later performed malicious activity relating to the Cloud App ‘Active Directory’.
2. A Medium severity alert was triggered on 2024-05-17 at 08:57:17 UTC. The alert description suggests possible lateral movement relating to IP ‘192.168.2.5’, impacting Machine ‘dclab-5’.
3. Another Medium severity alert was triggered on 2024-05-17 at 08:57:24 UTC. The alert description indicates that user ‘sysop’ added ‘BillY’ to the sensitive Domain Admins group. This event is considered suspicious as it involves additions to sensitive groups. The alert impacted 2 Users ‘sysop’, ‘BillY’, on Machine ‘DC01’.
4. A High severity alert was triggered on 2024-05-17 at 09:07:11 UTC. The alert description suggests a compromised account conducting a hands-on-keyboard attack. This attack involved 6 Files including ‘cmd.exe’, ‘UzafPlXU.bat’, IP ‘192.168.2.8’, 5 Processes including ‘cmd.exe’ running as ‘SYSTEM’, ‘rundll32.exe’ running as ‘SYSTEM’, 4 Registry Keys including ‘SYSTEM\ControlSet001\Services\EceCnKdy’, ‘SYSTEM\ControlSet001\Services\3zzOujsH’ impacting 2 Users ‘LocalSystem’, ‘BillY’, on Machine ‘dclab-5’.
5. A High severity alert was triggered on 2024-05-17 at 09:07:39 UTC. The alert description indicates a process memory dump involving 5 Processes including ‘cmd.exe’ running as ‘SYSTEM’, ‘services.exe’ running as ‘SYSTEM’ impacting User ‘BillY’, on Machine ‘dclab-5’.
6. Another High severity alert was triggered on 2024-05-17 at 09:07:39 UTC. The alert description suggests a compromised account conducting a hands-on-keyboard attack. This attack involved 4 Files including ‘tYKVfiZg.bat’, ‘DrDBYWRM.bat’, IP ‘192.168.2.8’, 2 Processes ‘lsass.exe’ running as ‘SYSTEM’, ‘services.exe’ running as ‘SYSTEM’, 4 Registry Keys including ‘SYSTEM\ControlSet001\Services\XbUYzFTU’, ‘SYSTEM\ControlSet001\Services\LyTIxexv’ impacting 2 Users ‘LocalSystem’, ‘BillY’, on Machine ‘dc01’.
7. An Informational severity alert was triggered on 2024-05-17 at 09:17:18 UTC. The alert description indicates that lateral movement using RDP was blocked impacting User ‘billy’, on Machine ‘dc01’.
8. Another Informational severity alert was triggered on 2024-05-17 at 09:18:39 UTC. The alert description suggests that lateral movement using remote logon by contained user ‘billy’ was blocked on multiple devices relating to IP ‘192.168.2.7’ impacting User ‘billy’, on Machine ‘dc01’.

In summary, the incident ‘Hands-on keyboard attack was launched from a compromised account (attack disruption)’ occurred between 2024-05-17 08:56:56 UTC and 2024-05-17 09:18:39 UTC. It triggered an automatic Attack Disruption action. The incident involved Credential Access, Lateral Movement, and Persistence tactics. The incident began with user ‘BillY’ modifying an account in the ‘Active Directory’ cloud app that later performed malicious activity. This was followed by possible lateral movement detected on the device ‘dclab-5’ (Windows10) involving the IP 192.168.2.5. User ‘sysop’ added ‘BillY’ to the sensitive ‘Domain Admins’ group on the machine ‘DC01’, indicating suspicious additions to sensitive groups. A hands-on-keyboard attack was detected on ‘dclab-5’ (Windows10) involving the ‘cmd.exe’ and ‘rundll32.exe’ processes running as ‘SYSTEM’, and impacting users ‘LocalSystem’ and ‘BillY’. Finally, lateral movement using remote logon by the contained user ‘billy’ was blocked on multiple devices, including ‘dc01’ (WindowsServer2019), involving the IP 192.168.2.7.
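The summary above is prose, and prose is easy to skim past. As an added example that is not part of the original post and is not Copilot for Security's own code, the Python below turns alert sentences in the shape Copilot produced here into structured records, so the incident window, the entity set and the severity claim can be checked rather than read. The sample text is constructed from lines of the summary above; the regular expressions are assumptions about the prose shape of this one session, because a language model's output is not a stable schema.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample input: the header line and four alert sentences taken from
# the Copilot summary above. One alert per line is assumed.
SAMPLE_SUMMARY = """\
Defender incident 621, which is of Informational severity, comprises a total of 42 alerts.
A High severity alert was triggered on 2024-05-17 at 08:56:56 UTC. The alert description indicates that a group membership was changed for user BillY.
A Medium severity alert was triggered on 2024-05-17 at 08:57:17 UTC. The alert description suggests possible lateral movement relating to IP ‘192.168.2.5’, impacting Machine ‘dclab-5’.
A High severity alert was triggered on 2024-05-17 at 09:07:11 UTC. This attack involved 6 Files including ‘cmd.exe’, ‘UzafPlXU.bat’, IP ‘192.168.2.8’, 4 Registry Keys including ‘SYSTEM\\ControlSet001\\Services\\EceCnKdy’, ‘SYSTEM\\ControlSet001\\Services\\3zzOujsH’ impacting 2 Users ‘LocalSystem’, ‘BillY’, on Machine ‘dclab-5’.
Another Informational severity alert was triggered on 2024-05-17 at 09:18:39 UTC. The alert description suggests that lateral movement using remote logon by contained user ‘billy’ was blocked on multiple devices relating to IP ‘192.168.2.7’ impacting User ‘billy’, on Machine ‘dc01’.
"""

SEV_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# These patterns are assumptions about the wording Copilot happened to use in
# this session; they are not a documented output format.
ALERT_RE = re.compile(
    r"^(?:A|An|Another)\s+(High|Medium|Low|Informational) severity alert was triggered on "
    r"(\d{4}-\d{2}-\d{2}) at (\d{2}:\d{2}:\d{2}) UTC")
INCIDENT_RE = re.compile(r"Defender incident (\d+), which is of (\w+) severity")
MACHINE_RE = re.compile(r"Machine ‘([^’]+)’")
USER_RE = re.compile(r"Users?\s+((?:‘[^’]+’,?\s*)+)", re.IGNORECASE)
QUOTED_RE = re.compile(r"‘([^’]+)’")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
REG_RE = re.compile(r"‘(SYSTEM\\[^’]+)’")


@dataclass
class Alert:
    when: datetime
    severity: str
    machines: list
    users: list
    ips: list
    registry_keys: list


def parse_alerts(text: str) -> list:
    """Turn each alert sentence into an Alert, oldest first; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        sev, day, clock = m.groups()
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        # Account names are case-folded: Copilot writes both ‘BillY’ and ‘billy’ for one account.
        users = {u.lower() for grp in USER_RE.findall(line) for u in QUOTED_RE.findall(grp)}
        alerts.append(Alert(
            when=when, severity=sev,
            machines=sorted({h.lower() for h in MACHINE_RE.findall(line)}),
            users=sorted(users),
            ips=sorted(set(IP_RE.findall(line))),
            registry_keys=REG_RE.findall(line)))
    return sorted(alerts, key=lambda a: a.when)


def incident_window(alerts):
    """First and last alert time, i.e. the span the summary reports as the incident."""
    return alerts[0].when, alerts[-1].when


def entities(alerts):
    """Union of hosts, accounts, IPs and registry keys across all alerts."""
    out = {"machines": set(), "users": set(), "ips": set(), "registry_keys": set()}
    for a in alerts:
        out["machines"].update(a.machines)
        out["users"].update(a.users)
        out["ips"].update(a.ips)
        out["registry_keys"].update(a.registry_keys)
    return {k: sorted(v) for k, v in out.items()}


def severity_check(text, alerts):
    """Compare the incident severity in the header with the highest alert severity.
    Returns (incident_severity, highest_alert_severity, mismatch)."""
    m = INCIDENT_RE.search(text)
    incident_sev = m.group(2) if m else "unknown"
    highest = max(alerts, key=lambda a: SEV_RANK[a.severity]).severity
    mismatch = SEV_RANK.get(incident_sev, -1) < SEV_RANK[highest]
    return incident_sev, highest, mismatch


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_SUMMARY)
    start, end = incident_window(found)
    print(f"{len(found)} alerts between {start.isoformat()} and {end.isoformat()}")
    for name, values in entities(found).items():
        print(f"{name}: {values}")
    print("severity:", severity_check(SAMPLE_SUMMARY, found))
```

The severity check is the part worth keeping: the summary calls incident 621 Informational while listing High severity alerts, and a parsed record makes that kind of tension visible. Whether it is a real inconsistency or an artefact of how the incident was classified after attack disruption is something to confirm in the Defender portal, not something to take from the narrative.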
Prompt: Write an executive report summarizing this investigation. It should be suited for a non-technical audience.

Figure: Summarize example for non-technical audience

The incident titled “Hands-on keyboard attack was launched from a compromised account (attack disruption)” was first logged on May 17, 2024, and closed on May 31, 2024. This incident was of informational severity and triggered an automatic Attack Disruption action.

The incident began when a user named ‘BillY’ made changes to group membership and created or modified an account in the ‘Active Directory’ Cloud App. This account later performed malicious activity. This event was classified under the ‘Credential Access’ tactic.

Following this, there were several instances of lateral movement detected. The first instance involved a device named ‘dclab-5’, which runs on Windows 10, and was associated with the IP address 192.168.2.5. Later, a hands-on-keyboard attack was detected on the same device, involving multiple files and processes, including ‘cmd.exe’ and ‘rundll32.exe’, both running as SYSTEM. The attack also involved the IP 192.168.2.8 and impacted the ‘LocalSystem’ and ‘BillY’ users.

Another user named ‘sysop’ added ‘BillY’ to the sensitive ‘Domain Admins’ group on a machine named ‘DC01’. This event was classified under the ‘Persistence’ tactic as it indicated suspicious additions to sensitive groups.

Further lateral movement was detected on a device named ‘dc01’, which runs on Windows Server 2019. This involved multiple files, processes, and registry keys, and impacted the ‘LocalSystem’ and ‘BillY’ users. Later, lateral movement using RDP was blocked on the same device, impacting a user named ‘billy’. Finally, lateral movement using remote logon by the contained user was blocked on multiple devices involving IP 192.168.2.7, impacting user ‘billy’ on ‘dc01’.

In response to the incident, an attack disruption action was triggered. This action disabled a potentially compromised user account in Active Directory to prevent it from accessing resources. The same account was contained by the attack disruption. Later on, the containment on the account was released by the attack disruption.

As of now, the incident remains unclassified, and no follow-up actions have been taken yet.
Usage

Consumption of Copilot for Security is tracked in the usage monitoring view, which shows how many units (Security Compute Units, SCUs) have been used over the past hours. In the screenshot below, 3 units are provisioned and usage has reached 3.1, so all provisioned units have been consumed.

Prompts cannot be run while usage is high; the following message is shown instead:

“Due to your organization’s high usage, Copilot can’t respond to requests. Contact a Security Administrator to increase the allowed usage, or try again later”