Let’s Get Started with Security Copilot – EMS Route

Why Security Copilot?

Copilot is everywhere these days. I often make this joke: is there a Copilot for Copilot? Maybe a dull joke. But jokes aside, Copilot continues to prove that this is the way forward for everything Microsoft. AI technology is inevitable, and using it responsibly is the right thing to do. Like all the other Copilots, Security Copilot looks specifically at your security landscape (surprise!) and helps you look at your security workloads in a new way, understand threats, remediate them, and keep up with the latest trends. Now when I say “your security workloads”, that carries a huge weight, as you know. Providing top-class security in an organization is not easy in today’s threat landscape. But Security Copilot can surely simplify the workloads if properly adopted.

Can I do the same without standing up Security Copilot?

Absolutely. The work that you and your teams are doing at the moment can continue without enabling Security Copilot. However, when it comes to responding to and triaging incidents, constructing scripts to automate your workloads, running KQL queries to deep dive into incidents, and analysing malicious payloads and attack paths, Security Copilot can offer guidance and help you make faster decisions in the fight against all things malicious, as it works across the Microsoft Security stack.

Below is from one of the Microsoft Infographics.

[Image: Microsoft infographic]

Pricing? Permissions?

This is and will be one of the major questions for sure. I want to discuss this in a new article.

The same goes for permissions, RBAC, etc., which will be very interesting topics when setting up the capability in your tenant.

Security Copilot Architecture

Below is the Security Copilot architecture at a high level, to give you an understanding of how the new kid on the block comes onto the scene and connects with the other components that we know and love. My goal is not to go through the LLM and OpenAI processes behind Security Copilot, but to showcase how to use it in your daily work responsibilities.

[Image: Security Copilot architecture diagram]

Some Primary Use Cases

As Microsoft has indicated in its documents, there are some primary use cases for Security Copilot. In this blog post series, I would love to explore these and discuss them further:

  • Investigate and remediate security threats
    Gain context for incidents to quickly triage complex security alerts into actionable summaries and remediate quicker with step-by-step response guidance
  • Build KQL queries or analyze suspicious scripts
    Eliminate the need to manually write query-language scripts or reverse engineer malware scripts with natural language translation to enable every team member to execute technical tasks
  • Understand risks and manage security posture of the organization
    Get a broad picture of your environment with prioritized risks to uncover opportunities to improve posture more easily
  • Troubleshoot IT issues faster
    Synthesize relevant information rapidly and receive actionable insights to identify and resolve IT issues quickly
  • Define and manage security policies
    Define a new policy, cross-reference it with others for conflicts, and summarize existing policies to manage complex organizational context quickly and easily
  • Configure secure lifecycle workflows
    Build groups and set access parameters with step-by-step guidance to ensure a seamless configuration to prevent security vulnerabilities
  • Develop reports for stakeholders
    Get a clear and concise report that summarizes the context and environment, open issues, and protective measures prepared for the tone and language of the report’s audience
