Identity forensics with Copilot for Security Identity Analyst Plugin

  • Thread starter Thread starter Hesham_Saad
  • Start date Start date
H

Hesham_Saad

Overview

This is a step-by-step guided walkthrough of how to use a custom KQL Copilot for Security plugin for Identity SOC and forensics use cases and how it helps in implementing a consistent security policy for every user, employee, frontline worker, customer, and partner as well as apps, devices, and workloads across multi-cloud and hybrid.



Use case summary

Monitoring and governing Identities using Copilot for Security custom Identity Analyst Plugin:

  1. User Risk Assessment: Monitor user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior.
  2. Sign-in Monitoring: Track user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Unusual sign-in activity could be a sign of a potential security threat.
  3. Admin Activity Monitoring: Admin accounts have high-level access and can be a prime target for attackers. Monitor admin activities, especially those involving changes to security settings, user privileges, or access controls.
  4. Application Usage Monitoring: Keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue.
  5. Privileged Identity Management: Monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts.
  6. Access Review: Regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats.



In this guide, we will provide high-level steps to get started using the new tooling. We will start by adding the custom plugin and it's recommended for organizations to test this in their dev environment first.



Installation

  1. Use the following steps to obtain and install the custom Identity Analyst Plugin for Copilot for Security: Go to securitycopilot.microsoft.com
  2. Download the IdentitySecurityAnalyst.yml file from here.
  3. Select the plugins icon down in the left corner.



Hesham_Saad_0-1729753036021.png



4. Under Custom upload, select upload plugin



Hesham_Saad_1-1729753082167.png



5. Select the Copilot for Security plugin and upload the IdentitySecurityAnalyst.yml file



Hesham_Saad_2-1729753082168.png



6. Click Add

7. Under Custom you will now see the plug-in. Ensure it is enabled.



Hesham_Saad_3-1729753148850.png



The custom package contains the following prompts:



Hesham_Saad_4-1729753176835.png



Let us get started with more use cases leveraging Copilot for Security capabilities:



User Risk Assessment

Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior.



In Copilot for Security, you can either directly invoke the plugin via selling the concerned skill under prompt–system capabilities or type ‘/IdentityGetUserRiskAssesment’ as shown below:



Hesham_Saad_5-1729753226289.png



A sample result will be:



Hesham_Saad_6-1729753248334.png



User Sign-In Activities

Fetches user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Unusual sign-in activity could be a sign of a potential security threat.



In Copilot for Security, you can either directly invoke the plugin via selling the concerned skill under prompt–system capabilities or type ‘/IdentityGetSignInMonitoring’ or prompt with ‘Get users signin activities using Identity analyst plugin’.



Admin Activities Monitoring

Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls.



In Copilot for Security, you can either directly invoke the plugin via selling the concerned skill under prompt–system capabilities or type ‘/IdentityGetAdminActivityMonitoring’ or prompt with ‘Get admin activities monitoring using Identity analyst plugin’.



Applications Usage Monitoring

Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue.



In Copilot for Security, you can either directly invoke the plugin via selling the concerned skill under prompt–system capabilities or type ‘/IdentityGetApplicationUsageMonitoring’ or prompt with ‘Get application usage monitoring using Identity analyst plugin’.



Privileged Identity Management (PIM) Monitoring

Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts.



In Copilot for Security, you can either directly invoke the plugin via selling the concerned skill under prompt–system capabilities or type ‘/IdentityPIMMonitoring or prompt with ‘Get Privileged Identity Management monitoring using Identity analyst plugin’.



Access Review Monitoring

Fetches Access Review logs to regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats.



In Copilot for Security, you can either directly invoke the plugin via selling the concerned skill under prompt–system capabilities or type ‘/IdentityAccessReviewMonitoring or prompt with ‘Get Access Review monitoring using Identity analyst plugin’.



Conclusion

This plugin is based on KQL that presents a relatively simple and scalable way to leverage the existing repositories of proven KQL queries within the Microsoft security ecosystem, One of the suggestions is you can customize the Custom KQL plugin YML file and make the time range to be as input parameter from Copilot for Security instead of specific hard-coded input. These can then be used as a basis to bring AI enrichment onto security data already present within Microsoft Identity for more details on Microsoft Copilot for Security custom plugins via KQL please visit Kusto Query Language (KQL) plugins in Microsoft Copilot for Security. Give it a go and give us your feedback so we can continuously improve the product for your benefit.

Continue reading...
 
Back
Top