
Learn how to customize and optimize Copilot for Security with the custom Data Security plugin



Guest Jon Nordström
Posted

This is a step-by-step guided walkthrough of how to use the custom Copilot for Security pack for Microsoft Data Security and how it can help your organization understand its cyber security risks in a context that lets it achieve more: by focusing on the information and organizational context, the pack reflects the real impact and value of investments and incidents in cyber security. We are working to add this to our native toolset as well; we will update this post once it is ready.

Prerequisites

  • License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections of the Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements. You also need to be licensed for Microsoft Copilot for Security; more information is available here.
  • Consider setting up Azure AI Search to ingest policy documents, so that they can be part of the process.

Step-by-step guided walkthrough

In this guide we provide high-level steps to get started using the new tooling. We will start by adding the custom plugin.

  1. Go to securitycopilot.microsoft.com
  2. Download the DataSecurityAnalyst.yml file from here.
  3. Select the plugins icon in the lower-left corner.

[Image: JonNordstrm_0-1713791147737.png]

  4. Under Custom upload, select Upload plugin.

[Image: JonNordstrm_1-1713791147745.png]

  5. Select the Copilot for Security plugin and upload the DataSecurityAnalyst.yml file.

[Image: JonNordstrm_2-1713791147749.png]

  6. Click Add.
  7. Under Custom you will now see the plug-in.

[Image: JonNordstrm_3-1713791147750.png]

The custom package contains the following prompts

Under DLP you will find the following prompts when you type /DLP:

[Image: JonNordstrm_4-1713791147758.png]

Under Sensitive you will find the following prompts when you type sensitive:

[Image: JonNordstrm_5-1713791147767.png]

Let us get started using this together with the Copilot for Security capabilities.

Anomalies detection sample

The DLP anomaly check looks at data from the past 30 days, inspected in 30-minute intervals, for possible anomalies, using a time-series decomposition model.

[Image: JonNordstrm_0-1713794451225.png]
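To make the decomposition model concrete, here is an added Python example; it is not the plugin's own code, which runs as a query inside Copilot for Security (in Kusto, series_decompose_anomalies() is the usual way to express the same idea). It builds a constructed 30-day series of DLP match counts in 30-minute bins, splits it into trend, daily seasonal and residual components, and flags the bins whose residual is far outside the robust noise level. The counts, the daily pattern, the injected burst at bin 596, the start time and the 3.5-sigma threshold are all assumptions made for the example.

```python
import math
import random
import statistics
from datetime import datetime, timedelta

PERIOD = 48          # 30-minute bins per day (daily seasonality)
DAYS = 30            # look-back window, matching the DLP anomaly prompt
SPIKE_BIN = 596      # constructed: bin where a burst of DLP matches is injected
BIN = timedelta(minutes=30)
START = datetime(2024, 3, 26)   # constructed start of the 30-day window


def build_sample_series(seed: int = 20240425) -> list[float]:
    """Constructed DLP-match counts per 30-minute bin: a daily sine-shaped
    pattern plus bounded noise, with one injected burst at SPIKE_BIN."""
    rng = random.Random(seed)
    series = []
    for i in range(PERIOD * DAYS):
        daily = 10 + 8 * math.sin(2 * math.pi * (i % PERIOD) / PERIOD)
        series.append(daily + rng.uniform(-1.0, 1.0))
    series[SPIKE_BIN] += 60.0
    return series


def rolling_median(values, window):
    """Robust trend: centred rolling median over one full period, so a single
    burst cannot drag the baseline; edge bins reuse the nearest full window."""
    n, half = len(values), window // 2
    trend = [0.0] * n
    for i in range(half, n - half):
        trend[i] = statistics.median(values[i - half:i + half])
    for i in range(half):
        trend[i] = trend[half]
    for i in range(n - half, n):
        trend[i] = trend[n - half - 1]
    return trend


def seasonal_profile(detrended, period):
    """Median of the detrended value at each phase of the day."""
    phases = [[] for _ in range(period)]
    for i, v in enumerate(detrended):
        phases[i % period].append(v)
    return [statistics.median(p) for p in phases]


def anomaly_scores(series, period=PERIOD):
    """Decompose series = trend + seasonal + residual and return each bin's
    residual in robust sigma units (median/MAD based, so the burst itself
    does not inflate the noise estimate)."""
    trend = rolling_median(series, period)
    detrended = [v - t for v, t in zip(series, trend)]
    profile = seasonal_profile(detrended, period)
    residual = [d - profile[i % period] for i, d in enumerate(detrended)]
    centre = statistics.median(residual)
    mad = statistics.median([abs(r - centre) for r in residual])
    sigma = 1.4826 * mad if mad > 0 else 1.0   # MAD -> sigma for normal data
    return [(r - centre) / sigma for r in residual]


def detect_anomalies(series, period=PERIOD, threshold=3.5):
    """Return (bin_index, timestamp, value, score) for every bin whose score
    exceeds the threshold in either direction (bursts and unusual drops)."""
    scores = anomaly_scores(series, period)
    return [
        (i, START + i * BIN, series[i], s)
        for i, s in enumerate(scores)
        if abs(s) > threshold
    ]


if __name__ == "__main__":
    for idx, when, value, score in detect_anomalies(build_sample_series()):
        print(f"bin {idx} at {when:%Y-%m-%d %H:%M}: {value:.1f} matches, score {score:+.1f}")
```

The daily profile is what keeps the model from flagging the normal working-hours peak every day; only the injected burst stands out, because it is scored against the residual noise after trend and seasonality are removed. A 30-day window with 30-minute bins gives 1440 points, which is enough for the per-phase medians to be stable.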

 

 

 

The sensitivity content anomaly uses a slightly different model because of the amount of data. It is based on the diffpatterns function, which compares weeks 3 and 4 with weeks 1 and 2.

[Image: JonNordstrm_1-1713794620074.png]
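As an added illustration of the diffpatterns idea (example code, not the plugin's query; Kusto's diffpatterns operator does this natively over a query result), the Python below splits constructed sensitivity-label access events into weeks 1-2 and weeks 3-4 and reports the attribute combinations whose share of events changed most between the two halves. The dimensions (department, app, label), the event mix, the new uploader process and the 5% threshold are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# Assumed dimensions of a sensitivity-label access event (not the plugin's schema).
DIMENSIONS = ("department", "app", "label")


@dataclass
class PatternDiff:
    pattern: tuple        # ((dimension, value), ...) up to max_dims pairs
    count_a: int          # occurrences in the baseline set (weeks 1-2)
    count_b: int          # occurrences in the comparison set (weeks 3-4)
    pct_a: float          # share of baseline events carrying the pattern
    pct_b: float          # share of comparison events carrying the pattern

    @property
    def diff(self) -> float:
        return self.pct_b - self.pct_a


def build_sample_events() -> list[dict]:
    """Constructed 28 days of events: a stable daily mix, plus a new
    uploader process touching Highly Confidential content from day 14 on."""
    steady = ([("Finance", "Outlook", "Confidential")] * 5
              + [("Sales", "Teams", "General")] * 5
              + [("HR", "Word", "Confidential")] * 3)
    new_activity = [("Engineering", "UnknownUploader.exe", "Highly Confidential")] * 6
    events = []
    for day in range(28):
        rows = steady + (new_activity if day >= 14 else [])
        for dept, app, label in rows:
            events.append({"week": day // 7 + 1, "department": dept,
                           "app": app, "label": label})
    return events


def _patterns(event: dict, max_dims: int):
    """Yield every 1..max_dims combination of (dimension, value) pairs."""
    items = tuple((dim, event[dim]) for dim in DIMENSIONS)
    for size in range(1, max_dims + 1):
        yield from combinations(items, size)


def diff_patterns(events, split_key, set_a, set_b, threshold=0.05, max_dims=2):
    """Compare how often each attribute pattern occurs in set A versus set B
    and return the patterns whose share moved by at least `threshold`,
    largest change first."""
    group_a = [e for e in events if e[split_key] in set_a]
    group_b = [e for e in events if e[split_key] in set_b]
    counts_a, counts_b = Counter(), Counter()
    for e in group_a:
        counts_a.update(_patterns(e, max_dims))
    for e in group_b:
        counts_b.update(_patterns(e, max_dims))
    results = []
    for pattern in counts_a.keys() | counts_b.keys():
        ca, cb = counts_a[pattern], counts_b[pattern]
        pa = ca / len(group_a) if group_a else 0.0
        pb = cb / len(group_b) if group_b else 0.0
        if abs(pb - pa) >= threshold:
            results.append(PatternDiff(pattern, ca, cb, pa, pb))
    results.sort(key=lambda p: (-abs(p.diff), p.pattern))
    return results


if __name__ == "__main__":
    for p in diff_patterns(build_sample_events(), "week", {1, 2}, {3, 4}):
        desc = ", ".join(f"{dim}={val}" for dim, val in p.pattern)
        print(f"{p.diff:+.1%}  weeks1-2={p.count_a:4d}  weeks3-4={p.count_b:4d}  {desc}")
```

Comparing shares rather than raw counts is what makes the two halves comparable even when total volume differs: the constructed uploader pattern has zero baseline events and surfaces at the top, while the unchanged Finance and Sales activity shows up as a proportional decrease, which is expected and can be ignored.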

 

 

 

Access to sensitive information by compromised accounts

This example checks the alerts reported against users together with the sensitive information those users have accessed.

[Image: JonNordstrm_2-1713794838205.png]

Who has accessed a Sensitive e-mail and from where?

We allow organizations to input a message subject or message Id to identify who has opened a message. Note that this only works for internal recipients.

[Image: JonNordstrm_3-1713794932861.png]

You can also ask the plugin to list any emails classified as Sensitive that were accessed from a specific network or affected by a specific CVE.

[Image: JonNordstrm_10-1713791147801.png]

Document accessed by possibly compromised accounts

You can use the plugin to check whether possibly compromised accounts have been accessing a specific document.

[Image: JonNordstrm_11-1713791147806.png]

CVE or proximity to ISP/IPTags

This sample shows how you can check how much sensitive information is exposed to a given CVE, as an example. You can pivot this based on ISP as well.

[Image: JonNordstrm_0-1713795319975.png]

Tune Exchange DLP policies sample

If you want to tune your Exchange, Teams, SharePoint, Endpoint or OCR rules and policies, you can ask Copilot for Security for suggestions.

[Image: JonNordstrm_13-1713791147819.png]

Purview unlabelled operations

How many of the operations in your different departments are unlabelled? Do any of the departments stand out?

[Image: JonNordstrm_14-1713791147842.png]

In this context you can also use Copilot for Security to deliver recommendations and highlight the benefits that sensitivity labels bring.

[Image: JonNordstrm_15-1713791147861.png]

Applications accessing sensitive content

What applications have been used to access sensitive content? The plugin supports asking for the applications used to access sensitive content. This can be a fairly long list of applications; you can add filters in the code to exclude common applications.

[Image: JonNordstrm_16-1713791147868.png]

You can also zoom in on what type of content a specific application is accessing.

[Image: JonNordstrm_17-1713791147876.png]

What type of network connectivity has been made from this application?

[Image: JonNordstrm_1-1713795957292.png]

Or, if you become concerned about the process that has been used, you can validate its SHA256.

[Image: JonNordstrm_19-1713791147887.png]

Hosts that are internet accessible accessing sensitive content

Another threat vector could be that some of your devices are accessible from the Internet while sensitive content is being processed on them. Check for processing of secrets and other sensitive information.

[Image: JonNordstrm_2-1713796212776.png]

Promptbooks

Promptbooks are a valuable resource for accomplishing specific security-related tasks. Consider them a way to practically implement your standard operating procedure (SOP) for certain incidents. By following the SOP, you can identify the various dimensions of an incident in a standardized way and summarize the outcome. For more information on promptbooks, please see this documentation.

Exchange incident sample prompt book

[Image: JonNordstrm_21-1713791147894.png]

[Image: JonNordstrm_0-1713855135569.png]

[Image: JonNordstrm_1-1713855341307.png]

Note: The above detail is currently only available using Sentinel; we are working on Defender integration.

[Image: JonNordstrm_3-1713855588028.png]

[Image: JonNordstrm_4-1713855701088.png]

[Image: JonNordstrm_5-1713855792749.png]

[Image: JonNordstrm_6-1713855936122.png]

SharePoint sample prompt book

[Image: JonNordstrm_28-1713791147951.png]

[Image: JonNordstrm_7-1713856107627.png]

[Image: JonNordstrm_8-1713856185445.png]

[Image: JonNordstrm_9-1713856281126.png]

[Image: JonNordstrm_32-1713791147978.png]

[Image: JonNordstrm_10-1713856446267.png]

[Image: JonNordstrm_11-1713856606803.png]

[Image: JonNordstrm_12-1713856723307.png]