
Concern regarding copilot for security

Anonymous
2024-11-09T16:06:06+00:00

I would like to know whether, by using Copilot for Security in XDR, we will be able to get the details of malware behaviour, e.g. if malware is detected on a device, is it possible to get the registry changes or process creation which can happen according to the behaviour of the malware?

Microsoft 365 and Office | Microsoft 365 Defender | Other | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


Answer accepted by question author

  1. Anonymous
    2024-11-13T04:50:28+00:00

    Dear Aak,

    Thanks for your quick reply, and I appreciate your evaluation. Regarding your new question, if you mean providing possible scenarios to help analysts with research on "specific malware":

    Microsoft Copilot can indeed be integrated with security systems, especially through tools such as Microsoft Defender for XDR (Extended Detection and Response). When specific malware is detected on a device, Copilot can provide potential security incident scenarios and details of suspicious activities so that SOC analysts can dig deeper and confirm threats. For example, when specific malware is detected, Copilot provides a detailed attack overview, including affected assets and attack timeline, to help SOC analysts dig deeper and confirm violations or attacks.

    Regarding your mention that you could not find the exact document: in fact, as community agents, we do not have the exact document related to this issue. The above content is the result of analyzing the official articles. I hope it is helpful to you.

    Best Wishes

    Pyke.D | Microsoft Community Support Specialist

    1 person found this answer helpful.

Answer accepted by question author

  1. Anonymous
    2024-11-13T02:47:15+00:00

    Dear Aak,

    Thanks for your quick reply, and sorry for some misunderstanding about your question. I noticed that you marked me as "not helpful"; I apologize for not replying to you in time. We are community agents, and we also need time to rest, which is the reason I didn't reply to you in time yesterday. Now I understand your question, and I will reorganize my reply.

    In terms of security, you are concerned about whether specific changes to the system are recorded after malware is detected, such as registry modifications, process creation, etc.

    For the Microsoft Defender XDR (Extended Detection and Response) feature, it can indeed help detect and record some key system changes, such as registry changes and process creation, especially after malware detection. This type of system activity monitoring is part of XDR, and through these monitoring logs, it can better assist in analyzing and confirming potential security incidents.

    Specifically for Copilot for Security, although it can help automate some security tasks, such as running scripts and commands to block malicious processes or isolate infected systems, whether it fully records every detailed registry change and process creation may depend on the specific policy configuration and logging mechanism. If clear evidence of an attack is required (such as specific registry key changes and process events), it is recommended to ensure that XDR has corresponding event logging and regularly check these records to obtain complete attack chain information.

    Microsoft Defender XDR is a unified enterprise defense suite that integrates the capabilities of Copilot for Security into its portal, empowering security teams to efficiently handle attack investigations.

    I hope my reply is helpful to you. If you have any questions, please feel free to let me know. Looking forward to hearing from you.

    Best Wishes

    Pyke.D | Microsoft Community Support Specialist

    1 person found this answer helpful.

5 additional answers

  1. Anonymous
    2024-11-13T04:17:30+00:00

    Hi

    It is much appreciated and thanks for the timely response 😊

    Just one more concern regarding the same, as I couldn't find exact docs from MS related to the topic we are discussing.

    When integrated with Copilot for Security, will it give the possible scenarios that can happen when a particular malware is detected on a particular device, for a SOC analyst to deep dive?

  2. Anonymous
    2024-11-12T03:31:57+00:00

    Thanks, it makes sense.

    I was asking whether Copilot for Security will capture the registry changes and process creation after the malware is detected. It seems like in your summary you have mentioned the capability of Copilot to run some scripts and commands that may include modifying the registry and creating or stopping processes.

    But my ask is whether they will give details of changes that occur after the detection of malware to confirm the breach/attack? Please confirm the same.

  3. Anonymous
    2024-11-10T08:53:06+00:00

    Dear Aak_1007,

    Hello! Welcome to the Microsoft Community. I'm glad to be able to assist you.

    I understand you want to know about the features of Copilot For XDR. I will try to explain it to you.

    The integration of Microsoft Copilot in Microsoft Defender is designed to help security teams respond to cyberattacks faster and more effectively by combining AI with human expertise. Copilot provides a variety of features, including automatic summaries of events, guided responses to specific events, and the ability to analyze suspicious files and scripts, thereby improving the efficiency and response capabilities of security teams.

    • Microsoft Copilot provides security teams with integrated AI tools to improve the speed and efficiency of incident response.
    • Copilot can automatically summarize events to help users quickly understand the context and key details of the attack.
    • Through guided response capabilities, Copilot can recommend appropriate solutions for specific incidents.
    • Copilot simplifies the analysis process of malicious scripts and reduces the time required for investigation.
    • Users can generate device information summaries to quickly assess the security status of devices related to the incident.
    • Copilot quickly analyzes suspicious files and provides detailed detection information and related certificates.
    • Security teams can use natural language to generate KQL queries for more flexible threat hunting.

    References: Microsoft Copilot in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn

    Microsoft Defender XDR is a unified enterprise defense platform that can efficiently coordinate detection, prevention, investigation, and response. Its Copilot plug-in integrates artificial intelligence technology to enhance the security team's ability to handle attack incidents, enabling them to quickly understand attack situations, analyze complex files, and conduct efficient threat hunting. In addition, the plug-in also has the functions of generating KQL queries and creating incident reports, which greatly optimizes the security management process.

    • Microsoft Defender XDR provides comprehensive protection against complex attacks and integrates multiple security features.
    • The Copilot plug-in applies AI technology to security investigations, improving the efficiency of incident handling.
    • The incident summary function can quickly summarize and organize incident information to help security teams respond in a timely manner.
    • By guiding responses, security teams can effectively investigate and resolve security incidents.
    • The script analysis function helps evaluate potential security threats and optimize cross-departmental collaboration.
    • The ability to generate KQL queries enables users to conduct threat hunting and analysis more accurately.
    • The device summary function provides insights into device status for easy monitoring of security status.

    References: Microsoft Copilot for Security Defender XDR Plugin Overview

    In summary, using Copilot for Security in Microsoft Defender XDR, you can get detailed information about malware behavior. Copilot can quickly analyze suspicious files and provide detailed information including detection information, related file certificates, API call lists, and strings found in the file. This information can help you understand the behavior patterns of malware. Similarly, this shows that Copilot can analyze scripts and command lines. But there is no clear description of registry changes or process creation that may occur when malware is detected on the device.

    I think Copilot can run some scripts and commands that may include modifying the registry and creating or stopping processes, as you mentioned. But hopefully you can understand that this is my speculation based on these articles, as I have not found any articles that clearly show that Copilot can make registry changes or process creation based on the behavior of the malware.

    I hope the above information is helpful. If you have any questions about this, feel free to let me know and I'd be happy to continue helping you.

    Best Wishes

    Pyke.D | Microsoft Community Support Specialist

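The accepted answer above says that the registry changes and process creations the asker wants are recorded by Defender XDR itself, and that the analyst should check those records to confirm the attack chain; this answer adds that Copilot can turn a natural-language request into a KQL query for that purpose. The advanced hunting query below is an added example written for this page, not code from Microsoft, Copilot output, or anything posted in the thread. It assumes the Defender XDR advanced hunting schema tables `AlertInfo`, `AlertEvidence`, `DeviceProcessEvents` and `DeviceRegistryEvents`; the alert id is a placeholder to be replaced with one from the portal, and the one-hour post-detection window is an assumed analyst choice.

```kql
// Added example: what happened on the affected device after a detection?
// Replace the placeholder with a real AlertId from the incident page (constructed value).
let target_alert = "<ALERT-ID-PLACEHOLDER>";
// Assumed analyst choice: how long after the detection to look for follow-on activity.
let window_after = 1h;
// 1. Resolve the alert to the affected device and the time of detection.
let alert_scope =
    AlertEvidence
    | where AlertId == target_alert and EntityType == "Machine"
    | join kind=inner (AlertInfo | project AlertId, AlertTime = Timestamp) on AlertId
    | project DeviceId, DeviceName, AlertTime
    | take 1;
// 2. Process creations on that device inside the window, with the parent that spawned them.
let procs =
    DeviceProcessEvents
    | join kind=inner alert_scope on DeviceId
    | where Timestamp between (AlertTime .. (AlertTime + window_after))
    | project Timestamp, DeviceName, EventKind = "ProcessCreated",
              Actor = InitiatingProcessFileName,
              ActorCommandLine = InitiatingProcessCommandLine,
              Detail = strcat(FileName, " ", ProcessCommandLine),
              Hash = SHA256;
// 3. Registry writes and deletions on the same device in the same window.
let regs =
    DeviceRegistryEvents
    | join kind=inner alert_scope on DeviceId
    | where Timestamp between (AlertTime .. (AlertTime + window_after))
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated",
                           "RegistryValueDeleted", "RegistryKeyDeleted")
    | project Timestamp, DeviceName, EventKind = ActionType,
              Actor = InitiatingProcessFileName,
              ActorCommandLine = InitiatingProcessCommandLine,
              Detail = strcat(RegistryKey, " \\ ", RegistryValueName, " = ", RegistryValueData),
              Hash = InitiatingProcessSHA256;
// 4. Merge into one timeline, oldest first, so the post-detection behaviour reads in order.
union procs, regs
| order by Timestamp asc
```

Run it in the advanced hunting pane of the Defender portal (or ask Copilot to generate an equivalent query from a natural-language prompt). The output is a single timeline of process creations and registry modifications attributed to the process that caused each one, which is the evidence the asker needs to confirm whether the detected sample actually executed and what it changed. The telemetry comes from the Defender for Endpoint sensor via XDR; Copilot summarises and queries it but does not itself produce these events, so the query returns nothing for devices that are not onboarded or for a window outside the tenant's data retention.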