Logic Apps connectors in Microsoft Security Copilot

Important

The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The Security Copilot Logic Apps connector allows you to call into Security Copilot from a Logic Apps workflow. This document introduces the new connector actions and describes sample use cases you can deploy to automate investigations, such as Sentinel incidents, email phishing, and others.

The first iteration of the Logic Apps connector exposes two actions:

  • Evaluate Prompt - Given a natural language prompt, this action will invoke a new evaluation within Security Copilot and return the output to your logic app workflow. The user can provide an optional sessionId, which will include relevant session context for the evaluation performed. If the sessionId is omitted, the action will create a new session.

  • Evaluate Direct Skill - Given a natural language prompt, a skill name, and the skill's required inputs, this action will invoke a new evaluation and return its output. Use this action when you know the exact Security Copilot skill that is required for the task. This action also allows the option to provide a sessionId.

Both the "Evaluate Prompt" and "Evaluate Direct Skill" actions allow the user to set an optional sessionId to execute the evaluation within the context of an existing session. If omitted, a new session will be created for the investigation.

Authentication

Currently, the Security Copilot Logic Apps connector only supports delegated permissions through the Authorization Code flow. The user who establishes the connection to the connector actions when designing the logic app must have access to Security Copilot. Their identity is used to request the access token for calling the Security Copilot APIs on behalf of the logic app.

Quick Start

  • Create a new logic app in the Azure portal.

    • The Security Copilot connector is available in both "Standard" and "Consumption" plan types.
  • Search for the "securitycopilot" connector under the Standard tab.

  • Add the desired action to your workflow.

  • "Evaluations - Evaluate prompt content with optional session context" evaluates a natural language prompt. Use dynamic content within the logic app to generate the prompt that is passed in.

  • "Evaluations - Evaluate a prompt invoking a specific security copilot skill" calls a skill directly. The current version of the connector requires you to enter skillInputs in JSON format. There is ongoing work to make this an optional field.

  • To retain session context across multiple connector evaluations, pass along the sessionId from previous actions using logic app dynamic content.

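
The steps above as they might appear in a Consumption workflow's code view, with the second action reusing the sessionId returned by the first. This is an added example, not taken from the connector's own documentation: the connection name `securitycopilot`, the operation paths, the `prompt` and `skillName` property names, and the trigger field are assumed placeholders, so copy the real values from your designer's code view.

```json
{
  "actions": {
    "Evaluate_prompt": {
      "type": "ApiConnection",
      "description": "Added example. Path, 'prompt' property and trigger field are assumed placeholders.",
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['securitycopilot']['connectionId']"
          }
        },
        "method": "post",
        "path": "/<evaluate-prompt-path>",
        "body": {
          "prompt": "Summarize the incident titled: @{triggerBody()?['<incident-title-field>']}"
        }
      },
      "runAfter": {}
    },
    "Evaluate_direct_skill": {
      "type": "ApiConnection",
      "description": "Added example. Runs in the same session by passing the sessionId returned above.",
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['securitycopilot']['connectionId']"
          }
        },
        "method": "post",
        "path": "/<evaluate-direct-skill-path>",
        "body": {
          "prompt": "List the entities involved in this incident.",
          "skillName": "<skill-name>",
          "skillInputs": {
            "<input-name>": "<input-value>"
          },
          "sessionId": "@{body('Evaluate_prompt')?['sessionId']}"
        }
      },
      "runAfter": {
        "Evaluate_prompt": ["Succeeded"]
      }
    }
  }
}
```

Because the connection uses delegated permissions, both actions run with the access of the user who authorized the connection, regardless of who or what triggers the workflow.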