
Stay Ahead of Threats: Investigate Defender XDR Incident with Copilot for Security


Your organization has recently onboarded Microsoft Copilot for Security into their tenant, and as a Security Analyst, you have been asked to investigate a Defender XDR incident.

In this article, we will see how Microsoft Copilot for Security accelerates investigation workflow, helping you understand the threats your organization is facing.

Copilot for Security

Maybe those who have been under a rock inside a cave have not seen all the broadcasting, marketing, and everything else that has been going on around Copilot for Security. Microsoft announced Copilot for Security in GA on April 1st, 2024, with many new capabilities.

Copilot for Security is many things for many different organizations; it is NOT a copilot for Microsoft Defender, a copilot for Microsoft Sentinel, or a copilot for Incident. It goes well outside the bounds of that SOC analyst role into many different personas. Copilot for Security’s potential is limitless. Let creativity and imagination lead the way.

We want to make sure we always drive personas and use cases across Copilot for Security, knowing that it spans into Microsoft Defender, the Microsoft security stack, Microsoft Sentinel (SIEM/SOAR) solution, Microsoft Entra identity and access management, Microsoft Intune for the management stack, Microsoft Priva for privacy, and Microsoft Purview for compliance.

Microsoft Threat Intelligence

The personas continue to expand as more plugins become available, both first-party plugins from Microsoft and plugins from third-party partners. Some of the personas that people don’t often think about are eDiscovery analysts, IT and system administrators, compliance administrators, and analysts.

In this walkthrough guide, we will show you how to investigate a Defender XDR incident using Copilot for Security and demonstrate its integration with different Microsoft first-party plugins.


To follow this guide, you need to have the following:

1) Azure subscription — If you don’t have an Azure subscription, you can create one here for free.

2) Microsoft Copilot for Security enabled — Copilot for Security capacity is billed monthly via a new Security Compute Unit (SCU) at the rate of “$4 per SCU per hour”. Microsoft recommends provisioning 3 SCUs ($4 X 3 = $12 per hour) to start Copilot for Security exploration. If we do the quick math, a full month lands at 730h X $4 (1 SCU as a minimum) = $2,920/Month. There is no free trial for Copilot for Security.

As a side note, we know there are many “guides” that suggest provisioning and de-provisioning the capacity plan repeatedly to reduce cost. We advise you not to perform repeated provisioning/de-provisioning cycles throughout the 24 hours because Microsoft has never stated that this repeated process is “supported.”

How to scope Copilot for Security SCUs: You can use the Azure pricing calculator, which now has Copilot for Security, to price your SCU metrics (Copilot for Security Pricing Calculator). Another tip is to track the team’s prompt usage per hour compared to the Copilot for Security usage monitoring dashboard. This will give you an estimated idea of how many prompts the team can generate per hour and how many SCUs they need to scale up.

Related: Check how to set up Copilot for Security Capacity.

3) To create Copilot for Security capacity, you must be an Azure Owner or Contributor, at least at the resource group level. You must also have a Global Administrator or Security Administrator role to set up the default environment.

  • Contributors can access Copilot, but Copilot responses will vary based on existing user permissions to Microsoft Security products. After setup, Owners can manage access from the role assignment page. Using security groups instead of individual users to assign Copilot for Security roles is highly recommended, which reduces administrative complexity. Learn more about Copilot for Security access.

Important! — For those who might not be aware, when you provision Copilot for Security for the first time, the group “everyone” is automatically added to the Contributor role, as shown in the figure below. This needs to be changed immediately since the Contributor role grants broad access within Copilot for Security. Microsoft decided to enable the embedded experience for everyone, but it can catch administrators off guard before they realize what the Contributor role gives a user.

Check the support documentation for what permissions the role Contributor gives in Copilot for Security (Understand authentication in Microsoft Copilot for Security), and see the screenshot below about what groups have defaulted to the Contributor role and the Owner role in Copilot for Security.

Copilot for Security – Role assignment

4) Microsoft Defender XDR license—Check the licensing requirements if you don’t have Defender XDR. Then, ensure the Microsoft Defender XDR plugin is enabled in Copilot for Security, as shown in the figure below, and you have the proper permission to access Defender XDR incident data.

Microsoft Defender XDR plugin

5) Microsoft Intune license (Optional)—If you don’t have an Intune license, check the licensing requirements. Then, ensure the Microsoft Intune plugin is enabled in Copilot for Security, and you have the proper permission to access it.

6) Microsoft Defender Threat Intelligence plugin enabled in Copilot for Security.

  • As a side note, when you provision just one Copilot for Security Compute Unit (SCU), you get Microsoft Defender Threat Intelligence (MDTI) with unlimited access to its operational, tactical, and strategic threat intelligence, valued at $50k per seat per year, at NO extra cost as part of the Copilot for Security integration. This high-fidelity intelligence compendium, informed by over 78 trillion security signals and developed with Microsoft’s team of 10,000+ security experts, helps security teams quickly identify and neutralize cyber-attackers.

Assuming you have all the prerequisites, let’s look at how to investigate a Defender XDR incident.

Investigate Defender XDR Incident

You were given a Microsoft Defender XDR incident to investigate. We will use a grouping of Copilot skills called a promptbook. The skills build upon each other to help you analyze and understand something. In our case, it’s a Microsoft Defender XDR incident.

Microsoft Defender XDR incident investigation

We have selected the Microsoft Defender XDR incident investigation promptbook and entered the incident ID <17741>.

Copilot for Security will now run a series of prompts to help us enumerate the aspects of this incident. This will save time and provide some additional insights to help guide the investigation. This will pull in all the information associated with the incident and give us an idea of what we are facing.

Investigate the Microsoft Defender XDR incident

After a very short time, we see that the incident involved a suspicious PowerShell command, and the promptbook extracted a number of entities from the script. As security analysts, this gives us a first picture of the entities involved in this incident.


The next prompt identified the computer, user, IP address, and URL. All this information might be stored across multiple systems and, therefore, might require different trips to different interfaces to collect it. However, Copilot for Security has created one big list that allows us to understand the context of the session quickly.


But at this point, we do not know anything about these entities. Since the IP address is external to our organization, we might want to know its reputation score. We want to know if this is a true positive or a false positive incident. Is the IP address malicious or not?

We can see that Copilot has already determined the IP address’s reputation score by leveraging the integration with Microsoft Defender Threat Intelligence (MDTI). It is 100% Malicious, not a false positive, and is known to be associated with the threat actor Silk Typhoon and with Cobalt Strike, a penetration testing tool used by that threat actor. Under Rules, it has given links that we can click on to learn more about Cobalt Strike and the threat actor Silk Typhoon.
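The same MDTI reputation lookup the promptbook performs can be scripted, which is useful when you want to verify the Copilot answer or enrich indicators outside a Copilot session. The following is an added example and not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Security module) is installed, the signed-in account holds the ThreatIntelligence.Read.All permission, and the tenant has MDTI entitlement (which the SCU provisioning described above provides). The IP address is a TEST-NET placeholder, and the score threshold is a constructed triage rule, not a Microsoft recommendation.

```powershell
# Added example (not from the original post): query the MDTI host reputation
# for an indicator through Microsoft Graph instead of the Copilot promptbook.
# Assumes Microsoft.Graph.Security is installed and the account has
# ThreatIntelligence.Read.All plus an MDTI entitlement.

Connect-MgGraph -Scopes 'ThreatIntelligence.Read.All' -NoWelcome

function Get-IndicatorReputation {
    param([Parameter(Mandatory)][string]$Indicator)   # IPv4 address or host name

    # Graph endpoint: /security/threatIntelligence/hosts/{hostId}/reputation
    $rep = Get-MgSecurityThreatIntelligenceHostReputation -HostId $Indicator

    [pscustomobject]@{
        Indicator      = $Indicator
        Classification = $rep.Classification   # unknown | neutral | suspicious | malicious
        Score          = $rep.Score            # 0-100, higher means worse reputation
        # The rules are the same "Rules" evidence the promptbook surfaced, e.g. a
        # Cobalt Strike fingerprint or known actor infrastructure, each with a link.
        Rules          = @($rep.Rules | ForEach-Object {
            '{0} [{1}]: {2}' -f $_.Name, $_.Severity, $_.RelatedDetailsUrl
        })
    }
}

$result = Get-IndicatorReputation -Indicator '203.0.113.10'   # placeholder (TEST-NET-3)
$result | Format-List

# Constructed triage rule: only a "malicious" classification with a high score is
# taken as support for a true positive; anything weaker goes to manual review.
if ($result.Classification -eq 'malicious' -and $result.Score -ge 75) {
    Write-Host "Indicator $($result.Indicator) is known-bad; treat the incident as a likely true positive."
} else {
    Write-Host "Indicator $($result.Indicator) needs further analysis before calling true/false positive."
}
```

The returned rule names and URLs are what let you document why the indicator was judged malicious, which is the evidence a reviewer will ask for when the incident is escalated.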


As we progress further in the promptbook, we need to understand which authentication methods the user has registered and whether they have Multi-Factor Authentication (MFA) enabled. The promptbook asks this question to help determine whether we are dealing with something tied to a nation-state actor, as we are here, and whether it is a true positive. If the user identity has MFA enabled, the user identity may not be compromised, because authentication requires the real user to approve the sign-in from their approved, trusted device.

Copilot for Security has listed the individual’s authentication methods and indicates whether they have MFA enabled. The figure below shows that Copilot for Security has extracted the right identity from the previous incident prompt that we received.

We see the authentication methods set up for this user, including an explanation at the bottom. As shown in the figure below, the user has multiple account methods enabled, including Microsoft Authenticator and Windows Hello for Business, which provide these MFA capabilities.


So, as security analysts, we now know that we are likely dealing with a true positive, and the user identity at least has MFA, so it may not be compromised.

Our next question in the investigation should be to identify the user’s devices and whether those devices comply with the organization’s policies. For example, a policy might require users to authenticate after the screen saver activates. Copilot for Security has not found any compliance or policy issues on the user’s device associated with this incident.


The next question is to understand which operating systems the user’s devices are running and whether they are current on all their updates. This is important because if a device is not patched for vulnerabilities, a threat actor could exploit a vulnerability to gain access to the device. We can see that the device is running Windows 11 (OS Version: 10.0.22621.1992) and is current on all its patches.
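The identity and device questions the promptbook just answered (registered authentication methods and MFA capability, then Intune compliance state and OS build) can also be answered directly from Microsoft Graph, which is handy for confirming a Copilot response or for checking several users at once. This is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.DeviceManagement modules are installed, an Intune licence, and an account holding UserAuthenticationMethod.Read.All and DeviceManagementManagedDevices.Read.All. The UPN is a placeholder, the list of MFA-capable method types is the example’s own classification, and the baseline build uses the version from the screenshot above purely as a constructed reference point.

```powershell
# Added example (not from the original post): reproduce the promptbook's
# identity and device checks with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.DeviceManagement
# are installed and the account has UserAuthenticationMethod.Read.All and
# DeviceManagementManagedDevices.Read.All.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All',
                        'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Registered method types that can satisfy an MFA challenge on their own
# (example's own classification). A password alone, or an email method, which
# only serves self-service password reset, does not count.
$mfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)

function Get-UserMfaStatus {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
    # The concrete method type is only exposed through the @odata.type annotation.
    $types = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    [pscustomobject]@{
        User       = $UserPrincipalName
        Methods    = @($types | ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' })
        MfaCapable = [bool]($types | Where-Object { $mfaCapable -contains $_ })
    }
}

function Get-UserDevicePosture {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [version]$BaselineBuild = [version]'10.0.22621.1992'   # constructed reference build
    )

    # Intune-managed devices enrolled by this user (/users/{id}/managedDevices).
    Get-MgUserManagedDevice -UserId $UserPrincipalName | ForEach-Object {
        $build = $null
        [void][version]::TryParse($_.OsVersion, [ref]$build)
        [pscustomobject]@{
            Device          = $_.DeviceName
            OS              = $_.OperatingSystem
            OSVersion       = $_.OsVersion
            ComplianceState = $_.ComplianceState      # compliant | noncompliant | unknown ...
            LastSync        = $_.LastSyncDateTime
            # Simple staleness flag: build older than the baseline the team expects.
            BelowBaseline   = ($null -ne $build) -and ($build -lt $BaselineBuild)
        }
    }
}

$upn = 'analyst.user@contoso.example'   # placeholder UPN from the incident

$mfa = Get-UserMfaStatus -UserPrincipalName $upn
$mfa | Format-List
if (-not $mfa.MfaCapable) {
    Write-Warning "$upn has no MFA-capable method registered; treat the identity as at risk."
}

Get-UserDevicePosture -UserPrincipalName $upn | Format-Table -AutoSize
```

Run both functions for the user named in the incident; a user without an MFA-capable method, or a device reported noncompliant or below the expected build, changes the assessment from “identity likely not compromised” to one that needs containment.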


Finally, we will have Copilot for Security write an executive report summarizing the steps we took in this investigation, written for a non-technical audience.

What is great about this skill is that it does not add more work to the analyst. It just enhances their capabilities, allowing them to know more, work faster, and understand the threats and risks the organization is facing.


The last thing that we could do is select all of the prompts and pin them to a pinboard, which we can then open and access at any time.


We can open the pinboard and view a summary of all our actions in this investigation. This is incredibly valuable to the security analyst because Copilot for Security fully investigated the Defender XDR incident, documented the questions and responses, and summarized the analysis.

If we were a junior analyst and thought we needed to escalate this, we could share this session or export the report to a more senior security analyst. The session or report would immediately get them up to speed with what efforts were needed without having them replicate our steps.


This is super valuable because it expands the capabilities of an organization’s staff and ultimately saves precious time and resources. Being able to react quickly and make decisive, precise decisions will help protect the organization and reduce overall risk and exposure.

That’s it, there you have it. Happy Defender XDR Incident Investigation Using Copilot for Security!

In Conclusion

The adoption of Microsoft Copilot for Security has revolutionized the incident investigation workflow for security analysts. By leveraging its capabilities, security teams can efficiently investigate threats and gain insights into their organizations’ risks. The seamless integration with Microsoft Defender XDR and other security solutions streamlines the investigative process, enabling analysts to delve deeper into incidents and make informed decisions swiftly.

With Copilot for Security, organizations can effectively enhance their security posture and mitigate risks. By empowering analysts with advanced tools and insights, Copilot for Security accelerates incident response and strengthens the organization’s overall security posture.

As organizations continue to navigate the evolving threat landscape, embracing innovative solutions like Microsoft Copilot for Security becomes imperative. By harnessing its capabilities, security teams can stay ahead of emerging threats and protect their digital assets effectively.

In summary, Microsoft Copilot for Security is a valuable asset in the arsenal of security professionals, empowering them to safeguard organizations against cybersecurity threats proactively.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
