advanced-hunting-security-copilot.md

File metadata and controls

106 lines (66 loc) · 5.79 KB
---
title: Microsoft Security Copilot in advanced hunting
description: Learn how the Microsoft Security Copilot advanced hunting (NL2KQL) plugin can generate a KQL query for you.
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords: NOCSH
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
  - m365-security
  - tier1
  - security-copilot
  - magic-ai-copilot
ms.custom:
  - cx-ti
  - cx-ah
ms.topic: how-to
ms.date: 10/17/2024
appliesto:
  - Microsoft Defender
  - Microsoft Defender XDR
  - Microsoft Sentinel in the Microsoft Defender portal
---

Microsoft Security Copilot in advanced hunting

Applies to:

  • Microsoft Defender
  • Microsoft Defender XDR

Security Copilot in advanced hunting

Microsoft Security Copilot in Microsoft Defender comes with a query assistant capability in advanced hunting.

Threat hunters or security analysts who aren't yet familiar with or have yet to learn KQL can make a request or ask a question in natural language (for instance, Get all alerts involving user admin123). Security Copilot then generates a KQL query that corresponds to the request using the advanced hunting data schema.

This feature reduces the time it takes to write a hunting query from scratch so that threat hunters and security analysts can focus on hunting and investigating threats.

Users with access to Security Copilot have access to this capability in advanced hunting.

Note

The advanced hunting capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Learn more about preinstalled plugins in Security Copilot.

Try your first request

  1. Open the advanced hunting page from the navigation bar in Microsoft Defender XDR. The Security Copilot side pane for advanced hunting appears on the right-hand side.

    :::image type="content" source="/defender/media/advanced-hunting-security-copilot-pane.png" alt-text="Screenshot of the Copilot pane in advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-pane-big.png":::

    You can also reopen Copilot by selecting Copilot at the top of the query editor.

  2. In the Copilot prompt bar, enter the threat hunting question you want a query for and press :::image type="icon" source="media/Send.png" border="false"::: or Enter.

    :::image type="content" source="/defender/media/advanced-hunting-security-copilot-query.png" alt-text="Screenshot that shows prompt bar in the Security Copilot for advanced hunting." lightbox="/defender/media/advanced-hunting-security-copilot-query-big.png":::

  3. Copilot generates a KQL query from your text instruction or question. While Copilot is generating, you can cancel the query generation by selecting Stop generating.

    Screenshot of Security Copilot in advanced hunting generating a response.

  4. Review the generated query. You can then choose to run the query by selecting Add and run.

    Screenshot of Copilot button showing Add the query to query editor and run.

    The generated query then appears as the last query in the query editor and runs automatically.

    If you need to make further tweaks, select Add to editor.

    Screenshot of Security Copilot in advanced hunting showing the Add to editor option.

    The generated query appears in the query editor as the last query, where you can edit it before running using the regular Run query above the query editor.

  5. You can provide feedback about the generated response by selecting the feedback icon and choosing Confirm, Off-target, or Potentially harmful.
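To make the review in step 4 concrete, the following query shows one shape that a prompt such as *Get all alerts involving user admin123* (the example request from the introduction) could resolve to against the advanced hunting schema. This is a hand-written example added for this article, not output captured from Security Copilot; it uses the standard Defender XDR advanced hunting tables and columns AlertEvidence, AlertInfo, AlertId, EntityType, AccountName, Timestamp, Title, Severity, Category, and ServiceSource, and the account name admin123 is the constructed value from the example prompt.

```kusto
// Illustrative query for "Get all alerts involving user admin123".
// Added example for this article; not generated by Security Copilot.
// The account name is the constructed value from the example prompt.
AlertEvidence
| where EntityType == "User"          // only user entities attached to an alert
| where AccountName =~ "admin123"     // =~ is a case-insensitive match
| distinct AlertId                    // one row per alert, even if the user appears in several evidence rows
| join kind=inner (
    AlertInfo
    | project AlertId, Timestamp, Title, Severity, Category, ServiceSource
  ) on AlertId
| order by Timestamp desc
| project Timestamp, AlertId, Title, Severity, Category, ServiceSource
```

Before selecting Add and run, a query of this kind is worth checking on three points: which identifier column the filter targets (a user can be matched on AccountName, AccountUpn, or AccountObjectId, and a generated query may pick a different one than you intended), whether a time bound is needed beyond the time range set in the query editor, and whether the comparison is case-sensitive (`==`) or case-insensitive (`=~`), since the choice changes which rows are returned. Adjustments you make at this stage are exactly the kind of detail the feedback step asks you to share.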

Tip

Providing feedback is an important way to let the Security Copilot team know how well the query assistant was able to help in generating a useful KQL query. Feel free to articulate what could have made the query better, what adjustments you had to make before running the generated KQL query, or share the KQL query that you eventually used.

Note

In the unified Microsoft Defender portal, you can prompt Security Copilot to generate advanced hunting queries for both Defender XDR and Microsoft Sentinel tables. Not all Microsoft Sentinel tables are currently supported, but support for these tables can be expected in the future.

Query sessions

You can start your first session anytime by asking a question in the Copilot side pane in advanced hunting. Your session contains the requests you made using your user account. Closing the side pane or refreshing the advanced hunting page doesn't discard the session. You can still access the generated queries should you need them.

Select the chat bubble icon (New chat) to discard the current session.

Screenshot of Security Copilot in advanced hunting showing the new chat icon.

Modify settings

Select the ellipses in the Copilot side pane to choose whether or not to automatically add and run the generated query in advanced hunting.

Screenshot of Security Copilot in advanced hunting showing the settings ellipses icon.

Deselecting the Run generated query automatically setting gives you the option of running the generated query automatically (Add and run) or adding the generated query to the query editor for further modification (Add to editor).