As part of Microsoft’s Copilot for Security Partner Private Preview, Difenda has had the opportunity to test and prototype multiple custom skills and integrations in the Copilot environment. As featured on our recent Copilot for Security Webinar, these skills and integrations are designed to support and streamline incident response processes. 

Today, scoping and triage can take up to 46 hours with typical response processes. Based on the work that Difenda and Microsoft have done to date with Copilot for Security, we can reduce that down to about 20 minutes. 

In this blog, we’ll walk through a high-level overview of our 4 Copilot for Security custom skills and integrations. All of these skills operate with the enhanced capabilities of Difenda AIRO.

Copilot for Security Custom Skills: SOC Invoke

Imagine facing a multi-stage incident requiring rapid response and precise action. With Copilot, our team has developed a custom skill that automates incident summary generation from Sentinel data.  

This automated playbook pulls data from Sentinel into Copilot, providing quick, high-level incident summaries. Analysts can then pivot to the Defender portal through the embedded Copilot experience to assess incidents.

Using the embedded experience, we have also automated the sync between our case management platform and Microsoft Sentinel, so that consistent, up-to-date information is shared across the different teams in real time.

With the SOC Invoke skill, we have also automated the creation of customer records to accelerate incident engagement. This ensures quick access to high-level information, empowering analysts to make informed decisions swiftly. 
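As an added illustration of the two ideas in this section (a high-level summary generated from Sentinel incident data, and a case record kept in step with Sentinel), the following Python is not Difenda's SOC Invoke code or a Microsoft sample. It assumes the incident dictionary follows the shape of a Sentinel incident resource as returned by the Azure REST API (a top-level `name` plus a `properties` map), and the case record fields in `CASE_FIELDS` are a hypothetical schema. The sample incident is constructed, not data from a real tenant.

```python
"""Added illustration, not Difenda's implementation: build a short analyst
summary from a Microsoft Sentinel incident record and compute the minimal
set of fields a case-management record must change to stay in sync.

Assumption: the incident dict mirrors the Sentinel incident REST resource
("name" plus "properties"); CASE_FIELDS is a hypothetical case schema."""

from datetime import datetime, timezone

# Constructed sample incident (synthetic values, not from a real tenant).
SAMPLE_INCIDENT = {
    "name": "00000000-0000-0000-0000-000000000001",
    "properties": {
        "incidentNumber": 1042,
        "title": "Suspicious sign-in followed by mailbox rule creation",
        "severity": "High",
        "status": "New",
        "createdTimeUtc": "2024-03-04T08:15:00Z",
        "firstActivityTimeUtc": "2024-03-04T06:02:00Z",
        "lastActivityTimeUtc": "2024-03-04T07:58:00Z",
        "owner": {"assignedTo": None},
        "additionalData": {
            "alertsCount": 3,
            "tactics": ["Persistence", "InitialAccess"],
            "alertProductNames": ["Microsoft Defender for Office 365",
                                  "Azure Active Directory Identity Protection"],
        },
    },
}

# Hypothetical case-management fields that mirror Sentinel.
CASE_FIELDS = ("title", "severity", "status", "owner", "alerts")


def _parse_utc(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps Sentinel emits."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_incident(incident):
    """Reduce an incident resource to the handful of facts a triage summary needs.

    Missing fields are tolerated so a partially populated incident still
    produces a summary rather than a crash mid-triage."""
    p = incident.get("properties", {}) or {}
    extra = p.get("additionalData") or {}
    first, last = p.get("firstActivityTimeUtc"), p.get("lastActivityTimeUtc")
    window = None
    if first and last:
        window = int((_parse_utc(last) - _parse_utc(first)).total_seconds() // 60)
    owner = (p.get("owner") or {}).get("assignedTo") or "unassigned"
    return {
        "incident_id": incident.get("name"),
        "number": p.get("incidentNumber"),
        "title": p.get("title", "(untitled)"),
        "severity": p.get("severity", "Unknown"),
        "status": p.get("status", "Unknown"),
        "owner": owner,
        "alerts": extra.get("alertsCount", 0),
        "tactics": sorted(extra.get("tactics") or []),
        "products": sorted(extra.get("alertProductNames") or []),
        "activity_window_minutes": window,
    }


def render_summary(s):
    """Format the summary as the few lines an analyst reads first."""
    window = (f"{s['activity_window_minutes']} min"
              if s["activity_window_minutes"] is not None else "unknown")
    return "\n".join([
        f"Incident #{s['number']} ({s['severity']}, {s['status']}) - {s['title']}",
        f"Owner: {s['owner']} | Alerts: {s['alerts']} | Activity window: {window}",
        f"Tactics: {', '.join(s['tactics']) or 'none'}",
        f"Sources: {', '.join(s['products']) or 'none'}",
    ])


def compute_case_update(summary, case_record):
    """Return only the case fields that differ from Sentinel.

    Applying just the delta keeps a repeated sync idempotent: a second run
    against an already-updated record returns an empty dict."""
    return {f: summary.get(f) for f in CASE_FIELDS
            if case_record.get(f) != summary.get(f)}


if __name__ == "__main__":
    summary = summarize_incident(SAMPLE_INCIDENT)
    print(render_summary(summary))
    stale_case = {"title": summary["title"], "severity": "Medium",
                  "status": "New", "owner": "unassigned", "alerts": 1}
    print("case fields to update:", compute_case_update(summary, stale_case))
```

The delta-based sync is the part worth copying: pushing whole records on every run hides which side changed, while a field-level diff can be logged as an audit trail of what the automation actually touched.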

Case Management Setup

Organizing and managing case infrastructure is critical for effective incident management. This Copilot integration simplifies this process by automating the setup of case folders and associated infrastructure. This ensures that every incident is handled with the utmost precision and efficiency, right from the start. 

Leveraging Copilot within our case management list, we automate a task dedicated to creating case folders and the related infrastructure. Traditionally, such tasks would fall to level three teams, but by simplifying and automating them through Copilot, we've significantly enhanced our workflow.

When activated, Copilot for Security quickly orchestrates various actions. It establishes a secure Teams channel for seamless team communication, disseminates high-level case information, and provides a summary of key details. This summary serves as a starting point for research and response team members, ensuring they have all necessary information at their fingertips. 

As a result, your SOC team is now fully engaged and working through the incident. 

This integrated approach optimizes triage, ensuring efficient incident management. The automated closure of the setup tasks also reflects how promptly Copilot executes them.

Copilot for Security Custom Skills: Artifact Collection

Forensic investigations often hinge on the collection and analysis of digital artifacts. Difenda’s Artifact Collection custom skill seamlessly deploys collection agents and manages data flow between endpoints, Sentinel, and your case management platform. This ensures that critical evidence is gathered promptly and accurately, enabling thorough investigations. 

The skill then deploys a collection agent to the target asset through automation.

As this process unfolds, the agent captures the artifacts locally, ready for further examination. Initiating the upload then places them in your designated folder.

The development of this skill highlights how artifact collection can become more broadly accessible. Traditionally a senior analyst's role, with Copilot for Security it becomes a task that a wider range of team members can participate in.
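The collection flow above ends with artifacts captured locally and then uploaded to a case folder. One thing a practitioner would want at that hand-off, which the post does not describe, is an integrity record: a hash manifest written at capture time and re-checked after upload, so it can be shown that nothing changed in transit. The Python below is an added example, not Difenda's Artifact Collection skill or agent; the directory layout, manifest format and collector identity are hypothetical, and the two artifacts it creates are constructed stand-ins.

```python
"""Added illustration, not Difenda's Artifact Collection code: write a
SHA-256 manifest over locally captured artifacts and re-verify it later.

Assumptions: artifacts sit under a single local directory; the manifest
layout and the collector identity string are hypothetical."""

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large artifacts are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, collected_by):
    """Walk the collection directory and record path, size and hash of every file."""
    artifacts = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            artifacts.append({"path": rel,
                              "size": os.path.getsize(full),
                              "sha256": sha256_file(full)})
    artifacts.sort(key=lambda a: a["path"])  # deterministic ordering
    return {
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }


def verify_manifest(root, manifest):
    """Return the paths that are missing or whose current hash no longer matches."""
    bad = []
    for a in manifest["artifacts"]:
        full = os.path.join(root, *a["path"].split("/"))
        if not os.path.isfile(full) or sha256_file(full) != a["sha256"]:
            bad.append(a["path"])
    return bad


def demo():
    """Constructed walkthrough: two fake artifacts, a clean verify, then a
    re-verify after one file is modified. Returns (artifact count,
    mismatches before, mismatches after)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        evtx = os.path.join(root, "logs", "security.evtx")
        with open(evtx, "wb") as f:
            f.write(b"constructed event log bytes")            # not a real EVTX
        with open(os.path.join(root, "processes.json"), "w") as f:
            json.dump([{"pid": 4242, "name": "example.exe"}], f)  # constructed

        manifest = build_manifest(root, collected_by="analyst@example.invalid")
        clean = verify_manifest(root, manifest)
        with open(evtx, "ab") as f:       # simulate a change after capture
            f.write(b"changed")
        tampered = verify_manifest(root, manifest)
        return len(manifest["artifacts"]), clean, tampered


if __name__ == "__main__":
    count, before, after = demo()
    print(f"{count} artifacts; mismatches before: {before}; after: {after}")
```

Store the manifest alongside the upload and keep the collector's copy separate from the case folder; a mismatch on re-verification is then a detection signal about the evidence path itself, not just a checksum error.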

RIR Chatbot

Communication is key during incident response, and natural language processing can significantly enhance collaboration and decision-making. Our Copilot-powered RIR Chatbot provides real-time insights and recommendations through intuitive natural language interactions.  

This custom integration enables Copilot for Security not only to provide answers but also to offer contextual understanding, enriching your interactions with natural language responses.

Copilot seamlessly retrieves pertinent information about incident data such as “deployed firewalls” from diverse data sources, including case management records. From task status updates to specific queries about the incident, the RIR Chatbot streamlines communication and fosters collaboration among team members. 

This integration is still a prototype; we're exploring Copilot's capacity to provide general information about incidents and offer recommendations on handling them.

This approach extends beyond mere features and functions, aiming to enhance our ability to protect our customers amid challenges like attack volume, speed, workforce constraints, and budget limitations. By combining Copilot with robust security controls and technologies, we’re poised to address these concerns effectively. 

In summary, our journey with Copilot demonstrates its transformative potential in security operations. As we navigate its capabilities and unearth new efficiencies, we’re positioned to elevate our response to evolving threats, leveraging Copilot as a key ally in safeguarding our customers’ interests. 
