Monitoring security events with Enterprise Security and Microsoft Copilot for Security
As a security analyst, you typically begin your day reading the morning security news. Last night, a new vulnerability was announced that targeted the Windows Winmgmt.exe service. The vulnerability is so serious that news of it also reached the Wall Street Journal.
Knowing that your SOC manager will ask about this when they arrive in the office shortly, you need to find out quickly if this vulnerability presents risks in your environment. You want to use Microsoft Copilot for Security with your Splunk Enterprise Security implementation to quickly tell if there are risk notables you need to address, what risk scores are being presented, the severity of your risk events, and learn other helpful information about how the vulnerability appears in your environment.
Solution
Microsoft Copilot for Security is a security assistant that works alongside you to provide responses to your security-related queries, giving information to help you make informed decisions about your security posture.
The integration of the Splunk platform with Microsoft Copilot for Security allows users to:
- Search for Splunk events in any given index(es)
- Search for Splunk:
  - Fired Alerts
  - Saved Searches
  - Saved Search History
  - Saved Search Suppression State
  - Search Jobs
  - Alert Actions
  - Search Job Results
- Create Splunk Search Jobs
- Acknowledge Splunk Saved Searches
- Dispatch Splunk Saved Searches
- Create Splunk Saved Search Jobs
Integration
To integrate Microsoft Copilot for Security with the Splunk platform, log into Microsoft Copilot for Security and, in the prompt bar at the bottom of your screen, click Sources.
A dialog box will appear where you can manage the different plugins. Scroll down until you see “Copilot for Security Plugin for Splunk (Preview)” and click Set Up.
Next, a form will appear where you can define your URL, Index, username, and password. Go to your publicly accessible Splunk search head (in Splunk platform or Splunk Enterprise Security) to copy and paste the URL. Ensure that the URL includes the management port number, 8089.
- You need to set up an allowlist on the management port (8089) for the Copilot egress addresses, or this capability will not work. The following table lists the egress IP address to allow for the region in which your Microsoft Copilot for Security instance resides:

| Region | Egress IP address |
| --- | --- |
| Australia East | 20.11.74.175 |
| Brazil South | 191.238.130.134 |
| Canada Central | 20.116.134.152 |
| Canada East | 20.175.50.202 |
| Central India | 4.186.8.21 |
| East US | 172.214.69.122 |
| East US 2 | 20.161.169.251 |
| France Central | 20.74.104.201 |
| Germany West Central | 20.113.96.178 |
| Japan East | 20.194.211.209 |
| Korea Central | 20.214.118.54 |
| North Europe | 4.209.34.70 |
| South Africa North | 40.127.1.203 |
| South Central US | 52.171.67.223 |
| Southeast Asia | 52.148.119.140 |
| Sweden Central | 20.240.144.165 |
| Switzerland North | 20.250.88.28 |
| UAE North | 40.120.109.202 |
| UK South | 172.165.89.204 |
| West Central US | 52.161.136.233 |
| West Europe | 20.101.244.100 |
| West US | 40.112.221.98 |
| West US 2 | 52.250.80.149 |
| West US 3 | 20.125.66.45 |
For the Splunk Search Index field, you can specify the index(es) that Microsoft Copilot for Security is allowed to query. This field also supports the OR operator, so you can list Splunk Enterprise Security indexes such as `index=notable OR index=risk`. `index=*` is also supported; however, you should be aware of the performance implications of running an ad-hoc search that contains `index=*`.
Lastly, create a local Splunk account containing a username and password and enter it in the Username and Password fields. This user needs access to the index(es) specified and any of the other supported actions listed at the beginning of this article, for example, creating search jobs.
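As an added example (not code from the article, Splunk, or Microsoft), the following Python check validates two of the settings above before the search head is exposed on port 8089: that the allowlist admits only the egress address for your region, and that the Search Index field names specific indexes rather than `index=*`. The function names and the `egress_ip` parameter are constructed for this example; the egress value itself comes from the table above.

```python
# Added pre-flight check for the Copilot for Security -> Splunk integration
# (constructed example, not Splunk's or Microsoft's code): the tcp/8089
# allowlist should admit only the Copilot egress address, and the Search
# Index field should be scoped, before the search head is exposed.
import ipaddress
import re

# One "index=<name>" term; "*" is accepted so that index=* can be flagged.
INDEX_TERM = re.compile(r"^index=([A-Za-z0-9_*-]+)$")


def check_allowlist(allowed_cidrs, egress_ip):
    """Findings for a tcp/8089 allowlist. egress_ip is your region's address
    from the article's table (constructed parameter, not a Splunk setting)."""
    findings = []
    target = ipaddress.ip_address(egress_ip)
    covered = False
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if target in net:
            covered = True
        if net.num_addresses > 1:  # the table lists single hosts, so /32 suffices
            findings.append(f"{cidr} admits {net.num_addresses} addresses; tighten to /32")
    if not covered:
        findings.append(f"{egress_ip} is not allowed; Copilot requests to 8089 will fail")
    return findings


def check_index_scope(field_value):
    """Parse "index=a OR index=b"; return (index names, findings). Flags
    index=* because of the ad-hoc search cost the article warns about."""
    indexes, findings = [], []
    for term in re.split(r"\s+OR\s+", field_value.strip()):
        m = INDEX_TERM.match(term)
        if not m:
            findings.append(f"malformed term {term!r}; expected index=<name>")
            continue
        indexes.append(m.group(1))
    if "*" in indexes:
        findings.append("index=* exposes every index; list only what Copilot needs")
    return indexes, findings


if __name__ == "__main__":
    # Constructed inputs: East US egress IP from the article's table plus one broad rule.
    print(check_allowlist(["172.214.69.122/32", "0.0.0.0/0"], "172.214.69.122"))
    print(check_index_scope("index=notable OR index=risk"))
```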
Querying Microsoft Copilot for Security
Now that you have completed the integration, you can query Microsoft Copilot for Security in natural language to learn more about winmgmt.exe and whether it's of concern in your environment. The following screenshot shows an example of the kind of queries you can perform and the results you can obtain.
Next steps
Depending on your department or role, other use cases for your Splunk Enterprise Security and Microsoft Copilot for Security integration that you might want to explore include:
- CISO and executive team:
  - Provide security tool recommendations to cover gaps
  - Explain threat actor motivations
  - Upskill teams
- Cloud security and DevSecOps teams:
  - Understand findings from cloud security posture management toolsets
  - Translate cloud-specific terminology
  - Assist with coding sanitized inputs
- Incident response team / Security analysts:
  - Enhance SPL or detection creation
  - Reduce investigation time on "boring" tasks
  - Map activity to MITRE
- Threat intelligence team:
  - Attribute threat intelligence to incidents
  - Identify exploitable zero days
  - Summarize reports
If you need help implementing this use case, BlueVoyant can help. BlueVoyant combines internal and external cyber defense capabilities into an outcomes-based cloud-native solution by continuously monitoring your network, endpoints, attack surface, and supply chain, as well as the clear, deep, and dark web for threats. The full-spectrum cyber defense solution illuminates, validates, and quickly remediates threats to protect your enterprise. BlueVoyant leverages both machine-learning-driven automation and human-led expertise to deliver industry-leading cybersecurity to more than 900 clients across the globe.
The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.