Investigating AI Usage in SOC Using Security Copilot

by Greg Stachura | Mar 16, 2026

With the announcement that Security Copilot Units (SCUs) are included with E5 licensing, this is a great opportunity to start your AI journey in your SOC. Like it or not, AI is transforming the way people work, speeding up daily workflows and providing more robust insights. If your blue team isn’t making use of AI, it’s time to get started (see our recent blog for ideas on how to train your team). That doesn’t mean you have to deploy a fully autonomous AI solution that takes action on your behalf. We are just as cautious and skeptical about AI taking action without humans in the loop. Instead, work within your risk tolerance: use AI for research, enrichment and guidance first, and build trust as you refine the solutions.

Even if you are undecided on an overall platform, you can still leverage Security Copilot to start thinking about how to better incorporate AI into your team. The platform you ultimately go with could even be one like SRA’s SCALR AI, which integrates with Security Copilot and gives you the best of both worlds. Regardless of the platform you choose, now is the time to start exploring. This is the first in a series of blogs looking at three stepping stones to making better use of AI in your environment:

  • Prompts
  • Prebuilt Agent Deployments
  • Custom Agents/Tools


Prompts

First up in this series we will dive into prompts, which are arguably the easiest way to start using AI. Traditionally, this has happened through people interacting with AI in an ad-hoc, non-standardized fashion: one analyst asks Gemini about a particular threat, a security engineer uses Copilot to draft a new detection rule, and a SOC analyst uses ChatGPT to summarize their findings.

The first recommended way to use your new Security Copilot licenses is to standardize all of that ad-hoc AI use. Develop processes and build AI into your analysts’ workflows. A consistent environment, with consistent plug-ins and data models, will produce more consistent results and speed adoption as analysts begin seeing the benefits across different work streams.

There are three ways to make use of prompts and maximize their benefit in your organization:

  • Publish an internal list of helpful prompts as part of your SOC’s runbooks
  • Develop promptbooks your team can run in specific scenarios
  • Utilize Logic Apps to create workflows that stitch together prompts and promptbooks.


Ad-Hoc Prompt Usage

Identifying a set of prompts that have been tested and approved for specific scenarios gives your analysts some consistency when working with a nondeterministic system like AI. A simple way to incorporate this is to publish prompts within your runbooks, directing team members to specific prompts that help investigate all or part of an incident.

These prompts can be collected by polling your current team on how they already use AI, and a process can be put in place to test new prompts before they are added to your runbooks.


Promptbooks

Promptbooks are an easy way to string together multiple prompts for one use case. Why not craft one prompt that does it all? The short answer is that the more specific and focused a prompt is, the more likely it is to produce a high-quality result. One long prompt tends to produce inconsistent or unexpected results, so crafting small, focused prompts and stringing them together gives higher quality output.

A good example use case is Microsoft’s “Check impact of an external threat article” promptbook, which takes an article, distills its IOCs, and creates KQL to hunt for them. It strings together six prompts to answer the typical question a C-level asks after hearing a news story.

Any series of related prompts will do, for instance one could prompt AI to look at your vulnerability data, find the asset with the highest priority vulnerabilities and craft a tailored email to the asset owner to explain how and why to remediate. Each prompt is targeted to one step of a workflow, and builds on the previous.

This is a good second step to take after identifying prompts that work well for you. Promptbooks speed up the investigative process, as one overall prompt is submitted, rather than your analysts needing to copy and paste multiple prompts. They also allow you to have high quality responses for complex problems.


Logic Apps

Logic Apps have always been a great low-code/no-code, pay-as-you-go and affordable option for SOAR. Their easy integration with Security Copilot, for both prompts and promptbooks, lets you add more complexity to workflows and a level of automation to your AI usage in the SOC. For every incident that fires, you could already have several prompt responses posted as comments on the incident before your analysts start their investigation. Logic Apps also allow for complex workflows that incorporate tools and integrations which can feed AI, or vice versa.

Logic App Example:

When an incident is triggered, a quick check against a reliable, high-quality threat intelligence database is an easy triage checkpoint. The Logic App pictured below checks IOCs against a threat intelligence database and, if there are matches, isolates the host involved before posting a comment back to the incident. All of this is doable without AI, but it becomes vastly easier to configure and implement by using prompts instead of hand-built queries or complex API integrations.

The flow starts by gathering individual IOCs and putting them into different arrays, specific to the type of IOC.

We then utilize two prompts to carry out the rest of the work.

The two main prompts we utilize:

1. Threat Intel Check

This prompt asks Security Copilot to check each IOC we feed it against the Microsoft Defender Threat Intelligence database and return those with a score above 70. We send the IOCs in JSON format, as structured inputs benefit any workflow, AI and human alike.

Prompt text:

Check the following IOCs against Microsoft Defender Threat Intelligence. Check the score of each IOC, and if the score is above a 70 return the IOC as "IOC Value", the score as "score" and the type of IOC as "type" in a JSON array. The values of "type" in the array are either "hash", "ip", "domain" or "url".

IOCs to scan:
{"iocs":[{"type":"hashes", "values":[]},{"type":"domains", "values":[]},{"type":"ips", "values":[]},{"type":"urls", "values":[]}]}

(The Logic App fills each "values" array with the IOCs of that type gathered from the incident before the prompt is sent.)
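The two pieces of the Logic App that sit around this prompt, sorting raw incident entities into per-type arrays and handling the JSON that comes back, are worth seeing in code. The following is an added example written for this post, not SRA's Logic App or Security Copilot's own code: it defangs and classifies a constructed list of IOCs into the hashes/domains/ips/urls buckets the prompt expects, then parses a constructed model reply, keeping only well-formed entries that score above 70 and that were actually among the IOCs sent. That last check matters because the next step in the flow takes action; a fabricated value or a reply wrapped in prose should never reach it. All names and sample data here are assumptions made for the example.

```python
# Added example, not code from the original post or from SRA's Logic App:
# the pre-prompt step that sorts raw incident IOCs into per-type arrays,
# the JSON payload the "Threat Intel Check" prompt expects, and a parser that
# validates what the model sends back before any downstream action uses it.
# Sample IOCs and the sample model response are constructed for this example.
import ipaddress
import json
import re
from urllib.parse import urlparse

SCORE_THRESHOLD = 70  # the prompt asks for scores *above* 70
VALID_TYPES = {"hash", "ip", "domain", "url"}  # singular names the prompt asks for
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_ioc(value):
    """Return (bucket, normalized_value); bucket is None for unrecognised input."""
    v = value.strip()
    # Undo common defanging so hxxp://x[.]y lands in the right bucket.
    v = re.sub(r"^hxxp", "http", v.replace("[.]", "."), flags=re.I)
    if HASH_RE.match(v):
        return "hashes", v.lower()
    try:
        ipaddress.ip_address(v)  # handles IPv4 and IPv6
        return "ips", v
    except ValueError:
        pass
    if "://" in v:
        parsed = urlparse(v)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "urls", v
    if DOMAIN_RE.match(v):
        return "domains", v.lower()
    return None, v


def build_ioc_payload(raw_iocs):
    """The per-type arrays the Logic App assembles before calling the prompt."""
    buckets = {"hashes": [], "domains": [], "ips": [], "urls": []}
    for raw in raw_iocs:
        bucket, norm = classify_ioc(raw)
        if bucket and norm not in buckets[bucket]:  # drop junk and duplicates
            buckets[bucket].append(norm)
    return {"iocs": [{"type": k, "values": v} for k, v in buckets.items()]}


def sent_values(payload):
    """Every IOC value that actually went into the prompt."""
    return {v for group in payload["iocs"] for v in group["values"]}


def parse_ti_response(response_text, known=None, threshold=SCORE_THRESHOLD):
    """Extract the JSON array from the model's reply and keep only valid hits.

    `known` is the set of IOCs we sent; anything else the model returns is
    discarded so a fabricated value can never reach the isolation step.
    """
    start = response_text.find("[")
    if start < 0:
        raise ValueError("no JSON array in response")
    data, _ = json.JSONDecoder().raw_decode(response_text[start:])
    hits = []
    for item in data:
        if not isinstance(item, dict):
            continue
        value, ioc_type = item.get("IOC Value"), item.get("type")
        try:
            score = float(item.get("score"))  # models sometimes quote numbers
        except (TypeError, ValueError):
            continue
        if ioc_type not in VALID_TYPES or score <= threshold:
            continue
        if known is not None and value not in known:
            continue
        hits.append({"value": value, "score": score, "type": ioc_type})
    return hits


# Constructed sample input: entities as they might arrive from an incident.
SAMPLE_IOCS = [
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "198.51.100.7",
    "evil-domain[.]example",
    "hxxps://evil-domain[.]example/payload.exe",
    "EVIL-DOMAIN.example",  # duplicate of the defanged entry once normalised
    "not an ioc",
]

# Constructed sample reply shaped like a model answer: prose around the array,
# one score exactly at the threshold, one score as a string, one IOC never sent.
SAMPLE_RESPONSE = """Here are the IOCs scoring above 70:
[
  {"IOC Value": "198.51.100.7", "score": 85, "type": "ip"},
  {"IOC Value": "evil-domain.example", "score": 70, "type": "domain"},
  {"IOC Value": "https://evil-domain.example/payload.exe", "score": "91", "type": "url"},
  {"IOC Value": "203.0.113.9", "score": 99, "type": "ip"}
]
Let me know if you want these turned into a KQL hunt."""


def run_example():
    payload = build_ioc_payload(SAMPLE_IOCS)
    hits = parse_ti_response(SAMPLE_RESPONSE, known=sent_values(payload))
    return payload, hits


if __name__ == "__main__":
    payload, hits = run_example()
    print(json.dumps(payload, indent=2))
    print(json.dumps(hits, indent=2))
```

Run against the constructed data, the payload contains one hash, one IP, one domain and one URL (the duplicate domain and the junk entry are dropped), and only the IP scoring 85 and the URL scoring 91 survive parsing: the domain at exactly 70 fails the "above 70" test and the IP that was never sent is discarded. In a Logic App the same checks belong in a Parse JSON action with a schema plus a Filter array action before the isolation step.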

2. Host Isolation

This prompt could not be simpler. It uses SRA’s Crowpilot agent to act on the IOCs the first prompt returned.

Using crowpilot, block the IOCs returned in the previous prompt.

The screenshots show an alternative flow for the host isolation portion of the Logic App. Sending a Security Copilot prompt to the Crowpilot integration, which in turn interfaces with CrowdStrike, is an example of how AI can simplify your workflows: instead of making multiple API calls, managing authentication keys and planning for the output format of each call, you ask Security Copilot for the simplest of requests and it handles the complexity for you. Keep the caution from the start of this post in mind, though. An isolation step driven by model output is AI taking action on your behalf; if that is outside your risk tolerance, end the flow at the incident comment and let an analyst approve the isolation. In either case, confirm that the IOCs handed to the second prompt are well-formed and were actually part of the incident before the action fires.


Summary

Prompts, promptbooks and Logic Apps are all simple ways to start your AI journey in the SOC. They help you understand how to use AI, which areas of your investigative and response processes could best use it, and spark your analysts’ interest in identifying the simple, painful and repetitive tasks worth automating.

Some areas to target for workflow development and AI inclusion:

  • Daily incident summaries – Using KQL you can run queries that give visibility into what happened across the entire SOC over the previous day or week. This gives upper management more visibility and gives analysts a broader view of incidents they may not have been aware of. An example Logic App for this scenario can be found in our SRA GitHub: Daily SOC Summary Logic App.
  • Advanced hunting queries – For every investigation, ask Security Copilot what other queries you could use to find the specific attack. This surfaces new and varied ways to detect attacks, creating a more robust investigation, and also serves as a starting point for threat hunting.
  • Incident investigation promptbook – Jump start your investigations by having Security Copilot work the incident, checking entities, IPs, past alerts and so on.
  • Incident quality analysis – Craft a prompt that analyzes every closed incident against specific criteria, ensuring consistent notes and analysis for every incident. Use few-shot learning: include several good and bad examples in the prompt so the model has a reference before crafting its response.

Prompts, promptbooks and Logic Apps are an excellent way to slowly start incorporating AI into your workflows, creating faster, more consistent and more robust investigations. Stay tuned for the next part of the series where we take a look at using prebuilt agents.

Greg Stachura

Greg focuses on Incident Response and the Cyber Security Operations Center. Greg has experience managing SIEM, as well as orchestration and automations platforms. He also has extensive background in Incident Response playbook development, forensics and log analysis. Prior to joining Security Risk Advisors, Greg worked extensively in the financial, healthcare and education sectors.