Demo - Using Security Copilot to investigate a Sentinel Incident

A Security Analyst named John was tasked with investigating incident ID 255 in Microsoft Sentinel. John opens both the Sentinel and Defender XDR portals to look at this incident.

1. Incident summary
2. Script analysis
3. KQL query for investigation
4. Incident report, assessment and recommendation

1. Incident summary
John needs a quick overview of incident ID 255 and asks Copilot for assistance.
Result: Copilot gave John an understanding of the incident background, together with its findings.

2. Script analysis
John does not understand the suspected malicious script that was run and asks Copilot for assistance.
Results: Copilot provided a breakdown and explanation of the suspected script that was run.

3. KQL query for investigation
John is not well-versed in the KQL language and needs to ask Copilot for assistance.
Results: Copilot provided the KQL queries John needed to search for the intended results.

4. Incident report, assessment and recommendation
John needs to write a report, an incident assessment, a set of recommendations for next steps, and a timeline of the incident. He asks Copilot for assistance.
Results: Copilot provided an incident report with an incident assessment, an incident timeline, supporting evidence and a set of proposed recommendations.