Understanding Sentinel password spray data with Copilot for Microsoft 365
Steven Lim
Favikon Top Cybersecurity / IT & Tech LinkedIn Creators | VP | Director | KQLWizard
In this article, I will share how to take the password spray data obtained from Microsoft Sentinel, convert it into an Excel table, and analyze it with Copilot. Password spray is just one use case for SecOps: potentially any security data extracted from MS Sentinel or Defender XDR can be analyzed with Copilot for Microsoft 365 simply by using prompts to get more insight into your security data. Work smartly to understand your security log data set!
A typical MS Sentinel query on password spray (failed sign-ins over the last day, with the source location pulled out of LocationDetails):
SigninLogs
| where TimeGenerated > ago(1d)
// Entra ID sign-in result codes (ResultType is a string column, so compare it as a string):
// 50126 - Invalid username or password, or invalid on-premises username or password.
// 50053 - Either the account is locked because the user tried to sign in too many times
//         with an incorrect user ID or password, or the sign-in was blocked because it came
//         from an IP address with malicious activity.
// Spray attempts normally surface as 50126; widen the filter (e.g. ResultType in ("50126", "50053"))
// if you also want lockouts and blocked sources in the export.
| where ResultType == "50126"
| extend City = tostring(LocationDetails.city)
| extend State = tostring(LocationDetails.state)
| extend Country = tostring(LocationDetails.countryOrRegion)
// IPAddress is the natural pivot for a spray (one source, many distinct users), so keep it in the export.
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, Country, State, City, AppDisplayName, ClientAppUsed, UserAgent
1. Click Export -> CSV (All columns) and save the file as passwordspray.csv.
2. Open passwordspray.csv in Excel and save it as PasswordSpray.xlsx in OneDrive or a Microsoft 365 SharePoint location with AutoSave turned on. (This is a prerequisite for Copilot.)
3. In PasswordSpray.xlsx, choose Insert -> Table, select all the cells containing data and click OK. (As shown below)
4. With a cell inside the table selected, go back to Home and click the Copilot icon. (As shown below)
For example, enter "Show data insights" as the Copilot prompt.
Copilot starts analyzing the password spray source countries and presents the data. Click the "Add to Sheet" button to get a statistics table like the one below.
From the data we can observe that CN, KR and RU are the top source countries, locations commonly associated with APT origins. Keep in mind that the country is the geolocation of the source IP address, which an attacker can route through VPNs, proxies or hosting providers, so it is a hint about the attack infrastructure rather than attribution.
Next we try "Show data insights on City" as the Copilot prompt.
Even though CN is the country most of the password spray comes from, the single city conducting the most password spray is Voorburg. Country-level totals can hide a concentrated source like this, which is why it is worth pivoting on both fields (and on the source IP address, if it was exported).
We can also use the prompt "Which UserPrincipalName has multiple city entries" (as shown below). This shows the users that have been sprayed the most, and from which different city locations. Replace "city" with "country" in the prompt to see the source of the attack and its magnitude per user. You can also write prompts to detect low-and-slow spraying (a few attempts per account, spread over hours or days, from a source that cycles through many accounts), which some APT groups use to stay under threshold-based detections.
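The prompts above ("Show data insights", "Show data insights on City", "Which UserPrincipalName has multiple city entries" and a low-and-slow spray check) can also be reproduced offline over the same exported CSV, which is handy for sanity-checking what Copilot reports and for turning a prompt into a repeatable detection. The Python below is an added example, not code from the original article or from Microsoft: the sign-in rows it parses are constructed for illustration, the IPAddress column is an assumption (the query above as originally written does not project it, but the source IP is the natural pivot for spraying), and the thresholds (at least 5 distinct users per IP, and under 1 attempt per hour counting as low-and-slow) are illustrative.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Column set of the article's projection plus IPAddress (assumed to have been
# added to the KQL 'project' line; the source IP is the pivot for a spray).
HEADER = ["TimeGenerated", "UserPrincipalName", "ResultType", "ResultDescription",
          "Country", "State", "City", "IPAddress", "AppDisplayName",
          "ClientAppUsed", "UserAgent"]


def _row(ts, upn, country, city, ip, ua="python-requests/2.31"):
    return [ts.strftime("%Y-%m-%dT%H:%M:%SZ"), upn, "50126",
            "Invalid username or password", country, "", city, ip,
            "Office 365 Exchange Online", "Authenticated SMTP", ua]


def build_sample_csv():
    """Constructed stand-in for passwordspray.csv; not real Sentinel data."""
    t0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
    rows = []
    # Fast spray from two CN addresses: 5 distinct users each, one per minute.
    for i in range(5):
        rows.append(_row(t0 + timedelta(minutes=i), f"user{i}@contoso.com",
                         "CN", "Beijing", "203.0.113.10"))
        rows.append(_row(t0 + timedelta(minutes=10 + i), f"user{5 + i}@contoso.com",
                         "CN", "Shanghai", "203.0.113.11"))
    # Low-and-slow spray from one NL address: 6 distinct users, one every 3 hours.
    for i in range(6):
        rows.append(_row(t0 + timedelta(hours=3 * i), f"user{i}@contoso.com",
                         "NL", "Voorburg", "198.51.100.7"))
    # Ordinary mistyped password: one user, one address, a browser user agent.
    for m in (60, 62):
        rows.append(_row(t0 + timedelta(minutes=m), "alice@contoso.com",
                         "KR", "Seoul", "192.0.2.44", ua="Mozilla/5.0"))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def load_rows(csv_text):
    """Parse the export; TimeGenerated becomes a timezone-aware datetime."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["TimeGenerated"] = datetime.strptime(
            r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rows


def count_by(rows, field):
    """Equivalent of 'Show data insights on <field>': failures per value, most frequent first."""
    return Counter(r[field] for r in rows).most_common()


def users_with_multiple(rows, field="City"):
    """Equivalent of 'Which UserPrincipalName has multiple <field> entries'."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["UserPrincipalName"]].add(r[field])
    return {u: sorted(v) for u, v in seen.items() if len(v) > 1}


def spray_sources(rows, min_users=5, slow_rate_per_hour=1.0):
    """Per source IP that hit at least min_users distinct accounts: breadth,
    attempt count, time span and rate.  A low-and-slow spray has the same
    breadth as a fast one but a rate that stays under per-minute thresholds."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["IPAddress"]].append(r)
    found = []
    for ip, hits in by_ip.items():
        users = {r["UserPrincipalName"] for r in hits}
        if len(users) < min_users:
            continue
        times = sorted(r["TimeGenerated"] for r in hits)
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        rate = len(hits) / max(span_h, 1 / 60)   # attempts per hour; guard a zero span
        found.append({"ip": ip, "country": hits[0]["Country"], "city": hits[0]["City"],
                      "users": len(users), "attempts": len(hits),
                      "span_hours": round(span_h, 2), "attempts_per_hour": round(rate, 1),
                      "profile": "low-and-slow" if rate < slow_rate_per_hour else "fast"})
    return sorted(found, key=lambda d: -d["users"])


if __name__ == "__main__":
    data = load_rows(build_sample_csv())
    print("By country:", count_by(data, "Country"))
    print("By city:   ", count_by(data, "City"))
    print("Users hit from several cities:", users_with_multiple(data, "City"))
    for s in spray_sources(data):
        print(s)
```

On the constructed rows the country view ranks CN first while the city view ranks Voorburg first, the same shape as the article's two Copilot answers, and spray_sources flags the Voorburg address as low-and-slow (6 accounts, 0.4 attempts per hour) even though a per-minute failure threshold would never fire on it. To use it on a real export, replace build_sample_csv() with open("passwordspray.csv").read().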
As you can see, if you have the appropriate log data extracted from the MS Sentinel SIEM, you can use Copilot in Excel to analyze it and generate insights from your prompts. This helps a SOC manager understand the SIEM data more effectively and put up additional defensive controls and detections to deter adversaries. Remember, Copilot works best when you provide context and details in your prompts. Feel free to refine your requests to get even better results!
#Microsoft #Sentinel #DefenderXDR #Copilot #Threatanalysis #AI