Extend Copilot for Security with your own plugins

by | Jun 8, 2024 | Security Copilot | 0 comments

Copilot for Security can be customized using plugins, which significantly enhance its utility for diverse cybersecurity organizations. Given that cybersecurity operations vary widely, the ability to tailor Copilot for Security through plugins ensures it delivers more relevant and accurate responses. Custom plugins can provide enriched context and integrate various data sources, thereby improving the system’s overall effectiveness.

Copilot for Security comes with a variety of built-in plugins that can be easily enabled and configured. These pre-built plugins integrate with popular Microsoft services such as Microsoft Sentinel, Defender, and Log Analytics but also products of third parties, providing immediate functionality and value without requiring extensive setup. Users can quickly turn these plugins on or off and personalize their settings to meet specific organizational needs.

Hi Copilot for Security, what type of custom plugins do you support?

As a security assistant, I can be extended using the following types of plugins:
  • API Plugins: These plugins enable integration with various external systems and services via APIs. They facilitate data retrieval, interaction with third-party security tools, and automation of tasks through predefined interfaces.
  • GPT Plugins: Leveraging OpenAI’s GPT capabilities, these plugins allow for advanced natural language processing and generation. They enhance the assistant’s ability to understand complex queries, generate detailed reports, and provide natural language responses that are more intuitive and contextually relevant.
  • Kusto Query Language (KQL) Plugins: These plugins are used to execute complex queries on data stored in Microsoft Sentinel, Log Analytics, or other Kusto databases. They help in retrieving specific insights, performing detailed security analytics, and generating custom reports based on sophisticated queries.

Explore the built-in plugins

Copilot for security comes with a great set of built-in plugins. By default not all plugins are enabled, so having a look at your plugin settings is recommended.

There is a large list of plugins available. By clicking on the plugin icon in the prompt field, you get access to your plugin settings.  

To optimize the performance of Copilot for Security, it is advisable to enable only the plugins for applications and tools that you plan to use and have configured correctly. Copilot for Security evaluates each prompt and determines the necessary plugin. By restricting the number of active plugins to those you actively use, you reduce the chances of Copilot selecting an incorrect plugin, thereby enhancing accuracy and efficiency in its responses.

How do plugins work?

Each prompt is executed using a flow. This flow will determine what plugin is required and preprocesses the prompt (using the plugin) before handing it over to the large language model. The response of the large language model undergoes post processing before it is presented to you. Here is a detailed overview of the prompt proces:

  • The process begins when a user enters a prompt into Microsoft Security Copilot. These prompts are typically derived from security products and can include queries for data, requests for analysis, or commands to perform specific security actions.
  • Microsoft Security Copilot preprocesses the input prompt using a technique called grounding. This process involves refining the prompt to make it more specific, ensuring that the response provided is relevant and actionable. Grounding enhances the clarity and context of the prompt before it is processed further.

    During the grounding phase, Copilot for Security may access various plugins to gather initial contextual information and improve the specificity of the prompt. These plugins help in preprocessing by connecting to relevant data sources and services, providing the necessary context to the language model.

  • Once the prompt is grounded and preprocessed, it is sent to the language model. The language model, enhanced by the contextual information provided by the plugins, generates a response based on the refined prompt.
  • After receiving the response from the language model, Copilot for Security performs post-processing to further refine the output. This post-processing step may involve accessing additional plugins to gather more contextual information or to validate the response. This ensures that the final output is accurate, relevant, and actionable.
  • The refined response is then delivered back to the user. The user can review and assess the response, and if needed, provide further prompts for clarification or additional information.

Creating a custom plugin

Let’s create a GPT plugin! These are among the easiest plugins to start with when extending Copilot for Security. Using human language we can add extra instructions to Copilot for Security.

To begin, I will use the YAML manifest from Microsoft Learn. You can find the detailed instructions and template here.

Here’s a step-by-step guide:

  1. Get the YAML Manifest: Visit the provided link and copy the YAML manifest template into your development environment. I use Visual Studio Code for this purpose.

  2. Modify the Manifest: Paste the YAML manifest into a new file in Visual Studio Code. Replace the placeholder content with your custom content. For example, in the screenshot attached to this blog post, I’ve created a plugin designed to provide additional instructions on how to triage a cybersecurity incident.

  3. Customize the Plugin: Tailor the content of the plugin to fit your specific needs. This might involve defining new commands, setting up the necessary API calls, or integrating with other security tools your organization uses.

Upload your plugin

After saving your plugin, you can easily upload it to Copilot for Security. Here’s how:

  1. Locate the Upload Feature: Open the plugin management window where the built-in plugins are displayed. Scroll down to the “Custom” section, where you will find an option to add a new plugin.

  2. Add Your Plugin: Click on the “Add Plugin” button. This will open a new view where you can upload your custom plugin.

  3. Select Plugin Format: In the new view, choose the format “Copilot for Security Plugin”. Then, select your saved plugin file from your system and click “Add” to upload it.

  4. Manage Your Plugin: Once the upload is complete, your plugin will appear in the “Custom” section of the plugin management window. Here, you can enable or disable the plugin as needed.

Test your plugin

Congratulations with your first plugin! Lets test it. 

Now that you’ve successfully created and uploaded your first plugin, it’s time to test it.

Testing your plugin can vary depending on its specific functionality. For my plugin, which provides triage instructions for a cybersecurity incident, I will use the following prompt:

“I have an incident with IP address 8.8.8.8 and user someone@azurevlog.com. Can we triage this incident?”

Here’s how the process works:

  1. Execute the Prompt: Enter the prompt into Copilot for Security. This prompt includes specific details such as an IP address and a user email, which the plugin will use to provide tailored triage instructions.

  2. Plugin Invocation: The information in the plugin’s manifest determines when and how the plugin should be invoked. The manifest describes the plugin’s purpose and the criteria for its use. Based on this information, Copilot for Security decides which plugins to activate for the given prompt.

  3. Response Generation: Once the appropriate plugin is activated, it processes the prompt and generates a response. This response should provide detailed instructions or actions to triage the specified incident.

By following these steps, you can test and validate the functionality of your custom plugin, ensuring it works as intended within Microsoft Security Copilot.

If the plugin does not give the output you expected, adjust the manifest and try again.

Conclusion

Customizing Microsoft Copilot for Security with plugins offers a powerful way to enhance its functionality and tailor it to your organization’s specific needs. By leveraging API, GPT, and KQL plugins, you can integrate external systems, improve natural language processing, and execute complex queries to gain deeper insights into your security landscape.

Creating and managing these plugins is straightforward, thanks to the detailed guidance provided by Microsoft. Starting with a simple GPT plugin, you can quickly see the benefits of extending Copilot’s capabilities. The process of uploading and enabling custom plugins ensures that your security assistant is equipped with the most relevant tools and data sources, thereby improving response accuracy and efficiency.

Testing your custom plugins is an essential step to validate their functionality and ensure they meet your specific requirements. By following best practices in plugin development and management, you can maintain a robust and secure environment, leveraging the full potential of Microsoft Security Copilot.

In conclusion, the ability to customize Copilot for Security with plugins not only enhances its immediate utility but also future-proofs your security operations by integrating evolving technologies and data sources. This adaptability is crucial in the ever-changing landscape of cybersecurity, providing your organization with the tools needed to stay ahead of threats and maintain a strong security posture.

Getting started with Copilot for Security Plugins

I have created a video that gets you started with Copilot for Security Plugins, watch it here!

Submit a Comment

Your email address will not be published. Required fields are marked *