Microsoft Security Copilot in Defender EASM

Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by analyzing vulnerability and infrastructure data to showcase the key areas of concern for your organization.

Defender EASM’s integration with Microsoft Security Copilot enables users to interact with Microsoft’s discovered attack surfaces. These attack surfaces allow users to quickly understand their externally facing infrastructure and relevant, critical risks to their organization. They provide insight into specific areas of risk, including vulnerabilities, compliance, and security hygiene. For more information about Microsoft Security Copilot, go to What is Microsoft Security Copilot. For more information on the embedded Microsoft Security Copilot experience, refer to Query your attack surface with Defender EASM using Microsoft Copilot in Azure.

Know before you begin

If you're new to Microsoft Security Copilot, you should familiarize yourself with it by reading these articles:

Microsoft Security Copilot integration in Defender EASM

Microsoft Security Copilot can surface insights from Defender EASM about an organization's attack surface. You can use the system features built into Microsoft Security Copilot, together with your own prompts, to get more information. This information can help you understand your security posture and mitigate vulnerabilities.

This article introduces you to Microsoft Security Copilot and includes sample prompts that can help Defender EASM users.

Key features

The EASM Security Copilot integration can help you with:

  • Providing a snapshot of your external attack surface and generating insights into potential risks

    This allows users to get a quick view of their external attack surface by analyzing internet-available information combined with Microsoft's proprietary discovery algorithm. It provides an easy-to-understand natural language explanation of the organization's externally facing assets, such as hosts, domains, webpages, and IP addresses, and highlights the critical risks associated with them.

  • Prioritizing remediation efforts based on asset risk and CVEs

    EASM allows security teams to prioritize their remediation efforts by understanding which assets and Common Vulnerabilities and Exposures (CVEs) pose the greatest risk in their environment. It does this by analyzing vulnerability and infrastructure data to showcase key areas of concern, providing a natural language explanation of the risks and recommended actions.

  • Leveraging Security Copilot to surface insights

    Users can ask Security Copilot questions in natural language to extract insights from Defender EASM about their organization's attack surface. This includes querying details such as the number of insecure SSL certificates, the ports detected, and specific vulnerabilities affecting the attack surface.

  • Expediting Attack Surface Curation

    Utilize Security Copilot to curate your attack surface with labels, external IDs, and state modifications for a set of assets. This process speeds up curation, allowing you to organize your inventory faster and more efficiently.

Enable the Microsoft Security Copilot integration in Defender EASM

Prerequisites

  • Access to Microsoft Security Copilot, with permissions to activate new connections.

Microsoft Security Copilot connection

  1. Access Microsoft Security Copilot and ensure you're authenticated.

  2. Select the plugins icon on the upper-right side of the prompt input bar.

    Screenshot that shows the plugins icon.

  3. Locate Defender External Attack Surface Management under the "Microsoft" section and toggle it on to connect.

    Screenshot that shows Defender EASM activated in Copilot.

  4. If you want Microsoft Security Copilot to pull data from your own Defender EASM resource, select the gear icon to open the plugin settings and fill in the fields with the values from the "Essentials" section on your resource's Overview blade.

Screenshot that shows the Defender EASM fields that must be configured in Copilot.

Note

Customers who haven't purchased Defender EASM can still use the Defender EASM skills against Microsoft's prebuilt company attack surfaces. Skills that query your own inventory require the plugin settings to point at a Defender EASM resource. See the Plugin capabilities reference section for more information.

Sample Defender EASM prompts

Microsoft Security Copilot operates primarily with natural language prompts. When querying information from Defender EASM, you submit a prompt that guides Microsoft Security Copilot to select the Defender EASM plugin and invoke the relevant capability.
For success with Copilot prompts, we recommend the following:

  • Ensure that you reference the company name in your first prompt. Unless otherwise specified, all future prompts will provide data about the initially specified company.

  • Be clear and specific with your prompts. You might get better results if you include specific asset names or metadata values (for example, CVE IDs) in your prompts.

    It might also help to add Defender EASM to your prompt, like:

    • According to Defender EASM, what are my expired domains?
    • Tell me about Defender EASM high priority attack surface insights.
  • Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.

  • Microsoft Security Copilot saves your prompt sessions. To see the previous sessions, in Microsoft Security Copilot, go to the menu > My sessions.

    For a walkthrough on Microsoft Security Copilot, including the pin and share feature, go to Navigating Microsoft Security Copilot.

For more information on writing Microsoft Security Copilot prompts, go to Microsoft Security Copilot prompting tips.

Plugin capabilities reference

The following reference lists each plugin capability with its description, example inputs, inputs, and behaviors.

Get Attack Surface summary

  Description: Returns the attack surface summary for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • Get attack surface for LinkedIn.
  • Get my attack surface.
  • What is the attack surface for Microsoft?
  • What is my attack surface?
  • What are the externally facing assets for Azure?
  • What are my externally facing assets?

  Inputs:
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified, returns the attack surface summary for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the attack surface summary for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Get Attack Surface insights

  Description: Returns the attack surface insights for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • Get high priority attack surface insights for LinkedIn.
  • Get my high priority attack surface insights.
  • Get low priority attack surface insights for Microsoft.
  • Get low priority attack surface insights.
  • Does Azure's external attack surface have high priority vulnerabilities?

  Inputs:
  • PriorityLevel (required): 'high', 'medium' or 'low'. If the prompt doesn't specify a level, it defaults to 'high'.
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified, returns the attack surface insights for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the attack surface insights for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Get assets affected by CVE

  Description: Returns the assets affected by a CVE for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • Get assets affected by CVE-2023-0012 for LinkedIn.
  • Which assets are affected by CVE-2023-0012 for Microsoft?
  • Is Azure's external attack surface impacted by CVE-2023-0012?
  • Get assets affected by CVE-2023-0012 for my attack surface.
  • Which of my assets are affected by CVE-2023-0012?
  • Is my external attack surface impacted by CVE-2023-0012?

  Inputs:
  • CveId (required)
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified:
    • If the plugin settings aren't filled out, fails gracefully and reminds the customer to configure them.
    • If the plugin settings are filled out, returns the assets affected by the CVE for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the assets affected by the CVE for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Get assets affected by CVSS

  Description: Returns the assets affected by vulnerabilities of a given CVSS severity for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • Get assets affected by high priority CVSS scores in LinkedIn's attack surface.
  • How many assets have critical CVSS scores for Microsoft?
  • Which assets have critical CVSS scores for Azure?
  • Get assets affected by high priority CVSS scores in my attack surface.
  • How many of my assets have critical CVSS scores?
  • Which of my assets have critical CVSS scores?

  Inputs:
  • CvssPriority (required): 'critical', 'high', 'medium' or 'low'.
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified:
    • If the plugin settings aren't filled out, fails gracefully and reminds the customer to configure them.
    • If the plugin settings are filled out, returns the assets affected by the given CVSS severity for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the assets affected by the given CVSS severity for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Get expired domains

  Description: Returns the number of expired domains for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • How many domains are expired in LinkedIn's attack surface?
  • How many assets are using expired domains for Microsoft?
  • How many domains are expired in my attack surface?
  • How many of my assets are using expired domains?

  Inputs:
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified, returns the number of expired domains for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the number of expired domains for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Get expired certificates

  Description: Returns the number of expired SSL certificates for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • How many SSL certificates are expired for LinkedIn?
  • How many assets are using expired SSL certificates for Microsoft?
  • How many SSL certificates are expired for my attack surface?
  • What are my expired SSL certificates?

  Inputs:
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified, returns the number of expired SSL certificates for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the number of expired SSL certificates for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Get SHA1 certificates

  Description: Returns the number of SHA1-signed SSL certificates for either the customer's Defender EASM resource or a given company name.

  Example inputs:
  • How many SSL SHA1 certificates are present for LinkedIn?
  • How many assets are using SSL SHA1 for Microsoft?
  • How many SSL SHA1 certificates are present for my attack surface?
  • How many of my assets are using SSL SHA1?

  Inputs:
  • CompanyName (optional)

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource and no other company is specified, returns the number of SHA1 SSL certificates for the customer's Defender EASM resource.
  • If another company name is provided and there's an exact match, returns the number of SHA1 SSL certificates for that company.
  • If there's no exact match for the company name, returns a list of possible matches.

Translate Natural Language to Defender EASM Query

  Description: Translates a natural language question into a Defender EASM inventory query and returns the assets that match the query.

  Example inputs:
  • What assets are using jQuery version 3.1.0?
  • Get the hosts with port 80 open in my attack surface.
  • Find all the page, host and asn assets in my inventory with an ip address that is IP X, IP Y, or IP Z.
  • Which of my assets have a registrant email of "name@example.com"?

  Inputs:
  • A natural language question about your inventory

  Behaviors:
  • If the plugin is configured with an active Defender EASM resource, returns the assets matching the translated query.
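As an added worked example (this is not Microsoft's plugin code, and the plugin's internals aren't published on this page), the following Python models the input-resolution rules the reference above describes: an exact company-name match selects a prebuilt attack surface, a partial match returns a list of candidates, an unset company name falls through to the configured resource and fails gracefully when the resource settings are incomplete, PriorityLevel defaults to 'high', CvssPriority words map to the CVSS v3.x qualitative severity bands, and CVE IDs are syntax-checked before use. The prebuilt company list, the ResourceSettings field names, and the return shapes are constructed for this example.

```python
"""Model of the Defender EASM plugin's input-resolution rules (illustrative only)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Microsoft's prebuilt company attack surfaces.
PREBUILT_COMPANIES = ["Contoso", "Contoso Bank", "Fabrikam", "Northwind Traders"]

# CVSS v3.x qualitative severity bands (FIRST specification); used to turn
# the CvssPriority word a user types into a numeric score range.
CVSS_BANDS = {
    "critical": (9.0, 10.0),
    "high": (7.0, 8.9),
    "medium": (4.0, 6.9),
    "low": (0.1, 3.9),
}

# CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


@dataclass
class ResourceSettings:
    """Values copied from the resource's Essentials section into the plugin
    settings. Field names are assumptions for this example."""
    subscription_id: str = ""
    resource_group: str = ""
    resource_name: str = ""

    def is_complete(self) -> bool:
        return all((self.subscription_id, self.resource_group, self.resource_name))


def resolve_target(settings: ResourceSettings, company_name: Optional[str] = None):
    """Decide whose attack surface a skill should query.

    Returns one of:
      ("resource", None)        customer's own Defender EASM resource
      ("company", exact_name)   prebuilt attack surface, exact (case-insensitive) match
      ("candidates", [names])   no exact match; possible matches for the user to pick
      ("error", message)        own resource requested but plugin settings incomplete
    """
    if company_name:
        wanted = company_name.strip().lower()
        exact = [c for c in PREBUILT_COMPANIES if c.lower() == wanted]
        if exact:
            return ("company", exact[0])
        partial = [c for c in PREBUILT_COMPANIES if wanted in c.lower()]
        return ("candidates", partial)
    if not settings.is_complete():
        # "Fail gracefully and remind the customer": no exception, a message.
        return ("error", "Plugin settings are incomplete; fill in the Defender EASM "
                         "resource fields or name a company in your prompt.")
    return ("resource", None)


def normalize_priority(level: Optional[str]) -> str:
    """PriorityLevel for insights: high, medium or low; defaults to high."""
    value = (level or "high").strip().lower()
    if value not in ("high", "medium", "low"):
        raise ValueError(f"PriorityLevel must be high, medium or low, got {level!r}")
    return value


def cvss_range(priority: str):
    """Map a CvssPriority word to its CVSS v3.x score band (min, max)."""
    key = priority.strip().lower()
    if key not in CVSS_BANDS:
        raise ValueError(f"CvssPriority must be one of {sorted(CVSS_BANDS)}, got {priority!r}")
    return CVSS_BANDS[key]


def validate_cve(cve_id: str) -> str:
    """Reject malformed CVE IDs before they reach a skill; return canonical form."""
    candidate = cve_id.strip()
    if not CVE_ID.match(candidate):
        raise ValueError(f"Not a CVE identifier: {cve_id!r}")
    return candidate.upper()


if __name__ == "__main__":
    unconfigured = ResourceSettings()
    configured = ResourceSettings("00000000-0000-0000-0000-000000000000", "rg-easm", "easm-prod")
    print(resolve_target(unconfigured, "fabrikam"))   # exact match on a prebuilt company
    print(resolve_target(unconfigured, "contoso"))    # exact beats partial ("Contoso Bank")
    print(resolve_target(unconfigured, "north"))      # candidates only
    print(resolve_target(unconfigured))               # graceful error: settings missing
    print(resolve_target(configured))                 # own resource
    print(normalize_priority(None), cvss_range("critical"), validate_cve("cve-2023-0012"))
```

The separation of "company" from "resource" targets mirrors the advice in the next section: a prompt that names a company never touches your own inventory, and a prompt that says "my" never silently falls back to a prebuilt company when the plugin settings are missing.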

Switching between resource and company data

Although the skills now integrate with your own Defender EASM resource, they still support pulling data from Microsoft's prebuilt attack surfaces for specific companies. To help Security Copilot determine which one you want, use "my" or "my attack surface" when you mean your own resource, and "their" or the specific company name when you mean a prebuilt attack surface. This improves accuracy within a single session, but we strongly recommend using two separate sessions, one for your own resource and one for prebuilt company data, to avoid confusion.

Provide feedback

Your feedback on Microsoft Security Copilot generally, and the Defender EASM plugin specifically, is vital to guide current and planned development on the product. The optimal way to provide this feedback is directly in the product, using the feedback buttons at the bottom of each completed prompt. Select "Looks right," "Needs improvement" or "Inappropriate". We recommend “Looks right” when the result matches expectations, “Needs improvement” when it doesn't, and “Inappropriate” when the result is harmful in some way.

Whenever possible, and especially when the result is “Needs improvement,” please write a few words explaining what we can do to improve the outcome. This also applies when you expected Microsoft Security Copilot to invoke the Defender EASM plugin, but another plugin was selected instead.

Privacy and data security in Microsoft Security Copilot

When you interact with Microsoft Security Copilot to get Defender EASM data, Copilot pulls that data from Defender EASM. The prompts, the data that's retrieved, and the output shown in the prompt results are processed and stored within the Microsoft Security Copilot service.

For more information about data privacy in Microsoft Security Copilot, go to Privacy and data security in Microsoft Security Copilot.