In 2012, a child’s drawing of her appointment with a physician was published in the Journal of the American Medical Association (JAMA). In the brightly colored sketch, the girl is sitting on the exam table accompanied by her mother and siblings. To those of us working in healthcare, her doctor is the most notable part of the image. He is sitting at his desk, typing on the computer — with his back to the patient.

This drawing, published alongside an article titled “The Cost of Technology,” is emblematic of the unintended consequences of healthcare innovation. With more tools for physicians to use and greater demands on their time, technology can easily become a barrier between the clinician and the patient. For example, in 2023 approximately 53% of physicians surveyed by Medscape reported feeling burned out, and 23% reported feeling depressed. Long working hours, bureaucratic demands and loss of work-life balance due to administrative requirements are leading causes. Our mission has always been to help clinicians turn their chairs around by providing the support they need to fully focus their attention on delivering care.

Fast-forward to today, and we’ve translated that goal into reality. After establishing the ambient technology category, we introduced DAX Copilot, the first generative AI voice-enabled solution, which has been generally available for one year, and we’re seeing remarkable momentum. Part of a proven and extensible platform, DAX Copilot leverages health systems’ existing investments in the trusted family of Dragon Medical solutions, which is used by more than 600,000 clinicians worldwide.

DAX Copilot combines proven conversational and ambient AI with generative AI to automatically convert multiparty conversations into specialty-specific standardized draft clinical summaries that integrate with existing workflows. DAX Copilot was the first ambient solution to be integrated into the Epic electronic health record (EHR) workflow and allows clinicians to seamlessly document patient visits directly within the EHR. Across the country, more than 400 organizations have already embraced its revolutionary capabilities, streamlining administrative tasks and lightening clinicians’ documentation workloads.

This transformative year has highlighted many of the ways we’re helping empower healthcare teams today and bringing joy back to practicing medicine for thousands of clinicians.

Improving Access to Care — and Enhancing Documentation Quality

DAX Copilot is helping Northwestern Medicine in Chicago improve patient access to care, with physicians using the solution in at least 50% of patient encounters and able to see an average of 11.3 additional patients per month. DAX Copilot users at Northwestern Medicine also report spending an average of 24% less time on notes and a 17% decrease in ‘pajama time,’ working on administrative tasks late into the night.

“Northwestern Medicine is committed to providing a superior work environment that promotes well-being, and implementing DAX Copilot will allow our physicians to spend more quality time with our patients, focusing on their needs rather than on paperwork and data entry,” says Dr. Gaurava Agarwal, chief wellness executive, Northwestern Medicine.

Overlake Medical Center & Clinics in Bellevue, Washington, deployed DAX Copilot to help reduce after-hours documentation time and equip its clinicians with tools to manage escalating demands. A pilot with 30 Overlake clinicians saw a significant reduction in time spent on notes outside of scheduled hours. Users also reported other important benefits: 81% said DAX Copilot had reduced their cognitive burden and 77% said the solution had improved the quality of their documentation.

At Atrium Health, “DAX Copilot is enabling a better clinician experience,” says Dr. Matthew Anderson, senior medical director of primary care at Atrium Health. “Most of our surveyed users are reporting a positive impact on their day-to-day schedule, being able to increase the number of patients they are able to see and even spending more time with them.”

Enhancing Clinician Well-being

Atrium Health isn’t alone in finding that the time saved on documentation with DAX Copilot is having a positive impact on clinicians’ quality of life. “I finally have weekends back,” says Dr. Christy Chan, a family medicine physician at Overlake. “I used to always have to worry that there was something I had to do — get back onto the EMR, log back in — but I actually have some weekends back.”

Clinicians at Novant Health are experiencing similar benefits. “DAX Copilot has done an amazing thing for the physicians and clinicians who are currently using it,” says Dr. Aram Alexanian, a family physician at Novant Health. “When you hear a comment like ‘I am now able to do things with my daughter in the evenings and weekends that I couldn’t do before,’ nothing satisfies us more than knowing the impact DAX is having on our clinicians.”

DAX Copilot can accurately identify different voices in the room during pediatric visits, differentiating between parents and children to accurately capture the patient exam note for the physician to review and approve.

Community Health Network places a major focus on clinician well-being and implementing DAX Copilot has had a major impact on its clinicians’ ability to close notes before they leave for the day. “Since we have implemented DAX Copilot, I have not left clinic with an open note,” says Dr. Patrick McGill, chief transformation officer for Community Health Network. “We have seen improved access, improved numbers of patients, but overall, it’s really the clinician satisfaction that we’ve seen. In one word, DAX Copilot is transformative. It transforms how we’re able to deliver care and how we’re able to document it. It also transforms the patient experience.”

“DAX Copilot has made my professional life easier. My patients have also benefited from my using Nuance DAX during our appointments. I can be right there with the patient and not furiously writing notes. I cannot thank you enough,” said Anita M. Kelsey, M.D., Duke Health.

Transforming the Patient Experience 

Dr. Dominick Lanzo, an orthopedic surgeon at Greater Baltimore Medical Center, agrees. “Once I introduced the DAX Copilot program, it completely transformed the patient experience, and it’s turned out to be incredibly accurate with regards to the history of present illness and the physical exam,” he says. “It’s made my practice much more efficient. I can see more patients, my notes are more accurate, and they’re done in a timely fashion by the end of the afternoon.”

For Dr. Alison Pomykala, an internal medicine specialist at Baptist Medical Group, the integration of DAX Copilot with the Epic EHR is particularly valuable. “The thing I like most about DAX Copilot embedded in the Epic workflow is I’m able to focus more on the patient and I’m spending less time in the exam room typing on the computer,” she says.

“I think the interface is wonderful with Epic. It has been great to see the notes coming up basically in real time on the Epic system. That’s also helped with other things: where we needed to generate a note quickly for referrals, for insurance pre-certifications, for imaging studies, or to have a complete note ready for a patient that we’re sending to the hospital.”

“At our academic health system, integrating DAX Copilot has revolutionized patient care,” says Dr. Anthony Mazzarelli, co-president and CEO at Cooper University Health Care. “By automating clinical documentation through ambient voice technology, it has significantly reduced administrative workloads. This allows our physicians to focus on real-time patient interactions, leading to better care outcomes and increased job satisfaction. DAX Copilot has not only improved efficiency but has also empowered our team to spend more time where it matters most — caring for patients.”

It’s a privilege to see this industry-leading solution make a meaningful difference for the clinicians who are already on board — but the work never stops. The Microsoft healthcare team is determined to continue solving some of the industry’s most complex challenges, and harnessing the power and potential of AI is how we’ll achieve that. We will continue to be leaders in innovation, collaborating across our ecosystem of incredible customers, partners and Microsoft researchers to bring real impact to clinical settings.

DAX Copilot is an innovative solution that goes beyond documentation, offering unique features such as orders, problem-based charting and pre-charting capabilities. For example, recent updates to DAX Copilot include a robust set of features, such as the ability to customize documentation style and formatting, as well as automatically create referral letters, diagnostic evidence, after-visit summaries and encounter summaries. The solution also now offers AI coaching to help users improve the quality and completeness of their notes. Also, the new Summarized Evidence capability offers a comprehensive and sophisticated approach that helps clinicians validate and trust the note output by combining insights that go beyond evidence linking, helping clinicians validate the note.

Importantly, when creating technologies that can change the world, Microsoft believes organizations need to ensure that the technology is used responsibly. Microsoft is committed to creating responsible AI by design that is guided by a core set of principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency and accountability.

DAX Copilot is helping restore the human connection at the heart of medicine. We’re excited to drive this solution forward and expand its reach to more clinicians over the coming year and beyond.

Today, the solution can be used across ambulatory specialties, in-office primary care and urgent care, telehealth and emergency medicine. And we are scaling the solution’s availability and capabilities to even more care settings, such as nursing and geographies.

If you’d like to learn how DAX Copilot can help transform healthcare at your organization, please visit: the DAX Copilot website.

The post A year of DAX Copilot: Healthcare innovation that refocuses on the clinician-patient connection appeared first on The Official Microsoft Blog.

In 2012, a child’s drawing of her appointment with a physician was published in the Journal of the American Medical Association (JAMA). In the brightly colored sketch, the girl is sitting on the exam table accompanied by her mother and siblings. To those of us working in healthcare, her doctor is the most notable part…
The post A year of DAX Copilot: Healthcare innovation that refocuses on the clinician-patient connection appeared first on The Official Microsoft Blog.Read More

let ignoreAddresses = datatable(address:string) [@’email address removed for privacy reasons’,@’email address removed for privacy reasons’];
let ignoreSpamSubjects = datatable(address:string) [@’ignored subject 1′,@’ignored subject 2′];
// Time range needs to be set in the UI dropdown in order for LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any(‘URL detonation reputation’, ‘URL malicious reputation’) and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not (Subject has_any (ignoreSpamSubjects))
| where (parse_json( AuthenticationDetails).DMARC =~ ‘Pass’ and EmailDirection =~ ‘Inbound’) or (EmailDirection =~ ‘Intra-org’)
| where (LatestDeliveryLocation in~ (‘Quarantine’, ‘Junk folder’) and not (LatestDeliveryAction =~ ‘Quarantine release’)) and parse_json(ConfidenceLevel).Phish in~ (‘Normal’,’High’)
| join kind=inner (
EmailUrlInfo
| summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageId

I’ve got the above query saved as a detection rule, which works fine except for one thing – the emails are never present in the Evidence tab of the generated incidents.  Meanwhile the Recipients show up in the Mailbox and User assets as I’m using Entity mapping to mapping the RecipientEmailAddress / RecipientObjectId to those 2 entity types.  The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results – “The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages.” (ref) – which is being satisfied.

The Evidence available is the IP of the sender, and an empty email cluster, like this:

In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails’ Recipient.  I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence.  In this exact case, I’m looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC, but are in Quarantine, detected as Phish.  The idea is to watch out for false positives due to URL detonation reputation since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month.

Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.

​let ignoreAddresses = datatable(address:string) [@’email address removed for privacy reasons’,@’email address removed for privacy reasons’];
let ignoreSpamSubjects = datatable(address:string) [@’ignored subject 1′,@’ignored subject 2′];
// Time range needs to be set in the UI dropdown in order for LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any(‘URL detonation reputation’, ‘URL malicious reputation’) and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not (Subject has_any (ignoreSpamSubjects))
| where (parse_json( AuthenticationDetails).DMARC =~ ‘Pass’ and EmailDirection =~ ‘Inbound’) or (EmailDirection =~ ‘Intra-org’)
| where (LatestDeliveryLocation in~ (‘Quarantine’, ‘Junk folder’) and not (LatestDeliveryAction =~ ‘Quarantine release’)) and parse_json(ConfidenceLevel).Phish in~ (‘Normal’,’High’)
| join kind=inner (
EmailUrlInfo
| summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageIdI’ve got the above query saved as a detection rule, which works fine except for one thing – the emails are never present in the Evidence tab of the generated incidents.  Meanwhile the Recipients show up in the Mailbox and User assets as I’m using Entity mapping to mapping the RecipientEmailAddress / RecipientObjectId to those 2 entity types.  The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results – “The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages.” (ref) – which is being satisfied. The Evidence available is the IP of the sender, and an empty email cluster, like this:In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails’ Recipient.  I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence.  In this exact case, I’m looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC, but are in Quarantine, detected as Phish.  The idea is to watch out for false positives due to URL detonation reputation since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.  Read More

​

It seems that Copilot in edge is now upgrading to Enterprise Data protection standards, does any one have a complete list of what is currently not available as a feature during the upgrade. and how long will this upgrade process last. 

​It seems that Copilot in edge is now upgrading to Enterprise Data protection standards, does any one have a complete list of what is currently not available as a feature during the upgrade. and how long will this upgrade process last.   Read More

​

Viva Engage is key to understanding culture, knowledge, community and engagement at organizations. Topics in Viva Engage help categorize conversations, making it easier to find and follow discussions on specific subjects. Anyone can add topics to their posts, which then appear as tags, and these topics can be followed for updates connecting everyone to the things they care about most.

‘Topic subscriptions’ is a new feature available to all Viva Engage users which allows them to receive notifications for Viva Engage topics they follow. Users will receive an Engage bell notification whenever a new post is tagged with a topic they are subscribed to or that topic is added to an existing post.

Note: Topic subscriptions are an additional step from following a topic. When a user follows a topic, they do not receive notifications but may receive content with that topic in their Engage Digest. However, by subscribing to a topic, they would receive a notification for that topic.

How to make the most of topic subscriptions

Topics can help users in your organization easily categorize information and keep employees informed and up-to-date. Here’s how to help your organization make the most out of topic subscriptions:

As a subject matter expert, subscribe to topics in your areas of expertise and encourage others to post using that topic so questions are answered quickly.
Corporate communicators can track topics most important to campaigns, leadership and strategic messaging.
Encourage employees to subscribe to work related topics or interests including company events, Employee Resource Groups, learning opportunities or social gatherings.
Show different teams and functions how topics are used to share insights, articles, and reports on industry trends. Employees interested in staying ahead in their field can subscribe to these topics to stay informed.

Where can users subscribe to topics?

Topic page: All Viva Engage users can subscribe to a topic on the topic page. This page is accessible from the Viva Engage search engine results page (SERP) and when a user clicks on a topic tag in Engage.
Discover more topics page: Premium Viva Engage users can subscribe to a topic in the discover more topics page in the Answers tab. Find the, “Discover more topics link,” in the right rail at the bottom of the Topics to follow section.

Note: Users can subscribe to a topic after following that topic.

Unsubscribing from the topic page

To unsubscribe, click on the blue bell to unsubscribe. It then changes to an unfilled bell icon which indicates that you are no longer subscribed to that topic.

Note: A user can unfollow a topic in the overflow menu, and that automatically unsubscribes them:

Notifications from topic subscriptions

Today, users receive notifications in Viva Engage for topics that they are subscribed to. In the future they will also receive notifications in Teams and Outlook. These workflows are currently a priority on our roadmap.

Subscribing to topics in Viva Engage helps users stay informed on things they care about, encourages collaboration, personalizes content based on topic subscriptions and fosters overall engagement. To learn more about topics in Viva Engage check out our support article.

​Microsoft Tech Community – Latest Blogs –Read More 

Hi,

I have several lists that have some columns set with conditional formatting based the list input, all works fine but the colour palette is very limited, is there a way to add colours to the options available to use?

I have the RGB Colour Codes I want to add but how do I do it?

​Hi,I have several lists that have some columns set with conditional formatting based the list input, all works fine but the colour palette is very limited, is there a way to add colours to the options available to use?I have the RGB Colour Codes I want to add but how do I do it?  Read More

​

In a typical SOC environment, Tier 1 analysts are responsible for reviewing incoming security incidents. They’re in charge of investigating and resolving non-critical alerts, including the identification of false positives. When a critical incident is detected, the Tier 1 analyst must quickly escalate it to the Tier 2 or 3 team for a more thorough investigation. In this case study, you will take on the role of a Tier 1 analyst and discover how Copilot for Security can support you throughout the investigation. It is a tool designed to enable you to assess and manage incidents with greater efficiency and effectiveness.

Let’s use a security incident in the Microsoft Defender XDR portal for our case study. As shown in the next screen capture, this high-severity incident involves three devices, four users and one email account. It consists of a correlation of 25 alerts generated by different Microsoft security solutions. This incident, titled ‘Multi-stage incident involving Initial access & Lateral movement on multiple endpoints reported by multiple sources’ appears complex, extensive, and intimidating.

As soon as you start examining this incident in the Microsoft Defender XDR portal, Copilot for Security is already present on the incident page, as shown in the next diagram. It automatically creates a summary of the incident, providing a clear overview of the attack. Additionally, it offers tailored guidance for responding to the incident through its Guided Response feature, which is also accessible on the incident page.

Rather than sifting through all 25 alerts in the incident to understand the attack, let’s review the summary provided by Copilot for Security first. You can copy the incident summary for further review using Copilot’s “Copy to clipboard” option. This feature is illustrated in the next screenshot.

For your reference, here is the full incident summary copied from Copilot:

The high severity incident ‘Multi-stage incident involving Initial access & Lateral movement on multiple endpoints reported by multiple sources’ occurred between 2024-08-06 17:15:43 UTC and 2024-08-11 00:01:42 UTC. It was tagged as Credential Phish and Lateral Movement.

InitialAccess: The incident began at 2024-08-06 17:15:43 UTC when user ‘kdickens’ clicked on a malicious URL ‘hxxps://fm06722326.mangodune-7572a721.eastus.azurecontainerapps.io/’.
Discovery: At 2024-08-06 17:16:17 UTC, a suspicious sequence of exploration activities were detected on ‘mb-winclient’ (Windows 10), involving the processes ‘whoami.exe’, ‘powershell.exe‘ (running as SYSTEM), and impacting users ‘pgustavo’ and ‘kdickens’.
DefenseEvasion: At 2024-08-06 17:16:20 UTC, a process was injected with potentially malicious code on ‘mb-winclient’ (Windows 10), involving the files ‘ContosoADFSadmincreds.ps1‘, ‘Midnight161.ps1‘, and impacting users ‘pgustavo’ and ‘kdickens’.
Execution: At 2024-08-06 17:16:20 UTC, a malicious PowerShell Cmdlet was invoked on ‘mb-winclient’ (Windows 10), involving the files ‘ContosoADFSadmincreds.ps1‘, ‘Midnight161.ps1‘, and impacting users ‘pgustavo’ and ‘kdickens’.
CredentialAccess: At 2024-08-06 17:17:07 UTC, a suspected DCSync attack (replication of directory services) was detected on ‘mb-winclient’ (Windows 10), impacting user ‘pgustavo’.
LateralMovement: At 2024-08-06 17:17:09 UTC, an ongoing hands-on-keyboard attack via Impacket toolkit was detected on ‘mb-adfs’ (Windows Server 2022), involving the processes ‘lsass.exe’ (running as SYSTEM), ‘powershell.exe‘ (running as SYSTEM), and impacting users ‘LocalSystem’ and ‘adfsadmin’.
Persistence: At 2024-08-06 17:17:10 UTC, suspicious service creation was detected on ‘mb-adfs’ (Windows Server 2022), involving the process ‘services.exe’ (running as SYSTEM), and impacting user ‘adfsadmin’.
CredentialAccess: At 2024-08-06 17:18:20 UTC, an ADFS private key extraction attempt was detected on ‘mb-adfs’ (Windows Server 2022), impacting user ‘adfsadmin’.
DefenseEvasion: At 2024-08-11 00:01:42 UTC, an attempt to hide the use of a dual-purpose tool was detected on ‘mb-adfs’ (Windows Server 2022), involving the file ‘jyglecpm.1v0.exe‘, and impacting user ‘adfsadmin’.

As seen from the incident summary, Copilot for Security provides an overview of the incident that helps you to quickly understand the scope and impact of the attack. It groups the suspicious events into distinct attack stages, outlining the attack’s progression from initial access to lateral movement and persistent access. Each stage is detailed with specific timestamps and a concise summary of the events. In a typical investigation, the security analyst would need to create a similar incident outline manually. With Copilot, this process is now automated and much faster.

After reviewing the incident summary, it’s clear that this is a highly involved incident with multiple sophisticated attacks. As a Tier 1 analyst, your goal is to quickly assess the attacks, rule out the false positives, determine the impact of the incident, and decide whether it needs to be escalated. Let’s dive into some of the incident investigations and see how Copilot for Security can assist throughout the process.

Initial Access, Discovery, and Defense Evasion

The initial access occurs when the attacker gains entry into the target system or network. In this case, the attacker employs a common attack tactic by tricking the user to click on a malicious link, to establish the initial foothold within the user’s corporate network. The following excerpt is from the incident summary generated by Copilot.

InitialAccess: The incident began at 2024-08-06 17:15:43 UTC when user ‘kdickens’ clicked on a malicious URL ‘hxxps://fm06722326.mangodune-7572a721.eastus.azurecontainerapps.io/’.

Once an attacker gains access to the corporate network, he/she needs to gather information about the environment. For instance, running the Windows process “whoami.exe” to gather details about the current user’s identity and environment. Executing “whoami /groups” shows the groups to which the current user belongs, revealing user’s access level and permissions within the system. This process is documented during the Discovery phase.

Discovery: At 2024-08-06 17:16:17 UTC, a suspicious sequence of exploration activities were detected on ‘mb-winclient’ (Windows 10), involving the processes ‘whoami.exe’, ‘powershell.exe‘ (running as SYSTEM), and impacting users ‘pgustavo’ and ‘kdickens’.

So far, the attack techniques encountered are standard and frequently observed. For a Tier 1 analyst, these techniques are familiar and well-known, making the investigation relatively simple.

However, starting from the Defense Evasion phase, things may get a bit tricky. You see a process injection event in the alert:

DefenseEvasion: At 2024-08-06 17:16:20 UTC, a process was injected with potentially malicious code on ‘mb-winclient’ (Windows 10), involving the files ‘ContosoADFSadmincreds.ps1‘, ‘Midnight161.ps1‘, and impacting users ‘pgustavo’ and ‘kdickens’.

What might “a process was injected with potentially malicious code” indicate? What’s a process injection? Let’s consult with Copilot for Security.

You can switch from the embedded experience of Copilot to its standalone mode. This allows you to ask Copilot more questions using its prompt feature. In the Microsoft Defender XDR portal, you may have noticed that there is an ellipsis right inside the Copilot pane. It offers several options for you, including the one “Open in Copilot for Security”. Selecting this option enables you to switch from the Copilot’s embedded experience to its standalone mode. This is shown in the next screen capture.

The “Open in Copilot for Security” feature also allows you to continue your current Copilot session in the standalone experience, preserving any ongoing work or context from the embedded experience. In this standalone mode, you can use the prompt feature to ask additional questions or seek further information, as shown in the next screenshot:

Prompt to Copilot for Security: Can you tell me more about DefenseEvasion: a process was injected with potentially malicious code on ‘mb-winclient’ (Windows10), involving the files ‘ContosoADFSadmincreds.ps1’, ‘Midnight161.ps1’

The response from Copilot provides an overview of process injection and its characteristics:

The term “process injection” typically refers to a technique used by attackers to execute arbitrary code in the address space of a separate live process. This technique improves the stealth and evasion capabilities of malware since the execution of the malicious code does not result in the creation of a new process, making it harder to detect.

The full Copilot response is displayed in the next screen capture:

The process injection overview may still be somewhat abstract. You can follow up with Copilot for a more detailed description using a prompt seen in the next screen capture.

The next diagram presents a portion of the response from Copilot for Security. With this response from Copilot, you have a better understanding of process injection.

The information from Copilot adds more context and insights for this alert, enabling you, the Tier 1 analyst, to start a more thorough investigation immediately.

Back to the Microsoft Defender XDR portal, analysts typically leverage the Defender for Endpoint Timeline feature to investigate the event that might have triggered the alert “A process was injected with potentially malicious code.” The next screenshot shows that in the Timeline, Defender XDR recorded a device event, “powershell.exe executed a script,”. This event led Defender for Endpoint to immediately detect and report “powershell.exe process contains suspicious patterns in AMSI content related to ‘Process Injection’ and other techniques.” This then leads to the triggering of the process injection alert.

Defender XDR also provides the detailed PowerShell process commands that you can ask Copilot to analyze, as shown in the next screen capture.

With Copilot’s information on process injection, and combining the details from the device events, especially that the PowerShell script was executed from the user’s downloads directory, it’s clear that this is likely a malicious attack rather than a false positive. The use of a more advanced technique of process injection suggests that this case should be escalated to the Tier 2 team for further investigation.

In Defender XDR’s Timeline feature, security analysts typically review device events that occurred around the time the security alert was triggered to identify any additional malicious activity. This process is both time-consuming and labor-intensive. But now Copilot for Security can handle the heavy lifting for you. Let’s return to the Copilot standalone environment and use its prompt feature to accomplish this. 

The prompt seen in the next screenshot instructs Copilot for Security to use a Defender KQL query to retrieve all device process events from around the time of the process injection activity. It then asks Copilot to analyze these events for any signs of suspicious activity.

As shown in the next screen capture, Copilot has flagged a few events that are worth investigating further.

You can ask Copilot for Security to further investigate these events with additional prompts in Copilot’s standalone experience.

This investigation may take some time to finish. However, as a Tier 1 analyst, you have concluded that these are likely malicious events involving sophisticated attack techniques. The Tier 2 team will need to carry out a more in-depth investigation. In the meantime, you can move on to the next set of security alerts.

Credential Access

In the incident summary, Copilot for Security also mentions a suspected DCSync attack as part of Credential Access activity:

CredentialAccess: At 2024-08-06 17:17:07 UTC, a suspected DCSync attack (replication of directory services) was detected on ‘mb-winclient’ (Windows 10), impacting user ‘pgustavo’.

What is a DCSync attack? Rather than spending a lot of time researching it online, you can leverage Copilot for Security’s standalone experience to quickly get an idea of what it is and how it works. 

Prompt to Copilot for Security: In your incident summary, you mentioned that “At 2024-08-06 17:17:07 UTC, a suspected DCSync attack (replication of directory services) was detected on ‘mb-winclient’ (Windows 10), impacting user ‘pgustavo’.” What’s a DCSync attack? Can you provide its TTPs?

The next screenshot displays the question you can ask Copilot, along with some of its responses.

Copilot for Security first provides an overview of the DCSync attack with some specific examples. It then walks you through the steps involved in a typical DCSync attack, as seen in the next snapshot.

After reviewing the information provided by Copilot for Security, you should have a better understanding of the key aspects of a DCSync attack and how it operates. If there are more questions or if further clarification is needed, you can always use Copilot’s prompt feature to gain additional insights.

Once you have a solid understanding of the DCSync attack, you can apply this knowledge to assist the security incident investigation. Back in the Defender XDR portal, when you examine the alert story for the “suspected DCSync attack” alert, you’ll likely notice something is off when the end user sends a replication request to a domain controller, as seen in the screen capture.

You can confirm your suspicion with Copilot by entering the following prompt in Copilot’s standalone mode:

Is it common for a regular user on a Windows 10 device to send a replication request to a DC?

As seen in the next screen capture, Copilot for Security confirms that “it is not common for a regular user on a Windows 10 device to send a replication request to a Domain Controller (DC). In a typical Active Directory environment, only Domain Controllers replicate data amongst themselves.”

At this point, you likely can confirm this is a true security incident, not a false positive. Given the nature of the attack, it will require further investigation by the Tier 2 team.

Without the help from Copilot for Security, researching and confirming whether suspicious behavior is truly malicious can be time-consuming and labor-intensive. However, with Copilot for Security, it is faster and more straightforward to confirm malicious activities. Additionally, its provided explanations offer more context, helping the Tier 1 analyst to assess the impact and severity of the incident. This enables the analyst to quickly decide if the incident needs to be escalated to the Tier 2 team or not.

Lateral Movement

In this same security incident, there is an alert for “an ongoing hands-on-keyboard attack via Impacket toolkit”:

LateralMovement: At 2024-08-06 17:17:09 UTC, an ongoing hands-on-keyboard attack via Impacket toolkit was detected on ‘mb-adfs’ (Windows Server 2022), involving the processes ‘lsass.exe’ (running as SYSTEM), ‘powershell.exe‘ (running as SYSTEM), and impacting users ‘LocalSystem’ and ‘adfsadmin’.

While the description of the Impacket toolkit in the Microsoft Defender XDR portal is helpful, but for more detailed insight, you can turn to Copilot for Security’s standalone experience and ask:

Can you tell me more about the Impacket tool? Where is it used most often? How is it exploited by attackers?

Copilot provides a more thorough description of this toolkit:

It’s worth noting that in Copilot’s description of the toolkit, it was emphasized that while Impacket is a legitimate tool, it can also be exploited by attackers. Copilot included several simple examples to illustrate this:

While Impacket is a legitimate tool with many valid uses, it can also be exploited by attackers due to its powerful capabilities. For example, attackers can use Impacket to move laterally across a network, execute commands on remote systems, or extract sensitive information such as password hashes.

Copilot for Security then highlighted a specific attack scenario, pointing out that Impacket can be used to carry out a DCSync attack. And, as the Tier 1 analyst, you have just confirmed that a DCSync attack is involved in the same security incident.

It’s also worth mentioning that while using Copilot for Security, it captures the sequence of your prompts and responses in a session. A session is a distinct interaction period with Copilot for Security, during which Copilot retains the context of the conversation. This allows it to provide relevant answers to subsequent requests, ensuring that the conversation flows logically, and that each response builds upon the previous ones.

Persistence

As we proceed with the incident summary generated by Copilot for Security, the next security alert is a suspicious service creation event occurred during the persistence stage:

Persistence: At 2024-08-06 17:17:10 UTC, suspicious service creation was detected on ‘mb-adfs’ (Windows Server 2022), involving the process ‘services.exe’ (running as SYSTEM), and impacting user ‘adfsadmin’.

If you start examining this alert in the Microsoft Defender XDR portal, you will notice that Defender for Identity and Defender for Endpoint EDR all generated similar alerts, likely for the same suspicious event, as seen in the next screen capture:

Let’s first take a look at “suspicious service creation” alert triggered in Defender for Identity, as shown next:

The service path listed in the alert looks suspicious and it is encoded. Let’s use the following prompt to consult Copilot and understand its purpose.

Can you decode then tell me more about this service path: %COMSPEC% /C “powershell.exe -EncodedCommand QwA6AFwAUwBjAHIAaQBwAHQAcwBcAFIAZQBuAGEAbQBlAFAAbwB3AGUAcgBzAGgAZQBsAGwALgBwAHMAMQA=”

The next screen capture displays the response from Copilot for Security:

Copilot for Security provides a detailed breakdown of the service path. It identifies the encoded command as base64 encoding and decodes it for you. It then concludes with a summary: “this service path is used to execute the RenamePowershell.ps1 PowerShell script located in the C:Scripts directory. The use of base64 encoding can often be a technique to obfuscate the actual command being run, which could be a sign of malicious activity.”

This information is helpful. Let’s continue examining the other related security alerts. The “suspicious service registration” alert triggered in Defender for Endpoint likely pertains to the same suspicious activity that was just looked at. This alert provides a little bit more information and mentions “services.exe modified service image file”, as shown next.  

Using the following prompt, let’s see what Copilot for Security can find out:

Can you explain in more detail about the following event: services.exe modified service image file from to %COMSPEC% /C “powershell.exe -EncodedCommand QwA6AFwAUwBjAHIAaQBwAHQAcwBcAFIAZQBuAGEAbQBlAFAAbwB3AGUAcgBzAGgAZQBsAGwALgBwAHMAMQA=” for service WDUAPJKVADPWOQLFGQSH

The screenshot shown next displays Copilot’s response.

Copilot’s findings for this “suspicious service registration” alert closely align with its analysis on the “suspicious service creation” alert triggered in Defender for Identity. This confirms the suspicion that the two alerts from different security solutions are both reporting the same malicious activity. However, because the Defender for Endpoint alert points out a “services.exe modified service image file” and this detail was included in the prompt, Copilot for Security can now provide additional insights in its analysis that weren’t present in the previous report. You now have a clear picture of this malicious activity: the services.exe process has been set to run RenamePowershell.ps1 whenever the WDUAPJKVADPWOQLFGQSH service is started. For your reference, the following snippet is taken from Copilot’s last response:

It’s worth noting that changes to service image file paths, especially those involving scripts or unusual locations, can be a sign of malicious activity. In this case, the services.exe process has been instructed to launch a PowerShell script whenever the WDUAPJKVADPWOQLFGQSH service is started, which is unusual behavior and could potentially be malicious.

This example also highlights the importance of effective prompting. The more specific information you provide to Copilot, the more relevant and precise responses you’re likely to receive.

In addition, this example highlights the Microsoft Defender XDR’s capability to integrate and correlate data across various Defender solutions. When different Defender tools detect the same malicious activity, they each generate separate alerts. Microsoft Defender XDR then aggregates these alerts into a unified incident. This correlation helps to provide a comprehensive view of the threat.

Credential Access

Let’s review one more alert from the incident summary provided by Copilot for Security: suspicious credential access event involving an ADFS private key extraction:

CredentialAccess: At 2024-08-06 17:18:20 UTC, an ADFS private key extraction attempt was detected on ‘mb-adfs’ (Windows Server 2022), impacting user ‘adfsadmin’.

You will use Copilot for Security to again get a better understanding of the alert. In the Microsoft Defender XDR portal, the device Timeline very often shows the events that led to the alert being triggered. For this security alert, the device event, “jyglecpm.1v0.exe ran an LDAP query“, triggered the alert “ADFS private key extraction attempt”, as seen in the next screenshot. To further investigate this device event, one option is to utilize Copilot for Security to analyze the command line for jyglecpm.1v0.exe. You can perform this directly within the Microsoft Defender XDR portal leveraging the embedded experience of Copilot for Security. Alternatively, in standalone mode, you can paste the command line into the Copilot prompt and request for analysis.

As shown in the next screen capture, Copilot for Security offers a detailed analysis of the command line through its embedded experience. 

From the Copilot analysis excerpt shown below, you can sense something isn’t right when jyglecpm.1v0.exe performed the LDAP query:

The provided command line script executes a file named “jyglecpm.1v0.exe” in a hidden window. It then uses the ‘-encodedCommand’ parameter to run a base64-encoded command. The base64 string decodes to a PowerShell script located at ‘C:ScriptsExportADFSTokenSigningCert.ps1’. This suggests that the script is likely used to execute a hidden process and then run a PowerShell script, possibly for malicious purposes.

To further investigate, you can first get a sense of what are the normal LDAP operations by prompting Copilot with the following questions in its standalone experience:

The next screenshot displays the information provided back by Copilot:

Based on Copilot’s explanation, you quickly gain an understanding of LDAP and how it operates. LDAP queries are typically initiated by client applications or services that need to access data stored in a directory service. For instance, an email client might perform an LDAP query to retrieve the email addresses of users within an organization.

Now you may be wondering, why would an unfamiliar and rarely seen process like “jyglecpm.1v0.exe” need to run an LDAP query to access data in a directory service? It is especially suspicious with its encoded command line. Let’s continue to consult Copilot with the prompt shown in the next screenshot:

Copilot for Security, leveraging its vast amount of knowledge, comments: “The command line script you provided does not appear to be a normal LDAP operation. It executes …” The full response from Copilot is displayed in the next screen capture:

Without the assistance of Copilot for Security, determining whether a behavior is truly malicious can be time-consuming and labor-intensive. Traditional methods typically involve extensive manual research, multiple clicks, and complex navigation through various user interface elements. Analysts often need to sift through many data points and conduct in-depth analyses to assess the severity of threats, which can delay the identification of true risks.

However, with Copilot for Security, this process becomes significantly more efficient and straightforward. Analysts can quickly ask specific questions about suspicious behavior rather than spending extended periods researching online. By providing additional context and explanations directly within the platform, Copilot enables Tier 1 analysts to quickly understand the nature and severity of an incident. This instant clarity allows analysts to make informed decisions and determine whether escalation to Tier 2 or 3 teams is necessary, thus accelerating threat response and reducing the overall time spent on investigation.

​Microsoft Tech Community – Latest Blogs –Read More 

Hi,

I would like to do internal audits for ISO 27001:2022 using Compliance Manager. I’m having problems adding evidence like a Security policy if the service Microsoft 365 is active. 

​Hi,I would like to do internal audits for ISO 27001:2022 using Compliance Manager. I’m having problems adding evidence like a Security policy if the service Microsoft 365 is active.   Read More

​

Is there a cost management option in the Azure portal for customers/partners to see in Azure Gov CSP?  

​Is there a cost management option in the Azure portal for customers/partners to see in Azure Gov CSP?    Read More

​