Commit 8711c1e

Merge pull request #272637 from danielledennis/main
Copilot integration updates
2 parents 68da6d8 + fd35f21 commit 8711c1e

4 files changed

+41
-80
lines changed

articles/external-attack-surface-management/easm-copilot.md

Lines changed: 41 additions & 80 deletions
@@ -14,11 +14,10 @@ ms.localizationpriority: high
1414

1515
# Microsoft Security Copilot (preview) and Defender EASM
1616

17-
> [!IMPORTANT]
18-
> The information in this article applies to the Microsoft Security Copilot Early Access Program, which is an invite-only paid preview program. Some information in this article relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided in this article.
17+
Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by analyzing vulnerability and infrastructure data to showcase the key areas of concern for your organization.
1918

19+
Defender EASM’s integration with Copilot for Security enables users to interact with Microsoft’s discovered attack surfaces. These attack surfaces allow users to quickly understand their externally facing infrastructure and relevant, critical risks to their organization. They provide insight into specific areas of risk, including vulnerabilities, compliance, and security hygiene. For more information about Copilot for Security, go to [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot).
2020

21-
Security Copilot is a cloud-based AI platform that provides a natural language copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, go to [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot).
2221

2322
**Security Copilot integrates with Defender EASM**.
2423

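Review bot: The paragraph added at new line 19 names the product "Copilot for Security", but the unchanged H1 at line 15, the link text in that same paragraph ("What is Microsoft Security Copilot?") and the context line at new line 22 ("Security Copilot integrates with Defender EASM") still say "Security Copilot"; pick one name and use it throughout the article. The hunk also deletes the Early Access IMPORTANT notice while the title keeps "(preview)", so either drop "(preview)" from the H1 or keep a short preview note. "Microsoft's discovered attack surfaces" in the first added sentence of line 19 is ambiguous about whose surface is being queried; wording such as "attack surfaces that Defender EASM has discovered" would read more clearly.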
@@ -27,120 +26,82 @@ Security Copilot can surface insights from Defender EASM about an organization's
2726
This article introduces you to Security Copilot and includes sample prompts that can help Defender EASM users.
2827

2928

29+
## Connect Copilot to Defender EASM
3030

31-
## Know before you begin
32-
33-
- Ensure that you reference the company name in your first prompt. Unless otherwise specified, all future prompts will provide data about the initially specified company.
34-
35-
- Be clear and specific with your prompts. You might get better results if you include specific asset names or metadata values (e.g. CVE IDs) in your prompts.
36-
37-
It might also help to add **Defender EASM** to your prompt, like:
38-
39-
- **According to Defender EASM, what are my expired domains?**
40-
- **Tell me about Defender EASM high priority attack surface insights.**
41-
42-
- Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.
43-
44-
- Security Copilot saves your prompt sessions. To see the previous sessions, in Security Copilot, go to the menu > **My investigations**:
45-
46-
![Screenshot that shows the Microsoft Security Copilot menu and My investigations with previous sessions.](media/copilot-1.png)
47-
48-
49-
For a walkthrough on Security Copilot, including the pin and share feature, go to [Navigating Microsoft Security Copilot](/security-copilot/navigating-security-copilot).
50-
51-
For more information on writing Security Copilot prompts, go to [Microsoft Security Copilot prompting tips](/security-copilot/prompting-tips).
31+
### Prerequisites
5232

33+
* Access to Copilot for Security, with permissions to activate new connections.
5334

35+
### Copilot for Security connection
5436

55-
## Open Security Copilot
37+
1. Access [Copilot for Security](https://securitycopilot.microsoft.com/) and ensure you're authenticated.
38+
2. Select the plugins icon on the upper-right side of the prompt input bar.
5639

57-
1. Go to [Microsoft Security Copilot](https://go.microsoft.com/fwlink/?linkid=2247989) and sign in with your credentials.
58-
2. By default, Defender EASM should be enabled. To confirm, select **plugins** (bottom left corner):
40+
![Screenshot that shows the plugins icon.](media/copilot-2.png)
5941

60-
![Screenshot that shows the plugins that are available, enabled, and disabled in Microsoft Security Copilot.](media/copilot-2.png)
42+
3. Locate Defender External Attack Surface Management under the “Microsoft” section and toggle on to connect.
6143

44+
![Screenshot that shows Defender EASM activated in Copilot.](media/copilot-4.png)
6245

63-
In **My plugins**, confirm Defender EASM is on. Close **Plugins**.
46+
4. If you would like Copilot for Security to pull data from your Microsoft Defender External Attack Surface Resource, click on the gear to open the plugin settings, and fill out the fields from your resource’s “Essentials” section on the Overview blade.
6447

65-
> [!NOTE]
66-
> Some roles can enable or disable plugins, like Defender EASM. For more information, go to [Manage plugins in Microsoft Security Copilot](/security-copilot/manage-plugins).
48+
[ ![Screenshot that shows the Defender EASM fields that must be configured in Copilot.](media/copilot-6.png) ](media/copilot-6.png#lightbox)
6749

68-
3. Enter your prompt.
6950

51+
> [!NOTE]
52+
> Customers can still use Defender EASM skills if they have not purchased Defender EASM. See the Plugin capabilities reference section for more information.
7053
7154

72-
## Built-in system features
7355

74-
In Security Copilot, there are built in system features. These features can get data from the different plugins that are enabled.
7556

76-
To view the list of built-in system capabilities for Defender EASM, use the following steps:
57+
## Getting started
7758

78-
1. In the prompt, enter **/**.
79-
2. Select **See all system capabilities**.
80-
3. In the Defender EASM section, you can:
59+
Copilot for Security operates primarily with natural language prompts. When querying information from Defender EASM, you submit a prompt that guides Copilot for Security to select the Defender EASM plugin and invoke the relevant capability.
60+
For success with Copilot prompts, we recommend the following:
8161

82-
- Get attack surface summary.
83-
- Get attack surface insights.
84-
- Get assets affected by CVEs by priority or CVE ID.
85-
- Get assets by CVSS score.
86-
- Get expired domains.
87-
- Get expired SSL certificates.
88-
- Get SHA1 certificates.
89-
90-
91-
92-
## Sample prompts for Defender EASM?
93-
94-
There are many prompts you can use to get information about your Defender EASM data. This section lists some ideas and examples.
95-
96-
### General information about your attack surface
97-
98-
Get **general information** about your Defender EASM data, like an attack surface summary or insights about your inventory.
62+
- Ensure that you reference the company name in your first prompt. Unless otherwise specified, all future prompts will provide data about the initially specified company.
9963

100-
**Sample prompts**:
64+
- Be clear and specific with your prompts. You might get better results if you include specific asset names or metadata values (for example, CVE IDs) in your prompts.
10165

102-
- Get the external attack surface for my organization.
103-
- What are the high priority attack surface insights for my organization?
66+
It might also help to add **Defender EASM** to your prompt, like:
10467

68+
- **According to Defender EASM, what are my expired domains?**
69+
- **Tell me about Defender EASM high priority attack surface insights.**
10570

71+
- Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.
10672

107-
### CVE vulnerability data
73+
- Security Copilot saves your prompt sessions. To see the previous sessions, in Security Copilot, go to the menu > **My sessions**.
10874

109-
Get details on **CVEs that are applicable to your inventory**.
11075

111-
**Sample prompts**:
76+
For a walkthrough on Security Copilot, including the pin and share feature, go to [Navigating Microsoft Security Copilot](/security-copilot/navigating-security-copilot).
11277

113-
- Is my external attack surface impacted by CVE-2023-21709?
114-
- Get assets affected by high priority CVSS's in my attack surface.
115-
- How many assets have critical CVSS's for my organization?
78+
For more information on writing Security Copilot prompts, go to [Microsoft Security Copilot prompting tips](/security-copilot/prompting-tips).
11679

11780

11881

119-
### Domain and SSL certificate posture
82+
## Plugin capabilities reference
12083

121-
Get information about **domain and SSL certificate posture**, like expired domains and usage of SHA1 certificates.
84+
| Capability | Description | Inputs | Behaviors |
85+
| ----------------- | ------------------------------- | --------------------- | -------------------------------------- |
86+
| Get Attack Surface summary | Returns the attack surface summary for either the customer’s Defender EASM resource or a given company name. | **Example inputs:** <br> • Get attack surface for LinkedIn.   <br> • Get my attack surface.  <br> • What is the attack surface for Microsoft?   <br> • What is my attack surface?  <br> • What are the externally facing assets for Azure?  <br> • What are my externally facing assets?  <br> <br> **Optional Inputs:** <br> • CompanyName | If your plugin is configured to an active Defender EASM resource and no other company is specified: <br> • Return attack surface summary for the customer’s Defender EASM resource. <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches.  <br> • If there's an exact match, return the attack surface summary for the given company name. |
87+
| Get Attack Surface insights | Returns the attack surface insights for either the customer’s Defender EASM resource or a given company name.  | **Example inputs:** <br> • Get high priority attack surface insights for LinkedIn. <br> • Get my high priority attack surface insights.  <br> • Get low priority attack surface insights for Microsoft.  <br> • Get low priority attack surface insights.  <br> • Do I have high priority vulnerabilities in my external attack surface for Azure?  <br><br> **Required inputs:** <br> • PriorityLevel - the priority level must be 'high', 'medium' or 'low' (if not provided, it defaults to ‘high’)  <br><br>**Optional Inputs:** <br> • CompanyName - the company name  | If your plugin is configured to an active Defender EASM resource and no other company is specified: <br> • Return attack surface insights for the customer’s Defender EASM resource.  <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches. <br> • If there's an exact match, return the attack surface insights for the given company name.  |
88+
| Get assets affected by CVE | Returns the assets affected by a CVE for either the customer’s Defender EASM resource or a given company name.  | **Example inputs:** <br><br> • Get assets affected by CVE-2023-0012 for LinkedIn.  <br> • Which assets are affected by CVE-2023-0012 for Microsoft?  <br> • Is Azure’s external attack surface impacted by CVE-2023-0012?  <br> • Get assets affected by CVE-2023-0012 for my attack surface.  <br> • Which of my assets are affected by CVE-2023-0012?  <br> • Is my external attack surface impacted by CVE-2023-0012?  <br><br>**Required inputs:** <br> • CveId <br><br> **Optional inputs:** <br> • CompanyName | If your plugin is configured to an active Defender EASM resource and no other company is specified: <br> • If plugin settings aren't filled out, fail graciously and remind customers.  <br> • If plugin settings are filled out, return the assets affected by a CVE for the customer’s Defender EASM resource. <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches.  <br> • If there's an exact match, return the assets affected by a CVE for the given company name.  |
89+
| Get assets affected by CVSS | Returns the assets affected by a CVSS score for either the customer’s Defender EASM resource or a given company name.  | **Example inputs:** <br> • Get assets affected by high priority CVSS's in LinkedIn’s attack surface. <br> • How many assets have critical CVSS's for Microsoft?  <br> • Which assets have critical CVSS's for Azure?  <br> • Get assets affected by high priority CVSS's in my attack surface.  <br> • How many of my assets have critical CVSS's?  <br> • Which of my assets have critical CVSS's for?  <br><br> **Required inputs:** <br> • CvssPriority (the CVSS priority must be critical, high, medium or low. <br><br> **Optional inputs:** <br> • CompanyName | If your plugin is configured to an active Defender EASM resource and no other company is specified:   <br> • If plugin settings aren't filled out, fail graciously and remind customers.  <br> • If plugin settings are filled out, return the assets affected by a CVSS score for the customer’s Defender EASM resource. <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches.  <br> • If there's an exact match, return the assets affected by a CVSS score for the given company name.  |
90+
| Get expired domains | Returns the number of expired domains for either the customer’s Defender EASM resource or a given company name.  | **Example inputs:** <br> • How many domains are expired in LinkedIn’s attack surface?   <br> • How many assets are using expired domains for Microsoft?  <br> • How many domains are expired in my attack surface?   <br> • How many of my assets are using expired domains for Microsoft?  <br><br> **Optional inputs:** <br> • CompanyName | If your plugin is configured to an active Defender EASM resource and no other company is specified: <br> • return the number of expired domains for the customer’s Defender EASM resource <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches.  <br> • If there's an exact match, return the number of expired domains for the given company name.  |
91+
| Get expired certificates | Returns the number of expired SSL certificates for either the customer’s Defender EASM resource or a given company name.  | **Example inputs:** <br> • How many SSL certificates are expired for LinkedIn?   <br> • How many assets are using expired SSL certificates for Microsoft?  <br> • How many SSL certificates are expired for my attack surface?   <br> • What are my expired SSL certificates?  <br><br> **Optional inputs:** <br> • CompanyName | If your plugin is configured to an active Defender EASM resource and no other company is specified: <br> • return the number of SSL certificates for the customer’s Defender EASM resource. <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches.  <br> • If there's an exact match, return the number of SSL certificates for the given company name.  |
92+
| Get SHA1 certificates | Returns the number of SHA1 SSL certificates for either the customer’s Defender EASM resource or a given company name.  | **Example inputs:** <br> • How many SSL SHA1 certificates are present for LinkedIn?   <br> • How many assets are using SSL SHA1 for Microsoft?  <br> • How many SSL SHA1 certificates are present for my attack surface?   <br> • How many of my assets are using SSL SHA1?  <br><br> **Optional inputs:** <br> • CompanyName | If your plugin is configured to an active Defender EASM resource and no other company is specified: <br> • return the number of SHA1 SSL certificates for the customer’s Defender EASM resource <br><br> If another company name is provided: <br> • If no exact for match for company name, returns a list of possible matches.  <br> • If there's an exact match, return the number of SHA1 SSL certificates for the given company name.  |
12293

123-
**Sample prompts**:
12494

125-
- How many domains are expired in my organization's attack surface?
126-
- How many SSL certificates are expired for my organization?
127-
- How many assets are using SSL SHA1 for my organization?
128-
- Get list of expired SSL certificates.
95+
## Switching between Resource Data and Company Data
12996

97+
Even though we have added resource integration for our skills, we still support pulling data from prebuilt attack surfaces for specific companies. To improve Copilot for Security’s accuracy in determining when a customer wants to pull from their attack surface or a prebuilt, company attack surface, we recommend using “my”, “my attack surface”, etc. to convey they want to use their resource and “their”, “{specific company name}”, etc. to convey they want a prebuilt attack surface. While this does improve the experience in a single session, we strongly recommend having two separate sessions to avoid any confusion.
13098

13199

132100
## Provide feedback
133101

134-
Your feedback on the Defender EASM integration with Security Copilot helps with development. To provide feedback, in Security Copilot, use the feedback buttons at the bottom of each completed prompt. Your options are "Looks Right," "Needs Improvement" and "Inappropriate."
135-
136-
137-
Your options:
138-
139-
- **Confirm**: The results match expectations.
140-
- **Off-target**: The results don't match expectations.
141-
- **Report**: The results are harmful in some way.
102+
Your feedback on Copilot for Security generally, and the Defender EASM plugin specifically, is vital to guide current and planned development on the product. The optimal way to provide this feedback is directly in the product, using the feedback buttons at the bottom of each completed prompt. Select "Looks right," "Needs improvement" or "Inappropriate". We recommend “Looks right” when the result matches expectations, “Needs improvement” when it doesn't, and “Inappropriate” when the result is harmful in some way.
142103

143-
Whenever possible, and when the result is **Off-target**, write a few words explaining what can be done to improve the outcome. If you entered Defender EASM-specific prompts and the results aren't EASM related, then include that information.
104+
Whenever possible, and especially when the result is “Needs improvement,” please write a few words explaining what we can do to improve the outcome. This also applies when you expected Copilot for Security to invoke the Defender EASM plugin, but another plugin was selected instead.
144105

145106

146107

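Review bot: In the capabilities table, the example input on new line 90, "How many of my assets are using expired domains for Microsoft?", combines "my" with a company name, which is the ambiguity the new "Switching between Resource Data and Company Data" paragraph (new line 97) tells users to avoid; make it either "my assets" or "for Microsoft" so the row does not teach a prompt that can be resolved against a prebuilt company surface when the user meant their own resource. In the same table, new line 87 lists PriorityLevel under "Required inputs" while stating that it defaults to 'high' when not provided, so it belongs under optional inputs. New line 91 describes expired certificates, but its Behaviors cell says "return the number of SSL certificates" without "expired". New line 89 leaves the parenthesis after CvssPriority unclosed and ends an example with "for?". Across new lines 86-92, "If no exact for match" should read "If no exact match", and "fail graciously" on new lines 88-89 should read "fail gracefully". Step 4 on new line 46 should name the fields to copy from the Essentials section, since only the screenshot shows them, and the NOTE on new line 52 should link to the "Plugin capabilities reference" heading it refers to.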