You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/security-copilot-exercises/includes/9a-explore-embedded-entra.md
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,12 +24,13 @@ You're an identity admin with Woodgrove. You believe there are some users at the
24
24
1. From the menu on the left, scroll down and open the **Protection** menu.
25
25
1. Select **Identity Protection** from the submenu.
26
26
27
-
- We want to use the Dashboard to look at the Number of high risk users chart. Notice there have been risky users detected.
27
+
- We want to use the Dashboard to look at the **Number of high risk users chart**. Notice there are more than 100 risky user activities detected.
28
+
- We'll come back to this report in a couple of minutes.
28
29
29
30
1. Let’s do some research on potential Risky Users.
30
31
1. Select the **Copilot** button from the top right of the screen.
31
32
1. Take a moment to review the sample prompts that are provided in Copilot.
32
-
1. Enter the prompt **Show me my most recent risky users** and select the arrow.
33
+
1. Enter the prompt **Show me my most risky users** and select the arrow.
33
34
34
35
- Note, the user we were concerned about (Serena) is in the list.
35
36
@@ -38,10 +39,10 @@ You're an identity admin with Woodgrove. You believe there are some users at the
38
39
1. Select **Serena Markunaite** from the list of Risky Users.
39
40
40
41
- This opens a Copilot autogenerated user risk summary. You now see a specific reason why Serena is at elevated risk.
41
-
- Also note there are recommendations on what to do.
42
+
- Also note the **What to do** recommendations.
42
43
43
44
1. We need to dig a little deeper and see if we can track this risky user behavior. Have they performed activities outside of their normal usage?
44
-
1. In the Copilot dialog, enter the prompt **Show me the signins for the user one day before and after the alert**.
45
+
1. In the Copilot dialog, enter the prompt **Show me the sign-ins for the Serena one day before and after the alert**.
45
46
46
47
- Note the failed user sign in attempt then some immediate successful attempts from an alternate IP-address. Looks like suspicious behavior.
47
48
- Just resetting a password or MFA may not be enough if an attacker has logged into the system. Let’s check to see if any changes have been made to the MFA settings recently.
@@ -54,12 +55,13 @@ You're an identity admin with Woodgrove. You believe there are some users at the
54
55
1. Ask copilot for recommendations with the prompt **What should I do to remediate this attacker-in-the-middle threat?**.
55
56
1. Scroll up in the copilot window to review the entire response.
56
57
57
-
- Copilot response includes ways to remediate the current issues. However, notice that you're also provided with recommendations to secure for future attacks.
58
+
- Copilot response includes ways to remediate the current issues. All of these items are great to stop to current potential breach, but won't stop future attempts. What can we do?
59
+
-**Reminder** - In the **Risky User Details** provided **What to do** recommendations to secure for future attacks.
58
60
59
61
1. There's a suggestion to use **Conditional Access policies to protect this user**. Use Copilot for find out more.
60
62
1. Enter the prompt **Can I use risk based conditional access policy to automate response to these detections?**
61
63
62
-
- Note that you can use Conditional Access policies.
64
+
- Note that you can use Conditional Access policies. The same as the previous recommendations we got.
63
65
64
66
1. Ask Copilot to give you step by step instructions to set this up with the prompt **How would I create a sign in risk based conditional access policy for this user?**.
65
67
@@ -73,7 +75,7 @@ You're an identity admin with Woodgrove. You believe there are some users at the
73
75
74
76
#### Task: Using Security Copilot in Microsoft Entra to troubleshoot access
75
77
76
-
You're an identity admin with Woodgrove. You're a member of the helpdesk and have been asked to look into a trouble ticket that was submitted by a remote employee who often works at secure customer locations. The employee reports that they are unable to authenticate when working from a customer’s secure location that that doesn’t allow users to bring any external devices including mobile devices and laptops. As an identity admin, you know that the authentication process is set up to always use phone-based MFA, but you want to investigate the user's sign in attempts. Copilot can help investigate and research how to quickly resolve the user sign in challenge. The user is Khamala Ervello..
78
+
You're an identity admin with Woodgrove. You're a member of the helpdesk and have been asked to look into a trouble ticket that was submitted by a remote employee who often works at secure customer locations. The employee reports that they are unable to authenticate when working from a customer’s secure location that that doesn’t allow users to bring any external devices including mobile devices and laptops. As an identity admin, you know that the authentication process is set up to always use phone-based MFA, but you want to investigate the user's sign in attempts. Copilot can help investigate and research how to quickly resolve the user sign in challenge. The user is Khamala Ervello.
77
79
78
80
1. Open the simulated environment by selecting this link: **[Microsoft Entra admin center](https://app.highlights.guide/start/c07ee752-8668-4ff3-a53f-202ff9a945ef?token=045faae1-1078-4eac-bf56-e12472eddaf9&azure-portal=true)**.
79
81
1. Select the **Security Copilot** button in the upper right of the screen.
0 commit comments