
How to develop a MITRE ATT&CK Microsoft Copilot bot, integrate it with Teams and monitor it with Microsoft Sentinel

Introduction

Hi defenders. At Microsoft Ignite 2023, Microsoft introduced Microsoft Copilot for Microsoft 365, which uses Large Language Models (LLMs) and your enterprise data to provide powerful intelligent assistance capabilities. In this blog we are going to explore how to use Microsoft Copilot Studio to develop your first Copilot, integrate it with Microsoft Teams and monitor it with Microsoft Sentinel.

1- Create the MITRE ATT&CK Copilot

Let’s start by creating a Microsoft Copilot Studio account. Visit https://www.microsoft.com/en-us/copilot/microsoft-copilot-studio and click on “Try free”.

To create an account, use your Work or School email address:

Now you are ready to create your first Copilot.

Click on "+ Create a copilot". Enter the following pieces of information and click on “Create”.

You can also edit advanced options, such as the Copilot icon.

Congratulations, your first Copilot is ready.

You can start testing it right away. Select MITRE ATT&CK Copilot and try to ask some questions about it.

Now publish the Copilot.

You can explore the copilot web demo directly by clicking on “demo website”.

2- Integrate MITRE ATT&CK Copilot with Microsoft Teams

Once the copilot is published, it is time to integrate it with Teams. Click on “Go to channel” and select Microsoft Teams.

Click on “Open bot”

Or you can download it from “Availability options” and upload it to Teams. Click on “Download zip”.

Then open Microsoft Teams, select “Apps” and click on “Upload an app”. Upload the copilot app.

Click on the first option:

Then add the application.

Once the app is uploaded and added, you can interact with it directly in Teams.

3- Monitor the copilot with Microsoft Sentinel

Once the copilot is active within Teams, we are going to monitor its activities with Microsoft Sentinel. First, create a new Azure Application Insights resource.

Click on the newly created Application Insights resource.

Copy the connection string.

Go back to Microsoft Copilot Studio, click on “Copilot Details” in Settings, and paste the connection string in Advanced bot details.

After a few minutes you will start receiving the bot events. Events are stored in a table named “customEvents”. You can explore it by going to Logs.
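As a first check in Logs, the following query (an added example, not part of the original post or the linked workbook) charts nothing but lists the hours in which a given bot event fired far more often than its own baseline. It relies only on the standard `timestamp` and `name` columns of “customEvents”; the 14-day lookback and the 2.5 threshold are assumed starting values.

```kusto
// Added example: flag hourly spikes in copilot telemetry, per event name.
// Only the standard Application Insights columns of customEvents are used.
let lookback = 14d;   // assumed window, adjust to your retention
let bucket = 1h;      // assumed granularity
customEvents
| where timestamp > ago(lookback)
// One time series of hourly counts per event name, empty hours filled with 0.
| make-series Events = count() default = 0
    on timestamp from bin(ago(lookback), bucket) to bin(now(), bucket) step bucket
    by name
// Returns, per point: flag (+1 spike, -1 dip, 0 normal), score and expected baseline.
| extend (Anomaly, Score, Baseline) = series_decompose_anomalies(Events, 2.5)
// Turn the arrays back into one row per event name and hour.
| mv-expand timestamp to typeof(datetime),
            Events to typeof(long),
            Anomaly to typeof(long),
            Score to typeof(double),
            Baseline to typeof(double)
| where Anomaly == 1   // keep only hours with more events than expected
| project timestamp, name, Events, Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
```

If the Application Insights resource is workspace-based and you query it from the Log Analytics workspace behind Microsoft Sentinel, the same events appear in the `AppEvents` table, with `TimeGenerated` and `Name` in place of `timestamp` and `name`.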

Once we have events, it is time to develop a Microsoft Sentinel Workbook. Go to Microsoft Sentinel and create a new Workbook.

You can name it, for example, Microsoft Copilots Workbook.

Click on the code icon and paste the following workbook code: https://github.com/chihebchebbi/MITRE-ATTACK-Microsoft-Copilot-Workbook/blob/main/MITRE_ATT%26CK_Copilot_Workboook.json

Then save the workbook. Now you can monitor the copilot events in Microsoft Sentinel.