Device Query With Copilot for security (Public Preview)

Introduction to Device Query

Device Query is a feature of Intune Advanced Analytics that runs real-time queries against a single managed device and returns the result in the portal. At the time of writing it is supported only on Windows 10 and later; other operating systems are not supported.

The Challenge of Device Queries

While Device Query sounds like a great tool, extracting the information you need takes effort: you have to write the KQL (Kusto Query Language) yourself. The interface lists table names and their properties on the left, but unlike Advanced hunting in the Microsoft Defender portal, there is no way to click a table or property to generate a starter query. Everything is typed by hand, which is daunting for anyone unfamiliar with KQL.

Enter Copilot

Recognizing this challenge, Microsoft has introduced Device Query with Copilot, which uses Copilot to turn a natural-language question into a KQL query. Note that this convenience comes at a cost: the feature requires provisioned Copilot for Security Compute Units (SCUs), which are billed separately from Intune.

Initial Setup Copilot for security

Getting started with Copilot for security in Azure involves a few key steps. This guide will walk you through the process of setting up your Copilot security capacity, from selecting your Azure subscription to configuring the necessary settings.

  • Go to Microsoft Security Copilot.
  • Upon reaching the site, you’ll be prompted to start creating a Copilot security capacity.
  • Select the appropriate Azure subscription that you wish to use for this setup.
  • Choose an existing resource group from your Azure resources or create a new one if needed.
  • Provide a unique and identifiable name for your Copilot capacity.
  • Select the desired region where you want this capacity to be deployed. Consider factors such as data residency and compliance requirements when selecting the region.
  • Decide on the number of compute units. Microsoft advises a minimum of 3, but for a demonstration you can start with 1 to keep costs down. SCUs are billed per hour of provisioned capacity whether or not you run any prompts, so size the capacity for actual use.
  • Review the configuration and ensure all details are correct.
  • Continue through the setup process by following the on-screen instructions until you reach the final page.
  • On the final page, review the setup summary and click “Finish” to complete the creation of your Copilot security capacity.

This setup will integrate a powerful AI-driven security assistant into your Azure environment, enhancing your security management and response capabilities.

Enable Intune Copilot

Now we only need to enable the Intune plugin in Security Copilot. Follow the steps below:

  • On the homepage of Security Copilot, scroll down until you find the chat box.
  • Click the “Sources” button, located to the left of the arrow (send) button, to manage the enabled sources.
  • Search for “Microsoft Intune” in the list of sources and enable it.

Double-check that Copilot for Intune is enabled

  • Go to https://intune.microsoft.com
  • Navigate to the “Tenant Administration” section on the left side.
  • Look for the “Copilot (Preview)” option.
  • The tab shows whether Copilot for Intune is enabled for the tenant.

Copilot resource in Azure

  • Navigate to the Azure portal.
  • Open the resource group you used to create the Copilot capacity.
  • Within the resource group, locate your Copilot resource.

How to cancel Copilot for Security:

  • Delete this resource from the resource group.
  • Billing for the compute units stops once the capacity resource is removed. If you only want to reduce spend rather than cancel, lower the number of compute units in the Security Copilot owner settings instead of deleting the capacity.

Device Query with Copilot for Security

Simple Question

As you can see below, if you ask Copilot a simple, straightforward question it gives you the answer you are looking for about 80% of the time in my testing.
In this case I asked whether it could check if Defender was running. It gave me the query as a response; you then have three options:

  • How was this query generated
    • Shows more detail on how Copilot arrived at the query.
  • Add to editor
    • Places the query in the editor so you can adapt it before running it on the endpoint.
  • Add and Run
    • As you would expect, takes the query Copilot generated and runs it on the endpoint as-is.
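As an added illustration (not the query Copilot returned to the author), this is the shape of the single-table query a question like “is Defender running?” resolves to. Table and column names (WindowsService with Name, DisplayName, Status, StartType and Path) follow the Intune data platform schema linked further down; confirm them against that page before running, since the preview schema can change. WinDefend is the service name of Microsoft Defender Antivirus; the exact Status and StartType string values are assumptions, which is why the comparisons are case-insensitive.

```kql
// Added example, not from the original post: is Microsoft Defender Antivirus running
// and set to start automatically on the queried device?
// Table/column names (WindowsService: Name, DisplayName, Status, StartType, Path) are
// taken from the Intune data platform schema; verify them against the schema page.
WindowsService
| where Name =~ "WinDefend"                      // service name of Microsoft Defender Antivirus
| extend IsRunning = Status =~ "running",        // status strings assumed to be RUNNING / STOPPED
         AutoStart = StartType =~ "auto_start" or StartType =~ "automatic"   // start-type string varies; assumption
| project DisplayName, Status, StartType, Path,
          Healthy = IsRunning and AutoStart      // single verdict for a first-line engineer
```

An empty result means the service is not installed at all (for example on a device running a third-party antivirus), which is a different finding from a stopped service; use “Add to editor” and drop the `where` clause to list every service if that is the case.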

History

When running a query in the Copilot pane, it automatically closes. If you need to fine-tune your query, reopening the pane won’t display your previous chat history, which can be frustrating.

Here’s a workaround until Microsoft implements session history:

  • Open two tabs for the device query.
  • Use the first tab to ask your questions and interact with Copilot.
  • Use the second tab to run the queries based on the responses from the first tab.

This method allows you to maintain a continuous flow of your chat history while making the necessary adjustments to your queries.

Multi table Question

When asking Copilot multi-table questions, even precise ones, it currently does not produce accurate queries. To get the information you need, break the request into several smaller, single-table questions and combine the results yourself.

For example, in my experience, I asked for the disk size, device model, and manufacturer. Initially, Copilot failed to give me the correct query. However, by asking more focused, smaller questions, I eventually got the required information. This approach helped navigate through the issues I encountered.
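As an added example (not the author's query, and not something Copilot generated), here is one way to answer the author's manufacturer, model and disk-size question in a single query once the two halves have been obtained separately. Device Query runs against one device, so there is no device key to join on; adding a constant Key column to both sides turns the join into a cross join of the single SystemInfo row with each LogicalDrive row. Column names (HardwareVendor, HardwareModel, ComputerName, DeviceId, Type, Size, FreeSpace) follow the Intune data platform schema linked below and should be checked against it; the “Local Disk” type string is an assumption.

```kql
// Added example, not from the original post: manufacturer, model and fixed-disk sizes
// in one result set. The constant Key column makes the join a cross join, because a
// Device Query result has exactly one SystemInfo row and no device identifier to join on.
// Column names follow the Intune data platform schema; confirm against the schema page.
SystemInfo
| project HardwareVendor, HardwareModel, ComputerName, Key = 1
| join kind=inner (
    LogicalDrive
    | where Type =~ "Local Disk"                 // drive-type string is an assumption; adjust if needed
    | extend Key = 1
    | project Key, DeviceId,
              SizeGB = round(todouble(Size) / 1073741824, 1),       // bytes -> GiB
              FreeGB = round(todouble(FreeSpace) / 1073741824, 1)
  ) on Key
| extend FreePercent = round(100.0 * FreeGB / SizeGB, 1)
| project ComputerName, HardwareVendor, HardwareModel, DeviceId, SizeGB, FreeGB, FreePercent
```

In practice: ask Copilot for the SystemInfo projection and the LogicalDrive projection as two separate questions, use “Add to editor” for each, and stitch them together with the join before running, rather than expecting one prompt to produce the combined query.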

Copilot & Chat GPT

I was curious about how ChatGPT and Copilot would handle my question. Initially, I asked without providing the background information about Device Query and the table details, which resulted in some KQL queries that were not relevant to my needs. However, when I included the background information, they generated some excellent queries.

Make sure to provide ChatGPT or Copilot with the content from the following pages before asking your questions.

Device query in Microsoft Intune | Microsoft Learn
Intune data platform schema | Microsoft Learn

Please note that information you paste into ChatGPT is not protected in the same way as input to Copilot for Security. Copilot for Security processes prompts and the data it retrieves under Microsoft's enterprise data-protection commitments for your tenant (customer data is not used to train the foundation models), whereas the consumer ChatGPT service is a third-party service with its own retention and usage terms. Sharing the public schema documentation with either tool is fine, but treat device names, serial numbers, user identifiers and actual query results as sensitive and keep them out of ChatGPT.

Conclusion

My thoughts on Device Query with Copilot are mixed. It’s a promising tool for first-line support engineers, simplifying troubleshooting without needing deep KQL knowledge, which makes it more accessible and efficient.

However, it’s still in an early preview stage and needs refinement. During my testing, Copilot could generate useful queries about 80% of the time, but manual fine-tuning was often necessary. The inability to retain chat history is a significant drawback, and using two tabs as a workaround isn’t ideal.

The costs are also a concern. Device Query is already a premium feature, and the additional expense of Security Copilot compute units can be a barrier, especially for organizations with tight budgets. Because SCUs are billed hourly while provisioned, monitor Azure spending and set a budget alert on the resource group that holds the capacity so an idle capacity does not become an unexpected bill.

To improve its utility, Microsoft should provide example queries and support for multi-device queries. While it has some challenges, the concept behind Device Query with Copilot is promising. With further development and user-friendly features, it could become a valuable tool for IT support teams, enhancing device management and troubleshooting efficiency.
