KQL and Sentinel are Core Security Components, Even in an AI World
The December 7 post on Microsoft’s security blog is titled “New Microsoft Purview features use AI to help secure and govern all your data.” In reality, the post lays out two truths for Microsoft 365 tenant administrators. First, Microsoft wants to ingest security logs from multiple workloads and applications, including non-Microsoft sources, so that it can apply AI to sift gems of security insight out of those logs. Although Microsoft doesn’t say so explicitly, I assume that Sentinel is the preferred destination for this data (Sentinel is listed as a key component on the Security Copilot page).
The Need to Learn KQL
Second, while AI will “Empower and advance the work of junior staff” and “alleviate tedious tasks for senior staff” in terms of chasing down potential issues in security data, it seems clear that some level of competence with KQL (Kusto Query Language) is a good thing to attain. Being able to query security logs with KQL, including Office 365 audit data and the Microsoft Graph activity log (preview), is becoming a core skill, even with AI. I need to brush up on KQL and improve the queries I can construct (Figure 1), maybe over the holiday period.
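As an added example (not code from the original post, and not a Microsoft-supplied query), here are two Sentinel hunting queries over the data sources just mentioned. They assume the Microsoft 365 connector populates the standard OfficeActivity table and that the Graph activity log (preview) lands in a table named MicrosoftGraphActivityLogs; the column names used (OfficeWorkload, Operation, UserId, OfficeObjectId, ClientIP, RequestUri, ResponseStatusCode, AppId) are assumed to match those tables, and the thresholds are arbitrary starting points for a tenant to tune.

```kql
// Query 1: users pulling an unusual volume of files from SharePoint/OneDrive
// in the last 24 hours. Office 365 audit events are assumed to be in the
// OfficeActivity table (Sentinel's Microsoft 365 connector).
let lookback = 24h;
let downloadThreshold = 100;   // assumed baseline; tune per tenant
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation == "FileDownloaded"
| summarize
    Downloads     = count(),
    DistinctFiles = dcount(OfficeObjectId),
    SourceIPs     = make_set(ClientIP, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserId
| where Downloads > downloadThreshold
| order by Downloads desc

// Query 2: applications generating many failed (4xx) Graph API calls in the
// last 24 hours, which is a useful signal for misconfigured or over-privileged
// apps probing endpoints they cannot reach. Assumes the Graph activity log
// (preview) is ingested into the MicrosoftGraphActivityLogs table.
let failureThreshold = 50;     // assumed baseline; tune per tenant
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(24h)
| where ResponseStatusCode between (400 .. 499)
| summarize
    Failures     = count(),
    StatusCodes  = make_set(ResponseStatusCode, 10),
    SampleUris   = make_set(RequestUri, 5)
    by AppId
| where Failures > failureThreshold
| order by Failures desc
```

Both queries follow the same shape: narrow the time window first (cheapest filter, and the one that most affects cost), filter on workload and operation, then summarize by the identity you want to investigate. Turning either into a Sentinel analytics rule is mostly a matter of replacing the fixed thresholds with a baseline learned from the tenant’s own history.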

A good amount of information about KQL is available online, starting with Microsoft’s documentation. There’s also the “Must Learn KQL” initiative headed up by Rod Trent. Rod is now with Microsoft, but previously I worked with him at Penton Communications. He’s a good guy. Rod makes his KQL material available online and a paperback is also available.
A new book called the “Definitive guide to KQL (for operations, defending, and threat hunting)” is due for publication in March 2024. Let’s hope that the author team has a chance to incorporate topics like Security Copilot in that text.
Security Copilot Licenses
We don’t know yet how much Security Copilot licenses will cost or the licensing requirement. At this point, I assume that only those who use Security Copilot to analyze and interrogate security log data will need licenses, but I have been surprised by twists in Microsoft licensing before. Hopefully, Microsoft will keep things simple and arrive at a reasonable figure for a per-month license.
This raises the question of what a reasonable price is. Given the specialized nature of the analysis and the high value of finding security threats faster and more reliably, I don’t know, but I suspect that a Security Copilot license will cost more than the $30 charged for Microsoft 365 Copilot. Is $50/month too much? Well, considering the salary and benefits of a security analyst, $600 for an annual Security Copilot license doesn’t seem unreasonable, especially if its capabilities are anywhere close to what Microsoft claims (“Summarize vast data signals into key insights to cut through the noise, detect cyberthreats before they cause harm, and reinforce your security posture.”)
If customers follow Microsoft guidance and ingest data into Sentinel to make the information available to Security Copilot, there’s a bill for Azure log storage to be paid too. Tenants will have to pay attention to optimizing log ingestion and retention to avoid large charges accruing against their Azure subscription. Obviously, the more log data flows into the workspace, the higher those charges will be.
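To see where those charges come from before deciding what to trim, the Log Analytics workspace behind Sentinel can be queried with KQL as well. The following is an added example, not from the original post; it assumes the built-in Usage table with its DataType, IsBillable and Quantity (megabytes) columns, and that the workspace has at least 30 days of data.

```kql
// Query 1: billable ingestion per table over the last 30 days, largest first.
// Quantity in the Usage table is in MB; converted to GB for readability.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
| take 20

// Query 2: daily trend for the tables that matter to this post, so a spike
// (for example after enabling a new connector) is visible before the invoice is.
let watched = dynamic(["OfficeActivity", "MicrosoftGraphActivityLogs"]);
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| where DataType in (watched)
| summarize DailyGB = round(sum(Quantity) / 1024, 2) by bin(TimeGenerated, 1d), DataType
| order by TimeGenerated asc, DataType asc
```

The first query answers “which tables cost the most”; the second shows whether a given source is growing. Both are cheap to run because the Usage table is small, which makes them good candidates for a scheduled workbook rather than an ad hoc check.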
KQL is Important, Even with AI
I’m sure that AI processes will take on more of the hard work involved in sorting through security logs in the next few years. The key thing to keep in mind is that the AI is a digital helper driven by human directions rather than a source of truth that solves all problems. For the time being, human intelligence and insight will matter more than most AI interactions. And that’s why I’m focusing more on KQL.