XBOW integration with Microsoft Security tools

  • Enterprise only
  • Public preview

The XBOW integration for Microsoft Sentinel and Microsoft Security Copilot lets you bring pentesting data directly into your log analytics workspace, query it alongside your telemetry data, and run assessments using natural language.

Overview

The XBOW integration allows you to:

  • Ask complex questions about the correlation between vulnerabilities and attacks on an application.
  • Request pentests of applications using natural language.
  • Use the security knowledge stored in your workspace to define pentest objectives, for example, to find variants of a known vulnerability.

Prerequisites

  • Microsoft Sentinel
  • Microsoft Security Copilot
  • Azure subscription with Sentinel workspace
  • XBOW Console account with the organization administrator role

Components

The integration has three components: a Sentinel solution and two AI agents for Security Copilot. Install all three for the full integration. The XBOW Sentinel Connector and the XBOW Pentest Manager Agent can also be installed independently. The XBOW Pentest Analysis Agent requires the XBOW Sentinel Connector and cannot be installed on its own.

XBOW Sentinel Connector

This solution includes:

  • A data connector you can deploy to import XBOW penetration testing data into custom tables in a Log Analytics workspace in Microsoft Sentinel
  • Four analytics rule templates from which you can create scheduled rules that generate alerts from XBOW data

Benefits of installing this connector:

  • You can explore your pentesting results alongside all the other data you have about your application.
  • It’s easier to see patterns when you can query all your security data at once.
  • You can generate Sentinel alerts for critical, high, medium, and low risk XBOW findings, allowing you to manage all your alerts in one location.

XBOW Pentest Analysis Agent

This agent runs inside Microsoft Security Copilot to help security analysts investigate the XBOW data added by the XBOW Sentinel Connector.

Benefits of using this agent to analyze XBOW pentesting data:

  • The agent has skills for querying XBOW data and correlating it with security telemetry data stored in the Log Analytics workspace.
  • You can ask complex questions using natural language and find insights that might otherwise remain hidden.
  • The agent can correlate security alerts with exploitation attempts, assess risk impact, and derive actionable threat intelligence from the XBOW custom tables together with Azure resource data and application logs.
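The query below is an added example of the kind of correlation the connector and the analysis agent make possible: it joins high-severity XBOW findings with web server access logs to surface requests from the public internet against the vulnerable paths. It is not from the XBOW documentation or solution. The custom table name `XBOWFindings_CL` and its columns (`Severity_s`, `FindingId_s`, `Title_s`, `TargetHost_s`, `VulnPath_s`) are assumptions for illustration; the real names and schema are set by the XBOW Sentinel Connector solution, so substitute them after installing it. `AppServiceHTTPLogs` is the standard Azure App Service access log table.

```kql
// Added example (not part of the XBOW docs). XBOWFindings_CL and its
// columns are assumed names standing in for the connector's custom table.
let lookback = 7d;
let ExploitableFindings =
    XBOWFindings_CL
    | where TimeGenerated > ago(lookback)
    | where Severity_s in ("Critical", "High")
    | project FindingTime = TimeGenerated, FindingId_s, Title_s, Severity_s,
              TargetHost = tolower(TargetHost_s), VulnPath_s;
// Standard App Service access logs: look for traffic that reached the
// vulnerable path on the affected host from outside private ranges.
AppServiceHTTPLogs
| where TimeGenerated > ago(lookback)
| extend Host = tolower(CsHost)
| join kind=inner ExploitableFindings on $left.Host == $right.TargetHost
| where CsUriStem startswith VulnPath_s
| where not(ipv4_is_private(CIp))
| summarize RequestCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(CIp, 20),
            Statuses = make_set(ScStatus, 10)
          by FindingId_s, Title_s, Severity_s, TargetHost, VulnPath_s
| order by Severity_s asc, RequestCount desc
```

Run it in the Sentinel Logs blade once the connector has populated its tables, or wrap it in a scheduled analytics rule if you want an alert whenever a critical or high finding's path is being probed. Because the finding and the request are joined on host and path, a finding whose connector records a different host form (IP instead of hostname, or a port suffix) will not match; normalize `TargetHost` to whatever `CsHost` actually contains in your environment.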

XBOW Pentest Manager Agent

This agent runs inside Microsoft Security Copilot so you can run XBOW pentesting directly from Microsoft Security Copilot.

Benefits of using this agent to run tests in XBOW Console:

  • No need to context switch and authenticate with a different site when you want to run a pentest.
  • Use natural language to run a pentest assessment of an application.
  • The agent uses contextual data from your workspace to focus a test on the most vulnerable areas of an application.

The agent can draw on detailed information about each application, such as its server setup, recent attacks seen in logs, or data about critical vulnerabilities found in other applications, and use it to define pentest objectives that target the areas most likely to be exploitable.

SCU use by the XBOW agents

When you chat with the two XBOW agents, you use Microsoft Security Copilot and consume Security Compute Units (SCUs). See Microsoft Security Copilot Security Compute Units and capacity in Microsoft Learn.

The SCU consumption for each request varies according to the complexity of the request.

For the XBOW Pentest Analysis agent, SCU use also depends on the size of your environment, the quantity of security telemetry available, and the number of pentest findings. See Query XBOW findings using Security Copilot.
