Query XBOW findings using Security Copilot

  • Enterprise only
  • Public preview

After you set up the XBOW integration for Microsoft Sentinel, you can ask Security Copilot questions about the results of your XBOW pentests.

You ask questions in natural language and Security Copilot determines which skills provided by the XBOW Pentest Analysis agent to use. This makes it easy to get answers to complex questions quickly — Security Copilot generates the necessary Kusto queries for you.

Prerequisites

Extending Security Copilot skills

The XBOW Pentest Analysis agent knows the schemas of the three XBOW data tables: XbowAssets_CL, XbowFindings_CL, and XbowAssessments_CL. It also extends Security Copilot with pentesting-specific skills.

Each skill carries the information Security Copilot needs to interpret a user's question about pentest results and to relate those results to other data stored in Microsoft Sentinel for the same asset or application. The agent has access to a wide range of templated KQL queries covering expected user questions.

XBOW analysis skills

The XBOW Pentest Analysis agent is a read-only agent. It can provide insights and analysis but cannot take remediation actions.

  • Query XBOW data: Query custom tables XbowFindings_CL (findings) and XbowAssets_CL (assets) to retrieve security data from the XBOW platform.
  • Correlate with Sentinel security events: Cross-reference XBOW findings with Sentinel SecurityAlert, WAF blocks, application logs, and Azure activity logs.
  • Find evidence of exploitation: Search for production logs showing actual exploitation attempts corresponding to XBOW findings.
  • Impact assessment: Assess the impact of unremediated findings based on asset criticality and internet exposure.
  • Incident enrichment: Provide comprehensive context with device, user, file, and network telemetry.

Estimated SCU consumption

Each question you ask the agent consumes Security Compute Units (SCUs). See Microsoft Security Copilot Security Compute Units and capacity in Microsoft Learn.

The SCU consumption for each request varies according to the complexity of the request and the amount of data processed.

Estimated consumption for simple requests about pentesting data:

  • ~1 – 1.5 SCUs for a small resource group with limited pentest findings
  • ~2 – 3 SCUs for a resource group with multiple applications and many pentest findings
  • ~3 – 4 SCUs for a large resource group with many applications and associated pentest findings

If you ask the agent to correlate pentest results with telemetry data, or to find evidence of exploitation, this increases the work required and the number of SCUs used.

Example questions

The following are example questions to get you started.

Query XBOW data

  1. How many high-risk XBOW results were found last week?

    The agent runs a KQL query on the XbowFindings_CL table and then reports all critical and high-risk pentest findings detected in the last 7 days, with a summary.

  2. What applications have we tested using XBOW so far?

    The agent uses KQL to retrieve data from the XbowAssets_CL table and then reports the full list of applications, ordered by name.

  3. What are the last 10 pentest findings for the XYZ application?

    The agent uses KQL to get the 10 most recently detected findings from the XbowFindings_CL table.

Correlate with Sentinel security events

  • Have there been any configuration changes to MY-APPLICATION since we ran the last XBOW pentest?

    The agent searches Azure activity logs for configuration changes to resources related to XBOW assessments for MY-APPLICATION. The agent lists all configuration changes made to each resource since the last XBOW assessment was run.

Find evidence of exploitation

  • Find SQL injection alerts with evidence of exploitation.

    The agent searches Azure App Service HTTP logs (AppServiceHTTPLogs, W3CIISLog) for exploitation attempts against the application. Logs are searched for evidence of SQL injection attacks based on request patterns. This data is then correlated with XBOW findings for the application to determine whether any of the XBOW SQL injection results have been actively exploited.

    You can also use this approach for XSS, RCE, or path traversal attacks.
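    The following query is an added illustration of the kind of correlation described for this question; it is not the agent's own generated query, and the XbowFindings_CL column names it uses (Asset_s, Category_s, Severity_s, Path_s) are assumed placeholders because the table schema is not described on this page. It matches suspicious request patterns in AppServiceHTTPLogs against the hosts and paths of recent XBOW SQL injection findings.

```kusto
// Added example, not the agent's generated query. XbowFindings_CL column
// names below (Asset_s, Category_s, Severity_s, Path_s) are assumed placeholders.
let lookback = 7d;
// Most recent XBOW SQL injection finding per tested host and path.
let sqliFindings = XbowFindings_CL
    | where TimeGenerated > ago(30d)
    | where Category_s has "SQL injection"
    | summarize arg_max(TimeGenerated, *) by Asset_s, Path_s
    | project Asset_s, Path_s, Severity_s, FindingTime = TimeGenerated;
// Coarse request patterns typical of SQL injection probing; tune to reduce noise.
let sqliPattern = @"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|sleep\(\d+\)|waitfor\s+delay|information_schema)";
AppServiceHTTPLogs
| where TimeGenerated > ago(lookback)
| extend Request = strcat(CsUriStem, "?", CsUriQuery)
| where Request matches regex sqliPattern
// Keep only requests aimed at a host and path that XBOW flagged.
| join kind=inner sqliFindings on $left.CsHost == $right.Asset_s
| where CsUriStem startswith Path_s
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = dcount(CIp),
            SampleRequest = take_any(Request)
    by CsHost, CsUriStem, Severity_s, FindingTime
// Attempts seen after the finding was reported point at an unremediated issue being probed.
| extend SeenAfterFinding = LastSeen > FindingTime
| order by Attempts desc
```

    Swap AppServiceHTTPLogs for W3CIISLog (with its csUriStem, csUriQuery, sSiteName and cIP columns) when the application logs through IIS, and replace the pattern list to reuse the same correlation for XSS or path traversal findings.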