Merge pull request #58 from rod-trent/patch-17

Create SCU_All-in-One.yaml
Azure · May 21, 2024 · 137683e · 137683e
2 parents 18d9268 + d93054d
commit 137683e
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/Plugins/Community Based Plugins/SCU_All-in-One/SCU_All-in-One.yaml b/Plugins/Community Based Plugins/SCU_All-in-One/SCU_All-in-One.yaml
@@ -0,0 +1,19 @@
+Descriptor:
+  Name: CfSAllinOne
+  DisplayName: Copilot for Security Activity
+  Description: Looks for Copilot for Security Activity including SCU creation, changes and deletion and Standalone experience logins. Will be updated when new activities are discovered.
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: CfSAllinOne
+        DisplayName: Copilot for Security Activity
+        Description: Looks for Copilot for Security Activity including SCU creation, changes and deletion and Standalone experience logins. Will be updated when new activities are discovered.
+        Settings:
+          Target: Sentinel
+          TenantId: <your_tenant_ID>
+          SubscriptionId: <your_sub_ID>
+          ResourceGroupName: <your_RG>
+          WorkspaceName: <your_Sentinel_WS>
+          Template: |-
+            let CfS_Logins = SigninLogs | where AppDisplayName == "Medeina Portal" | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName; let SCU_Changes = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"| project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let SCU_Deleted = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete" | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated; union CfS_Logins, SCU_Changes, SCU_Deleted