From c8c7aabfb04349769f12cdd2ea2688b1d1abad13 Mon Sep 17 00:00:00 2001 From: shrutiailani <121015823+shrutiailani@users.noreply.github.com> Date: Wed, 13 Aug 2025 15:57:41 +0200 Subject: [PATCH 1/7] Create Microsoft Security Exposure Management.yaml Plugin submission for Microsoft Security Exposure Management. This is version 1, more skills to be added in subsequent versions. --- ...icrosoft Security Exposure Management.yaml | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml new file mode 100644 index 00000000..914abab1 --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml @@ -0,0 +1,92 @@ +Descriptor: + Name: Microsoft Exposure Management + DisplayName: Microsoft Exposure Management + Description: This KQL plugin integrates capabilities of Microsoft Security Exposure Management (MSEM) with Security Copilot to show exposed devices. The situational awareness from MSEM and the quick and consistent retrieval capabilities of SCP, MSEM and SCP empower the SOC Engineers with a natural-language front door into exposure insights and attack paths, this combination also opens the door to include MSEM content, and the reasoning over this content in Security Copilot prompts, in prompt books and allows the use of this content in automation scenarios that leverage security copilot. The two skills of the plugins correspond to the following two use cases:1) Obtain exposure of an asset hosted on a particular cloud platform by your organization ; 2) Obtain exposure of an asset belonging to a specific user . As a user you could also specify the exposure level for which you want to extract the data, in each of the above use cases. + + SupportedAuthTypes: + - None + +##################################################################################### +# SkillGroups can be a single type (KQL, GPT, API) or contain a mix +##################################################################################### + +SkillGroups: + - Format: KQL + + Skills: + - Name: GetExposedDevicesByCloudPlatform + DisplayName: Get exposed Devices by Cloud Platform and exposure level. + Description: For a specific cloud platform (aka "Azure" or "GCP" or "AWS") or a list of cloud platform of the device separated by commas, semi-colons, or using the word 'or', get a list of devices + based on the exposure level specified by the user (aka "Low" or "Medium" or "High") or a list of exposures separated by commas. + DescriptionForModel: For a specific cloud platform of the device (aka "Azure" or "GCP" or "AWS") or a list of cloud platform of the device separated by commas, get a list of devices based on the exposure level specified by the user (aka "Low" or "Medium" or "High") or a list of exposures separated by commas. The results will be returned as a response to the query containing multiple entries, the user needs to be shown the below details from the response about each device DeviceName, DeviceId, ExposureLevel, CloudPlatforms, OSPlatform, OSArchitecture. + VERY IMPORTANT - Never truncate the list of devices retrieved by launching the KQL query related to this skill. Also if the user wants to search on premises then the value for CloudPlatforms should be blank in the query + + ExamplePrompts: + - Get all the devices exposed on Azure platform + - Get all the devices exposed on AWS platform + - Get all the devices exposed on GCP platform + - Get all the devices with exposure level High on Azure platform + - Get all the devices with exposure level Medium on Azure platform + - Get all the devices with exposure level Low on Azure platform + - Get all the devices with exposure level High on AWS platform + - Get all the devices with exposure level Medium on AWS platform + - Get all the devices with exposure level Low on AWS platform + - Get all the devices with exposure level High on GCP platform + - Get all the devices with exposure level Medium on GCP platform + - Get all the devices with exposure level Low on GCP platform + + Inputs: + - Name: inputExposureLevel + Description: provide the exposure level you want to consider - e.g. High, Medium, Low (only one level) + Required: true + - Name: inputCloudPlatforms + Description: provide the cloud platform of the device you want to consider - e.g. Azure or GCP or AWS + Required: false + + Settings: + Target: Defender + Template: |- + let userExposureLevel='{{inputExposureLevel}}'; + let userCloudPlatform='{{inputCloudPlatforms}}'; + DeviceInfo + | where ExposureLevel in (userExposureLevel) + | where + (CloudPlatforms == '' and isempty(userCloudPlatform)) or + (CloudPlatforms != '' and CloudPlatforms contains userCloudPlatform) + | project DeviceName, DeviceId, ExposureLevel, CloudPlatforms, OSPlatform, OSArchitecture, TimeGenerated + + - Name: GetExposedDevicesByUser + DisplayName: Get exposed devices by UPN and optionally exposure level + Description: For a specific user UPN (aka "user" or "UPN") or a list of users separated by commas, get a list of devices + based on the exposure level specified by the user (aka "Low" or "Medium" or "High") or a list of exposures separated by commas. + DescriptionForModel: For a specific user UPN (aka "user" or "UPN") or a list of users separated by commas, get a list of devices + based on the exposure level specified by the user (aka "Low" or "Medium" or "High") or a list of exposures separated by commas. + The results will be returned as a response to the query containing multiple entries, the user needs to be shown the below details from the response about each device UPN, DeviceName, DeviceId, ExposureLevel, CloudPlatforms, OSPlatform, OSArchitecture. + VERY IMPORTANT - Never truncate the list of devices retrieved by launching the KQL query related to this skill. Also if the user wants to search on premises then the value for CloudPlatforms should be blank in the query. + + ExamplePrompts: + - Get all the devices with exposure level High belonging to user john.doe@contoso.com + - Get all the devices with exposure level Medium belonging to user john.doe@contoso.com + - Get all the devices with exposure level Low belonging to user john.doe@contoso.com + + Inputs: + - Name: inputExposureLevel + Description: provide the exposure level you want to consider - e.g. High, Medium, Low + Required: false + - Name: inputUPN + Description: provide the user primary name (UPN) + Required: true + Settings: + Target: Defender + Template: |- + let userExposureLevel='{{inputExposureLevel}}'; + let userUPN='{{inputUPN}}'; + IntuneDevices + | where UPN contains userUPN + | project DeviceName = tolower(DeviceName) + | join kind=inner ( + DeviceInfo + | where ExposureLevel == "Medium" + | project DeviceName = tolower(DeviceName), DeviceId,ExposureLevel, CloudPlatforms, OSPlatform, OSArchitecture, TimeGenerated + ) on DeviceName + From 54f258d68907360b4b8e9f2f397a4108f1d2c3c4 Mon Sep 17 00:00:00 2001 From: anashadidi-msft Date: Wed, 13 Aug 2025 18:14:09 +0400 Subject: [PATCH 2/7] Rename Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml to Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml Created the Microsoft Security Exposure Management Plugin for Security Copilot. This is version 1.0 --- .../Microsoft Security Exposure Management.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Plugins/Community Based Plugins/{ => Microsoft Security Exposure Management}/Microsoft Security Exposure Management.yaml (100%) diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml similarity index 100% rename from Plugins/Community Based Plugins/Microsoft Security Exposure Management.yaml rename to Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml From fb1d9bdce297f230302efe3d310599166e006eb4 Mon Sep 17 00:00:00 2001 From: anashadidi-msft Date: Thu, 28 Aug 2025 16:34:55 +0400 Subject: [PATCH 3/7] Update Microsoft Security Exposure Management.yaml Updated as per the recommendation received on 27 Aug --- ...icrosoft Security Exposure Management.yaml | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml index 914abab1..ecab96b2 100644 --- a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml +++ b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml @@ -1,7 +1,15 @@ Descriptor: Name: Microsoft Exposure Management DisplayName: Microsoft Exposure Management - Description: This KQL plugin integrates capabilities of Microsoft Security Exposure Management (MSEM) with Security Copilot to show exposed devices. The situational awareness from MSEM and the quick and consistent retrieval capabilities of SCP, MSEM and SCP empower the SOC Engineers with a natural-language front door into exposure insights and attack paths, this combination also opens the door to include MSEM content, and the reasoning over this content in Security Copilot prompts, in prompt books and allows the use of this content in automation scenarios that leverage security copilot. The two skills of the plugins correspond to the following two use cases:1) Obtain exposure of an asset hosted on a particular cloud platform by your organization ; 2) Obtain exposure of an asset belonging to a specific user . As a user you could also specify the exposure level for which you want to extract the data, in each of the above use cases. + Description: > + This KQL plugin integrates capabilities of Microsoft Security Exposure Management (MSEM) with Security Copilot to show exposed devices. + MSEM provides situational awareness, while Security Copilot (SCP) offers quick and consistent retrieval capabilities. + Together, MSEM and SCP empower SOC Engineers with a natural-language front door into exposure insights and attack paths. + This combination also enables the inclusion of MSEM content and reasoning over this content in Security Copilot prompts, prompt books, and automation scenarios that leverage Security Copilot. + The two skills of the plugin correspond to the following use cases - + 1) Obtain exposure of an asset hosted on a particular cloud platform by your organization. + 2) Obtain exposure of an asset belonging to a specific user. + In each of the above use cases, you can also specify the exposure level for which you want to extract the data. SupportedAuthTypes: - None @@ -37,10 +45,10 @@ SkillGroups: Inputs: - Name: inputExposureLevel - Description: provide the exposure level you want to consider - e.g. High, Medium, Low (only one level) + Description: Provide the exposure level you want to consider - e.g. High, Medium, Low (only one level) Required: true - Name: inputCloudPlatforms - Description: provide the cloud platform of the device you want to consider - e.g. Azure or GCP or AWS + Description: Provide the cloud platform of the device you want to consider - e.g. Azure or GCP or AWS Required: false Settings: @@ -71,10 +79,10 @@ SkillGroups: Inputs: - Name: inputExposureLevel - Description: provide the exposure level you want to consider - e.g. High, Medium, Low + Description: Provide the exposure level you want to consider - e.g. High, Medium, Low Required: false - Name: inputUPN - Description: provide the user primary name (UPN) + Description: Provide the user primary name (UPN) Required: true Settings: Target: Defender @@ -86,7 +94,7 @@ SkillGroups: | project DeviceName = tolower(DeviceName) | join kind=inner ( DeviceInfo - | where ExposureLevel == "Medium" + | where ExposureLevel == userExposureLevel or isempty(userExposureLevel) | project DeviceName = tolower(DeviceName), DeviceId,ExposureLevel, CloudPlatforms, OSPlatform, OSArchitecture, TimeGenerated ) on DeviceName From b00cf09ef0e9c7e5e94072d6c754ead274dffb60 Mon Sep 17 00:00:00 2001 From: anashadidi-msft Date: Thu, 28 Aug 2025 16:51:42 +0400 Subject: [PATCH 4/7] Update Microsoft Security Exposure Management.yaml Updated the yaml file as per recommendations received on 27 Aug --- .../Microsoft Security Exposure Management.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml index ecab96b2..4e06ee81 100644 --- a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml +++ b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml @@ -2,14 +2,14 @@ Descriptor: Name: Microsoft Exposure Management DisplayName: Microsoft Exposure Management Description: > - This KQL plugin integrates capabilities of Microsoft Security Exposure Management (MSEM) with Security Copilot to show exposed devices. - MSEM provides situational awareness, while Security Copilot (SCP) offers quick and consistent retrieval capabilities. - Together, MSEM and SCP empower SOC Engineers with a natural-language front door into exposure insights and attack paths. - This combination also enables the inclusion of MSEM content and reasoning over this content in Security Copilot prompts, prompt books, and automation scenarios that leverage Security Copilot. - The two skills of the plugin correspond to the following use cases - - 1) Obtain exposure of an asset hosted on a particular cloud platform by your organization. - 2) Obtain exposure of an asset belonging to a specific user. - In each of the above use cases, you can also specify the exposure level for which you want to extract the data. + This KQL plugin integrates capabilities of Microsoft Security Exposure Management (MSEM) with Security Copilot to show exposed devices. + MSEM provides situational awareness, while Security Copilot (SCP) offers quick and consistent retrieval capabilities. + Together, MSEM and SCP empower SOC Engineers with a natural-language front door into exposure insights and attack paths. + This combination also enables the inclusion of MSEM content and reasoning over this content in Security Copilot prompts, prompt books, and automation scenarios that leverage Security Copilot. + The two skills of the plugin correspond to the following use cases - + 1) Obtain exposure of an asset hosted on a particular cloud platform by your organization. + 2) Obtain exposure of an asset belonging to a specific user. + In each of the above use cases, you can also specify the exposure level for which you want to extract the data. SupportedAuthTypes: - None From 888cff7687bce6150f4cf317a0c226a49118a54c Mon Sep 17 00:00:00 2001 From: Sean Kwach Wasonga <67633117+KwachSean@users.noreply.github.com> Date: Tue, 2 Sep 2025 11:28:41 +0300 Subject: [PATCH 5/7] Update Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../Microsoft Security Exposure Management.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml index 4e06ee81..b94e202f 100644 --- a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml +++ b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml @@ -57,7 +57,7 @@ SkillGroups: let userExposureLevel='{{inputExposureLevel}}'; let userCloudPlatform='{{inputCloudPlatforms}}'; DeviceInfo - | where ExposureLevel in (userExposureLevel) + | where ExposureLevel == userExposureLevel | where (CloudPlatforms == '' and isempty(userCloudPlatform)) or (CloudPlatforms != '' and CloudPlatforms contains userCloudPlatform) From 5e4063c10d7b7cd3c05ba724a419b70c5b33f475 Mon Sep 17 00:00:00 2001 From: Sean Kwach Wasonga <67633117+KwachSean@users.noreply.github.com> Date: Tue, 2 Sep 2025 11:28:48 +0300 Subject: [PATCH 6/7] Update Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../Microsoft Security Exposure Management.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml index b94e202f..dc1ae560 100644 --- a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml +++ b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml @@ -90,7 +90,7 @@ SkillGroups: let userExposureLevel='{{inputExposureLevel}}'; let userUPN='{{inputUPN}}'; IntuneDevices - | where UPN contains userUPN + | where UPN == userUPN | project DeviceName = tolower(DeviceName) | join kind=inner ( DeviceInfo From 5e54024c965a92f9b6f3fd3f8b8f6ef496d915f8 Mon Sep 17 00:00:00 2001 From: Sean Kwach Wasonga <67633117+KwachSean@users.noreply.github.com> Date: Tue, 2 Sep 2025 11:28:57 +0300 Subject: [PATCH 7/7] Update Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../Microsoft Security Exposure Management.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml index dc1ae560..ce9764cb 100644 --- a/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml +++ b/Plugins/Community Based Plugins/Microsoft Security Exposure Management/Microsoft Security Exposure Management.yaml @@ -59,8 +59,7 @@ SkillGroups: DeviceInfo | where ExposureLevel == userExposureLevel | where - (CloudPlatforms == '' and isempty(userCloudPlatform)) or - (CloudPlatforms != '' and CloudPlatforms contains userCloudPlatform) + (CloudPlatforms != '' and (CloudPlatforms contains userCloudPlatform or isempty(userCloudPlatform))) | project DeviceName, DeviceId, ExposureLevel, CloudPlatforms, OSPlatform, OSArchitecture, TimeGenerated - Name: GetExposedDevicesByUser