Copilot for Security Plugin: Copilot for Security Portal Logins
This plugin lets you track how many logins there have been to the Copilot for Security standalone experience and who logged in.
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/CfSLogins.yaml
What’s inside the yaml file:
Descriptor:
  Name: CfSLogins
  DisplayName: Copilot for Security Portal Logins
  Description: Identifies Copilot for Security Portal logins in the last 3 days

SkillGroups:
  - Format: KQL
    Skills:
      - Name: CfSLogins
        DisplayName: Copilot for Security Portal Logins
        Description: Identifies Copilot for Security Portal logins in the last 3 days
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            SigninLogs
            | where TimeGenerated >= ago(3d)
            | where AppDisplayName == "Medeina Portal"
            | project TimeGenerated, Identity, UserPrincipalName, AppDisplayName, OperationName
Note that you’ll need to replace the placeholder values in angle brackets (TenantId, SubscriptionId, ResourceGroupName and WorkspaceName) with your own environment details.
Example prompts:
Have there been any logins to the Copilot for Security portal recently?
How many times has <username> logged into the Copilot for Security portal in the last 3 days?
What was the most recent login to the Copilot for Security portal?
Have there been any logins to the Copilot for Security portal in the last 10 minutes?
The KQL query that is being utilized by the plugin:
SigninLogs
| where TimeGenerated >= ago(3d)
| where AppDisplayName == "Medeina Portal"
| project TimeGenerated, Identity, UserPrincipalName, AppDisplayName, OperationName
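The plugin's query returns one row per sign-in event and does not filter on outcome, so failed attempts appear alongside successful ones. The following variant is an added example, not part of the plugin file; it rolls the same events up per user and separates successes from failures. It assumes the standard SigninLogs columns ResultType (the string "0" for a successful sign-in) and IPAddress are populated in your workspace.

```kql
// Added example: per-user summary of Copilot for Security portal sign-ins.
SigninLogs
| where TimeGenerated >= ago(3d)
| where AppDisplayName == "Medeina Portal"
| summarize
    TotalSignIns  = count(),
    Successful    = countif(ResultType == "0"),   // "0" = success in SigninLogs
    Failed        = countif(ResultType != "0"),   // any non-zero error code
    DistinctIPs   = dcount(IPAddress),            // number of source addresses seen
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserPrincipalName
| order by TotalSignIns desc
```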
To install this in your own Copilot for Security instance, see: Add custom plugins