Copilot for Security Activity All-in-One Custom Plugin
This plugin combines previous plugins into a single, all-in-one effort to capture and respond with Copilot for Security activity. This plugin will be updated as additional monitoring activity is made available and identified.
UPDATED June 18, 2024: see version history below
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/tree/main/Plugins/CfSAllinOne
What’s inside the yaml file:
Descriptor:
  Name: CfSAllinOne
  DisplayName: Copilot for Security Activity
  Description: Looks for all Copilot for Security Activity including SCU creation, changes and deletion and Standalone and embedded experience logins. Will be updated when new activities are discovered.
SkillGroups:
  - Format: KQL
    Skills:
      - Name: CfSAllinOne
        DisplayName: Copilot for Security Activity
        Description: Looks for all Copilot for Security Activity including SCU creation, changes and deletion and Standalone and embedded experience logins. Will be updated when new activities are discovered.
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_sub_ID>
          ResourceGroupName: <your_RG>
          WorkspaceName: <your_Sentinel_WS>
        Template: |-
          let CfS_Logins = SigninLogs
              | where AppDisplayName == "Medeina Portal"
              | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName;
          let SCU_Changes = AzureActivity
              | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
              | extend resourceName = tostring(parse_json(Properties).resource)
              | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
              | extend resourceActivity = tostring(parse_json(Properties).message)
              | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"
              | project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated;
          let Bad_Login = BehaviorAnalytics
              | where ActivityInsights.App == "Medeina Portal"
              | where ActivityInsights.Resource == "Medeina Service"
              | where ActivityType == "FailedLogOn"
              | project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation;
          let SCU_Deleted = AzureActivity
              | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
              | extend resourceName = tostring(parse_json(Properties).resource)
              | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
              | extend resourceActivity = tostring(parse_json(Properties).message)
              | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete"
              | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated;
          let Intune_Activity = AADNonInteractiveUserSignInLogs
              | where AppDisplayName == "Microsoft Intune portal extension"
              | extend city_ = tostring(parse_json(LocationDetails).city)
              | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion)
              | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude)
              | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude)
              | extend state_ = tostring(parse_json(LocationDetails).state)
              | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs;
          let Defender_XDR = AADNonInteractiveUserSignInLogs
              | where AppDisplayName == "Microsoft 365 Security and Compliance Center"
              | where ResourceDisplayName has "Medeina"
              | extend city_ = tostring(parse_json(LocationDetails).city)
              | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion)
              | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude)
              | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude)
              | extend state_ = tostring(parse_json(LocationDetails).state)
              | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs;
          let Failed_MFA = SigninLogs
              | where TimeGenerated >= ago(24h)
              | where AppDisplayName == "Medeina Portal"
              | where ResultType == "50074"
              | extend city = LocationDetails.city
              | extend state = LocationDetails.state
              | extend region = LocationDetails.countryOrRegion
              | extend latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude
              | extend longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude
              | project UserDisplayName, UserPrincipalName, UserType, city, state, region, latitude, longitude, AADTenantId;
          union CfS_Logins, SCU_Changes, SCU_Deleted, Bad_Login, Intune_Activity, Defender_XDR, Failed_MFA
Note that you'll need to replace the placeholder values (the angle-bracketed entries under Settings) with your own environment details before the plugin will connect to your workspace. Specifically, this section:
TenantId: <your_tenant_ID>
SubscriptionId: <your_sub_ID>
ResourceGroupName: <your_RG>
WorkspaceName: <your_Sentinel_WS>
Example prompts:
Use Copilot for Security Activity and tell me if someone has logged into Copilot for Security today.
Has anyone changed the SCUs in the last 30 days?
Summarize Copilot for Security activity in the last 3 days.
Has anyone used the Intune extension for Copilot for Security recently?
Has anyone used Defender XDR for Copilot for Security recently?
Use Copilot for Security Activity to tell me the range of processing time for SCU operations.
Use Copilot for Security Activity and tell me if anyone has failed the MFA login for Copilot for Security.
Use Copilot for Security Activity and summarize Copilot for Security activity in the last 24 hours.
The KQL query that is being utilized by the plugin (the same query as in the Template block above, shown here so you can paste it straight into Sentinel Logs):
let CfS_Logins = SigninLogs
    | where AppDisplayName == "Medeina Portal"
    | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName;
let SCU_Changes = AzureActivity
    | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
    | extend resourceName = tostring(parse_json(Properties).resource)
    | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
    | extend resourceActivity = tostring(parse_json(Properties).message)
    | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"
    | project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated;
let Bad_Login = BehaviorAnalytics
    | where ActivityInsights.App == "Medeina Portal"
    | where ActivityInsights.Resource == "Medeina Service"
    | where ActivityType == "FailedLogOn"
    | project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation;
let SCU_Deleted = AzureActivity
    | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
    | extend resourceName = tostring(parse_json(Properties).resource)
    | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
    | extend resourceActivity = tostring(parse_json(Properties).message)
    | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete"
    | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated;
let Intune_Activity = AADNonInteractiveUserSignInLogs
    | where AppDisplayName == "Microsoft Intune portal extension"
    | extend city_ = tostring(parse_json(LocationDetails).city)
    | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion)
    | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude)
    | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude)
    | extend state_ = tostring(parse_json(LocationDetails).state)
    | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs;
let Defender_XDR = AADNonInteractiveUserSignInLogs
    | where AppDisplayName == "Microsoft 365 Security and Compliance Center"
    | where ResourceDisplayName has "Medeina"
    | extend city_ = tostring(parse_json(LocationDetails).city)
    | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion)
    | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude)
    | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude)
    | extend state_ = tostring(parse_json(LocationDetails).state)
    | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs;
let Failed_MFA = SigninLogs
    | where TimeGenerated >= ago(24h)
    | where AppDisplayName == "Medeina Portal"
    | where ResultType == "50074"
    | extend city = LocationDetails.city
    | extend state = LocationDetails.state
    | extend region = LocationDetails.countryOrRegion
    | extend latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude
    | extend longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude
    | project UserDisplayName, UserPrincipalName, UserType, city, state, region, latitude, longitude, AADTenantId;
union CfS_Logins, SCU_Changes, SCU_Deleted, Bad_Login, Intune_Activity, Defender_XDR, Failed_MFA
A couple of things to keep in mind when reading the results. The seven branches project different column sets, and the union fills the columns a branch does not have with empty values, so a row's activity type has to be inferred from which columns are populated (resourceActivity for SCU operations, ActionType for failed logons, AppDisplayName for the sign-in branches). Two branches, Bad_Login and Failed_MFA, do not project TimeGenerated at all, so a prompt scoped to "today" or "the last 24 hours" cannot be applied to those rows; Failed_MFA is instead pinned to the last 24 hours by its own where clause, while every other branch returns the full retention window unless the prompt narrows it. ResultType 50074 is the Entra ID sign-in result for a user who was challenged for strong authentication and did not complete it.
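If you want every activity type to answer the same time-scoped and "summarize" prompts, the fix is to give each branch the same schema. The query below is an added example and is not the plugin's own query: it reads the same tables and applies the same filters as the plugin, but stamps every row with TimeGenerated, a constant Activity label, a common Actor column and a common SourceIp column, then rolls the union up per actor and activity. The lookback value, the Activity label strings, the use of IPAddress from the sign-in tables and the column names Actor, SourceIp and Detail are my choices, not something in the plugin; the Intune branch is left without the "Medeina" resource filter, exactly as in the original.

```kql
// Added example, not the plugin's query. Same sources and filters as the
// all-in-one plugin, normalised to one schema:
//   TimeGenerated, Activity, Actor, SourceIp, Detail
// so a single time filter and a single summarize apply to every branch.
let lookback = 7d;   // assumption: one window for all branches (the plugin uses 24h only for Failed_MFA)
let CfS_Logins = SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where AppDisplayName == "Medeina Portal"
    | project TimeGenerated, Activity = "StandaloneLogin",
              Actor = UserPrincipalName, SourceIp = IPAddress, Detail = OperationName;
// SCU create/change and SCU delete folded into one branch; the label tells them apart
let SCU_Ops = AzureActivity
    | where TimeGenerated >= ago(lookback)
    | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
    | extend resourceActivity = tostring(parse_json(Properties).message)
    | where resourceActivity in ("Microsoft.SecurityCopilot/capacities/write",
                                 "Microsoft.SecurityCopilot/capacities/delete")
    | extend Activity = iff(resourceActivity endswith "/delete", "SCUDeleted", "SCUWrite")
    | project TimeGenerated, Activity, Actor = Caller, SourceIp = CallerIpAddress,
              Detail = tostring(parse_json(Properties).resource);
let Bad_Login = BehaviorAnalytics
    | where TimeGenerated >= ago(lookback)
    | where ActivityInsights.App == "Medeina Portal"
    | where ActivityInsights.Resource == "Medeina Service"
    | where ActivityType == "FailedLogOn"
    | project TimeGenerated, Activity = "FailedLogon", Actor = UserPrincipalName,
              SourceIp = SourceIPAddress, Detail = tostring(SourceIPLocation);
let Failed_MFA = SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where AppDisplayName == "Medeina Portal"
    | where ResultType == "50074"   // strong authentication required and not completed
    | project TimeGenerated, Activity = "FailedMFA", Actor = UserPrincipalName,
              SourceIp = IPAddress, Detail = ResultDescription;
// Embedded experiences: Intune extension (no resource filter, as in the plugin)
// and the Defender/M365 portal restricted to the Medeina resource
let Intune_Activity = AADNonInteractiveUserSignInLogs
    | where TimeGenerated >= ago(lookback)
    | where AppDisplayName == "Microsoft Intune portal extension"
    | project TimeGenerated, Activity = "Embedded:Intune", Actor = UserPrincipalName,
              SourceIp = IPAddress, Detail = ResourceDisplayName;
let Defender_XDR = AADNonInteractiveUserSignInLogs
    | where TimeGenerated >= ago(lookback)
    | where AppDisplayName == "Microsoft 365 Security and Compliance Center"
    | where ResourceDisplayName has "Medeina"
    | project TimeGenerated, Activity = "Embedded:DefenderXDR", Actor = UserPrincipalName,
              SourceIp = IPAddress, Detail = ResourceDisplayName;
// Every branch now has identical column names and types, so the union is clean
union CfS_Logins, SCU_Ops, Bad_Login, Failed_MFA, Intune_Activity, Defender_XDR
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIps = make_set(SourceIp, 10)
          by Actor, Activity
| order by LastSeen desc
```

Drop the trailing summarize if you want the raw rows back; the point of the labelled schema is that a prompt such as "who changed SCUs in the last 30 days" becomes a where clause on Activity and TimeGenerated instead of a guess about which columns happen to be populated. An actor that shows up with both a FailedMFA (or FailedLogon) row and an SCUWrite or SCUDeleted row inside the same window is the combination worth looking at first.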
To install this in your own Copilot for Security instance, see: Add custom plugins
Version History
May 2, 2024 - initial release. Includes: SCU creation, SCU changes, and SCU deletion. Standalone experience logins.
May 28, 2024 - Now includes failed login to the Copilot for Security service.
June 5, 2024 - Added the ability to show who has used the Microsoft Intune extension recently. Includes things like: user, location, processing time (in ms).
June 5, 2024 - Added the ability to show who has used the CfS capability in the Defender unified console.
June 18, 2024 - Added the ability to show who has failed MFA authentication to the Standalone experience.