Copilot for Security Custom Plugin to Track SCU Changes
Know about SCU changes directly in Copilot for Security.
In addition to setting alerts in Microsoft Sentinel or Azure Monitor, or manually watching the Usage Monitoring screens to find out when Copilot for Security capacity (Security Compute Units, or SCUs) changes, you can use a custom plugin.
The plugin download: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/KQL_Plugin_SCU_Changes.yaml
The yaml file:
Descriptor:
  Name: SCUChanges
  DisplayName: SCU Changes
  Description: Looks for SCU changes in the last 3 days

SkillGroups:
  - Format: KQL
    Skills:
      - Name: SCUChanges
        DisplayName: SCU Changes
        Description: Looks for SCU changes in the last 3 days
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_sub_ID>
          ResourceGroupName: <your_RG>
          WorkspaceName: <your_Sentinel_WS>
          Template: |-
            AzureActivity
            | where TimeGenerated >= ago(3d)
            | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
            | extend resourceName = tostring(parse_json(Properties).resource)
            | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
            | extend resourceActivity = tostring(parse_json(Properties).message)
            | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"
            | distinct Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity
As with the Trusted Users custom plugin, you'll need to replace the placeholder values in angle brackets (TenantId, SubscriptionId, ResourceGroupName and WorkspaceName) with your own environment information before you Add a Custom Plugin.
The custom plugin is a KQL-based plugin that queries the AzureActivity table in your Sentinel workspace, so that workspace must be ingesting the Azure Activity log from the subscription that holds the Copilot for Security capacity resource; if the Azure Activity data connector isn't enabled for that subscription, the query returns nothing and the plugin will always report no changes.
Query:
AzureActivity
| where TimeGenerated >= ago(3d)
| where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
| extend resourceName = tostring(parse_json(Properties).resource)
| extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
| extend resourceActivity = tostring(parse_json(Properties).message)
| where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"
| distinct Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity
The session prompt to use: Have there been any SCU Changes recently?
The query checks the last 3 days. You can change the ago(3d) value in the query in the custom plugin YAML file to whatever time range is most appropriate for your environment. Two things to keep in mind when you tune it: the distinct line drops TimeGenerated, so the answer tells you that a change happened inside the window but not when (add TimeGenerated to the distinct if you want the timestamp), and the query doesn't filter on ActivityStatusValue, so a capacity write that was started but failed matches just like a successful one, and any capacities/write operation matches, including the initial creation of the capacity, not only a change to its SCU count.
Based on the results, the plugin responds with one of the following:
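To see what the query actually does to a set of rows, here is an added example that is not code from the post or the plugin repository: a plain Python re-implementation of the KQL pipeline, stage for stage, run over constructed AzureActivity-style records. The column names follow the Sentinel AzureActivity table; the callers, IP addresses, resource names, the fixed "now", and the lookback_days and operations parameters are assumptions for illustration.

```python
"""
Added example (not from the original post or the plugin repository): a plain
Python re-implementation of the plugin's KQL pipeline, run over constructed
AzureActivity-style rows so the filtering and de-duplication can be checked
offline. Column names (TimeGenerated, ResourceProviderValue, Properties,
Caller, CallerIpAddress, ActivityStatusValue) follow the Sentinel AzureActivity
table; the rows themselves are constructed test data, not real log output.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the window arithmetic below is deterministic (assumption).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)

SCU_PROVIDER = "MICROSOFT.SECURITYCOPILOT"
SCU_WRITE = "Microsoft.SecurityCopilot/capacities/write"


def _row(hours_ago, caller, ip, resource, message, provider=SCU_PROVIDER, status="Succeeded"):
    """Build one constructed AzureActivity row. Properties is a JSON *string*,
    which is why the KQL has to call parse_json() before reading its fields."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "ResourceProviderValue": provider,
        "Caller": caller,
        "CallerIpAddress": ip,
        "ActivityStatusValue": status,
        "Properties": json.dumps({
            "resource": resource,
            "resourceGroup": "rg-copilot",
            "message": message,
        }),
    }


# Constructed sample data covering the cases the query has to separate.
SAMPLE_ROWS = [
    # One capacity update logged as two rows (Start, then Succeeded): distinct
    # should collapse these into a single line of output.
    _row(5, "alice@contoso.com", "203.0.113.10", "scu-prod", SCU_WRITE, status="Start"),
    _row(5, "alice@contoso.com", "203.0.113.10", "scu-prod", SCU_WRITE),
    # Reading the capacity is not a change.
    _row(4, "alice@contoso.com", "203.0.113.10", "scu-prod", "Microsoft.SecurityCopilot/capacities/read"),
    # A write from 10 days ago: outside the default 3-day window.
    _row(240, "bob@contoso.com", "198.51.100.7", "scu-prod", SCU_WRITE),
    # Same operation suffix, wrong resource provider.
    _row(1, "carol@contoso.com", "192.0.2.5", "vm01", "Microsoft.Compute/virtualMachines/write",
         provider="MICROSOFT.COMPUTE"),
]


def scu_changes(rows, lookback_days=3, now=NOW, operations=(SCU_WRITE,)):
    """Mirror the KQL stage by stage:
       where TimeGenerated >= ago(3d)
       where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
       extend ... = tostring(parse_json(Properties).<field>)
       where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"
       distinct Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity
    lookback_days stands in for the ago() window; operations is an added knob
    (the plugin itself matches only capacities/write)."""
    window_start = now - timedelta(days=lookback_days)
    seen = set()
    results = []
    for row in rows:
        if row["TimeGenerated"] < window_start:
            continue
        if row["ResourceProviderValue"] != SCU_PROVIDER:
            continue
        props = json.loads(row["Properties"])
        activity = str(props.get("message", ""))
        if activity not in operations:
            continue
        # distinct: the key is exactly the projected column set, so the Start and
        # Succeeded rows of one write (and repeated writes by the same caller from
        # the same IP) fold into one result, and TimeGenerated is not retained.
        key = (row["Caller"], row["CallerIpAddress"],
               str(props.get("resource", "")), str(props.get("resourceGroup", "")), activity)
        if key in seen:
            continue
        seen.add(key)
        results.append(dict(zip(
            ("Caller", "CallerIpAddress", "resourceName", "resourceGroupName", "resourceActivity"), key)))
    return results


def verdict(results):
    """The two answers the plugin's description maps a result set onto."""
    return "Yes, SCUs were changed recently" if results else "No new SCUs"


if __name__ == "__main__":
    hits = scu_changes(SAMPLE_ROWS)
    for hit in hits:
        print(hit)
    print(verdict(hits))
```

Running it prints a single line for alice even though her write produced two rows, nothing for the read, the 10-day-old write or the Compute write, and then the "Yes" verdict. Passing lookback_days=30 pulls bob's older write back in, and a window shorter than five hours returns nothing, which is the same effect as editing ago(3d) in the YAML.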
No new SCUs
Yes, SCUs were changed recently
Want to discuss this further? Hit me up on Twitter or LinkedIn.