Update SCU_All-in-One.yaml #82

wants to merge 1 commit into
base: main
@@ -1,19 +1,19 @@
Descriptor:
Name: CfSAllinOne
DisplayName: Copilot for Security Activity
Description: Looks for Copilot for Security Activity including SCU creation, changes and deletion and Standalone experience logins. Will be updated when new activities are discovered.
Description: Looks for Copilot for Security Activity including SCU creation, changes and deletion and Standalone and embedded experience activity and logins. Will be updated when new activities are discovered.

SkillGroups:
- Format: KQL
Skills:
- Name: CfSAllinOne
DisplayName: Copilot for Security Activity
Description: Looks for Copilot for Security Activity including SCU creation, changes and deletion and Standalone experience logins. Will be updated when new activities are discovered.
Description: Looks for Copilot for Security Activity including SCU creation, changes and deletion and Standalone and embedded experience activity and logins. Will be updated when new activities are discovered.
Settings:
Target: Sentinel
TenantId: <your_tenant_ID>
SubscriptionId: <your_sub_ID>
ResourceGroupName: <your_RG>
WorkspaceName: <your_Sentinel_WS>
Template: |-
let CfS_Logins = SigninLogs | where AppDisplayName == "Medeina Portal" | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName; let SCU_Changes = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"| project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let SCU_Deleted = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete" | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated; union CfS_Logins, SCU_Changes, SCU_Deleted
let CfS_Logins = SigninLogs | where AppDisplayName == "Medeina Portal" | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName; let SCU_Changes = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"| project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let Bad_Login = BehaviorAnalytics| where ActivityInsights.App == "Medeina Portal"| where ActivityInsights.Resource == "Medeina Service"| where ActivityType == "FailedLogOn"| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation;let SCU_Deleted = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete" | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let Intune_Activity = AADNonInteractiveUserSignInLogs | where AppDisplayName == "Microsoft Intune portal extension" | extend city_ = tostring(parse_json(LocationDetails).city) | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion) | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude) | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude) | extend state_ = tostring(parse_json(LocationDetails).state) | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, 
state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs; let Defender_XDR = AADNonInteractiveUserSignInLogs | where AppDisplayName == "Microsoft 365 Security and Compliance Center" | where ResourceDisplayName has "Medeina" | extend city_ = tostring(parse_json(LocationDetails).city) | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion) | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude) | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude) | extend state_ = tostring(parse_json(LocationDetails).state) | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs;union CfS_Logins, SCU_Changes, SCU_Deleted, Bad_Login, Intune_Activity, Defender_XDR
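Review bot: The new `Bad_Login` branch of the template projects `UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation` but drops `TimeGenerated`, so every failed-logon row reaching the final `union` arrives without a timestamp and cannot be ordered or correlated with the `CfS_Logins`, `SCU_Changes` and `SCU_Deleted` rows that do carry one; change it to `| project TimeGenerated, UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation;`. The `Intune_Activity` branch filters only on `AppDisplayName == "Microsoft Intune portal extension"`, while the parallel `Defender_XDR` branch additionally requires `ResourceDisplayName has "Medeina"`; without a comparable resource filter the Intune branch presumably returns every non-interactive sign-in to that extension rather than only Copilot for Security embedded activity, which is what the updated Description claims the skill covers, so this is worth confirming against a tenant that has ordinary Intune traffic. The template is also printed across two physical lines here (`countryOrRegion_,` / `state_, ...`); if that line break really is inside the `|-` literal block it is harmless to KQL only as long as the continuation keeps the block's indentation, which this view does not show.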