diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs.zip b/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs.zip
deleted file mode 100644
index 89c17e3e..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs.zip and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/AzFunctionCopilotforSecurity/function.json b/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/AzFunctionCopilotforSecurity/function.json
deleted file mode 100644
index e14ab16c..00000000
--- a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/AzFunctionCopilotforSecurity/function.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "bindings": [
- {
- "name": "Timer",
- "type": "timerTrigger",
- "direction": "in",
- "schedule": "%Schedule%"
- }
- ]
-}
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/AzFunctionCopilotforSecurity/run.ps1 b/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/AzFunctionCopilotforSecurity/run.ps1
deleted file mode 100644
index 3de98dc8..00000000
--- a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/AzFunctionCopilotforSecurity/run.ps1
+++ /dev/null
@@ -1,335 +0,0 @@
-# Input bindings are passed in via param block.
-param($Timer)
-
-# Get the current universal time in the default string format
-$currentUTCtime = (Get-Date).ToUniversalTime()
-
-# The 'IsPastDue' porperty is 'true' when the current function invocation is later than scheduled.
-if ($Timer.IsPastDue) {
- Write-Host "PowerShell timer is running late!"
-}
-
-# Write an information log with the current time.
-Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
-
-# Main
-if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)){
- Connect-AzAccount -Identity
-}
-
-#region Environment Variables
-
-$Office365ContentTypes = "Audit.General"
-$Office365RecordTypes = "261,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325"
-$Office365CustomLog = "SecurityCopilot_Audit"
-$LAWorkspaceId = $env:workspaceID
-$LAWorkspaceKey = $env:workspaceKey
-$AADAppClientId = $env:clientID
-$AADAppClientSecret = $env:clientSecret
-$AADAppClientDomain = $env:domain
-$AADAppPublisher = $env:publisher
-$AzureTenantId = $env:tenantGuid
-$LAUri = $env:LAUri
-$AzureAADLoginUri = $env:AzureAADLoginUri
-$OfficeLoginUri = $env:OfficeLoginUri
-$azstoragestring = $env:WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
-$storageAccountTableName = "cfsauditlogsexecutions"
-#endregion
-
-if (-Not [string]::IsNullOrEmpty($LAUri)){
- if($LAUri.Trim() -notmatch 'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$')
- {
- Write-Error -Message "CopilotforSecurity: Invalid Log Analytics Uri." -ErrorAction Stop
- Exit
- }
-}
-
-function Write-OMSLogfile {
-<#
-.SYNOPSIS
-Inputs a hashtable, date and workspace type and writes it to a Log Analytics Workspace.
-.DESCRIPTION
-Given a value pair hash table, this function will write the data to an OMS Log Analytics workspace.
-Certain variables, such as Customer ID and Shared Key are specific to the OMS workspace data is being written to.
-This function will not write to multiple OMS workspaces. Build-signature and post-analytics function from Microsoft documentation
-at https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-collector-api
-.PARAMETER DateTime
-date and time for the log. DateTime value
-.PARAMETER Type
-Name of the logfile or Log Analytics "Type". Log Analytics will append _CL at the end of custom logs String Value
-.PARAMETER LogData
-A series of key, value pairs that will be written to the log. Log file are unstructured but the key should be consistent
-withing each source.
-.INPUTS
-The parameters of data and time, type and logdata. Logdata is converted to JSON to submit to Log Analytics.
-.OUTPUTS
-The Function will return the HTTP status code from the Post method. Status code 200 indicates the request was received.
-.NOTES
-Version: 2.0
-Author: Travis Roberts
-Creation Date: 7/9/2018
-Purpose/Change: Crating a stand alone function.
-.EXAMPLE
-This Example will log data to the "LoggingTest" Log Analytics table
-$type = 'LoggingTest'
-$dateTime = Get-Date
-$data = @{
- ErrorText = 'This is a test message'
- ErrorNumber = 1985
-}
-$returnCode = Write-OMSLogfile $dateTime $type $data -Verbose
-write-output $returnCode
-#>
- [cmdletbinding()]
- Param(
- [Parameter(Mandatory = $true, Position = 0)]
- [datetime]$dateTime,
- [parameter(Mandatory = $true, Position = 1)]
- [string]$type,
- [Parameter(Mandatory = $true, Position = 2)]
- [psobject]$logdata,
- [Parameter(Mandatory = $true, Position = 3)]
- [string]$CustomerID,
- [Parameter(Mandatory = $true, Position = 4)]
- [string]$SharedKey
- )
-
- Write-Verbose -Message "DateTime: $dateTime"
- Write-Verbose -Message ('DateTimeKind:' + $dateTime.kind)
- Write-Verbose -Message "Type: $type"
- write-Verbose -Message "LogData: $logdata"
-
- #region Supporting Functions
-
- # Function to create the auth signature
- function Build-signature ($CustomerID, $SharedKey, $Date, $ContentLength, $method, $ContentType, $resource) {
- $xheaders = 'x-ms-date:' + $Date
- $stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
- $bytesToHash = [text.Encoding]::UTF8.GetBytes($stringToHash)
- $keyBytes = [Convert]::FromBase64String($SharedKey)
- $sha256 = New-Object System.Security.Cryptography.HMACSHA256
- $sha256.key = $keyBytes
- $calculateHash = $sha256.ComputeHash($bytesToHash)
- $encodeHash = [convert]::ToBase64String($calculateHash)
- $authorization = 'SharedKey {0}:{1}' -f $CustomerID,$encodeHash
- return $authorization
- }
-
- # Function to create and post the request
- function Post-LogAnalyticsData ($CustomerID, $SharedKey, $Body, $Type) {
- $method = "POST"
- $ContentType = 'application/json'
- $resource = '/api/logs'
- $rfc1123date = ($dateTime).ToString('r')
- $ContentLength = $Body.Length
- $signature = Build-signature `
- -customerId $CustomerID `
- -sharedKey $SharedKey `
- -date $rfc1123date `
- -contentLength $ContentLength `
- -method $method `
- -contentType $ContentType `
- -resource $resource
-
- # Compatible with previous version and supports both Azure Commercial and Azure Gov
- if ([string]::IsNullOrEmpty($LAUri)){
- $uri = "https://" + $CustomerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
- }
- else
- {
- $uri = $LAURI + $resource + "?api-version=2016-04-01"
- }
-
- $headers = @{
- "Authorization" = $signature;
- "Log-Type" = $type;
- "x-ms-date" = $rfc1123date
- "time-generated-field" = $dateTime
- }
- $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $ContentType -Headers $headers -Body $body
- Write-Verbose -message ('Post Function Return Code ' + $response.statuscode)
- return $response.statuscode
- }
-
- #endregion
-
- #Submit the data
- $returnCode = Post-LogAnalyticsData -CustomerID $CustomerID -SharedKey $SharedKey -Body $logdata -Type $type
- Write-Verbose -Message "Post Statement Return Code $returnCode"
- return $returnCode
-}
-
-function Get-AuthToken {
- [cmdletbinding()]
- Param(
- [Parameter(Mandatory = $true, Position = 0)]
- [string]$ClientID,
- [parameter(Mandatory = $true, Position = 1)]
- [string]$ClientSecret,
- [Parameter(Mandatory = $true, Position = 2)]
- [string]$tenantdomain,
- [Parameter(Mandatory = $true, Position = 3)]
- [string]$TenantGUID
- )
-
- $body = @{grant_type="client_credentials";resource=$OfficeLoginUri;client_id=$ClientID;client_secret=$ClientSecret}
- $oauth = Invoke-RestMethod -Method Post -Uri $AzureAADLoginUri/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
- $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
-
- return $headerParams
-}
-
-
-function SendToLogA {
- [cmdletbinding()]
- Param(
- [Parameter(Mandatory = $true, Position = 0)]
- [string]$o365Data,
- [parameter(Mandatory = $true, Position = 1)]
- [string]$customLogName
- )
- #Test Size; Log A limit is 30MB
- $tempdata = @()
- $tempDataSize = 0
-
- if ((($o365Data | Convertto-json -depth 20).Length) -gt 25MB) {
- Write-Host "Upload is over 25MB, needs to be split"
- foreach ($record in $o365Data) {
- $tempdata += $record
- $tempDataSize += ($record | ConvertTo-Json -depth 20).Length
- if ($tempDataSize -gt 25MB) {
- Write-OMSLogfile -dateTime (Get-Date) -type $customLogName -logdata $tempdata -CustomerID $LAWorkspaceId -SharedKey $LAWorkspaceKey
- write-Host "Sending data = $TempDataSize"
- $tempdata = $null
- $tempdata = @()
- $tempDataSize = 0
- }
- }
- Write-Host "Sending left over data = $Tempdatasize"
- Write-OMSLogfile -dateTime (Get-Date) -type $customLogName -logdata $o365Data -CustomerID $LAWorkspaceId -SharedKey $LAWorkspaceKey
- }
- Else {
- #Send to Log A as is
- Write-OMSLogfile -dateTime (Get-Date) -type $customLogName -logdata $o365Data -CustomerID $LAWorkspaceId -SharedKey $LAWorkspaceKey
- }
-}
-
-function Convert-ObjectToHashTable {
- [CmdletBinding()]
- param
- (
- [parameter(Mandatory=$true,ValueFromPipeline=$true)]
- [pscustomobject] $Object
- )
- $HashTable = @{}
- $ObjectMembers = Get-Member -InputObject $Object -MemberType *Property
- foreach ($Member in $ObjectMembers)
- {
- $HashTable.$($Member.Name) = $Object.$($Member.Name)
- }
- return $HashTable
-}
-
-function Get-O365Data{
- [cmdletbinding()]
- Param(
- [Parameter(Mandatory = $true, Position = 0)]
- [string]$startTime,
- [parameter(Mandatory = $true, Position = 1)]
- [string]$endTime,
- [Parameter(Mandatory = $true, Position = 2)]
- [psobject]$headerParams,
- [parameter(Mandatory = $true, Position = 3)]
- [string]$tenantGuid
- )
- #List Available Content
- $contentTypes = $Office365ContentTypes.split(",")
- #Loop for each content Type like Audit.General;
-
- #API front end for GCC-High is “manage.office365.us” instead of the commercial “manage.office.com”.
- if ($OfficeLoginUri.split('.')[2] -eq "us") {
- $OfficeLoginUri = "https://manage.office365.us"
- }
-
- #Loop for each content Type like Audit.General; DLP.ALL
- foreach($contentType in $contentTypes){
- $contentType = $contentType.Trim()
- $listAvailableContentUri = "$OfficeLoginUri/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$AADAppPublisher&startTime=$startTime&endTime=$endTime"
-
- Write-Output $listAvailableContentUri
-
- do {
- #List Available Content
- $contentResult = Invoke-RestMethod -Method GET -Headers $headerParams -Uri $listAvailableContentUri
- Write-Output $contentResult.Count
- #Loop for each Content
- foreach($obj in $contentResult){
- #Retrieve Content
- $data = Invoke-RestMethod -Method GET -Headers $headerParams -Uri ($obj.contentUri)
- Write-Output $data.Count
- #Loop through each Record in the Content
- foreach($event in $data){
- #Filtering for Recrord types
- #Get all Record Types
- if($Office365RecordTypes -eq "0"){
- #We dont need Cloud App Security Alerts due to MCAS connector
- if(($event.Source) -ne "Cloud App Security"){
- $ht = Convert-ObjectToHashTable $event
- $ht = $ht | ConvertTo-Json -Depth 5
- SendToLogA $ht $Office365CustomLog
- }
- }
- else {
- #Get only certain record types
- $types = ($Office365RecordTypes).split(",")
- if(($event.RecordType) -in $types){
- $ht = Convert-ObjectToHashTable $event
- $ht = $ht | ConvertTo-Json -Depth 5
- SendToLogA $ht $Office365CustomLog
- }
-
- }
- }
- }
-
- #Handles Pagination
- $nextPageResult = Invoke-WebRequest -Method GET -Headers $headerParams -Uri $listAvailableContentUri
- If($null -ne ($nextPageResult.Headers.NextPageUrl)){
- $nextPage = $true
- $listAvailableContentUri = $nextPageResult.Headers.NextPageUrl
- }
- Else {
- $nextPage = $false
- }
- } until ($nextPage -eq $false)
- }
-
- #add last run time to ensure no missed packages
- $endTime = $currentUTCtime | Get-Date -Format yyyy-MM-ddTHH:mm:ss
- Add-AzTableRow -table $o365TimeStampTbl -PartitionKey "CFSAudit" -RowKey "lastExecutionEndTime" -property @{"lastExecutionEndTimeValue"=$endTime} -UpdateExisting
-}
-
-$storageAccountContext = New-AzStorageContext -ConnectionString $azstoragestring
-$StorageTable = Get-AzStorageTable -Name $storageAccountTableName -Context $storageAccountContext -ErrorAction Ignore
-
-if($null -eq $StorageTable.Name){
- $startTime = $currentUTCtime.AddSeconds(-300) | Get-Date -Format yyyy-MM-ddTHH:mm:ss
- New-AzStorageTable -Name $storageAccountTableName -Context $storageAccountContext
- $o365TimeStampTbl = (Get-AzStorageTable -Name $storageAccountTableName -Context $storageAccountContext.Context).cloudTable
- Add-AzTableRow -table $o365TimeStampTbl -PartitionKey "CFSAudit" -RowKey "lastExecutionEndTime" -property @{"lastExecutionEndTimeValue"=$startTime} -UpdateExisting
-}
-Else {
- $o365TimeStampTbl = (Get-AzStorageTable -Name $storageAccountTableName -Context $storageAccountContext.Context).cloudTable
-}
-# retrieve the last execution values
-$lastExecutionEndTime = Get-azTableRow -table $o365TimeStampTbl -partitionKey "CFSAudit" -RowKey "lastExecutionEndTime" -ErrorAction Ignore
-
-$lastlogTime = $($lastExecutionEndTime.lastExecutionEndTimeValue)
-$startTime = $lastlogTime | Get-Date -Format yyyy-MM-ddTHH:mm:ss
-$endTime = $currentUTCtime | Get-Date -Format yyyy-MM-ddTHH:mm:ss
-
-$headerParams = Get-AuthToken $AADAppClientId $AADAppClientSecret $AADAppClientDomain $AzureTenantId
-Get-O365Data $startTime $endTime $headerParams $AzureTenantId
-
-# Write an information log with the current time.
-Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
\ No newline at end of file
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/host.json b/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/host.json
deleted file mode 100644
index 686939c7..00000000
--- a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/host.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "version": "2.0",
- "functionTimeout": "00:30:00",
- "logging": {
- "applicationInsights": {
- "samplingSettings": {
- "isEnabled": true,
- "excludedTypes": "Request"
- }
- }
- },
- "extensionBundle": {
- "id": "Microsoft.Azure.Functions.ExtensionBundle",
- "version": "[3.*, 4.0.0)"
- },
- "managedDependency": {
- "enabled": true
- }
-}
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/profile.ps1 b/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/profile.ps1
deleted file mode 100644
index e5240652..00000000
--- a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/profile.ps1
+++ /dev/null
@@ -1,22 +0,0 @@
-# Azure Functions profile.ps1
-#
-# This profile.ps1 will get executed every "cold start" of your Function App.
-# "cold start" occurs when:
-#
-# * A Function App starts up for the very first time
-# * A Function App starts up after being de-allocated due to inactivity
-#
-# You can define helper functions, run commands, or specify environment variables
-# NOTE: any variables defined that are not environment variables will get reset after the first execution
-
-# Authenticate with Azure PowerShell using MSI.
-# Remove this if you are not planning on using MSI or Azure PowerShell.
-if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) {
- Disable-AzContextAutosave -Scope Process | Out-Null
- Connect-AzAccount -Identity
-}
-
-# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.
-# Enable-AzureRmAlias
-
-# You can also define functions or aliases that can be referenced in any of your PowerShell functions.
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/requirements.psd1 b/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/requirements.psd1
deleted file mode 100644
index 77d6f664..00000000
--- a/Monitoring/IngestSecurityCopilotAuditlogs/IngestSecurityCopilotAuditLogs/requirements.psd1
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file enables modules to be automatically managed by the Functions service.
-# See https://aka.ms/functionsmanageddependency for additional information.
-#
-@{
- 'Az' = '6.*'
- 'AzTable' = '2.*'
-}
\ No newline at end of file
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/README.md b/Monitoring/IngestSecurityCopilotAuditlogs/README.md
index 7ec4b1c2..e3fa13c8 100644
--- a/Monitoring/IngestSecurityCopilotAuditlogs/README.md
+++ b/Monitoring/IngestSecurityCopilotAuditlogs/README.md
@@ -1,89 +1,29 @@
-# Ingest Security Copilot Audit logs
-This function app is designed to ingest Security Copilot Audit logs
+# Ingest Copilot for Security Audit logs
+Auditing is a critical feature in any security solution, providing visibility into user activities and system events, detect usage and activities anomalies, and ensure compliance with regulatory requirements. By sending Copilot for Security audit logs into your cloud native SIEM - Microsoft Sentinel, users can gain deeper insights into their Security Copilot usage and take proactive measures to mitigate risks
-The Azure Function App uses a PowerShell script to collect Security Copilot Audit logs and ingests into a custom table (CFS_Audit). The secrets for the required connections are stored in Azure Key Vault.
-***Note***: Custom Logs are a billable data source.
+# Prerequisites
+### Enable the audit log capability in Security Copilot
+During the first run experience, a Security Administrator is given the option of opting into allowing Microsoft Purview to access, process, copy and store admin actions, user actions, and Copilot responses. For more information, see Get started with Security Copilot.
-![Function App](./images/Picture1.png)
+Security Administrators can also access this option through the Owner settings page.
-Let’s get started with the configuration!
+Use the following steps to update the audit log settings:
-### Preparation
-The following tasks describe the necessary preparation and configurations steps.
-- Register an application in Azure AD
-- Create an Office 365 Management Activity API Subscription
-- Deploy the Azure Function App
-- Post Configuration Steps for the Function App and Key Vault
-- How to Use the Activity Logs in Azure Sentinel
+1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).
+2. Select the home menu icon.
+3. Navigate to the Owner settings > Logging audit data in Microsoft Purview.
+![Security Copilot](./images/cfs_setting_1.png)
-### Register an application in Azure AD
-The Azure AD app is later required to use it as service principle for the [Azure Funtion App](https://github.com/sreedharande/IngestSecurityCopilotAuditlogs) app.
+### Enable Microsoft Defender for Cloud Apps logs via Microsoft Defender XDR Data connector
+To integrate with Microsoft Defender XDR make sure you have:
+1. Sentinel Log Analytics Workspace: read and write permissions.
+2. Connector Access Control: the user applying changes to the connector must be a member of the Microsoft Entra ID associated with the tenant that the workspace belongs to.
+3. Tenant Permissions: 'Global Administrator' or 'Security Administrator' on the workspace's tenant.
+4. License: M365 E5, M365 A5 or any other Microsoft Defender XDR eligible license.
-1. Go to **Azure Active Directory** / **App Registrations**
-2. Create **New Registration**
-![App Registration](./images/Picture2.png)
-3. Call it "O365APItoAzureSentinel". Click **Register**.
-4. Click **API Permissions** Blade.
-5. Click **Add a Permission**.
-6. Click **Office 365 Management APIs**.
-7. Click **Appplication Permissions**
-8. Check **ActivityFeed.Read** and **ActivityFeed.ReadDlp**. Click **Add permissions**.
-![Permissions](./images/Picture5.png)
-9. Click **Grant admin consent for ...**.
-![Admin Consent](./images/Picture6.png)
-10. Click **Certificates and Secrets** blade.
-11. Click **New Client Secret**.
-12. Enter a description, select **never**. Click **Add**.
-![Secret](./images/Picture3.png)
-13. **IMPORTANT**. Click **copy** next to the new secret and paste it somewhere temporaily. You can not come back to get the secret once you leave the blade.
-14. Copy the **client Id** from the application properties and paste it somewhere.
-15. Also copy the **tenant Id** from the AAD directory properties blade.
-
-For the deployment of [Azure Funtion App](https://github.com/Azure/Copilot-For-Security/Monitoring/IngestSecurityCopilotAuditlogs), make a note of following settings:
-- The Azure AD Application ID
-- The Azure AD Application Secret
-- The Tenant ID
-- The Tenant Domain
-
-### Create an Office 365 Management Activity API Subscription
-After successfully creating the service principles, run the following PowerShell script to register the API subscription.
-1. Open a PowerShell terminal.
-2. Run the following, replacing variables with strings from the previous steps.
-```powerhshell
-$ClientID = " from AAD App Registration"
-$ClientSecret = " from AAD App Registrtion"
-$loginURL = "https://login.microsoftonline.[com][us]/"
-$tenantdomain = ".onmicrosoft.[com][us]"
-$TenantGUID = " from AAD"
-$resource = "https://manage.office.[com][us]"
-$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
-$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
-$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
-$publisher = "" Get a guid from https://guidgenerator.com/
-```
-3. Run this command to enable **Audit.General** Subscription.
-```powershell
-Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.[com][us]/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$Publisher"
-```
-4. Run this command to enable **DLP.ALL** subscription
-```powershell
-Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.[com][us]/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=DLP.ALL&PublisherIdentifier=$Publisher"
-```
-5. A successful output looks like as below.
-![Output](./images/Picture7.png)
-
-### Deploy the Azure FunctionApp
-1. Click to **Deploy the template / Deploy to Azure** below.
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FSecurity-Copilot%2Fmain%2FMonitoring%2FIngestSecurityCopilotAuditlogs%2Fazuredeploy_functionapp.json)
-
-
-2. Now it is time to use the noted details from previous steps.
-- Select the right **Subscription**, **Resource Group** and **Region** where you what to deploy the Azure Funtion App.
-- Fill the Instance Details **Client ID**, **Client Secret**, **Tenant Domain**, **Publisher Guid**.
-- There is also a need of **Workspace ID** and **Workspace Key** from where Azure Sentinel is deployed.
-3. Click to **Review + create**, review the configuration and click **Create**.
+![Microsoft Defender XDR](./images/sentinel_XDR.png)
+
### Deploy Analytical Rules
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FSecurity-Copilot%2Fmain%2FMonitoring%2FIngestSecurityCopilotAuditlogs%2Fazuredeploy_analytics.json)
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_analytics.json b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_analytics.json
index 1d71aa6b..3fec1ebb 100644
--- a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_analytics.json
+++ b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_analytics.json
@@ -21,7 +21,7 @@
"description": "Identifies a match in SecurityCopilot Audit Logs prompts activity from any IP IOC from TI",
"severity": "Medium",
"enabled": false,
- "query": "let dt_lookBack = 1h;\r\nlet ioc_lookBack = 14d;\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\r\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\r\n| where Active == true\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\r\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\r\n// Taking the first non-empty value based on potential IOC match availability\r\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\r\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\r\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\r\n//Exclude local addresses, using the ipv4_is_private operator\r\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\r\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\r\n| join kind=innerunique (\r\n SecurityCopilot_Audit_CL | where TimeGenerated >= ago(dt_lookBack)\r\n | project TimeGenerated, Operation = Operation_s, sessionoid = CopilotEventData_CorrelationId_g, EvaluationId = tostring(parse_json(CopilotEventData_Messages_s)[0].Id), ISPrompt = tostring(parse_json(CopilotEventData_Messages_s)[0].isPrompt), UserId = UserId_s, RecordType = RecordType_d, ClientIP = ClientIP_s, CopilotSettingsEventData_Resource = CopilotSettingsEventData_Resource_s, UserKey_s,CopilotEventData_AppHost_s,CopilotEventData_Messages_s\r\n | where RecordType == 261\r\n| where 
CopilotEventData_AppHost_s == \"Security Copilot\"\r\n | where isnotempty(ClientIP)\r\n | extend CFS_TimeGenerated = TimeGenerated\r\n)\r\non $left.TI_ipEntity == $right.ClientIP\r\n| where CFS_TimeGenerated < ExpirationDateTime\r\n| summarize CFS_TimeGenerated = arg_max(CFS_TimeGenerated, *) by IndicatorId, ClientIP\r\n| project CFS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, NetworkIP, NetworkDestinationIP, NetworkSourceIP, UserId,EmailSourceIpAddress\r\n| extend timestamp = CFS_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP",
+ "query": "let dt_lookBack = 1h;\r\nlet ioc_lookBack = 14d;\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\r\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\r\n| where Active == true\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\r\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\r\n// Taking the first non-empty value based on potential IOC match availability\r\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\r\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\r\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\r\n//Exclude local addresses, using the ipv4_is_private operator\r\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\r\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\r\n| join kind=innerunique (\r\n CloudAppEvents\r\n| where parse_json(RawEventData)[\"AppIdentity\"] == 'Copilot.Security.SecurityCopilot'\r\n| where parse_json(RawEventData)[\"Workload\"] == 'Copilot'\r\n| extend RecordType = RawEventData.RecordType\r\n| where RecordType == 261\r\n| where TimeGenerated >= ago(dt_lookBack)\r\n| extend Operation = RawEventData.Operation\r\n| extend ClientIP = tostring(RawEventData.ClientIP)\r\n| project TimeGenerated, Operation , sessionoid = tostring(parse_json(tostring(RawEventData.CopilotEventData)).CorrelationId), EvaluationId = 
tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotEventData)).Messages))[0].Id), ISPrompt = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotEventData)).Messages))[0].isPrompt), UserId = AccountDisplayName, RecordType, ClientIP, AccountDisplayName, AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\r\n| where isnotempty(ClientIP)\r\n| extend CFS_TimeGenerated = TimeGenerated\r\n)\r\non $left.TI_ipEntity == $right.ClientIP\r\n| where CFS_TimeGenerated < ExpirationDateTime\r\n| summarize CFS_TimeGenerated = arg_max(CFS_TimeGenerated, *) by IndicatorId, ClientIP\r\n| project CFS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, NetworkIP, NetworkDestinationIP, NetworkSourceIP, UserId,EmailSourceIpAddress\r\n| extend timestamp = CFS_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
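Review bot: The new query maps `UserId = AccountDisplayName`, and that value becomes `AccountCustomEntity` at the end of the rule, so the account entity is now a display name rather than the UPN the old `UserId_s` column carried. Every other field in the subquery is already read from `RawEventData` (RecordType, Operation, ClientIP, CopilotEventData), which appears to be the same Office 365 activity record the custom log held, so `UserId = tostring(RawEventData.UserId)` would presumably keep the entity consistent with the removed ingestion path — worth confirming against a live `CloudAppEvents` row. The join key is still a raw string compare on `ClientIP`; if `RawEventData.ClientIP` can carry a port or bracketed IPv6 form the TI match will silently miss, so a normalisation step before the join may be needed. Note also that the rule stays `"enabled": false` while the sibling rule in this file is switched on in the same commit.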
@@ -86,8 +86,8 @@
"displayName": "Security Copilot - Anomalous Operations by Security Copilot for User",
"description": "Detect Anomalous audit operations involving actions such as \"DisableCopilotPlugin\" , \"DeleteFile\" , \"UpdatePluginSettings\" , or \"DeleteCopilotPromptBook\"",
"severity": "Medium",
- "enabled": false,
- "query": "SecurityCopilot_Audit_CL\r\n| where isnotempty( UserId_s) and isnotempty( ClientIP_s)\r\n| where Operation_s contains \"DisableCopilotPlugin\" or Operation_s contains \"DeleteFile\" or Operation_s contains \"UpdatePluginSettings\" or Operation_s contains \"DeleteCopilotPromptBook\"\r\n| project TimeGenerated, UserId_s, ClientIP_s\r\n| evaluate basket()\r\n| join kind=leftouter (CFS_Audit_CL\r\n| where Operation_s contains \"DisableCopilotPlugin\" or Operation_s contains \"DeleteFile\" or Operation_s contains \"UpdatePluginSettings\" or Operation_s contains \"DeleteCopilotPromptBook\"\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserId_s, ClientIP_s) on UserId_s, ClientIP_s\r\n| project-away UserId_s1, ClientIP_s1\r\n| extend timestamp = StartTime, AccountCustomEntity = UserId_s, IPCustomEntity = ClientIP_s\r\n",
+ "enabled": true,
+ "query": "CloudAppEvents\r\n| where parse_json(RawEventData)[\"AppIdentity\"] == 'Copilot.Security.SecurityCopilot'\r\n| where parse_json(RawEventData)[\"Workload\"] == 'Copilot'\r\n| extend ClientIP = tostring(RawEventData.ClientIP)\r\n| where isnotempty( AccountDisplayName) and isnotempty( ClientIP)\r\n| extend Operation = RawEventData.Operation\r\n| where Operation contains \"DisableCopilotPlugin\" or Operation contains \"DeleteFile\" or Operation contains \"UpdatePluginSettings\" or Operation contains \"DeleteCopilotPromptBook\"\r\n| project TimeGenerated, AccountDisplayName, ClientIP\r\n| evaluate basket()\r\n| join kind=leftouter (CloudAppEvents\r\n| extend Operation = RawEventData.Operation\r\n| extend ClientIP = tostring(RawEventData.ClientIP)\r\n| where Operation contains \"DisableCopilotPlugin\" or Operation contains \"DeleteFile\" or Operation contains \"UpdatePluginSettings\" or Operation contains \"DeleteCopilotPromptBook\"\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountDisplayName, ClientIP) on AccountDisplayName,ClientIP\r\n| extend timestamp = StartTime, AccountCustomEntity = AccountDisplayName, IPCustomEntity = ClientIP , ClientIP\r\n| project-away AccountDisplayName1, ClientIP1\r\n| extend timestamp = StartTime, AccountCustomEntity = AccountDisplayName, IPCustomEntity = ClientIP",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
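Review bot: The right side of the `join kind=leftouter` reads `CloudAppEvents` without the `AppIdentity`/`Workload` filters that the left side applies, so `StartTime`/`EndTime` are summarised over any app's `DeleteFile`/`UpdatePluginSettings` operations for that user and IP, not only Security Copilot's; add the same two lines inside the subquery, `| where parse_json(RawEventData)["AppIdentity"] == 'Copilot.Security.SecurityCopilot'` and `| where parse_json(RawEventData)["Workload"] == 'Copilot'`, before the `summarize`. The same commit flips this rule to `"enabled": true` while leaving the other rules in the file disabled, which deserves a note in the description, since the rule now fires on deployment with `contains`-based operation matching. The trailing `| extend timestamp = StartTime, AccountCustomEntity = AccountDisplayName, IPCustomEntity = ClientIP , ClientIP` is repeated after the `project-away`, and the bare `ClientIP` term in the first `extend` looks like a leftover; dropping the first `extend` removes the duplication. As in the TI rule, `AccountDisplayName` is used where the old query used the UPN, which affects both the join key and the account entity.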
@@ -127,7 +127,7 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "UserId_s"
+ "columnName": "AccountCustomEntity"
}
]
},
@@ -136,7 +136,7 @@
"fieldMappings": [
{
"identifier": "Address",
- "columnName": "ClientIP_s"
+ "columnName": "ClientIP"
}
]
}
@@ -156,7 +156,7 @@
"description": "This rule detects anomalous user log on and resource access associated with usage of Copilot for Security where any of these operations have been executed: DeleteCopilotPromptBook,DisableCopilotPlugin,DeleteFile or EnableCopilotPlugin",
"severity": "Medium",
"enabled": false,
- "query": "BehaviorAnalytics\r\n| where ActionType =~ \"Sign-in\"\r\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True or ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True \r\n| join kind=inner (\r\n SigninLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n| extend\r\n UserPrincipalName = iff(UserPrincipalName has \"#EXT#\", replace_string(tostring(split(UserPrincipalName, \"#\")[0]), \"_\", \"@\"), UserPrincipalName),\r\n UserName = iff(UserName has \"#EXT#\", replace_string(tostring(split(UserPrincipalName, \"#\")[0]), \"_\", \"@\"), UserName)\r\n| join SecurityCopilot_Audit_CL on $left.UserPrincipalName == $right.UserId_s\r\n| extend BlastRadius_ = tostring(UsersInsights.BlastRadius)\r\n| where Operation_s in (\"DeleteCopilotPromptBook\",\"DisableCopilotPlugin\",\"DeleteFile\",\"EnableCopilotPlugin\")\r\n| project\r\n TimeGenerated,\r\n UserId_s,\r\n UserPrincipalName,\r\n UsersInsights,\r\n ActivityType,\r\n ActionType,\r\n [\"Evidence\"]=ActivityInsights,\r\n ResourceDisplayName,\r\n AppDisplayName,\r\n SourceIPAddress,\r\n SourceIPLocation,\r\n SourceDevice,\r\n DevicesInsights,\r\n InvestigationPriority,\r\n BlastRadius_\r\n | extend\r\n Name=split(UserPrincipalName, \"@\")[0],\r\n UPNSuffix=split(UserPrincipalName, \"@\")[1]\r\n\r\n\r\n\r\n\r\n\r\n",
+ "query": "BehaviorAnalytics\r\n| where ActionType =~ \"Sign-in\"\r\n| where ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True or ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True \r\n| join kind=inner (\r\n SigninLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n| extend\r\n UserPrincipalName = iff(UserPrincipalName has \"#EXT#\", replace_string(tostring(split(UserPrincipalName, \"#\")[0]), \"_\", \"@\"), UserPrincipalName),\r\n UserName = iff(UserName has \"#EXT#\", replace_string(tostring(split(UserPrincipalName, \"#\")[0]), \"_\", \"@\"), UserName)\r\n| join CloudAppEvents on $left.UserPrincipalName == $right.AccountDisplayName\r\n| where parse_json(RawEventData)[\"AppIdentity\"] == 'Copilot.Security.SecurityCopilot'\r\n| where parse_json(RawEventData)[\"Workload\"] == 'Copilot'\r\n| extend Operation = RawEventData.Operation\r\n| extend BlastRadius_ = tostring(UsersInsights.BlastRadius)\r\n| where Operation in (\"DeleteCopilotPromptBook\",\"DisableCopilotPlugin\",\"DeleteFile\",\"EnableCopilotPlugin\")\r\n| project\r\n TimeGenerated,\r\n AccountDisplayName,\r\n UserPrincipalName,\r\n UsersInsights,\r\n ActivityType,\r\n ActionType,\r\n [\"Evidence\"]=ActivityInsights,\r\n ResourceDisplayName,\r\n AppDisplayName,\r\n SourceIPAddress,\r\n SourceIPLocation,\r\n SourceDevice,\r\n DevicesInsights,\r\n InvestigationPriority,\r\n BlastRadius_\r\n | extend\r\n Name=split(UserPrincipalName, \"@\")[0],\r\n UPNSuffix=split(UserPrincipalName, \"@\")[1]",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
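Review bot: The new `| join CloudAppEvents on $left.UserPrincipalName == $right.AccountDisplayName` joins the entire CloudAppEvents table before the AppIdentity, Workload and Operation filters run, so every non-Copilot event in the 5-hour window is joined and then discarded; the filters and the `extend Operation` belong inside a parenthesised right side, e.g. `| join kind=inner (CloudAppEvents | where parse_json(RawEventData)["AppIdentity"] == 'Copilot.Security.SecurityCopilot' | where parse_json(RawEventData)["Workload"] == 'Copilot' | extend Operation = RawEventData.Operation) on $left.UserPrincipalName == $right.AccountDisplayName`. The join also has no explicit `kind`, so it defaults to innerunique and silently keeps one row per key, whereas the first join in the same query states `kind=inner`; the two should agree. AccountDisplayName is a display name rather than a UPN, so whether this join matches at all depends on how the connector populates that column for Security Copilot events — worth confirming against live data before enabling the rule.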
@@ -195,7 +195,7 @@
"fieldMappings": [
{
"identifier": "Name",
- "columnName": "UserId_s"
+ "columnName": "AccountDisplayName"
}
]
},
@@ -221,6 +221,78 @@
"sentinelEntitiesMappings": null,
"templateVersion": null
}
+ },
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('LogAnalyticsWorkspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/5e5fc31d-d9e0-4fad-b659-b183b0643aac')]",
+ "name": "[concat(parameters('LogAnalyticsWorkspaceName'),'/Microsoft.SecurityInsights/5e5fc31d-d9e0-4fad-b659-b183b0643aac')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2023-12-01-preview",
+ "properties": {
+ "displayName": "Security Copilot-Audit logging settings changes",
+ "description": "This rule detects changes to logging settings",
+ "severity": "Medium",
+ "enabled": true,
+ "query": "CloudAppEvents\r\n| where parse_json(RawEventData)[\"AppIdentity\"] == 'Copilot.Security.SecurityCopilot'\r\n| where parse_json(RawEventData)[\"Workload\"] == 'Copilot'\r\n| where RawEventData.Operation == \"UpdateCopilotSettings\"\r\n| extend NewSetting = case(tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue) == \"False\", \"Off\", tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue) == \"True\", \"On\", tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue))\r\n| extend PreviousSetting = case(tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].OriginalValue) == \"False\", \"Off\", tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].OriginalValue) == \"True\", \"On\", tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].OriginalValue))\r\n| extend SettingChanged = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\r\n| project TimeGenerated, User= AccountDisplayName, Operation=RawEventData.Operation, PreviousSetting, NewSetting, SettingChanged, ClientIP = tostring(RawEventData.ClientIP)",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "startTimeUtc": null,
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": [],
+ "subTechniques": [],
+ "alertRuleTemplateName": null,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDynamicProperties": []
+ },
+ "customDetails": {
+ "Operation": "Operation",
+ "PreviousSetting": "PreviousSetting",
+ "NewSetting": "NewSetting"
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "ClientIP"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "AadUserId",
+ "columnName": "User"
+ }
+ ]
+ }
+ ],
+ "sentinelEntitiesMappings": null,
+ "templateVersion": null
+ }
}
]
}
\ No newline at end of file
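Review bot: The Account entity mapping of the new rule uses `"identifier": "AadUserId"` for the `User` column, but `User` is projected from `AccountDisplayName`, not an Entra object id, so the entity will not resolve; the other rules in this template map display-name columns with `"identifier": "Name"`, and this one should do the same (or project `AccountObjectId` from CloudAppEvents and map that to AadUserId). With `"queryFrequency": "P1D"` and `"queryPeriod": "P14D"` while grouping and suppression are both disabled, the same settings change is re-alerted on each daily run for two weeks; either match the period to the frequency or deduplicate against the lookback. `"techniques": []` is empty although the tactic is DefenseEvasion — `T1562.008` (Disable or Modify Cloud Logs) is the technique that describes changes to audit-logging settings.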
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_functionapp.json b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_functionapp.json
deleted file mode 100644
index 7a4cdb93..00000000
--- a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_functionapp.json
+++ /dev/null
@@ -1,305 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "FunctionName": {
- "defaultValue": "CFSAuditLogs",
- "type": "string",
- "metadata": {
- "description": "Specifies the name of the Function App."
- }
- },
- "clientID": {
- "type": "string",
- "metadata": {
- "description": "AAD Application Client ID"
- }
- },
- "clientSecret": {
- "type": "securestring",
- "metadata": {
- "description": "AAD Application Client Secret"
- }
- },
- "domain": {
- "type": "string",
- "metadata": {
- "description": ".onmicrosoft.com"
- }
- },
- "publisher": {
- "type": "string",
- "metadata": {
- "description": "GUID"
- }
- },
- "workspaceID": {
- "type": "string",
- "metadata": {
- "description": "Specifies the Log Analytics Workspace Id."
- }
- },
- "workspaceKey": {
- "type": "securestring",
- "metadata": {
- "description": "Specifies the Log Analytics Workspace Key."
- }
- }
- },
- "variables": {
- "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
- "StorageAccountName":"[concat(substring(variables('FunctionName'), 0, 20), 'sa')]",
- "KeyVaultName": "[concat(substring(variables('FunctionName'), 0, 20), 'kv')]",
- "AzureAADClientSecret": "AzureAADClientSecret",
- "LogAnalyticsWorkspaceKey": "LogAnalyticsWorkspaceKey",
- "StorageSuffix":"[environment().suffixes.storage]",
- "HostingPlanName":"[concat('ASP-', variables('FunctionName'))]",
- "LogAnaltyicsUri":"[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('workspaceId')), '.ods.opinsights'))]",
- "OfficeLoginUri":"[replace(environment().portal, 'https://portal.azure', 'https://manage.office')]",
- "AzureAADLoginUri":"[replace(environment().portal, 'https://portal.azure', 'https://login.microsoftonline')]"
- },
- "resources": [
- {
- "type": "Microsoft.Insights/components",
- "apiVersion": "2015-05-01",
- "name": "[variables('FunctionName')]",
- "location": "[resourceGroup().location]",
- "kind": "web",
- "properties": {
- "Application_Type": "web",
- "ApplicationId": "[variables('FunctionName')]"
- }
- },
- {
- "type": "Microsoft.KeyVault/vaults",
- "apiVersion": "2016-10-01",
- "name": "[variables('KeyVaultName')]",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
- ],
- "properties": {
- "sku": {
- "family": "A",
- "name": "Standard"
- },
- "tenantId": "[subscription().tenantId]",
- "accessPolicies": [
- {
- "tenantId": "[subscription().tenantId]",
- "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('FunctionName')),'2019-08-01', 'full').identity.principalId]",
- "permissions": {
- "secrets": [ "get",
- "list"
- ]
- }
- }
- ],
- "enabledForDeployment": false,
- "enabledForDiskEncryption": false,
- "enabledForTemplateDeployment": true,
- "enableSoftDelete": true
- },
- "resources": [
- {
- "type": "secrets",
- "apiVersion": "2016-10-01",
- "name": "[variables('AzureAADClientSecret')]",
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
- ],
- "properties": {
- "value": "[parameters('clientSecret')]",
- "contentType": "string",
- "attributes": {
- "enabled": true
- }
- }
- },
- {
- "type": "secrets",
- "apiVersion": "2016-10-01",
- "name": "[variables('LogAnalyticsWorkspaceKey')]",
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
- ],
- "properties": {
- "value": "[parameters('workspaceKey')]",
- "contentType": "string",
- "attributes": {
- "enabled": true
- }
- }
- }
- ]
- },
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "[variables('StorageAccountName')]",
- "location": "[resourceGroup().location]",
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "kind": "StorageV2",
- "properties": {
- "publicNetworkAccess": "Disabled"
- }
- },
- {
- "apiVersion": "2018-02-01",
- "name": "[variables('HostingPlanName')]",
- "type": "Microsoft.Web/serverfarms",
- "location": "[resourceGroup().location]",
- "kind": "elastic",
- "tags": {},
- "dependsOn": [],
- "properties": {
- "targetWorkerCount": "2",
- "targetWorkerSizeId": "3",
- "reserved": true,
- "maximumElasticWorkerCount": "20"
- },
- "sku": {
- "tier": "ElasticPremium",
- "name": "EP1"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/blobServices",
- "apiVersion": "2019-06-01",
- "name": "[concat(variables('StorageAccountName'), '/default')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
- ],
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "properties": {
- "cors": {
- "corsRules": [
- ]
- },
- "deleteRetentionPolicy": {
- "enabled": false
- }
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/fileServices",
- "apiVersion": "2019-06-01",
- "name": "[concat(variables('StorageAccountName'), '/default')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
- ],
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "properties": {
- "cors": {
- "corsRules": [
- ]
- }
- }
- },
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2018-11-01",
- "name": "[variables('FunctionName')]",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]",
- "[resourceId('Microsoft.Web/serverfarms', variables('HostingPlanName'))]",
- "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
- ],
- "kind": "functionapp",
- "identity": {
- "type": "SystemAssigned"
- },
- "properties": {
- "name": "[variables('FunctionName')]",
- "httpsOnly": true,
- "clientAffinityEnabled": true,
- "alwaysOn": true,
- "reserved": true,
- "serverFarmId": "[concat('/subscriptions/', subscription().subscriptionId,'/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Web/serverfarms/', variables('HostingPlanName'))]",
- "siteConfig": {
- "powerShellVersion": "~7"
- }
- },
- "resources": [
- {
- "apiVersion": "2018-11-01",
- "type": "config",
- "name": "appsettings",
- "dependsOn": [
- "[concat('Microsoft.Web/sites/', variables('FunctionName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('AzureAADClientSecret'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('LogAnalyticsWorkspaceKey'))]"
- ],
- "properties": {
- "FUNCTIONS_EXTENSION_VERSION": "~4",
- "FUNCTIONS_WORKER_RUNTIME": "powershell",
- "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
- "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
- "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
- "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
- "WEBSITE_CONTENTSHARE": "[variables('FunctionName')]",
- "clientID": "[parameters('clientSecret')]",
- "clientSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('AzureAADClientSecret')).secretUriWithVersion, ')')]",
- "domain": "[parameters('domain')]",
- "tenantGuid": "[subscription().tenantId]",
- "publisher": "[parameters('publisher')]",
- "workspaceID": "[parameters('workspaceID')]",
- "workspaceKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('LogAnalyticsWorkspaceKey')).secretUriWithVersion, ')')]",
- "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/IngestSecurityCopilotAuditLogs",
- "LAUri":"[variables('LogAnaltyicsUri')]",
- "AzureAADLoginUri":"[variables('AzureAADLoginUri')]",
- "OfficeLoginUri":"[variables('OfficeLoginUri')]",
- "Schedule":"0 */10 * * * *"
- }
- }
- ]
- },
- {
- "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
- "apiVersion": "2019-06-01",
- "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-hosts')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
- ],
- "properties": {
- "publicAccess": "None"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
- "apiVersion": "2019-06-01",
- "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-secrets')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
- ],
- "properties": {
- "publicAccess": "None"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
- "apiVersion": "2019-06-01",
- "name": "[concat(variables('StorageAccountName'), '/default/', tolower(variables('FunctionName')))]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('StorageAccountName'), 'default')]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
- ],
- "properties": {
- "shareQuota": 5120
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
index 42907217..a5d15385 100644
--- a/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
+++ b/Monitoring/IngestSecurityCopilotAuditlogs/azuredeploy_workbook.json
@@ -29,7 +29,7 @@
"kind": "shared",
"properties": {
"displayName": "[parameters('WorkbookDisplayName')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Security Copilot Audit Workbook](https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot)\\n---\\n\\nMicrosoft Security Copilot is a generative AI-powered security solution designed to enhance the efficiency and capabilities of security professionals\\n\\nIt supports end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management\\nBy integrating with products like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as third-party services like ServiceNow, Security Copilot leverages security-specific plugins, organizational data, authoritative sources, and global threat intelligence\\n\\nThis enables security professionals to gain wider visibility into threats, prioritize response efforts, and streamline decision-making\\n\\nCopilot for Security provides actionable guidance for incident response, translating complex security alerts into concise summaries and offering step-by-step directions for triage, investigation, containment, and remediation.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f16d570f-12c1-48f2-94fa-7e114263a291\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Audit\",\"subTarget\":\"audit\",\"preText\":\"Copilot for Security Audit Data\",\"style\":\"link\"},{\"id\":\"ab2c8e5c-1a0f-4041-ab18-c9b387ecf33b\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Sign in Data\",\"subTarget\":\"Signin\",\"style\":\"link\"},{\"id\":\"03e3f1de-2a0f-4f14-ad2f-cba53365c4b3\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot SCU Events\",\"subTarget\":\"SCU\",\"style\":\"link\"}]},\"name\":\"links - 
2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"41bb3efb-b37d-47d6-851a-64929f841597\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3388fc6-e10b-4a86-bdc1-22677adcb351\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2419200000}},{\"id\":\"eede023b-bfca-4112-accb-440efb5709ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"/subscriptions/ab48f397-fc82-4634-aa52-62dd91b3ebaa\"},{\"id\":\"b68ed14e-d0e2-41b2-9444-b38c88394beb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"1ba9eace-73f1-4958-a0a7-11bdb68195b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nIdentityLogonEvents\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Medeina Portal\\\"\\r\\n| extend IPaddresses=tostring(IPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, 
IPaddresses, network)\\r\\n| summarize interactioncount = count() by IPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Succesfull Sign ins By Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nBehaviorAnalytics\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| extend IPaddresses=tostring(SourceIPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by SourceIPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Failed Sign ins by Location 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityLogonEvents\\r\\n| where TimeGenerated >= ago(24h)\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Security Copilot\\\"\\r\\n| extend User = AdditionalFields.[\\\"ACTOR.ALIAS\\\"]\\r\\n| project AccountDomain, User, ActionType, AccountUpn, IPAddress, Location, ISP, OSPlatform, DeviceType\",\"size\":0,\"title\":\"Successfull Sign ins for Security Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"100\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Failed signins to the CfS service exposing user, reason, and other necessary information.\\r\\n\\r\\nBehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation\",\"size\":0,\"title\":\"Failed Sign ins for Security 
Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"User did not pass the MFA challenge\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"\\t Other\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid username or password \",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Flow token expired - Authentication Failed\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Device Authentication Required\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"100\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| summarize Failedlogin = count() by ActionType\\r\\n\",\"size\":0,\"title\":\"Failed Sign ins By Reason\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"Signin\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"061dd12a-4223-4b86-8d66-51dd276c35ae\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"0e871995-794b-4969-a964-4d4aeaa29e9b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"88276ecc-5d60-47cd-acfc-e1e61c4e3545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"ca3cd047-6606-44e1-87a6-117bf68ab98e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 
'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"81626c63-e609-4a86-9d65-c57d01c8307e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL \\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where UserId_s !=\\\"\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| distinct UserId_s\\r\\n| count \",\"size\":3,\"title\":\"Total number of users for Security Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where RecordType_d == 
261\\r\\n| count\",\"size\":4,\"title\":\"Total No: Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where RecordType_d == 325\\r\\n| where Operation_s == \\\"UploadFile\\\"\\r\\n| count \",\"size\":4,\"title\":\"File Uploads\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where Operation_s contains \\\"DisableCopilotPlugin\\\"\\r\\n| count\",\"size\":4,\"title\":\"Disabled Security Copilot 
Plugins\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where DisplayName == \\\"Security Copilot - TI map IP entity to Security Copilot Audit Prompts\\\" \\r\\n| where DisplayName == \\\"Security Copilot - Anomalous sign-in activity by Security Copilot user\\\"\\r\\n| where DisplayName == \\\"Security Copilot - Anomalous Operations by Security Copilot for User\\\"\\r\\n| count \",\"size\":4,\"title\":\"Security Copilot Detections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where Operation_s contains \\\"UpdateCopilotSettings\\\"\\r\\n| count\",\"size\":4,\"title\":\"Changed Security Copilot 
Settings\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where RecordType_d == 261\\r\\n| where CopilotEventData_AppHost_s !contains \\\"test\\\"\\r\\n| summarize count() by CopilotEventData_AppHost_s\",\"size\":0,\"title\":\"Security Copilot Prompts Per Experience\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"CopilotEventData_AppHost_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where RecordType_d == 261\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where CopilotEventData_AppHost_s !contains \\\"test\\\"\\r\\n| summarize CountPerAppHost = count() by bin(TimeGenerated, 1d), 
CopilotEventData_AppHost_s\\r\\n| join kind=leftouter (\\r\\n SecurityCopilot_Audit_CL\\r\\n | where RecordType_d == 261\\r\\n | where Workload_s == \\\"Copilot\\\"\\r\\n | where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n | where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n | where CopilotEventData_AppHost_s !contains \\\"test\\\"\\r\\n | summarize TotalCount = count() by bin(TimeGenerated, 1d)\\r\\n) on TimeGenerated\\r\\n| project TimeGenerated, CopilotEventData_AppHost_s, CountPerAppHost, TotalCount\",\"size\":0,\"title\":\"Prompts over time \",\"color\":\"turquoise\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"UserKey_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"promptCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"CountPerAppHost\"],\"group\":\"CopilotEventData_AppHost_s\",\"createOtherGroup\":null,\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Count of prompts\"}],\"ySettings\":{\"label\":\"Sum\"}}},\"customWidth\":\"60\",\"name\":\"Prompts over time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where Workload_s ==\\\"CopilotForSecurity\\\"\\r\\n| where Operation_s != \\\"CopilotInteraction\\\"\\r\\n| summarize interactioncount = count() by Operation_s\",\"size\":0,\"title\":\"Security Copilot Prompts per 
Action\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where RecordType_d == 261\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where CopilotEventData_AppHost_s <> \\\"TEST - Unknown\\\"\\r\\n| summarize CopilotInDefender = countif(CopilotEventData_AppHost_s == \\\"Copilot in Defender\\\"), Automation = countif(CopilotEventData_AppHost_s == \\\"Logic App\\\"), Standalone = countif(CopilotEventData_AppHost_s == \\\"Security Copilot standalone\\\"), CopilotInMicrosoftPurview = countif(CopilotEventData_AppHost_s == \\\"Sopilot in Microsoft Purview\\\"), CopilotinMicrosoftEntra\\r\\n = countif(CopilotEventData_AppHost_s == \\\"Copilot in Microsoft Entra\\\"), CopilotInIntune\\r\\n = countif(CopilotEventData_AppHost_s == \\\"Copilot in Intune\\\"), CopilotInAzureFirewall\\r\\n = countif(CopilotEventData_AppHost_s == \\\"Copilot in Azure Firewall\\\"), TotalPrompts = count() by UserKey_s\\r\\n| sort by TotalPrompts\\r\\n\",\"size\":0,\"title\":\"Top Users 
Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Automation\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"Standalone\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInMicrosoftPurview\",\"formatter\":4,\"formatOptions\":{\"palette\":\"purple\"}},{\"columnMatch\":\"CopilotinMicrosoftEntra\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeDark\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInIntune\",\"formatter\":4,\"formatOptions\":{\"palette\":\"magenta\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInAzureFirewall\",\"formatter\":4,\"formatOptions\":{\"palette\":\"brown\",\"aggregation\":\"Count\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"UserKey_s\",\"label\":\"User\"},{\"columnId\":\"CopilotInDefender\",\"label\":\"DefenderXDR\"},{\"columnId\":\"CopilotInMicrosoftPurview\",\"label\":\"Purview\"},{\"columnId\":\"CopilotinMicrosoftEntra\",\"label\":\"Entra\"},{\"columnId\":\"CopilotInIntune\",\"label\":\"Intune\"},{\"columnId\":\"CopilotInAzureFirewall\",\"label\":\"AZFW\"}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"60\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\nSecurityCopilot_Audit_CL\\n| where Workload_s == \\\"CopilotForSecurity\\\"\\n| extend 
IPaddresses=tostring(ClientIP_s)\\n| where isnotempty(IPaddresses) \\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\n| summarize interactioncount = count() by ClientIP_s, country_name\\n\",\"size\":0,\"title\":\"Security Copilot Interactions by Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"latitude\":\"_TableName\",\"longitude\":\"_TableName\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"maxSize\":100,\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"SignInCount\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"40\",\"name\":\"query - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL\\r\\n| where RecordType_d in (\\\"320\\\", \\\"321\\\", \\\"322\\\")\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| project TimeGenerated, Operation = Operation_s, sessionoid = CopilotEventData_CorrelationId_g, EvaluationId = tostring(parse_json(CopilotEventData_Messages_s)[0].Id), ISPrompt = tostring(parse_json(CopilotEventData_Messages_s)[0].isPrompt), UserId = UserId_s, RecordType = RecordType_d, ClientIP = ClientIP_s, CopilotSettingsEventData_Resource = CopilotSettingsEventData_Resource_s, UserKey_s,CopilotEventData_Messages_s\\r\\n| sort by TimeGenerated\\r\\n| project TimeGenerated, UserId, Operation , ClientIP, CopilotSettingsEventData_Resource\\r\\n| take 50\",\"size\":0,\"title\":\"Security Copilot - Promptbook 
Interactions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Create\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Delete\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Update\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ClientIP\",\"formatter\":5}]}},\"customWidth\":\"60\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL \\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where RecordType_d == 313\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].Property <> \\\"FileUploads\\\"\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue == \\\"Enabled\\\"\\r\\n| extend PluginsName = parse_json(CopilotSettingsEventData_Resource_s)[0].Property\\r\\n| mv-expand PluginsName\\r\\n| project TimeGenerated, UserKey_s, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Enable Plugin 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"UserKey_s\",\"label\":\"User\"},{\"columnId\":\"PluginsName\",\"label\":\"Plugin_Name\"}]}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL \\r\\n| where RecordType_d == 314\\r\\n| where Workload_s == \\\"Copilot\\\"\\r\\n| where AppIdentity_s == \\\"Copilot.Security.SecurityCopilot\\\"\\r\\n| where UserId_s !=\\\"Security Copilot\\\"\\r\\n| where UserId_s !~ \\\"Copilot for Security\\\"\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].Property <> \\\"FileUploads\\\"\\r\\n| where parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue == \\\"Disabled\\\"\\r\\n| extend PluginsName = parse_json(CopilotSettingsEventData_Resource_s)[0].Property\\r\\n| mv-expand PluginsName\\r\\n| project TimeGenerated, UserKey_s, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Disable Plugin\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"UserKey_s\",\"label\":\"User\"},{\"columnId\":\"PluginsName\",\"label\":\"PluginName\"}]}},\"customWidth\":\"60\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityCopilot_Audit_CL \\r\\n| where RecordType_d == 325\\r\\n| where Operation_s <> \\\"DeleteFile\\\"\\r\\n| where Operation_s <> \\\"UploadFile\\\"\\r\\n| extend Property = tostring(parse_json(CopilotSettingsEventData_Resource_s)[0].Property)\\r\\n| where Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetTenant\\\" and Property != 
\\\"Skillsets.ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| extend NewValue = tostring(parse_json(CopilotSettingsEventData_Resource_s)[0].NewValue)\\r\\n| extend Property1 = substring(Property, 9) \\r\\n| extend Enable = NewValue\\r\\n| extend SettingLevel = case( Property1 contains \\\"AllowAuditLogging\\\", \\\"TenantLevel\\\", Property1 contains \\\"tenant\\\" , \\\"TenantLevel\\\", Property1 contains \\\"allowO365DataCollection\\\", \\\"TenantLevel\\\", Property1 contains \\\"User\\\", \\\"UserLevel\\\", \\\"Unknown\\\"\\r\\n)\\r\\n| project TimeGenerated, UserId_s, Property1 ,SettingLevel, NewValue\\r\\n| sort by TimeGenerated, SettingLevel asc \",\"size\":0,\"title\":\"Change Setting Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SettingLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"TenantLevel\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"NewValue\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":
\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"labelSettings\":[{\"columnId\":\"UserId_s\",\"label\":\"User\"},{\"columnId\":\"Property1\",\"label\":\"Action\"},{\"columnId\":\"NewValue\",\"label\":\"Value\"}]}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"audit\"},\"name\":\"group - 12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"variables('WorkbookSourceId')\"],\"parameters\":[{\"id\":\"59e79699-280b-4339-8cd2-55624b203cac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"fefebdf8-9122-4dc4-ae76-5817d7e3bace\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"6cbd900c-7049-484c-a0eb-d23c1ac5ff38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = 
strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"/subscriptions/ab48f397-fc82-4634-aa52-62dd91b3ebaa\"},{\"id\":\"37403463-ff86-47c0-8d04-3f432d0413a3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"8ac8842a-fc4e-44fd-9542-72baf58224f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType 
== \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| sort by timestamp\\r\\n| take 1\\r\\n| project toint(newValue)\",\"size\":4,\"title\":\"Number Of SCU's\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"newValue\",\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"30\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| where timestamp > ago(60d)\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| project timestamp, previousValue, newValue , changedBy\",\"size\":1,\"title\":\"SCU 
Chnages\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"70\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where ResourceProviderValue contains \\\"copilot\\\"\",\"size\":0,\"title\":\"SCU capacity Activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"SCU\"},\"name\":\"group - 4\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"variables('WorkbookSourceId')\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsoft Security Copilot Audit Workbook](https://learn.microsoft.com/en-us/copilot/security/microsoft-security-copilot)\\n---\\n\\nMicrosoft Security Copilot is a generative AI-powered security solution designed to enhance the efficiency and capabilities of security professionals\\n\\nIt supports end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management\\nBy integrating with products like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Intune, as well as third-party services like ServiceNow, Security Copilot leverages security-specific plugins, organizational data, authoritative sources, and global threat intelligence\\n\\nThis enables security professionals to gain wider visibility into threats, prioritize response efforts, and streamline decision-making\\n\\nCopilot for Security provides actionable guidance for incident response, translating complex security alerts into concise summaries and offering step-by-step directions for triage, investigation, containment, and remediation.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f16d570f-12c1-48f2-94fa-7e114263a291\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Audit\",\"subTarget\":\"audit\",\"preText\":\"Copilot for Security Audit Data\",\"style\":\"link\"},{\"id\":\"ab2c8e5c-1a0f-4041-ab18-c9b387ecf33b\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot Sign in Data\",\"subTarget\":\"Signin\",\"style\":\"link\"},{\"id\":\"03e3f1de-2a0f-4f14-ad2f-cba53365c4b3\",\"cellValue\":\"Nav\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Copilot SCU Events\",\"subTarget\":\"SCU\",\"style\":\"link\"}]},\"name\":\"links - 
2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"41bb3efb-b37d-47d6-851a-64929f841597\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"e3388fc6-e10b-4a86-bdc1-22677adcb351\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2419200000}},{\"id\":\"eede023b-bfca-4112-accb-440efb5709ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\\r\\n\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"b68ed14e-d0e2-41b2-9444-b38c88394beb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"1ba9eace-73f1-4958-a0a7-11bdb68195b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nIdentityLogonEvents\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Medeina Portal\\\"\\r\\n| extend IPaddresses=tostring(IPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() 
by IPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Succesfull Sign ins By Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\r\\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\r\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\r\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\r\\nBehaviorAnalytics\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| extend IPaddresses=tostring(SourceIPAddress)\\r\\n| where isnotempty(IPaddresses) \\r\\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\r\\n| summarize interactioncount = count() by SourceIPAddress, country_name\\r\\n\",\"size\":2,\"title\":\"Failed Sign ins by Location 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"interactioncount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityLogonEvents\\r\\n| where TimeGenerated >= ago(24h)\\r\\n| where AdditionalFields.[\\\"ARG.CLOUD_SERVICE\\\"] == \\\"Security Copilot\\\"\\r\\n| extend User = AdditionalFields.[\\\"ACTOR.ALIAS\\\"]\\r\\n| project AccountDomain, User, ActionType, AccountUpn, IPAddress, Location, ISP, OSPlatform, DeviceType\",\"size\":0,\"title\":\"Successfull Sign ins for Security Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"100\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Failed signins to the CfS service exposing user, reason, and other necessary information.\\r\\n\\r\\nBehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation\",\"size\":0,\"title\":\"Failed Sign ins for Security 
Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"User did not pass the MFA challenge\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"\\t Other\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid username or password \",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Flow token expired - Authentication Failed\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Device Authentication Required\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"100\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BehaviorAnalytics\\r\\n| where TimeGenerated >= ago(7d)\\r\\n| where ActivityInsights.App == \\\"Medeina Portal\\\"\\r\\n| where ActivityInsights.Resource == \\\"Medeina Service\\\"\\r\\n| where ActivityType == \\\"FailedLogOn\\\"\\r\\n| summarize Failedlogin = count() by ActionType\\r\\n\",\"size\":0,\"title\":\"Failed Sign ins By Reason\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"Signin\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"061dd12a-4223-4b86-8d66-51dd276c35ae\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"0e871995-794b-4969-a964-4d4aeaa29e9b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"88276ecc-5d60-47cd-acfc-e1e61c4e3545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"ca3cd047-6606-44e1-87a6-117bf68ab98e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"81626c63-e609-4a86-9d65-c57d01c8307e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| distinct AccountDisplayName\\r\\n| count\",\"size\":3,\"title\":\"Total number of users for Security 
Copilot\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| count \",\"size\":4,\"title\":\"Total No: Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"16\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 325\\r\\n| where ActionType == \\\"UploadFile\\\"\\r\\n| count\",\"size\":4,\"title\":\"File 
Uploads\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where ActionType == \\\"DisableCopilotPlugin\\\"\\r\\n| count \",\"size\":4,\"title\":\"Disabled Security Copilot Plugins\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where DisplayName == \\\"Security Copilot - Anomalous Operations by Copilot for Security User\\\" \\r\\n| where DisplayName == \\\"Security Copilot - Anomalous sign-in activity by Copilot for Security user\\\"\\r\\n| where DisplayName == \\\"Security Copilot - TI map IP entity to Prompts\\\"\\r\\n| where DisplayName == \\\"Security Copilot-Audit logging settings changes\\\"\\r\\n| count \",\"size\":4,\"title\":\"Security Copilot 
Detections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where ActionType == \\\"UpdateCopilotSettings\\\"\\r\\n| count\",\"size\":4,\"title\":\"Changed Security Copilot Settings\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orangeDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"17\",\"name\":\"query - 3 - Copy - Copy - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\"\\r\\n| summarize count() by AppHost\",\"size\":0,\"title\":\"Security Copilot Prompts Per 
Experience\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"CopilotEventData_AppHost_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" \\r\\n| summarize CountPerAppHost = count() by bin(TimeGenerated, 1d), AppHost\\r\\n| join kind=leftouter ( CloudAppEvents\\r\\n| where RawEventData.RecordType == 261\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" \\r\\n| summarize TotalCount = count() by bin(TimeGenerated, 1d)\\r\\n) on TimeGenerated\\r\\n| project TimeGenerated, AppHost, CountPerAppHost, TotalCount\",\"size\":0,\"title\":\"Prompts over time 
\",\"color\":\"turquoise\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"categoricalbar\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"UserKey_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"promptCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"CountPerAppHost\"],\"group\":\"AppHost\",\"createOtherGroup\":null,\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Count of prompts\"},{\"seriesName\":\"Copilot in Intune\",\"label\":\"Copilot in Intune\"},{\"seriesName\":\"Copilot in Defender\",\"label\":\"Copilot in Defender\"},{\"seriesName\":\"Copilot in Microsoft Purview\",\"label\":\"Copilot in Microsoft Purview\"},{\"seriesName\":\"Security Copilot standalone\",\"label\":\"Security Copilot standalone\"},{\"seriesName\":\"Copilot in Azure Firewall\",\"label\":\"Copilot in Azure Firewall\"},{\"seriesName\":\"Copilot in Microsoft Entra\",\"label\":\"Copilot in Microsoft Entra\"},{\"seriesName\":\"Copilot in Defender External Attack Surface Management (EASM)\",\"label\":\"Copilot in Defender External Attack Surface Management (EASM)\"}],\"ySettings\":{\"label\":\"Sum\"}}},\"customWidth\":\"60\",\"name\":\"Prompts over time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = 
tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\" and AppHost !contains \\\"unknown\\\"\\r\\n| summarize interactioncount = count() by AppHost\",\"size\":0,\"title\":\"Security Copilot Prompts per Action\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 261\\r\\n| extend AppHost = tostring(parse_json(tostring(RawEventData.CopilotEventData)).AppHost)\\r\\n| where AppHost !contains \\\"test\\\"\\r\\n| summarize CopilotInDefender = countif(AppHost == \\\"Copilot in Defender\\\"),\\r\\nAutomation = countif(AppHost == \\\"Logic App\\\"), \\r\\nStandalone = countif(AppHost == \\\"Security Copilot standalone\\\"), \\r\\nCopilotInMicrosoftPurview = countif(AppHost == \\\"Sopilot in Microsoft Purview\\\"), \\r\\nCopilotinMicrosoftEntra = countif(AppHost == \\\"Copilot in Microsoft Entra\\\"),\\r\\nCopilotInIntune = countif(AppHost == \\\"Copilot in Intune\\\"), \\r\\nEASM = countif(AppHost == \\\"Copilot in Defender External Attack Surface Management (EASM)\\\"), \\r\\nCopilotInAzureFirewall = countif(AppHost == \\\"Copilot in Azure Firewall\\\"),\\r\\nTotalPrompts = count() by AccountDisplayName\\r\\n| sort by TotalPrompts\",\"size\":0,\"title\":\"Top Users 
Prompts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Automation\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"Standalone\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInMicrosoftPurview\",\"formatter\":4,\"formatOptions\":{\"palette\":\"purple\"}},{\"columnMatch\":\"CopilotinMicrosoftEntra\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orangeDark\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInIntune\",\"formatter\":4,\"formatOptions\":{\"palette\":\"magenta\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"EASM\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\",\"aggregation\":\"Count\"}},{\"columnMatch\":\"CopilotInAzureFirewall\",\"formatter\":4,\"formatOptions\":{\"palette\":\"brown\",\"aggregation\":\"Count\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"CopilotInDefender\",\"label\":\"DefenderXDR\"},{\"columnId\":\"CopilotInMicrosoftPurview\",\"label\":\"Purview\"},{\"columnId\":\"CopilotinMicrosoftEntra\",\"label\":\"Entra\"},{\"columnId\":\"CopilotInIntune\",\"label\":\"Intune\"},{\"columnId\":\"CopilotInAzureFirewall\",\"label\":\"AZFW\"}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"60\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IP_Data = \\n external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string, country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool)\\n [@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"]\\n with (ignoreFirstRecord=true, format=\\\"csv\\\");\\nCloudAppEvents\\n| where 
parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\n| extend ClientIP = tostring(RawEventData.ClientIP)\\n| extend IPaddresses=tostring(ClientIP)\\n| where isnotempty(IPaddresses) \\n| evaluate ipv4_lookup(IP_Data, IPaddresses, network)\\n| summarize interactioncount = count() by ClientIP, country_name\",\"size\":0,\"title\":\"Security Copilot Interactions by Location\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"latitude\":\"_TableName\",\"longitude\":\"_TableName\",\"sizeSettings\":\"interactioncount\",\"sizeAggregation\":\"Sum\",\"maxSize\":100,\"legendMetric\":\"interactioncount\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"SignInCount\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"40\",\"name\":\"query - 2\",\"styleSettings\":{\"padding\":\"0\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType in (\\\"320\\\", \\\"321\\\", \\\"322\\\")\\r\\n| project TimeGenerated, AccountDisplayName, Operation = ActionType , ClientIP = RawEventData.ClientIP, CopilotSettingsEventData_Resource = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| sort by TimeGenerated\\r\\n| take 50\",\"size\":0,\"title\":\"Security Copilot - Promptbook 
Interactions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Create\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Delete\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Update\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ClientIP\",\"formatter\":5}]}},\"customWidth\":\"60\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 313\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where Operation contains \\\"Enable\\\"\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property <> \\\"FileUploads\\\"\\r\\n| extend PluginsName = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue == \\\"Enabled\\\"\\r\\n| where PluginsName !contains \\\"ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| mv-expand todynamic(PluginsName)\\r\\n| project TimeGenerated, AccountDisplayName, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Enable Plugin 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"PluginsName\",\"label\":\"Plugin_Name\"}]}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where RawEventData.RecordType == 314\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue == \\\"Disabled\\\"\\r\\n| where parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property <> \\\"FileUploads\\\"\\r\\n| extend PluginsName = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where PluginsName !contains \\\"ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| mv-expand todynamic(PluginsName)\\r\\n| project TimeGenerated, AccountDisplayName, PluginsName\\r\\n| sort by TimeGenerated\",\"size\":0,\"title\":\"Disable Plugin\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"PluginsName\",\"label\":\"PluginName\"}]}},\"customWidth\":\"60\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CloudAppEvents\\r\\n| where parse_json(RawEventData)[\\\"AppIdentity\\\"] == 'Copilot.Security.SecurityCopilot'\\r\\n| where parse_json(RawEventData)[\\\"Workload\\\"] == 'Copilot'\\r\\n| where 
RawEventData.RecordType == 325\\r\\n| extend Operation = tostring(RawEventData.Operation)\\r\\n| where Operation <> \\\"DeleteFile\\\"\\r\\n| extend Property = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].Property)\\r\\n| where Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetTenant\\\" and Property != \\\"Skillsets.ApiValidatorDefangUrlSkillsetUser\\\"\\r\\n| extend NewValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.CopilotSettingsEventData)).Resource))[0].NewValue)\\r\\n| extend Property1 = substring(Property, 9) \\r\\n| extend Enable = NewValue\\r\\n| extend SettingLevel = case( Property1 contains \\\"AllowAuditLogging\\\", \\\"TenantLevel\\\", Property1 contains \\\"tenant\\\" , \\\"TenantLevel\\\", Property1 contains \\\"allowO365DataCollection\\\", \\\"TenantLevel\\\", Property1 contains \\\"User\\\", \\\"UserLevel\\\", \\\"Unknown\\\"\\r\\n)\\r\\n| project TimeGenerated, AccountDisplayName, Property1 ,SettingLevel, NewValue\\r\\n| sort by TimeGenerated, SettingLevel asc \",\"size\":0,\"title\":\"Change Setting 
Opertion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SettingLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"TenantLevel\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"NewValue\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"True\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"False\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"labelSettings\":[{\"columnId\":\"Property1\",\"label\":\"Action\"},{\"columnId\":\"NewValue\",\"label\":\"Value\"}]}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"audit\"},\"name\":\"group - 
12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"variables('WorkbookSourceId')\"],\"parameters\":[{\"id\":\"59e79699-280b-4339-8cd2-55624b203cac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"fefebdf8-9122-4dc4-ae76-5817d7e3bace\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"6cbd900c-7049-484c-a0eb-d23c1ac5ff38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"37403463-ff86-47c0-8d04-3f432d0413a3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"variables('WorkbookSourceId')\"},{\"id\":\"8ac8842a-fc4e-44fd-9542-72baf58224f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"resourceGroup\",\"type\":1,\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| where id == \\\"{Workspace}\\\"\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = 
tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| sort by timestamp\\r\\n| take 1\\r\\n| project toint(newValue)\",\"size\":4,\"title\":\"Number Of SCU's\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"newValue\",\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"30\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"arg(\\\"\\\").resourcechanges\\r\\n| extend timestamp = todatetime(properties[\\\"changeAttributes\\\"][\\\"timestamp\\\"])\\r\\n| where timestamp > ago(60d)\\r\\n| extend changes = properties[\\\"changes\\\"]\\r\\n| extend ResourceId = tostring(properties[\\\"targetResourceId\\\"])\\r\\n| extend CorrelationId = tostring(properties[\\\"changeAttributes\\\"][\\\"correlationId\\\"]) \\r\\n| extend changeType = tostring(properties.changeType)\\r\\n| where changeType == \\\"Update\\\"\\r\\n| where changes contains \\\"numberOfUnits\\\"\\r\\n| extend newValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).newValue)\\r\\n| extend previousValue = tostring(parse_json(tostring(changes.[\\\"properties.numberOfUnits\\\"])).previousValue)\\r\\n| extend changedBy = tostring(parse_json(tostring(properties.changeAttributes)).changedBy)\\r\\n| project timestamp, previousValue, newValue , changedBy\",\"size\":1,\"title\":\"SCU 
Chnages\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"70\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where ResourceProviderValue contains \\\"copilot\\\"\",\"size\":0,\"title\":\"SCU capacity Activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Nav\",\"comparison\":\"isEqualTo\",\"value\":\"SCU\"},\"name\":\"group - 4\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"variables('WorkbookSourceId')\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}",
"version": "1.0",
"sourceId": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('LogAnalyticsWorkspaceName'))]",
"category": "sentinel",
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture1.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture1.png
deleted file mode 100644
index a840013e..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture1.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture11.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture11.png
deleted file mode 100644
index 7d695da9..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture11.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture12.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture12.png
deleted file mode 100644
index 5e6e8ffd..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture12.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture13.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture13.png
deleted file mode 100644
index 4f89bb6b..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture13.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture14.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture14.png
deleted file mode 100644
index 255d812e..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture14.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture15.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture15.png
deleted file mode 100644
index 7c174ae6..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture15.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture16.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture16.png
deleted file mode 100644
index fd0e1f33..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture16.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture17.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture17.png
deleted file mode 100644
index 17086def..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture17.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture18.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture18.png
deleted file mode 100644
index 23be3ddf..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture18.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture19.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture19.png
deleted file mode 100644
index b5a5772f..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture19.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture2.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture2.png
deleted file mode 100644
index 20d50e96..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture2.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture20.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture20.png
deleted file mode 100644
index 9da2760c..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture20.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture3.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture3.png
deleted file mode 100644
index e6498121..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture3.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture4.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture4.png
deleted file mode 100644
index e6498121..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture4.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture5.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture5.png
deleted file mode 100644
index c118de26..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture5.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture6.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture6.png
deleted file mode 100644
index e80d24da..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture6.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture7.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture7.png
deleted file mode 100644
index 1c8f735f..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture7.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture8.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture8.png
deleted file mode 100644
index 75e7474b..00000000
Binary files a/Monitoring/IngestSecurityCopilotAuditlogs/images/Picture8.png and /dev/null differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/cfs_setting_1.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/cfs_setting_1.png
new file mode 100644
index 00000000..b4423907
Binary files /dev/null and b/Monitoring/IngestSecurityCopilotAuditlogs/images/cfs_setting_1.png differ
diff --git a/Monitoring/IngestSecurityCopilotAuditlogs/images/sentinel_XDR.png b/Monitoring/IngestSecurityCopilotAuditlogs/images/sentinel_XDR.png
new file mode 100644
index 00000000..b5bd3813
Binary files /dev/null and b/Monitoring/IngestSecurityCopilotAuditlogs/images/sentinel_XDR.png differ