diff --git a/Plugins/Community Based Plugins/SCU_All-in-One/SCU_All-in-One.yaml b/Plugins/Community Based Plugins/SCU_All-in-One/SCU_All-in-One.yaml
index ce679e50..2d189d51 100644
--- a/Plugins/Community Based Plugins/SCU_All-in-One/SCU_All-in-One.yaml
+++ b/Plugins/Community Based Plugins/SCU_All-in-One/SCU_All-in-One.yaml
@@ -16,4 +16,4 @@ SkillGroups:
 ResourceGroupName:
 WorkspaceName:
 Template: |-
- let CfS_Logins = SigninLogs | where AppDisplayName == "Medeina Portal" | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName; let SCU_Changes = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"| project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let SCU_Deleted = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete" | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated; union CfS_Logins, SCU_Changes, SCU_Deleted
+ let CfS_Logins = SigninLogs | where AppDisplayName == "Medeina Portal" | project TimeGenerated, Identity, Caller=UserPrincipalName, AppDisplayName, OperationName; let SCU_Changes = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"| project Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let Bad_Login = BehaviorAnalytics| where ActivityInsights.App == "Medeina Portal"| where ActivityInsights.Resource == "Medeina Service"| where ActivityType == "FailedLogOn"| project UserName, UserPrincipalName, ActionType, EventSource, SourceIPAddress, SourceIPLocation;let SCU_Deleted = AzureActivity | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/delete" | project Caller, resourceName, resourceGroupName, resourceActivity, TimeGenerated; let Intune_Activity = AADNonInteractiveUserSignInLogs | where AppDisplayName == "Microsoft Intune portal extension" | extend city_ = tostring(parse_json(LocationDetails).city) | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion) | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude) | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude) | extend state_ = tostring(parse_json(LocationDetails).state) | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs; let Defender_XDR = AADNonInteractiveUserSignInLogs | where AppDisplayName == "Microsoft 365 Security and Compliance Center" | where ResourceDisplayName has "Medeina" | extend city_ = tostring(parse_json(LocationDetails).city) | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion) | extend latitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).latitude) | extend longitude_ = tostring(parse_json(tostring(parse_json(LocationDetails).geoCoordinates)).longitude) | extend state_ = tostring(parse_json(LocationDetails).state) | project TimeGenerated, Identity, UserType, UserPrincipalName, city_, countryOrRegion_, state_, latitude_, longitude_, ResourceDisplayName, AppDisplayName, ProcessingTimeInMs; let Failed_MFA = SigninLogs | where TimeGenerated >= ago(24h) | where AppDisplayName == "Medeina Portal" | where ResultType == "50074" | extend city = LocationDetails.city | extend state = LocationDetails.state | extend region = LocationDetails.countryOrRegion | extend latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude | extend longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude | project UserDisplayName, UserPrincipalName, UserType, city, state, region, latitude, longitude, AADTenantId; union CfS_Logins, SCU_Changes, SCU_Deleted, Bad_Login, Intune_Activity, Defender_XDR, Failed_MFA
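Review bot: The new Bad_Login and Failed_MFA branches project no TimeGenerated column, so their rows reach the final `union` without a timestamp and cannot be ordered or correlated with the other five branches, all of which keep TimeGenerated in their projections; keeping `TimeGenerated` in both projections and tagging every branch with something like `| extend Source = "Failed_MFA"` before the union would make the mixed-schema result usable. Failed_MFA is also the only branch carrying its own `where TimeGenerated >= ago(24h)` bound, which is inconsistent with the other six and presumably narrows whatever time range the plugin's caller supplies, so it should either be dropped or applied uniformly. Intune_Activity has no Security Copilot scoping at all, unlike Defender_XDR's `where ResourceDisplayName has "Medeina"`, so it will return every Intune portal extension sign-in in the workspace; if only Copilot-related Intune activity is intended, the same filter would scope it.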