Plugins/Community Based Plugins/SCU Changes/KQL_Plugin_SCU_Changes.yaml (18 lines of code) (raw):
Descriptor:
Name: SCUChanges
DisplayName: SCU Changes
Description: Looks for SCU changes in the last 3 days
SkillGroups:
- Format: KQL
Skills:
- Name: SCUChanges
DisplayName: SCU Changes
Description: Looks for SCU changes in the last 3 days
Settings:
Target: Sentinel
TenantId: <your_tenant_ID>
SubscriptionId: <your_sub_ID>
ResourceGroupName: <your_RG>
WorkspaceName: <your_Sentinel_WS>
Template: |-
AzureActivity | where TimeGenerated >= ago(3d) | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT" | extend resourceName = tostring(parse_json(Properties).resource) | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup) | extend resourceActivity = tostring(parse_json(Properties).message) | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"| distinct Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity