Plugins/Community Based Plugins/SCU Changes/KQL_Plugin_SCU_Changes.yaml

Descriptor:
  Name: SCUChanges
  DisplayName: SCU Changes
  Description: Looks for SCU changes in the last 3 days

SkillGroups:
  - Format: KQL
    Skills:
      - Name: SCUChanges
        DisplayName: SCU Changes
        Description: Looks for SCU changes in the last 3 days
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_sub_ID>
          ResourceGroupName: <your_RG>
          WorkspaceName: <your_Sentinel_WS>
          Template: |-
            AzureActivity
            | where TimeGenerated >= ago(3d)
            | where ResourceProviderValue == "MICROSOFT.SECURITYCOPILOT"
            | extend resourceName = tostring(parse_json(Properties).resource)
            | extend resourceGroupName = tostring(parse_json(Properties).resourceGroup)
            | extend resourceActivity = tostring(parse_json(Properties).message)
            | where resourceActivity == "Microsoft.SecurityCopilot/capacities/write"
            | distinct Caller, CallerIpAddress, resourceName, resourceGroupName, resourceActivity