Merge pull request #186 from mariocuomo/main

[standardization] Copilot Logins, Redact PII, IP Geolocation

Author: KwachSean

Images/Community Plugins/RedactPII/RedactPIIPrompt.png

@@ -0,0 +1,24 @@
+Descriptor:
+  Name: SecurityCopilotLoginsStandalone
+  DisplayName: Security Copilot Portal Logins
+  Description: Identifies Security Copilot Portal logins in the last 3 days
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: SecurityCopilotLogins
+        DisplayName: Security Copilot Portal Logins
+        Description: Fetches Security Copilot Standalone Portal logins in the last 3 days - for each identity, the count of logins performed is returned
+        Settings:
+          Target: Sentinel
+          TenantId: <your_tenant_ID>
+          SubscriptionId: <your_subscription_ID>
+          ResourceGroupName: <your_RG_name>
+          WorkspaceName: <your_WS_name>
+          Template: |-
+            SigninLogs
+            | where TimeGenerated >= ago(3d)
+            | where AppDisplayName == "Security Copilot"
+            | project TimeGenerated, Identity, UserPrincipalName, OperationName
+            | summarize count() by Identity
+            | order by count_

Images/Community Plugins/SecurityCopilotLogins/LoginsAndAnomalies.png

@@ -1,20 +1,49 @@
-# Security Copilot Plugin: Security Copilot Portal Logins
+# Security Copilot Login Activities
 
-### **This plugin enables you to track how many logins there have been to the Security Copilot standalone experience and who did it.**
+## DESCRIPTION
+This plugin enables you to track how many logins there have been to the Security Copilot standalone experience and who did it. For each identity, the count of logins performed is returned.
 
-### Pre-requisites
+---
 
--   [Security Copilot Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
--   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
--   [Microsoft Sentinel Workspace](https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard) created.
--   Parameters for KQL Plugin - Microsoft Sentinel Workspace Name, Subscription ID, Resource Group Name and Entra Tenant ID
+## TYPE AND REQUIREMENTS
+**TYPE**: KQL (Sentinel) <br>
+**SOURCE**: _Signinlogs_ table <br>
+**REQUIREMENTS**: Log Analytics Workspace with Sentinel enabled 
 
-### Instructions
+---
 
-#### Upload the Custom Plugin
+## SKILLS
+
+<table>
+  <tbody>
+    <tr>
+      <th>SkillName</th>
+      <th align="center">Description</th>
+      <th align="center">Parameters</th>
+    </tr>
+    <tr>
+      <td><b>SecurityCopilotLogins</b></td>
+      <td align="center">Fetches Security Copilot Standalone Portal logins in the last 3 days</td>
+      <td>
+        <ul>
+        </ul>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+
+---
+
+## SAMPLE PROMPTS
+
+- `« Fetches Security Copilot Standalone Portal logins in the last 3 days and detect if there are anomalies in user accesses »`
+---
+
+## SCREENSHOTS
+<div align="center">
+  <img src="https://github.com/mariocuomo/Security-Copilot/blob/main/Images/Community%20Plugins/SecurityCopilotLogins/LoginsAndAnomalies.png" width="700"> </img>
+</div>
 
-1.  Obtain the file KQL_Plugin_CfSLogins.yaml from this directory.
-2.  Modify the yaml file to specify your specific Entra TentantId, SubscriptionId, ResourceGroupName and WorkspaceName for your Sentinel instance.
-3.  Upload the custom plugin
 
 For more information, see: [Security Copilot Plugin: Security Copilot Portal Logins](https://rodtrent.substack.com/p/copilot-for-security-plugin-copilot)

Plugins/Community Based Plugins/Copilot Logins/KQL_Plugin_CfSLogins.yaml

@@ -1,18 +1,52 @@
-# Security Copilot Plugin: Rdact PII
+# Redact Personally Identifiable Information 
 
-### **This plugin will redcat PII content from a session or a prompt ouput. It will also redact Entra ID object IDs theat may also be sensistive, for example GUIDs for an identity**
+## DESCRIPTION
+This plugin will redcat PII content from a session or a prompt ouput. It will also redact Entra ID object IDs theat may also be sensistive, for example GUIDs for an identity
 
-### Pre-requisites
+---
 
--   [Security Copilot Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
--   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
--   [Microsoft Defencer XDR](https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender) 
+## TYPE AND REQUIREMENTS
+**TYPE**: GPT <br>
+**SOURCE**: None <br>
+**REQUIREMENTS**: None 
 
--   Plugin uses permissions of the user setting it up 
+---
 
-### Instructions
+## SKILLS
 
-#### Upload the Custom Plugin
+<table>
+  <tbody>
+    <tr>
+      <th>SkillName</th>
+      <th align="center">Description</th>
+      <th align="center">Parameters</th>
+    </tr>
+    <tr>
+      <td><b>RedactPII</b></td>
+      <td align="center">Redacts Personally Identifiable Information (PII) from the provided text</td>
+      <td>
+        <ul>
+          <li>
+            <i>text</i>
+          </li>
+        </ul>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+
+---
+
+## SAMPLE PROMPTS
+
+- `« Redacts Personally Identifiable Information (PII) from the provided text: <YOUR-TEXT> »`
+
+---
+
+## SCREENSHOTS
+<div align="center">
+  <img src="https://github.com/mariocuomo/Security-Copilot/blob/main/Images/Community%20Plugins/RedactPII/RedactPIIPrompt.png" width="700"> </img>
+</div>
 
-1.  Obtain the file RedactPII.yaml from this directory.