From 6ba858a685ace34722853afe4cfc3dcb66021dbf Mon Sep 17 00:00:00 2001
From: miyacho6712
Date: Mon, 16 Dec 2024 12:39:27 -0500
Subject: [PATCH 1/2] add sentineldailyoperations
---
 .../KQL_SentinelDailyOperationsSample.yaml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml
diff --git a/Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml b/Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml
new file mode 100644
index 00000000..2a2f8a83
--- /dev/null
+++ b/Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml
@@ -0,0 +1,40 @@
+Descriptor:
+ Name: DefenderDailyOperations
+ DisplayName: Defender Daily Operations
+ Description: XDR Scenarios we use repeatedly for daily operations.
+SkillGroups:
+ - Format: KQL
+ Skills:
+ - Name: GetDefenderDevices
+ DisplayName: Get Defender Devices
+ Description: Get the top 10 devices from defender based on device state, exposure etc for the last 8 hours
+ Inputs:
+ - Name: devicehealthstate
+ Description: Provide the state of the device you want to fetch - e.g. Active
+ Required: true
+ - Name: exposurelevel
+ Description: provide the exposure level you want to consider - e.g. High, Medium, Low
+ Required: false
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceInfo
+ | where SensorHealthState =~ '{{devicehealthstate}}'
+ | where ExposureLevel contains '{{exposurelevel}}'
+ | where TimeGenerated > ago(8h)
+ | project DeviceName,DeviceCategory,OnboardingStatus,SensorHealthState, LoggedOnUsers, ExposureLevel, JoinType,TimeGenerated
+ | top 10 by TimeGenerated desc
+ - Name: GetLatestEmailsByRecipient
+ DisplayName: Get Latest Emails By Recipient
+ Description: Fetches the latest emails received by the user with the specified email address
+ Inputs:
+ - Name: email
+ Description: The email address of the recipient - e.g. xxxxxxx@contoso.com
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ EmailEvents
+ | where RecipientEmailAddress =~ '{{email}}'
+ | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, Subject, DeliveryLocation
+ | top 100 by Timestamp desc
\ No newline at end of file
From 8e89595bedbd7b2f3d912607b7439c802d23e120 Mon Sep 17 00:00:00 2001
From: miyacho6712
Date: Mon, 16 Dec 2024 12:52:14 -0500
Subject: [PATCH 2/2] removing testing data
---
 .../KQL_SentinelDailyOperationsSample.yaml | 40 -------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml
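Review bot: Both Template blocks splice the user-supplied inputs straight into single-quoted KQL string literals (`'{{devicehealthstate}}'`, `'{{exposurelevel}}'`, `'{{email}}'`), so unless the plugin host escapes quotes before substitution, a value containing a `'` alters the query instead of being matched as data; narrowing the inputs to the values the descriptions already hint at (Active; High/Medium/Low) and stating in the email Description that a single address is expected would reduce that surface. The optional exposurelevel input, when omitted, leaves `| where ExposureLevel contains '{{exposurelevel}}'` to run with either an empty string or the raw placeholder depending on how the host treats missing inputs, and the skill's Description should say which rows that returns. The two skills also disagree on the timestamp column for the same Target, `TimeGenerated` in GetDefenderDevices versus `Timestamp` in GetLatestEmailsByRecipient; if Target: Defender runs against the advanced-hunting schema, DeviceInfo presumably exposes Timestamp as well, which is worth confirming before relying on the 8h window. The Descriptor Name is DefenderDailyOperations while the directory and the commit subject say Sentinel, and the second patch in this series deletes this same file, so the series as a whole is a no-op.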
diff --git a/Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml b/Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml
deleted file mode 100644
index 2a2f8a83..00000000
--- a/Plugins/Community Based Plugins/Sentinel/SentinelDailyOperations/KQL_SentinelDailyOperationsSample.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-Descriptor:
- Name: DefenderDailyOperations
- DisplayName: Defender Daily Operations
- Description: XDR Scenarios we use repeatedly for daily operations.
-SkillGroups:
- - Format: KQL
- Skills:
- - Name: GetDefenderDevices
- DisplayName: Get Defender Devices
- Description: Get the top 10 devices from defender based on device state, exposure etc for the last 8 hours
- Inputs:
- - Name: devicehealthstate
- Description: Provide the state of the device you want to fetch - e.g. Active
- Required: true
- - Name: exposurelevel
- Description: provide the exposure level you want to consider - e.g. High, Medium, Low
- Required: false
- Settings:
- Target: Defender
- Template: |-
- DeviceInfo
- | where SensorHealthState =~ '{{devicehealthstate}}'
- | where ExposureLevel contains '{{exposurelevel}}'
- | where TimeGenerated > ago(8h)
- | project DeviceName,DeviceCategory,OnboardingStatus,SensorHealthState, LoggedOnUsers, ExposureLevel, JoinType,TimeGenerated
- | top 10 by TimeGenerated desc
- - Name: GetLatestEmailsByRecipient
- DisplayName: Get Latest Emails By Recipient
- Description: Fetches the latest emails received by the user with the specified email address
- Inputs:
- - Name: email
- Description: The email address of the recipient - e.g. xxxxxxx@contoso.com
- Required: true
- Settings:
- Target: Defender
- Template: |-
- EmailEvents
- | where RecipientEmailAddress =~ '{{email}}'
- | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, Subject, DeliveryLocation
- | top 100 by Timestamp desc
\ No newline at end of file