Updates to enrichment plugins and funcapp

[cd1zz]

Updates to KQL and the function app powering the user submitted phishing email logicapp

[Copilot]

Pull Request Overview

This PR updates KQL queries and function app configurations for Microsoft Defender XDR enrichment plugins, specifically enhancing user-related security analysis capabilities. The changes improve query accuracy, add new functionality, and enhance documentation.

• Standardized case-insensitive user principal name matching across all queries
• Enhanced failed sign-in analysis with date-specific filtering and improved structure
• Added comprehensive 48-hour user sign-in activity monitoring capability

Comments suppressed due to low confidence (1)

Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/EnrichmentPlugins/UserEnrichment.yaml:698

• [nitpick] Variable naming inconsistency: 'UPN' is used here while other queries use lowercase 'upn'. Consider using consistent naming convention across all queries.

            let UPN = "{{upn}}";

[Copilot]

The 'date' parameter lacks input validation in the KQL template. Consider adding validation to ensure the date format matches YYYY-MM-DD and handle invalid date inputs gracefully to prevent query errors.

[Copilot]

Direct string interpolation of user input into datetime() function without validation could lead to injection issues or query failures. Consider validating the date format before using it in the KQL query.

Suggested change

	let startDate = datetime("{{date}}"); // Parse the input date (YYYY-MM-DD, UTC)
	let isValidDate = tostring("{{date}}") matches regex @"^\d{4}-\d{2}-\d{2}$"; // Validate date format (YYYY-MM-DD)
	let startDate = isValidDate ? datetime("{{date}}") : datetime(null); // Parse the input date or set to null if invalid
	let endDate = startDate + 1d; // Compute the end of the day window (exclusive)