Maximize Your FREE 400 SCUs Monthly!
Automated compliance reporting powered by Microsoft Security Copilot

OSCAR is an intelligent, automated compliance and threat hunting platform that transforms Microsoft Security Copilot into your 24/7 security operations assistant. Built for security teams who want comprehensive compliance reporting without the manual effort.

✅ Automated Daily Execution - Set it and forget it ✅ 100+ Compliance Queries - NIST, CIS, MITRE ATT&CK coverage ✅ Audit Trail Guaranteed - Every query returns results (even "No Findings") ✅ Cost Efficient - Uses only 7.5% of your free monthly SCUs ✅ Production Ready - Deploy in minutes with ARM templates

┌─────────────────────────────────────────────────────────────┐
│  Security Copilot Agent (OSCAR)                             │
│  • 100+ KQL Compliance Queries                              │
│  • NIST CSF 2.0, NIST 800-53, CIS Controls v8               │
└────────────────┬────────────────────────────────────────────┘
                 │ API Call (1 SCU per execution)
                 ▼
┌─────────────────────────────────────────────────────────────┐
│  Azure Logic App                                            │
│  • Scheduled: Daily @ 8:00 AM UTC                           │
│  • Process: Strip markdown → Parse JSON → Send data         │
└────────────────┬────────────────────────────────────────────┘
                 │ HTTP Data Collector API
                 ▼
┌─────────────────────────────────────────────────────────────┐
│  Azure Sentinel / Log Analytics                             │
│  • Table: ComplianceReports_CL                              │
│  • 90-day retention                                         │
└────────────────┬────────────────────────────────────────────┘
                 │ KQL Queries
                 ▼
┌─────────────────────────────────────────────────────────────┐
│  Sentinel Workbooks (Future)                                │
│  • Compliance dashboards                                    │
│  • Trend analysis                                           │
└─────────────────────────────────────────────────────────────┘

• Azure subscription with Sentinel workspace
• Microsoft Security Copilot license (free tier: 400 SCUs/month)
• Azure CLI installed
• Contributor access to resource group

1. Go to Microsoft Security Copilot Portal
2. Navigate to Custom Agents
3. Click Import and upload CONTEXT/agent-manifest-rebuild.yaml
4. Click Publish

# Clone the repository
git clone https://github.com/bobsyourmom/OSCAR.git
cd OSCAR

# Login to Azure
az login

# Deploy production Logic App
cd prod
az deployment group create \
  --resource-group sentinel \
  --template-file logicapp-copilot-failedauth.json \
  --parameters logicAppName="ComplianceReports-FailedAuth-Copilot" \
              workspaceId="YOUR_WORKSPACE_ID" \
              workspaceName="sentinel" \
  --mode Incremental

1. Go to Azure Portal → Resource Groups → sentinel
2. Find securitycopilot-failedauth connection
3. Click Edit API Connection → Authorize → Sign in
4. Save the connection

The azureloganalyticsdatacollector-copilot connection is auto-configured during deployment

# Manually trigger the Logic App from Azure Portal
# Wait 5-10 minutes for data ingestion

# Query the results (replace YOUR_WORKSPACE_ID with your actual workspace ID)
az monitor log-analytics query \
  --workspace YOUR_WORKSPACE_ID \
  --analytics-query "ComplianceReports_CL | where TimeGenerated > ago(1h) | take 10"

OSCAR/
├── prod/                           # Production files
│   └── logicapp-copilot-failedauth.json
├── test/                           # Test files (no SCU consumption)
│   ├── logicapp-test-single.json
│   └── test-webhook-data.py
├── CONTEXT/                        # Reference files
│   ├── agent-manifest-rebuild.yaml
│   ├── claude_audit.log
│   └── README-original.md
├── oscar blue glasses.png          # OSCAR mascot
├── architecture-diagram.svg        # Visual architecture
├── README.md                       # This file
├── PROJECT_STATUS.md               # Quick reference
└── TOOLS_AND_COMPONENTS.md         # Complete tools list

Want to test the complete flow without using your Security Copilot credits?

cd test
az deployment group create \
  --resource-group sentinel \
  --template-file logicapp-test-single.json \
  --parameters workspaceId="YOUR_WORKSPACE_ID" \
              workspaceName="sentinel" \
  --mode Incremental

This deploys a Logic App with static simulated data that tests:

• ✅ Markdown stripping
• ✅ JSON parsing
• ✅ Log Analytics ingestion
• ✅ Complete end-to-end flow

Zero SCUs consumed!

OSCAR includes 100+ pre-built KQL queries across multiple frameworks:

• MITREAttackReport - MITRE ATT&CK technique detection
• FailedAuthenticationReport - Failed login attempts and patterns
• AdminActivityReport - Privileged account activity monitoring
• HighSeverityAlertsReport - Critical security alerts
• DataExfiltrationReport - Suspicious data transfer detection
• PrivilegedAccountUsageReport - Admin account usage tracking
• NetworkAnomalyReport - Unusual network behavior
• EndpointSecurityComplianceReport - Device compliance status
• MFAStatusReport - Multi-factor authentication coverage
• VulnerabilityManagementReport - CVE and patch status
• BackupVerificationReport - Backup health monitoring
• FirewallRuleChangesReport - Network security changes
• SuspiciousProcessExecutionReport - Unusual process activity

• ✅ NIST Cybersecurity Framework 2.0
• ✅ NIST SP 800-53 Rev 5
• ✅ CIS Controls v8
• 🔜 HIPAA, PCI-DSS, SOC 2, ISO 27001 (customizable)

Edit the Logic App prompt in the Run_Copilot_FailedAuth_Report action:

{
  "PromptContent": "Using the Compliance&SecOpsAutomatedReportingAgent custom agent, execute the [ReportName] KQL skill and return only the raw JSON results"
}

Replace [ReportName] with any skill from the agent manifest (e.g., MitreAttackReport, FailedAuthenticationReport).

Edit the Recurrence trigger:

• Frequency: Day / Week / Month
• Interval: 1
• Time Zone: UTC
• At these hours: 8 (8:00 AM)

Add your own KQL queries to CONTEXT/agent-manifest-rebuild.yaml:

- Name: CustomComplianceCheck
  DisplayName: Custom Compliance Check
  Description: Your custom query description
  Settings:
    Target: LogAnalytics
    Template: |-
      let findings = YourTable
      | where TimeGenerated > ago(24h)
      | project TimeGenerated, Field1, Field2;

      let hasResults = toscalar(findings | count) > 0;

      union findings,
      (print placeholder = 1
      | where not(hasResults)
      | extend FindingType = "No Findings", Status = "Completed"
      | project-away placeholder)

• ✅ No Hardcoded Secrets - All credentials managed through Azure Key Vault
• ✅ OAuth Authentication - Security Copilot connection uses OAuth 2.0
• ✅ RBAC Controls - Role-based access through Azure AD
• ✅ Managed Connectors - Azure Log Analytics Data Collector handles HMAC auth
• ✅ Audit Trail - Complete execution history in Logic App runs
• ✅ Data Sovereignty - All data stays within your Azure tenant

• Security Copilot: ~1 SCU
• Logic App: ~$0.01 (Consumption tier)
• Log Analytics: Data ingestion charges (minimal)

• Security Copilot: ~30 SCUs (7.5% of free 400 SCUs)
• Logic App: ~$0.30
• Total: Essentially FREE if using free SCU tier!

1. Check Logic App run history (all actions green?)
2. Verify API connections are authorized
3. Check Send_Data action output (Status 200?)
4. Wait 5-10 minutes for ingestion latency
5. Query: ComplianceReports_CL | where TimeGenerated > ago(1h)

Security Copilot wraps JSON in markdown code fences. The Extract_JSON_from_Markdown action handles this automatically.

Skill names are case-sensitive. Use exact names from agent manifest:

• ✅ MitreAttackReport
• ❌ MITREAttackReport

Always use the Azure Log Analytics Data Collector connector. Manual HMAC calculation is not supported in Logic Apps.

• Build Sentinel workbook for visualization
• Create compliance dashboard
• Add alerting for critical findings

• Consolidate into single parameterized Logic App
• Support for additional frameworks (HIPAA, PCI-DSS, SOC 2)
• Historical trending and compliance scoring
• Multi-tenant support for MSSPs

• Automated remediation playbooks
• PDF/Excel export for audits
• Integration with ticketing systems (ServiceNow, Jira)
• Custom compliance framework builder

We welcome contributions! Please see CONTRIBUTING.md for details.

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-query)
3. Add your KQL query to the agent manifest
4. Test with the test Logic App (no SCU consumption)
5. Commit your changes (git commit -m 'Add amazing compliance query')
6. Push to the branch (git push origin feature/amazing-query)
7. Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.

• Microsoft Security Copilot team for the amazing AI platform
• Azure Sentinel team for the robust SIEM foundation
• Level Blue / Trustwave for sponsoring development
• The security community for compliance framework guidance

• Documentation: README.md | PROJECT_STATUS.md
• Issues: GitHub Issues
• Discussions: GitHub Discussions
• Professional Services: Contact Level Blue for custom deployments

If OSCAR helps your security operations, give us a ⭐ on GitHub!

Built with ❤️ by Level Blue Security Team
Maximizing security outcomes through intelligent automation