diff --git a/README.md b/README.md
index 486b0f9..b901e75 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ __Current log sources supported__ :
 - _azure\_waf_
 - _cef_
 - _cisco\_meraki_
+- _cloudflare_
 - _cyberark\_pam_
 - _darktrace_
 - _entra\_id_
@@ -23,6 +24,7 @@ __Current log sources supported__ :
 - _m365_
 - _okta_
 - _sentinelone_
+- _sophos\_endpoint_
 - _syslog_
 - _ti_
 - _windows\_security_
diff --git a/modules/rules/cloudflare/cloudflare_-_bad_client_ip.json b/modules/rules/cloudflare/cloudflare_-_bad_client_ip.json
new file mode 100644
index 0000000..e83f038
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_bad_client_ip.json
@@ -0,0 +1,45 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects requests from IP with bad reputation index.",
+ "displayName": "Cloudflare - Bad client IP",
+ "enabled": true,
+ "query": "let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);\nCloudflare\n| where ClientIPClass in~ (ip_reputation)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "a7ce6135-9d55-4f14-b058-adc2e920a4fa",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_client_request_from_country_in_blocklist.json b/modules/rules/cloudflare/cloudflare_-_client_request_from_country_in_blocklist.json
new file mode 100644
index 0000000..8ad1f7a
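Review bot: `'unknown'` in the `ip_reputation` list makes the rule fire on every request whose `ClientIPClass` Cloudflare could not classify, and with `triggerThreshold` 0 and no `summarize` that is one Medium alert per matching request every hour. Consider dropping `'unknown'` from the list, or aggregating before alerting, e.g. `| summarize req_cnt = count(), Uris = make_set(ClientRequestURI, 10) by SrcIpAddr, ClientIPClass` followed by `| extend IPCustomEntity = SrcIpAddr` so the IP entity mapping still resolves. `T1133` (External Remote Services) is a stretch for reputation-flagged web traffic; `T1595` (Active Scanning) fits the `securityScanner`/`scan` classes better.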
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_client_request_from_country_in_blocklist.json
@@ -0,0 +1,45 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects requests from countries which are in blocklist.",
+ "displayName": "Cloudflare - Client request from country in blocklist",
+ "enabled": true,
+ "query": "let bl_countries = dynamic(['cn', 'hk']);\nCloudflare\n| where SrcGeoCountry in~ (bl_countries)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "40554544-6e4a-4413-8d14-bf2de939c5d9",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_empty_user_agent.json b/modules/rules/cloudflare/cloudflare_-_empty_user_agent.json
new file mode 100644
index 0000000..1e51ae6
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_empty_user_agent.json
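Review bot: the blocklist `dynamic(['cn', 'hk'])` is hard-coded inside the query, so changing the countries means editing and redeploying the rule, and the same list cannot be shared with other rules. A Sentinel watchlist is the usual home for this kind of tuning input: `let bl_countries = _GetWatchlist('<watchlist-name>') | project Country;` with the `| where SrcGeoCountry in~ (bl_countries)` line left as is. The `description` should also name where the list is maintained, since "countries which are in blocklist" gives an analyst no pointer to it.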
@@ -0,0 +1,36 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects requests where user agent is empty.",
+ "displayName": "Cloudflare - Empty user agent",
+ "enabled": true,
+ "query": "Cloudflare\n| where isempty(HttpUserAgentOriginal)\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "729c6d21-fad9-4a6a-9c7f-482393c95957",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_multiple_error_requests_from_single_source.json b/modules/rules/cloudflare/cloudflare_-_multiple_error_requests_from_single_source.json
new file mode 100644
index 0000000..5eed525
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_multiple_error_requests_from_single_source.json
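Review bot: `isempty(HttpUserAgentOriginal)` fires per request at `triggerThreshold` 0, and an absent User-Agent is common for health checks, API clients and some CLI tools, so at Medium severity this will be noisy. A per-source aggregate with a threshold, e.g. `| summarize req_cnt = count(), Uris = make_set(ClientRequestURI, 10) by SrcIpAddr, bin(TimeGenerated, 5m)` followed by `| where req_cnt > threshold` and `| extend IPCustomEntity = SrcIpAddr`, would mirror the other rules in this commit and keep the IP entity mapping intact. The `description` should then state the threshold so analysts know what "empty user agent" actually triggers on.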
@@ -0,0 +1,36 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects multiple failure requests from single source in short timeframe.",
+ "displayName": "Cloudflare - Multiple error requests from single source",
+ "enabled": true,
+ "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_multiple_user_agents_for_single_source.json b/modules/rules/cloudflare/cloudflare_-_multiple_user_agents_for_single_source.json
new file mode 100644
index 0000000..cd37ad7
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_multiple_user_agents_for_single_source.json
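Review bot: the query never filters on the HTTP status code, so despite the description ("multiple failure requests") it counts every GET and alerts on any source that sends more than 100 GETs in a 5-minute bin — a busy legitimate client will trip it every hour. Add a status filter before the `summarize`, e.g. `| where tostring(HttpStatusCode) startswith '4' or tostring(HttpStatusCode) startswith '5'`, which uses the same column the "Unexpected POST requests" rule in this commit already relies on. The `=~ 'GET'` method filter also drops failing POST/PUT requests for no stated reason; if that is intentional the `description` should say so, otherwise remove it.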
@@ -0,0 +1,36 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects requests with different user agents from one source in short timeframe.",
+ "displayName": "Cloudflare - Multiple user agents for single source",
+ "enabled": true,
+ "query": "let threshold = 10;\nCloudflare\n| where isnotempty(HttpUserAgentOriginal)\n| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)\n| where d_ua > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "fc50076a-0275-43d5-b9dd-38346c061f67",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_unexpected_client_request.json b/modules/rules/cloudflare/cloudflare_-_unexpected_client_request.json
new file mode 100644
index 0000000..58104c8
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_unexpected_client_request.json
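Review bot: the `summarize` keeps only `d_ua` and `SrcIpAddr`, so the alert reports how many distinct user agents a source rotated through but none of the values, and an analyst has to re-query to see what they were. Adding `UserAgents = make_set(HttpUserAgentOriginal, 10)` to the `summarize` clause (the max-size argument keeps the set bounded) gives triage context at no cost. Note also that a source staying above the threshold produces one row per 3-minute bin inside the hour, which with `suppressionEnabled` false means several alerts for one event; a second `summarize arg_max(TimeGenerated, *) by SrcIpAddr` after the threshold filter would collapse them.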
@@ -0,0 +1,36 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects client requests to unusual client request.",
+ "displayName": "Cloudflare - Unexpected client request",
+ "enabled": true,
+ "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/') \n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "f32142b1-4bcb-45c0-92e4-2ddc18768522",
+ "templateVersion": "1.0.1"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_unexpected_post_requests.json b/modules/rules/cloudflare/cloudflare_-_unexpected_post_requests.json
new file mode 100644
index 0000000..e007439
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_unexpected_post_requests.json
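Review bot: `has_any` matches on indexed terms rather than substrings, so `'/admin'` and `'wp-admin'` effectively hit any path containing the term `admin` — including legitimate use of a site's own admin UI — and at `triggerThreshold` 0 each such request becomes a Medium alert. The sensitive-file probes (`'.htaccess'`, `'/etc/passwd'`, …) are a different signal from admin-path access and would be less noisy as their own rule, or at least behind a per-source `summarize` with a count threshold. The `description` text "Detects client requests to unusual client request." is garbled; something like "Detects GET requests to admin interfaces or sensitive system file paths." says what the query does. `templateVersion` is `1.0.1` here while every other new rule in this commit starts at `1.0.0`.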
@@ -0,0 +1,37 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects post requests to unusual extensions.",
+ "displayName": "Cloudflare - Unexpected POST requests",
+ "enabled": true,
+ "query": "Cloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where tostring(HttpStatusCode) startswith '2'\n| where DstBytes != 0 or SrcBytes != 0\n| extend fe = extract(@'.*(\\.\\w+)$', 1, ClientRequestURI)\n| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "Persistence",
+ "CommandAndControl"
+ ],
+ "techniques": [
+ "T1505",
+ "T1071"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_unexpected_uri.json b/modules/rules/cloudflare/cloudflare_-_unexpected_uri.json
new file mode 100644
index 0000000..f86f986
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_unexpected_uri.json
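Review bot: `'.pttx'` in the extension list looks like a typo for `'.pptx'`; as written, PowerPoint uploads never match while a non-existent extension does. Separately, `extract(@'.*(\\.\\w+)$', 1, ClientRequestURI)` anchors on end of string, so a URI with a query string (`/upload.png?x=1`) yields an empty `fe` and is silently skipped; if the intent is the path's extension, strip the query first, e.g. `extract(@'.*(\\.\\w+)$', 1, tostring(split(ClientRequestURI, '?')[0]))`. `'.icon'` next to `'.ico'` may be deliberate but is worth a word in `description` so the next maintainer does not "fix" it.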
@@ -0,0 +1,36 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects client requests to unusual URI.",
+ "displayName": "Cloudflare - Unexpected URI",
+ "enabled": true,
+ "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI matches regex @'(127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "dcb797cd-a4cd-4306-897b-7991f71d7e27",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_waf_allowed_threat.json b/modules/rules/cloudflare/cloudflare_-_waf_allowed_threat.json
new file mode 100644
index 0000000..567d0ed
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_waf_allowed_threat.json
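Review bot: the private-range regex is unanchored on the left, so `(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})` also matches inside `210.4.5.6` or a version-like segment such as `v10.2.3.4`, and `(127\\.…)` matches `3127.…`, which turns ordinary numeric path segments into Medium alerts. A leading `\\b` on each alternative fixes that, and the three `172.` alternatives can collapse to `(172\\.(1[6-9]|2[0-9]|3[0-1])\\.\\d{1,3}\\.\\d{1,3})`. The trailing `\\d{1,3}` is likewise unanchored on the right; a closing `\\b` keeps the match to a complete address. The `description` "unusual URI" should say the rule looks for private/loopback addresses embedded in the request URI, since nothing else in the query explains the intent.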
@@ -0,0 +1,45 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects WAF \"Allowed\" action on threat events.",
+ "displayName": "Cloudflare - WAF Allowed threat",
+ "enabled": true,
+ "query": "Cloudflare\n| where isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)\n| where WAFAction =~ 'Allow'\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "f53fe2a9-96b5-454c-827e-cf1764a67fb0",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/cloudflare/cloudflare_-_xss_probing_pattern_in_request.json b/modules/rules/cloudflare/cloudflare_-_xss_probing_pattern_in_request.json
new file mode 100644
index 0000000..f7f7b0a
--- /dev/null
+++ b/modules/rules/cloudflare/cloudflare_-_xss_probing_pattern_in_request.json
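Review bot: `WAFAction =~ 'Allow'` together with `isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)` presumably also matches requests that hit a rule whose configured action is allow (exception or skip rules), and with `triggerThreshold` 0 every such request becomes a High alert each hour. If the intent is "a rule that should have blocked did not", the query needs an exclusion for known-allow rules, e.g. `let allow_rules = dynamic([]);` and `| where WAFRuleID !in (allow_rules)`, and ideally a `summarize` by `SrcIpAddr, WAFRuleID` so one scanner does not produce hundreds of High alerts. The `description` should state which Cloudflare action values are expected in `WAFAction`, since the comparison is exact apart from case and any other spelling silently matches nothing.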
@@ -0,0 +1,45 @@
+{
+ "kind": "Scheduled",
+ "properties": {
+ "description": "Detects XSS probing patterns.",
+ "displayName": "Cloudflare - XSS probing pattern in request",
+ "enabled": true,
+ "query": "let s_threshold = 3;\nCloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| extend susp_ch = countof(ClientRequestURI, '%00')\n| where ClientRequestURI matches regex @'(alert\\()|(alert\\%28)|(String\\.fromCharCode\\()|(expression\\(alert)' or susp_ch > s_threshold\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
+ }
+ ]
+ }
+ ],
+ "alertRuleTemplateName": "4d9d00b9-31a6-49e4-88c1-9e68277053ac",
+ "templateVersion": "1.0.0"
+ }
+}
diff --git a/modules/rules/ti/preview_-_ti_map_email_entity_to_cloud_app_events.json b/modules/rules/ti/preview_-_ti_map_email_entity_to_cloud_app_events.json
index f92b8ce..c202363 100644
--- a/modules/rules/ti/preview_-_ti_map_email_entity_to_cloud_app_events.json
+++ b/modules/rules/ti/preview_-_ti_map_email_entity_to_cloud_app_events.json
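Review bot: `matches regex` is case-sensitive in KQL, so `(alert\\()` misses `Alert(` / `ALERT(` and `(alert\\%28)` only covers a lowercase `%28`; prefixing the pattern with `(?i)` handles both without widening it otherwise. The `HttpRequestMethod in~ ('POST', 'PUT')` filter means the pattern is only checked on POST/PUT URIs, yet `ClientRequestURI` carries the query string for GET requests as well, where reflected-input probing is at least as common; if excluding GET is deliberate the `description` should say so, otherwise drop the method filter. `s_threshold = 3` for `countof(ClientRequestURI, '%00')` is unexplained — a short comment in the query (`// more than N encoded NUL bytes in one URI`) would help whoever tunes it.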
@@ -4,7 +4,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's email entity from TI", "displayName": "Preview - TI map Email entity to Cloud App Events", "enabled": true, - "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where User_Id != \"\"\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| extend User_id = tostring(User_Id)\n| where User_id matches regex emailregex) on $left.EmailSenderAddress == $right.User_id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_id\n| extend Name = tostring(split(User_id, '@', 0)[0]), UPNSuffix = tostring(split(User_id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", + "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress == 
$right.User_Id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -20,24 +20,24 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "DisplayName", - "columnName": "Name" + "columnName": "Name", + "identifier": "DisplayName" }, { - "identifier": "FullName", - "columnName": "User_Id" + "columnName": "User_Id", + "identifier": "FullName" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ], "alertRuleTemplateName": "47b9bb10-d216-4359-8cef-08ca2c67e5be", - "templateVersion": "1.0.2" + "templateVersion": "1.0.3" } } diff --git a/modules/rules/ti/preview_-_ti_map_ip_entity_to_cloud_app_events.json b/modules/rules/ti/preview_-_ti_map_ip_entity_to_cloud_app_events.json index 5c3686d..2fc5e97 100644 --- a/modules/rules/ti/preview_-_ti_map_ip_entity_to_cloud_app_events.json +++ b/modules/rules/ti/preview_-_ti_map_ip_entity_to_cloud_app_events.json 
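Review bot: the join `on $left.EmailSenderAddress == $right.User_Id` is an exact, case-sensitive comparison, so an indicator whose address differs only in case from the `UserId` in `RawEventData` (illustratively `Alice@Example.com` vs `alice@example.com`) never matches and the miss is silent; normalising both sides before the join — `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side and `| extend User_Id = tolower(tostring(RawEventData.UserId))` on the CloudAppEvents side — avoids that. The rename to `User_Id` throughout is consistent with the `"columnName": "User_Id"` mapping, which is good. `summarize CloudAppEvents_TimeGenerated = argmax(...)` uses the legacy `argmax` spelling while the indicator side uses `arg_max`; aligning them is cosmetic but reduces confusion about the resulting column names.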
@@ -4,7 +4,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's IP entity from TI", "displayName": "Preview - TI map IP entity to Cloud App Events", "enabled": true, - "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | project 
CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n", + "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where isnotempty(IPAddress)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | 
project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -20,43 +20,43 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkDestinationIP" + "columnName": "NetworkDestinationIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkSourceIP" + "columnName": "NetworkSourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "EmailSourceIPAddress" + "columnName": "EmailSourceIPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "alertRuleTemplateName": "4e0a6fc8-697e-4455-be47-831b41ea91ac", - "templateVersion": "1.0.2" + "templateVersion": "1.0.3" } } diff --git a/modules/rules/ti/ti_map_domain_entity_to_dns_events__asim_dns_schema_.json b/modules/rules/ti/ti_map_domain_entity_to_dns_events__asim_dns_schema_.json index 066acb1..2849bed 100644 --- a/modules/rules/ti/ti_map_domain_entity_to_dns_events__asim_dns_schema_.json +++ b/modules/rules/ti/ti_map_domain_entity_to_dns_events__asim_dns_schema_.json 
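Review bot: the two fallback `extend` lines assign `TIipEntity` (no underscore) while the first `extend`, the join key `$left.TI_ipEntity` and the later `max_CloudAppEvents_TimeGenerated_TI_ipEntity` reference all use `TI_ipEntity`, so indicators that carry only `NetworkSourceIP` or `EmailSourceIpAddress` keep an empty join key and never match even though the `where` clause admits them. Changing both lines to `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)` and the same shape for `EmailSourceIpAddress` makes the fallbacks effective. The added `| where isnotempty(IPAddress)` on the CloudAppEvents side is a sensible pre-filter but does not address this; the `templateVersion` bump to `1.0.3` would then reflect a behaviour change rather than key reordering.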
@@ -4,7 +4,7 @@ "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'", "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)", "enabled": true, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) 
|summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -20,55 +20,64 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Dvc" + "columnName": "Dvc", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "columnName": "Domain", + "identifier": "DomainName" + } + ], + "entityType": "DNS" } ], "customDetails": { - "Description": "Description", - "ThreatType": "ThreatType", - "IndicatorId": "IndicatorId", + "DnsQuery": "DnsQuery", + "QueryType": "DnsQueryType", + "SourceIPAddress": "SrcIpAddr", "ActivityGroupNames": "ActivityGroupNames", + "Description": "Description", "LatestIndicatorTime": "LatestIndicatorTime", - "DnsQuery": "DnsQuery", + "IndicatorId": "IndicatorId", + "ThreatType": "ThreatType", "DNSRequestTime": "DNS_TimeGenerated", - "QueryType": "DnsQueryType", "ExpirationDateTime": "ExpirationDateTime", - "SourceIPAddress": "SrcIpAddr", "ConfidenceScore": "ConfidenceScore" }, "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", - "templateVersion": "1.1.7" + "templateVersion": "1.1.8" } } diff --git a/modules/solutions/templates/cloudflare.json b/modules/solutions/templates/cloudflare.json new file mode 100644 index 0000000..50a8b27 --- /dev/null +++ b/modules/solutions/templates/cloudflare.json 
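Review bot: the new `project` (in the `@@ -4,7 +4,7 @@` hunk above) and the added `DNS` entity mapping both reference a `Domain` column that nothing in the visible query defines — the indicator side has `DomainName` and the `_Im_Dns` side `DnsQuery`; unless `_Im_Dns` itself emits a `Domain` column, `project` fails on an unknown column and the rule stops producing results entirely. If the intended entity is the matched indicator, `DomainName` is already in scope: `| project …, SrcIpAddr, DomainName, DnsQuery, DnsQueryType` with `"columnName": "DomainName"` in the DNS mapping. The `customDetails` reordering is cosmetic and fine.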
@@ -0,0 +1,2873 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "String", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "String", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "resources": [ + { + "name": "pid-08b8f6d5-4c6d-44a1-8f88-a528a560dd8c-partnercenter", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring('CloudflareDataConnector')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "The Cloudflare data connector provides the capability to ingest [Cloudflare logs](https://developers.cloudflare.com/logs/) into Microsoft Sentinel using the Cloudflare Logpush 
and Azure Blob Storage. Refer to [Cloudflare documentation](https://developers.cloudflare.com/logs/logpush) for more information.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','CloudflareDataConnector')]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "CloudflareDataConnector", + "title": "Cloudflare (Preview) (using Azure Functions)", + "publisher": "Cloudflare", + "descriptionMarkdown": "The Cloudflare data connector provides the capability to ingest [Cloudflare logs](https://developers.cloudflare.com/logs/) into Microsoft Sentinel using the Cloudflare Logpush and Azure Blob Storage. 
Refer to [Cloudflare documentation](https://developers.cloudflare.com/logs/logpush) for more information.", + "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Cloudflare logs", + "legend": "Cloudflare_CL", + "baseQuery": "Cloudflare_CL" + } + ], + "sampleQueries": [ + { + "description": "All Cloudflare logs", + "query": "Cloudflare_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Cloudflare_CL", + "lastDataReceivedQuery": "Cloudflare_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Cloudflare_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Azure Blob Storage connection string and container name", + "description": "Azure Blob Storage connection string and container name where the logs are pushed to by Cloudflare Logpush. [See the documentation to learn more about creating Azure Blob Storage container.](https://learn.microsoft.com/azure/storage/blobs/storage-quickstart-blobs-portal)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "**STEP 1 - Configuration of the Cloudflare Logpush**\n\nSee documentation to [setup Cloudflare Logpush to Microsoft Azure](https://developers.cloudflare.com/logs/logpush/logpush-dashboard)" + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Cloudflare data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Cloudflare data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CloudflareDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Azure Blob Storage Container Name**, **Azure Blob Storage Connection String**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. 
Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Cloudflare data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CloudflareDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CloudflareXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCONTAINER_NAME\n\t\tAZURE_STORAGE_CONNECTION_STRING\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**." + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'CloudflareDataConnector'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'CloudflareDataConnector')]", + "contentId": "CloudflareDataConnector", + "kind": "DataConnector", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": 
"https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "CloudflareDataConnector", + "contentKind": "DataConnector", + "displayName": "Cloudflare (Preview) (using Azure Functions)", + "contentProductId": "cloudflare.cloudflare_sentinel-dc-pa7d7lsbg2vi4", + "id": "cloudflare.cloudflare_sentinel-dc-pa7d7lsbg2vi4", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'CloudflareDataConnector'),'/'))))]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'CloudflareDataConnector')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'CloudflareDataConnector')]", + "contentId": "CloudflareDataConnector", + "kind": "DataConnector", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','CloudflareDataConnector')]", + "apiVersion": 
"2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Cloudflare (Preview) (using Azure Functions)", + "publisher": "Cloudflare", + "descriptionMarkdown": "The Cloudflare data connector provides the capability to ingest [Cloudflare logs](https://developers.cloudflare.com/logs/) into Microsoft Sentinel using the Cloudflare Logpush and Azure Blob Storage. Refer to [Cloudflare documentation](https://developers.cloudflare.com/logs/logpush) for more information.", + "graphQueries": [ + { + "metricName": "Cloudflare logs", + "legend": "Cloudflare_CL", + "baseQuery": "Cloudflare_CL" + } + ], + "dataTypes": [ + { + "name": "Cloudflare_CL", + "lastDataReceivedQuery": "Cloudflare_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Cloudflare_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Cloudflare logs", + "query": "Cloudflare_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Azure Blob Storage connection string and container name", + "description": "Azure Blob Storage connection string and container name where the logs are pushed to by Cloudflare Logpush. [See the documentation to learn more about creating Azure Blob Storage container.](https://learn.microsoft.com/azure/storage/blobs/storage-quickstart-blobs-portal)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "**STEP 1 - Configuration of the Cloudflare Logpush**\n\nSee documentation to [setup Cloudflare Logpush to Microsoft Azure](https://developers.cloudflare.com/logs/logpush/logpush-dashboard)" + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Cloudflare data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Cloudflare data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CloudflareDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Azure Blob Storage Container Name**, **Azure Blob Storage Connection String**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. 
Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Cloudflare data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CloudflareDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CloudflareXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCONTAINER_NAME\n\t\tAZURE_STORAGE_CONNECTION_STRING\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**." + } + ], + "id": "CloudflareDataConnector", + "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parser) which is deployed with the Microsoft Sentinel Solution." 
+ } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Cloudflare-Parser')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Cloudflare", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/','Cloudflare')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare", + "category": "Samples", + "functionAlias": "Cloudflare", + "query": "\nCloudflare_CL\n| extend\n BotScore_d=column_ifexists('BotScore_d', ''),\n BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),\n CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),\n CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),\n CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),\n CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),\n ClientASN_d=column_ifexists('ClientASN_d', ''),\n ClientCountry_s=column_ifexists('ClientCountry_s', ''),\n ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),\n ClientIP_s=column_ifexists('ClientIP_s', ''),\n ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),\n ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),\n ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),\n 
ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),\n ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),\n ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),\n ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),\n ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),\n ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),\n ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),\n ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),\n EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),\n EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),\n EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),\n EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),\n EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),\n EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),\n EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),\n EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),\n EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),\n EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),\n EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),\n EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),\n EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),\n EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),\n FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),\n FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),\n FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),\n OriginIP_s=column_ifexists('OriginIP_s', ''),\n OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),\n OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),\n 
OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),\n OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),\n OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),\n OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),\n ParentRayID_s=column_ifexists('ParentRayID_s', ''),\n RayID_s=column_ifexists('RayID_s', ''),\n SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),\n WAFAction_s=column_ifexists('WAFAction_s', ''),\n WAFFlags_s=column_ifexists('WAFFlags_s', ''),\n WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),\n WAFProfile_s=column_ifexists('WAFProfile_s', ''),\n WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),\n WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),\n WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),\n WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),\n WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),\n WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),\n ZoneID_d=column_ifexists('ZoneID_d', ''),\n Application_s=column_ifexists('Application_s', ''),\n ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),\n ClientProto_s=column_ifexists('ClientProto_s', ''),\n ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''),\n ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),\n ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),\n ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),\n ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),\n ColoCode_s=column_ifexists('ColoCode_s', ''),\n ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),\n DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),\n Event_s=column_ifexists('Event_s', ''),\n IpFirewall_b=column_ifexists('IpFirewall_b', ''),\n OriginBytes_d=column_ifexists('OriginBytes_d', ''),\n OriginPort_d=column_ifexists('OriginPort_d', ''),\n 
OriginProto_s=column_ifexists('OriginProto_s', ''),\n OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),\n OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),\n OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),\n OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),\n OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),\n OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),\n ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),\n Status_d=column_ifexists('Status_d', ''),\n Timestamp_t=column_ifexists('Timestamp_t', ''),\n Action_s=column_ifexists('Action_s', ''),\n ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),\n ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),\n ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),\n ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),\n ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),\n ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),\n ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),\n Datetime_t=column_ifexists('Datetime_t', ''),\n Kind_s=column_ifexists('Kind_s', ''),\n MatchIndex_d=column_ifexists('MatchIndex_d', ''),\n OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),\n RuleID_s=column_ifexists('RuleID_s', ''),\n Source_s=column_ifexists('Source_s', '')\n| extend\n SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),\n TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),\n TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),\n DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),\n NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), 
FirewallMatchesRuleIDs_s),\n ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),\n ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))\n| project-rename\n SrcBytes=ClientRequestBytes_d,\n SrcPortNumber=ClientSrcPort_d,\n DstBytes=EdgeResponseBytes_d,\n BotScore=BotScore_d,\n BotScoreSrc=BotScoreSrc_s,\n CacheCacheStatus=CacheCacheStatus_s,\n CacheResponseBytes=CacheResponseBytes_d,\n CacheResponseStatus=CacheResponseStatus_d,\n CacheTieredFill=CacheTieredFill_b,\n ClientASN=ClientASN_d,\n SrcGeoCountry=ClientCountry_s,\n SrcIpAddr=ClientIP_s,\n ClientIPClass=ClientIPClass_s,\n HttpRequestHeaderHost=ClientRequestHost_s,\n HttpRequestMethod=ClientRequestMethod_s,\n ClientRequestPath=ClientRequestPath_s,\n ClientRequestProtocol=ClientRequestProtocol_s,\n HttpReferrerOriginal=ClientRequestReferer_s,\n ClientRequestURI=ClientRequestURI_s,\n HttpUserAgentOriginal=ClientRequestUserAgent_s,\n ClientXRequestedWith=ClientXRequestedWith_s,\n EdgeColoCode=EdgeColoCode_s,\n EdgeColoID=EdgeColoID_d,\n EdgeEndTimestamp=EdgeEndTimestamp_t,\n EdgePathingOp=EdgePathingOp_s,\n EdgePathingSrc=EdgePathingSrc_s,\n EdgePathingStatus=EdgePathingStatus_s,\n EdgeRateLimitAction=EdgeRateLimitAction_s,\n EdgeRateLimitID=EdgeRateLimitID_d,\n EdgeRequestHost=EdgeRequestHost_s,\n EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,\n HttpContentType=EdgeResponseContentType_s,\n EdgeResponseStatus=EdgeResponseStatus_d,\n EdgeServerIP=EdgeServerIP_s,\n EdgeStartTimestamp=EdgeStartTimestamp_t,\n FirewallMatchesSources=FirewallMatchesSources_s,\n DstIpAddr=OriginIP_s,\n OriginResponseBytes=OriginResponseBytes_d,\n OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,\n OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,\n HttpStatusCode=OriginResponseStatus_d,\n 
OriginResponseTime=OriginResponseTime_d,\n OriginSSLProtocol=OriginSSLProtocol_s,\n ParentRayID=ParentRayID_s,\n RayID=RayID_s,\n SecurityLevel=SecurityLevel_s,\n WAFAction=WAFAction_s,\n WAFFlags=WAFFlags_s,\n WAFMatchedVar=WAFMatchedVar_s,\n WAFProfile=WAFProfile_s,\n WAFRuleID=WAFRuleID_s,\n WAFRuleMessage=WAFRuleMessage_s,\n WorkerCPUTime=WorkerCPUTime_d,\n WorkerStatus=WorkerStatus_s,\n WorkerSubrequest=WorkerSubrequest_b,\n WorkerSubrequestCount=WorkerSubrequestCount_d,\n ZoneID=ZoneID_d,\n Application=Application_s,\n ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,\n NetworkProtocol=ClientProto_s,\n ClientTcpRtt=ClientTcpRtt_d,\n ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,\n ClientTlsStatus=ClientTlsStatus_s,\n ColoCode=ColoCode_s,\n ConnectTimestamp=ConnectTimestamp_t,\n DisconnectTimestamp=DisconnectTimestamp_t,\n IpFirewall=IpFirewall_b,\n DstPortNumber=OriginPort_d,\n OriginProto=OriginProto_s,\n OriginTcpRtt=OriginTcpRtt_d,\n OriginTlsCipher=OriginTlsCipher_s,\n OriginTlsFingerprint=OriginTlsFingerprint_s,\n OriginTlsMode=OriginTlsMode_s,\n OriginTlsProtocol=OriginTlsProtocol_s,\n OriginTlsStatus=OriginTlsStatus_s,\n ProxyProtocol=ProxyProtocol_s,\n EventResult=Status_d,\n Timestamp=Timestamp_t,\n ClientASNDescription=ClientASNDescription_s,\n ClientRefererHost=ClientRefererHost_s,\n ClientRefererPath=ClientRefererPath_s,\n ClientRefererQuery=ClientRefererQuery_s,\n ClientRefererScheme=ClientRefererScheme_s,\n ClientRequestQuery=ClientRequestQuery_s,\n ClientRequestScheme=ClientRequestScheme_s,\n Datetime=Datetime_t,\n EventSubType=Kind_s,\n MatchIndex=MatchIndex_d,\n OriginatorRayID=OriginatorRayID_s\n| project-away \n ClientDeviceType_s,\n Source_s,\n ClientSSLCipher_s,\n ClientTlsCipher_s,\n ClientSSLProtocol_s,\n ClientTlsProtocol_s,\n FirewallMatchesActions_s,\n Event_s,\n Action_s,\n FirewallMatchesRuleIDs_s,\n RuleID_s", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": 
"Cloudflare" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare'),'/'))))]", + "dependsOn": [ + "[concat(parameters('workspace'),'/','Cloudflare')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare')]", + "contentId": "Cloudflare-Parser", + "kind": "Parser", + "version": "1.0.0", + "source": { + "name": "Cloudflare", + "kind": "Solution", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "Cloudflare-Parser", + "contentKind": "Parser", + "displayName": "Cloudflare", + "contentProductId": "cloudflare.cloudflare_sentinel-pr-2eqx6yvmglytm", + "id": "cloudflare.cloudflare_sentinel-pr-2eqx6yvmglytm", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[concat(parameters('workspace'),'/','Cloudflare')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare", + "category": "Samples", + "functionAlias": "Cloudflare", + "query": "\nCloudflare_CL\n| extend\n BotScore_d=column_ifexists('BotScore_d', ''),\n BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),\n 
CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),\n CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),\n CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),\n CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),\n ClientASN_d=column_ifexists('ClientASN_d', ''),\n ClientCountry_s=column_ifexists('ClientCountry_s', ''),\n ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),\n ClientIP_s=column_ifexists('ClientIP_s', ''),\n ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),\n ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),\n ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),\n ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),\n ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),\n ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),\n ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),\n ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),\n ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),\n ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),\n ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),\n EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),\n EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),\n EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),\n EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),\n EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),\n EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),\n EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),\n EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),\n EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),\n EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),\n 
EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),\n EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),\n EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),\n EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),\n FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),\n FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),\n FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),\n OriginIP_s=column_ifexists('OriginIP_s', ''),\n OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),\n OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),\n OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),\n OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),\n OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),\n OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),\n ParentRayID_s=column_ifexists('ParentRayID_s', ''),\n RayID_s=column_ifexists('RayID_s', ''),\n SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),\n WAFAction_s=column_ifexists('WAFAction_s', ''),\n WAFFlags_s=column_ifexists('WAFFlags_s', ''),\n WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),\n WAFProfile_s=column_ifexists('WAFProfile_s', ''),\n WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),\n WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),\n WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),\n WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),\n WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),\n WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),\n ZoneID_d=column_ifexists('ZoneID_d', ''),\n Application_s=column_ifexists('Application_s', ''),\n ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),\n ClientProto_s=column_ifexists('ClientProto_s', ''),\n ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', 
''),\n ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),\n ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),\n ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),\n ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),\n ColoCode_s=column_ifexists('ColoCode_s', ''),\n ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),\n DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),\n Event_s=column_ifexists('Event_s', ''),\n IpFirewall_b=column_ifexists('IpFirewall_b', ''),\n OriginBytes_d=column_ifexists('OriginBytes_d', ''),\n OriginPort_d=column_ifexists('OriginPort_d', ''),\n OriginProto_s=column_ifexists('OriginProto_s', ''),\n OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),\n OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),\n OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),\n OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),\n OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),\n OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),\n ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),\n Status_d=column_ifexists('Status_d', ''),\n Timestamp_t=column_ifexists('Timestamp_t', ''),\n Action_s=column_ifexists('Action_s', ''),\n ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),\n ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),\n ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),\n ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),\n ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),\n ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),\n ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),\n Datetime_t=column_ifexists('Datetime_t', ''),\n Kind_s=column_ifexists('Kind_s', ''),\n MatchIndex_d=column_ifexists('MatchIndex_d', ''),\n OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),\n 
RuleID_s=column_ifexists('RuleID_s', ''),\n Source_s=column_ifexists('Source_s', '')\n| extend\n SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),\n TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),\n TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),\n DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),\n NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s),\n ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),\n ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))\n| project-rename\n SrcBytes=ClientRequestBytes_d,\n SrcPortNumber=ClientSrcPort_d,\n DstBytes=EdgeResponseBytes_d,\n BotScore=BotScore_d,\n BotScoreSrc=BotScoreSrc_s,\n CacheCacheStatus=CacheCacheStatus_s,\n CacheResponseBytes=CacheResponseBytes_d,\n CacheResponseStatus=CacheResponseStatus_d,\n CacheTieredFill=CacheTieredFill_b,\n ClientASN=ClientASN_d,\n SrcGeoCountry=ClientCountry_s,\n SrcIpAddr=ClientIP_s,\n ClientIPClass=ClientIPClass_s,\n HttpRequestHeaderHost=ClientRequestHost_s,\n HttpRequestMethod=ClientRequestMethod_s,\n ClientRequestPath=ClientRequestPath_s,\n ClientRequestProtocol=ClientRequestProtocol_s,\n HttpReferrerOriginal=ClientRequestReferer_s,\n ClientRequestURI=ClientRequestURI_s,\n HttpUserAgentOriginal=ClientRequestUserAgent_s,\n ClientXRequestedWith=ClientXRequestedWith_s,\n EdgeColoCode=EdgeColoCode_s,\n EdgeColoID=EdgeColoID_d,\n EdgeEndTimestamp=EdgeEndTimestamp_t,\n EdgePathingOp=EdgePathingOp_s,\n EdgePathingSrc=EdgePathingSrc_s,\n 
EdgePathingStatus=EdgePathingStatus_s,\n EdgeRateLimitAction=EdgeRateLimitAction_s,\n EdgeRateLimitID=EdgeRateLimitID_d,\n EdgeRequestHost=EdgeRequestHost_s,\n EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,\n HttpContentType=EdgeResponseContentType_s,\n EdgeResponseStatus=EdgeResponseStatus_d,\n EdgeServerIP=EdgeServerIP_s,\n EdgeStartTimestamp=EdgeStartTimestamp_t,\n FirewallMatchesSources=FirewallMatchesSources_s,\n DstIpAddr=OriginIP_s,\n OriginResponseBytes=OriginResponseBytes_d,\n OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,\n OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,\n HttpStatusCode=OriginResponseStatus_d,\n OriginResponseTime=OriginResponseTime_d,\n OriginSSLProtocol=OriginSSLProtocol_s,\n ParentRayID=ParentRayID_s,\n RayID=RayID_s,\n SecurityLevel=SecurityLevel_s,\n WAFAction=WAFAction_s,\n WAFFlags=WAFFlags_s,\n WAFMatchedVar=WAFMatchedVar_s,\n WAFProfile=WAFProfile_s,\n WAFRuleID=WAFRuleID_s,\n WAFRuleMessage=WAFRuleMessage_s,\n WorkerCPUTime=WorkerCPUTime_d,\n WorkerStatus=WorkerStatus_s,\n WorkerSubrequest=WorkerSubrequest_b,\n WorkerSubrequestCount=WorkerSubrequestCount_d,\n ZoneID=ZoneID_d,\n Application=Application_s,\n ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,\n NetworkProtocol=ClientProto_s,\n ClientTcpRtt=ClientTcpRtt_d,\n ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,\n ClientTlsStatus=ClientTlsStatus_s,\n ColoCode=ColoCode_s,\n ConnectTimestamp=ConnectTimestamp_t,\n DisconnectTimestamp=DisconnectTimestamp_t,\n IpFirewall=IpFirewall_b,\n DstPortNumber=OriginPort_d,\n OriginProto=OriginProto_s,\n OriginTcpRtt=OriginTcpRtt_d,\n OriginTlsCipher=OriginTlsCipher_s,\n OriginTlsFingerprint=OriginTlsFingerprint_s,\n OriginTlsMode=OriginTlsMode_s,\n OriginTlsProtocol=OriginTlsProtocol_s,\n OriginTlsStatus=OriginTlsStatus_s,\n ProxyProtocol=ProxyProtocol_s,\n EventResult=Status_d,\n Timestamp=Timestamp_t,\n ClientASNDescription=ClientASNDescription_s,\n 
ClientRefererHost=ClientRefererHost_s,\n ClientRefererPath=ClientRefererPath_s,\n ClientRefererQuery=ClientRefererQuery_s,\n ClientRefererScheme=ClientRefererScheme_s,\n ClientRequestQuery=ClientRequestQuery_s,\n ClientRequestScheme=ClientRequestScheme_s,\n Datetime=Datetime_t,\n EventSubType=Kind_s,\n MatchIndex=MatchIndex_d,\n OriginatorRayID=OriginatorRayID_s\n| project-away \n ClientDeviceType_s,\n Source_s,\n ClientSSLCipher_s,\n ClientTlsCipher_s,\n ClientSSLProtocol_s,\n ClientTlsProtocol_s,\n FirewallMatchesActions_s,\n Event_s,\n Action_s,\n FirewallMatchesRuleIDs_s,\n RuleID_s", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Cloudflare" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare'),'/'))))]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare')]", + "contentId": "Cloudflare-Parser", + "kind": "Parser", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring('CloudflareWorkbook')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Sets the time name for analysis", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "CloudflareWorkbook", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, + "properties": { + "displayName": "Cloudflare", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parse) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"2088f290-65ee-4357-badb-55ce732a5004\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Web Traffic Overview\",\"subTarget\":\"cloudflare_web_traffic_overview\",\"style\":\"link\"},{\"id\":\"25df6ee6-dcf7-4aa2-b90e-50f8a4b6548d\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Security Overview\",\"subTarget\":\"cloudflare_security_overview\",\"style\":\"link\"},{\"id\":\"a2108bc6-5769-4c86-a5c0-201f531ed929\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Reliability 
Summary\",\"subTarget\":\"cloudflare_reliability_summary\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c64d5d3d-90c6-484a-ab88-c70652b75b6e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":172800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientDeviceType_s\",\"size\":0,\"title\":\"Traffic Type\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Traffic Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientRequestProtocol_s\",\"size\":0,\"title\":\"HTTP 
Protocols\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"HTTP Protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientRequestMethod_s\",\"size\":0,\"title\":\"Request Methods\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Request Methods\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| extend EdgeResponseContentType = iif(isempty(EdgeResponseContentType_s),\\\"empty\\\",EdgeResponseContentType_s )\\n| summarize count() by EdgeResponseContentType\",\"size\":0,\"title\":\"Content Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Content Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientRequestURI_s\\n| sort by Count | project-rename ClientRequestURI=ClientRequestURI_s | take 50\",\"size\":0,\"title\":\"Top Requested 
URIs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Requested URIs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientIP_s\\n| sort by Count | take 50 | project-rename ClientIP=ClientIP_s\",\"size\":0,\"title\":\"Top Traffic IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Traffic IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| extend ClientRequestReferer = iif(isempty(ClientRequestReferer_s),\\\"empty\\\",ClientRequestReferer_s )\\n| summarize Count=count() by ClientRequestReferer\\n| sort by Count | take 50\\n\",\"size\":0,\"title\":\"Top Referer\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Referer\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientIPClass_s | project-rename ClientIPClass=ClientIPClass_s\\n| sort by Count | take 50\\n\",\"size\":0,\"title\":\"Top Traffic 
Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Traffic Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\\n| sort by Count | take 50\",\"size\":0,\"title\":\"Top User Agents\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ClientRequestUserAgent\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"75%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"name\":\"Top User Agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let total_number_of_requests =\\nCloudflare_CL\\n| summarize Count=count()\\n| extend title=\\\"Total Number Of Requests\\\";\\n\\nlet threats_stopped =\\nCloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", 
EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat) | summarize Count=count()\\n| extend title=\\\"Stopped Threats\\\";\\n\\nlet result_table = union total_number_of_requests, threats_stopped; \\nresult_table \\n| sort by 
Count\\n\\n\",\"size\":0,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Req_Threats_title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by threat\",\"size\":0,\"title\":\"Top 
Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let total_number_of_requests =\\nCloudflare_CL\\n| summarize Count=count()\\n| extend title=\\\"Total Number Of Requests\\\";\\n\\nlet threats_stopped =\\nCloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat) | summarize Count=count()\\n| extend title=\\\"Stopped Threats\\\";\\n\\nlet result_table = union total_number_of_requests, threats_stopped; \\nresult_table \\n| sort by Count\\n\\n\",\"size\":0,\"title\":\"Requests vs 
Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Requests vs Threats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Threats Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Threats Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" 
and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize count() by ClientCountry_s | project-rename Country=ClientCountry_s | take 20\",\"size\":0,\"title\":\"Top Threat 
Countries\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize count() by ClientIP_s | project-rename ClientIP=ClientIP_s\",\"size\":0,\"title\":\"Top Threat Client 
IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat Client IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" 
and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by ClientRequestURI_s | project-rename ClientRequestURI=ClientRequestURI_s\",\"size\":0,\"title\":\"Top Threat 
URIs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat URIs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and 
EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\",\"size\":0,\"title\":\"Top Threat User 
Agents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat User Agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by EdgePathingStatus_s | project-rename EdgePathingStatus=EdgePathingStatus_s\",\"size\":0,\"title\":\"Top Threat User 
Agents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat User Agents - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 5xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"5\\\"\\n| summarize Count=count()\\n| extend title=\\\"5xx Errors (Edge)\\\";\\n\\nlet 4xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"4\\\"\\n| summarize Count=count()\\n| extend title=\\\"4xx Errors (Edge)\\\";\\n\\nlet 3xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"3\\\"\\n| summarize Count=count()\\n| extend title=\\\"3xx Errors (Edge)\\\";\\n\\nlet result_table = union 5xx, 4xx, 3xx; \\nresult_table \\n| sort by Count\\n\\n\",\"size\":0,\"title\":\"ERRORS Counts 
(Edge)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Errors (Edge)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| summarize Count=count() by response_error_type\",\"size\":0,\"title\":\"Edge Response Error Ratio\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Edge Response Error Ratio\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend 
response_error_type= case(tostring(OriginResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(OriginResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(OriginResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(OriginResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| summarize Count=count() by response_error_type\",\"size\":0,\"title\":\"Origin Response Error Ratio\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Origin Response Error Ratio\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;\",\"size\":0,\"title\":\"Edge Response Status Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"50\",\"name\":\"Edge Response Status Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(OriginResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(OriginResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(OriginResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;\",\"size\":0,\"title\":\"Origin Response Status Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"50\",\"name\":\"Origin Response Status Over Time\"}],\"fromTemplateId\":\"sentinel-CloudflareWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(resourceId('Microsoft.Insights/workbooks', 'CloudflareWorkbook'),'/'))))]", + "properties": { + "description": "@{workbookKey=CloudflareWorkbook; logoFileName=cloudflare.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Cloudflare; templateRelativePath=Cloudflare.json; subtitle=; provider=Cloudflare}.description", + "parentId": "[resourceId('Microsoft.Insights/workbooks', 'CloudflareWorkbook')]", + "contentId": "CloudflareWorkbook", + "kind": "Workbook", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + 
"name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Cloudflare_CL", + "kind": "DataType" + }, + { + "contentId": "CloudflareDataConnector", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "CloudflareWorkbook", + "contentKind": "Workbook", + "displayName": "Cloudflare", + "contentProductId": "cloudflare.cloudflare_sentinel-wb-s52pkqqws7tw2", + "id": "cloudflare.cloudflare_sentinel-wb-s52pkqqws7tw2", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a7ce6135-9d55-4f14-b058-adc2e920a4fa')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects requests from IP with bad reputation index.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "a7ce6135-9d55-4f14-b058-adc2e920a4fa", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects 
requests from IP with bad reputation index.", + "displayName": "Cloudflare - Bad client IP", + "enabled": false, + "query": "let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);\nCloudflare\n| where ClientIPClass in~ (ip_reputation)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "UrlCustomEntity", + "identifier": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a7ce6135-9d55-4f14-b058-adc2e920a4fa'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 1", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a7ce6135-9d55-4f14-b058-adc2e920a4fa')]", + "contentId": "a7ce6135-9d55-4f14-b058-adc2e920a4fa", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": 
"https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "a7ce6135-9d55-4f14-b058-adc2e920a4fa", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Bad client IP", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-ds5o3c5ftyxac", + "id": "cloudflare.cloudflare_sentinel-ar-ds5o3c5ftyxac", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('729c6d21-fad9-4a6a-9c7f-482393c95957')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects requests where user agent is empty.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "729c6d21-fad9-4a6a-9c7f-482393c95957", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects requests where user agent is empty.", + "displayName": "Cloudflare - Empty user agent", + "enabled": false, + "query": 
"Cloudflare\n| where isempty(HttpUserAgentOriginal)\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '729c6d21-fad9-4a6a-9c7f-482393c95957'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 2", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '729c6d21-fad9-4a6a-9c7f-482393c95957')]", + "contentId": "729c6d21-fad9-4a6a-9c7f-482393c95957", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "729c6d21-fad9-4a6a-9c7f-482393c95957", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Empty user agent", + "contentProductId": 
"cloudflare.cloudflare_sentinel-ar-ch2rlsrvs74bq", + "id": "cloudflare.cloudflare_sentinel-ar-ch2rlsrvs74bq", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ef877d68-755f-4cf1-ac1d-f336e395667c')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects multiple failure requests from single source in short timeframe.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "ef877d68-755f-4cf1-ac1d-f336e395667c", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects multiple failure requests from single source in short timeframe.", + "displayName": "Cloudflare - Multiple error requests from single source", + "enabled": false, + "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Low", + "suppressionDuration": 
"PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ef877d68-755f-4cf1-ac1d-f336e395667c'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 3", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ef877d68-755f-4cf1-ac1d-f336e395667c')]", + "contentId": "ef877d68-755f-4cf1-ac1d-f336e395667c", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "ef877d68-755f-4cf1-ac1d-f336e395667c", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Multiple error requests from single source", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-fcvcejdspbhug", + "id": "cloudflare.cloudflare_sentinel-ar-fcvcejdspbhug", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { 
+ "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fc50076a-0275-43d5-b9dd-38346c061f67')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects requests with different user agents from one source in short timeframe.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "fc50076a-0275-43d5-b9dd-38346c061f67", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects requests with different user agents from one source in short timeframe.", + "displayName": "Cloudflare - Multiple user agents for single source", + "enabled": false, + "query": "let threshold = 10;\nCloudflare\n| where isnotempty(HttpUserAgentOriginal)\n| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)\n| where d_ua > threshold\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + 
"requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fc50076a-0275-43d5-b9dd-38346c061f67'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 4", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fc50076a-0275-43d5-b9dd-38346c061f67')]", + "contentId": "fc50076a-0275-43d5-b9dd-38346c061f67", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "fc50076a-0275-43d5-b9dd-38346c061f67", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Multiple user agents for single source", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-tnpefl4dgioe2", + "id": "cloudflare.cloudflare_sentinel-ar-tnpefl4dgioe2", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": 
"DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('40554544-6e4a-4413-8d14-bf2de939c5d9')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects requests from countries which are in blocklist.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "40554544-6e4a-4413-8d14-bf2de939c5d9", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects requests from countries which are in blocklist.", + "displayName": "Cloudflare - Client request from country in blocklist", + "enabled": false, + "query": "let bl_countries = dynamic(['cn', 'hk']);\nCloudflare\n| where SrcGeoCountry in~ (bl_countries)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + 
"entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "UrlCustomEntity", + "identifier": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '40554544-6e4a-4413-8d14-bf2de939c5d9'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 5", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '40554544-6e4a-4413-8d14-bf2de939c5d9')]", + "contentId": "40554544-6e4a-4413-8d14-bf2de939c5d9", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "40554544-6e4a-4413-8d14-bf2de939c5d9", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Client request from country in blocklist", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-qjwd4vlolaybw", + "id": "cloudflare.cloudflare_sentinel-ar-qjwd4vlolaybw", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7313352a-09f6-4a84-88bd-6f17f1cbeb8f')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects post requests to unusual extensions.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects post requests to unusual extensions.", + "displayName": "Cloudflare - Unexpected POST requests", + "enabled": false, + "query": "Cloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where tostring(HttpStatusCode) startswith '2'\n| where DstBytes != 0 or SrcBytes != 0\n| extend fe = extract(@'.*(\\.\\w+)$', 1, ClientRequestURI)\n| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": 
[ + "Persistence", + "CommandAndControl" + ], + "techniques": [ + "T1505", + "T1071" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7313352a-09f6-4a84-88bd-6f17f1cbeb8f'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 6", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7313352a-09f6-4a84-88bd-6f17f1cbeb8f')]", + "contentId": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Unexpected POST requests", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-sb64hrmqb67hm", + "id": "cloudflare.cloudflare_sentinel-ar-sb64hrmqb67hm", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f32142b1-4bcb-45c0-92e4-2ddc18768522')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects client requests to unusual client request.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.1", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "f32142b1-4bcb-45c0-92e4-2ddc18768522", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects client requests to unusual client request.", + "displayName": "Cloudflare - Unexpected client request", + "enabled": false, + "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/') \n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + 
"fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f32142b1-4bcb-45c0-92e4-2ddc18768522'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 7", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f32142b1-4bcb-45c0-92e4-2ddc18768522')]", + "contentId": "f32142b1-4bcb-45c0-92e4-2ddc18768522", + "kind": "AnalyticsRule", + "version": "1.0.1", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "f32142b1-4bcb-45c0-92e4-2ddc18768522", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Unexpected client request", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-ec3bxip5g6xbs", + "id": "cloudflare.cloudflare_sentinel-ar-ec3bxip5g6xbs", + "version": "1.0.1", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dcb797cd-a4cd-4306-897b-7991f71d7e27')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects client requests to unusual URI.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "dcb797cd-a4cd-4306-897b-7991f71d7e27", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects client requests to unusual URI.", + "displayName": "Cloudflare - Unexpected URI", + "enabled": false, + "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI matches regex @'(127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": 
"IPCustomEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dcb797cd-a4cd-4306-897b-7991f71d7e27'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 8", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dcb797cd-a4cd-4306-897b-7991f71d7e27')]", + "contentId": "dcb797cd-a4cd-4306-897b-7991f71d7e27", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "dcb797cd-a4cd-4306-897b-7991f71d7e27", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Unexpected URI", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-5ymbhc4s2ijia", + "id": "cloudflare.cloudflare_sentinel-ar-5ymbhc4s2ijia", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f53fe2a9-96b5-454c-827e-cf1764a67fb0')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects WAF \"Allowed\" action on threat events.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "f53fe2a9-96b5-454c-827e-cf1764a67fb0", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects WAF \"Allowed\" action on threat events.", + "displayName": "Cloudflare - WAF Allowed threat", + "enabled": false, + "query": "Cloudflare\n| where isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)\n| where WAFAction =~ 'Allow'\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "UrlCustomEntity", + "identifier": "Url" + } + ] + } + ] + } 
+ }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f53fe2a9-96b5-454c-827e-cf1764a67fb0'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 9", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f53fe2a9-96b5-454c-827e-cf1764a67fb0')]", + "contentId": "f53fe2a9-96b5-454c-827e-cf1764a67fb0", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "f53fe2a9-96b5-454c-827e-cf1764a67fb0", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - WAF Allowed threat", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-nirv2ihu2sobe", + "id": "cloudflare.cloudflare_sentinel-ar-nirv2ihu2sobe", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d9d00b9-31a6-49e4-88c1-9e68277053ac')))]", + 
"location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Detects XSS probing patterns.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "4d9d00b9-31a6-49e4-88c1-9e68277053ac", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects XSS probing patterns.", + "displayName": "Cloudflare - XSS probing pattern in request", + "enabled": false, + "query": "let s_threshold = 3;\nCloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| extend susp_ch = countof(ClientRequestURI, '%00')\n| where ClientRequestURI matches regex @'(alert\\()|(alert\\%28)|(String\\.fromCharCode\\()|(expression\\(alert)' or susp_ch > s_threshold\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Cloudflare" + ], + "connectorId": "CloudflareDataConnector" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "UrlCustomEntity", + "identifier": "Url" + } + ] + } + ] + } + }, + { + 
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d9d00b9-31a6-49e4-88c1-9e68277053ac'),'/'))))]", + "properties": { + "description": "Cloudflare Analytics Rule 10", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d9d00b9-31a6-49e4-88c1-9e68277053ac')]", + "contentId": "4d9d00b9-31a6-49e4-88c1-9e68277053ac", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "4d9d00b9-31a6-49e4-88c1-9e68277053ac", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - XSS probing pattern in request", + "contentProductId": "cloudflare.cloudflare_sentinel-ar-z6obi4zkvxw7u", + "id": "cloudflare.cloudflare_sentinel-ar-z6obi4zkvxw7u", + "version": "1.0.0", + "isDeprecated": false, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentKind": "DataType", + "contentId": "Cloudflare" + }, + { + "contentKind": "DataConnector", + "contentId": "CloudflareDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5d72f483-929a-498a-b840-dff7deed2116')))]", + 
"location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches for client related errors.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Client errors", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode between(400..499)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for client related errors." 
+ }, + { + "name": "tactics", + "value": "InitialAccess,Impact" + }, + { + "name": "techniques", + "value": "T1190,T1133,T1498" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '5d72f483-929a-498a-b840-dff7deed2116'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '5d72f483-929a-498a-b840-dff7deed2116')]", + "contentId": "5d72f483-929a-498a-b840-dff7deed2116", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "5d72f483-929a-498a-b840-dff7deed2116", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Client errors", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-nwjmtrhct4gpy", + "id": "cloudflare.cloudflare_sentinel-hq-nwjmtrhct4gpy", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('20ef3865-fd1f-44a4-ac8f-8d026cf954e0')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches for client TLS errors.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Client TLS errors", + "category": "Hunting Queries", + "query": "let err_tls = dynamic(['UNKNOWN', 'INTERNAL_ERROR', 'INVALID_CONFIG', 'INVALID_SNI', 'HANDSHAKE_FAILED']);\nCloudflare\n| where TimeGenerated > ago(24h)\n| where ClientTlsStatus in~ (err_tls)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for client TLS errors." 
+ }, + { + "name": "tactics", + "value": "InitialAccess,Impact" + }, + { + "name": "techniques", + "value": "T1190,T1133,T1498" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '20ef3865-fd1f-44a4-ac8f-8d026cf954e0'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '20ef3865-fd1f-44a4-ac8f-8d026cf954e0')]", + "contentId": "20ef3865-fd1f-44a4-ac8f-8d026cf954e0", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "20ef3865-fd1f-44a4-ac8f-8d026cf954e0", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Client TLS errors", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-2iuhb4hbpxwxy", + "id": "cloudflare.cloudflare_sentinel-hq-2iuhb4hbpxwxy", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d72d0055-ae52-43b5-859e-db72e5ef183a')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches for files requested.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Files requested", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| extend File = extract(@'\\/(\\w+\\.\\w+)', 1, ClientRequestURI)\n| summarize count() by File, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n| extend FileCustomEntity = File\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for files requested." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', 'd72d0055-ae52-43b5-859e-db72e5ef183a'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 'd72d0055-ae52-43b5-859e-db72e5ef183a')]", + "contentId": "d72d0055-ae52-43b5-859e-db72e5ef183a", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "d72d0055-ae52-43b5-859e-db72e5ef183a", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Files requested", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-oysfksimyphiq", + "id": "cloudflare.cloudflare_sentinel-hq-oysfksimyphiq", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a6f1938f-2f87-446c-83ac-624c277cfd32')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches rare user agent strings.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Rare user agents", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(HttpUserAgentOriginal)\n| summarize count() by HttpUserAgentOriginal, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches rare user agent strings." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', 'a6f1938f-2f87-446c-83ac-624c277cfd32'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 'a6f1938f-2f87-446c-83ac-624c277cfd32')]", + "contentId": "a6f1938f-2f87-446c-83ac-624c277cfd32", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "a6f1938f-2f87-446c-83ac-624c277cfd32", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Rare user agents", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-6onf5hnsbn3kg", + "id": "cloudflare.cloudflare_sentinel-hq-6onf5hnsbn3kg", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7c8f0bed-b25c-4d48-9afa-c505e141bf4b')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches for server related errors.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Server errors", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode between(500..599)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for server related errors." 
+ }, + { + "name": "tactics", + "value": "InitialAccess,Impact" + }, + { + "name": "techniques", + "value": "T1190,T1133,T1498" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '7c8f0bed-b25c-4d48-9afa-c505e141bf4b'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '7c8f0bed-b25c-4d48-9afa-c505e141bf4b')]", + "contentId": "7c8f0bed-b25c-4d48-9afa-c505e141bf4b", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "7c8f0bed-b25c-4d48-9afa-c505e141bf4b", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Server errors", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-hbd6n6vyynlrk", + "id": "cloudflare.cloudflare_sentinel-hq-hbd6n6vyynlrk", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e1a9febc-6b37-47e6-b5a7-0eec7638ba82')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches for server TLS errors.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_6", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Server TLS errors", + "category": "Hunting Queries", + "query": "let err_tls = dynamic(['UNKNOWN', 'INTERNAL_ERROR', 'INVALID_CONFIG', 'INVALID_SNI', 'HANDSHAKE_FAILED']);\nCloudflare\n| where TimeGenerated > ago(24h)\n| where OriginTlsStatus in~ (err_tls)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for server TLS errors." 
+ }, + { + "name": "tactics", + "value": "InitialAccess,Impact" + }, + { + "name": "techniques", + "value": "T1190,T1133,T1498" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', 'e1a9febc-6b37-47e6-b5a7-0eec7638ba82'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 6", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 'e1a9febc-6b37-47e6-b5a7-0eec7638ba82')]", + "contentId": "e1a9febc-6b37-47e6-b5a7-0eec7638ba82", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "e1a9febc-6b37-47e6-b5a7-0eec7638ba82", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Server TLS errors", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-dn6imvejatqxa", + "id": "cloudflare.cloudflare_sentinel-hq-dn6imvejatqxa", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('eb7b88ab-47b1-483f-95b3-2b315d98d465')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches top network rules triggered.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_7", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Top Network rules", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkRuleName)\n| summarize count() by NetworkRuleName, EdgeRequestHost\n| order by count_\n| extend CloudAppCustomEntity = EdgeRequestHost\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches top network rules triggered." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', 'eb7b88ab-47b1-483f-95b3-2b315d98d465'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 7", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 'eb7b88ab-47b1-483f-95b3-2b315d98d465')]", + "contentId": "eb7b88ab-47b1-483f-95b3-2b315d98d465", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "eb7b88ab-47b1-483f-95b3-2b315d98d465", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Top Network rules", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-4cj46bvok7pjw", + "id": "cloudflare.cloudflare_sentinel-hq-4cj46bvok7pjw", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8a72cdb0-97d9-4547-9eca-1bdea2ccd796')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches top WAF rules triggered.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_8", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Top WAF rules", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(WAFRuleID)\n| summarize count() by WAFRuleID, WAFRuleMessage, EdgeRequestHost\n| order by count_\n| extend CloudAppCustomEntity = EdgeRequestHost\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches top WAF rules triggered." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '8a72cdb0-97d9-4547-9eca-1bdea2ccd796'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 8", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '8a72cdb0-97d9-4547-9eca-1bdea2ccd796')]", + "contentId": "8a72cdb0-97d9-4547-9eca-1bdea2ccd796", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "8a72cdb0-97d9-4547-9eca-1bdea2ccd796", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Top WAF rules", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-cshjhezyexuyw", + "id": "cloudflare.cloudflare_sentinel-hq-cshjhezyexuyw", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9fc7d945-0e82-4664-aca0-dc121a5cd7be')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches requests by country and helps to identify requests coming from unexpected countries.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Unexpected countries", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| summarize count() by SrcGeoCountry, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches requests by country and helps to identify requests coming from unexpected countries." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '9fc7d945-0e82-4664-aca0-dc121a5cd7be'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 9", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '9fc7d945-0e82-4664-aca0-dc121a5cd7be')]", + "contentId": "9fc7d945-0e82-4664-aca0-dc121a5cd7be", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "9fc7d945-0e82-4664-aca0-dc121a5cd7be", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Unexpected countries", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-ywjsta7uad2pk", + "id": "cloudflare.cloudflare_sentinel-hq-ywjsta7uad2pk", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0be3ddc1-99db-4153-ba3c-2c1e5c82560d')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'cloudflare.cloudflare_sentinel')]" + ], + "properties": { + "description": "Query searches for unexpected EdgeResponseStatus values.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_10", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cloudflare - Unexpected edge response", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode != EdgeResponseStatus\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for unexpected EdgeResponseStatus values." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '0be3ddc1-99db-4153-ba3c-2c1e5c82560d'),'/'))))]", + "properties": { + "description": "Cloudflare Hunting Query 10", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '0be3ddc1-99db-4153-ba3c-2c1e5c82560d')]", + "contentId": "0be3ddc1-99db-4153-ba3c-2c1e5c82560d", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.1", + "packageName": "Cloudflare", + "packageId": "cloudflare.cloudflare_sentinel", + "contentSchemaVersion": "3.0.0", + "contentId": "0be3ddc1-99db-4153-ba3c-2c1e5c82560d", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Unexpected edge response", + "contentProductId": "cloudflare.cloudflare_sentinel-hq-3b6afbxfhmlj4", + "id": "cloudflare.cloudflare_sentinel-hq-3b6afbxfhmlj4", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.1", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Cloudflare", + "publisherDisplayName": "Cloudflare", + "descriptionHtml": "Cloudflare secures and 
ensures the reliability of your external-facing resources such as websites, APIs, and applications. It protects your internal resources such as behind-the-firewall applications, teams, and devices. And it is your platform for developing globally-scalable applications.

Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.", + "contentKind": "Solution", + "contentProductId": "cloudflare.cloudflare_sentinel-sl-davqtfrs3bq2k", + "id": "cloudflare.cloudflare_sentinel-sl-davqtfrs3bq2k", + "icon": "https://store-images.s-microsoft.com/image/apps.39988.08b8f6d5-4c6d-44a1-8f88-a528a560dd8c.8c6667b9-f730-42c6-93d6-62beb88d69a5.60e45a66-7220-48ec-9536-76f3d3a93a2f", + "contentId": "cloudflare.cloudflare_sentinel", + "parentId": "cloudflare.cloudflare_sentinel", + "source": { + "kind": "Solution", + "name": "Cloudflare", + "sourceId": "cloudflare.cloudflare_sentinel" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Cloudflare", + "email": "support@cloudflare.com", + "tier": "Partner", + "link": "https://support.cloudflare.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "CloudflareDataConnector", + "version": "1.0.0" + }, + { + "kind": "Parser", + "contentId": "Cloudflare-Parser", + "version": "1.0.0" + }, + { + "kind": "Workbook", + "contentId": "CloudflareWorkbook", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "a7ce6135-9d55-4f14-b058-adc2e920a4fa", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "729c6d21-fad9-4a6a-9c7f-482393c95957", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "ef877d68-755f-4cf1-ac1d-f336e395667c", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "fc50076a-0275-43d5-b9dd-38346c061f67", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "40554544-6e4a-4413-8d14-bf2de939c5d9", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f", + "version": "1.0.0" + }, + { + "kind": 
"AnalyticsRule", + "contentId": "f32142b1-4bcb-45c0-92e4-2ddc18768522", + "version": "1.0.1" + }, + { + "kind": "AnalyticsRule", + "contentId": "dcb797cd-a4cd-4306-897b-7991f71d7e27", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "f53fe2a9-96b5-454c-827e-cf1764a67fb0", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "4d9d00b9-31a6-49e4-88c1-9e68277053ac", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "5d72f483-929a-498a-b840-dff7deed2116", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "20ef3865-fd1f-44a4-ac8f-8d026cf954e0", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "d72d0055-ae52-43b5-859e-db72e5ef183a", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "a6f1938f-2f87-446c-83ac-624c277cfd32", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "7c8f0bed-b25c-4d48-9afa-c505e141bf4b", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "e1a9febc-6b37-47e6-b5a7-0eec7638ba82", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "eb7b88ab-47b1-483f-95b3-2b315d98d465", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "8a72cdb0-97d9-4547-9eca-1bdea2ccd796", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "9fc7d945-0e82-4664-aca0-dc121a5cd7be", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "0be3ddc1-99db-4153-ba3c-2c1e5c82560d", + "version": "1.0.0" + } + ] + }, + "firstPublishDate": "2021-10-20", + "providers": [ + "Cloudflare" + ], + "categories": { + "domains": [ + "Networking", + "Security - Network" + ] + }, + "isPreview": false, + "isDeprecated": false, + "migratedToPackageId": null + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'cloudflare.cloudflare_sentinel')]" + } + ], + "variables": {} +} 
diff --git a/modules/solutions/templates/fortigate.json b/modules/solutions/templates/fortigate.json index 4d2f4c4..ec894a5 100644 --- a/modules/solutions/templates/fortigate.json +++ b/modules/solutions/templates/fortigate.json 
@@ -39,800 +39,6 @@ } } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring('Fortinet')))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]" - ], - "properties": { - "description": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel data connector with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','Fortinet')]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "Fortinet", - "title": "[Deprecated] Fortinet via Legacy Agent", - "publisher": "Fortinet", - "logo": "FortinetLogo.svg", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\u200b\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 2, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": 
"Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py &&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine\u2019s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ], - "title": "2. Forward Fortinet logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py &&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "19ecaeff-8959-4cb8-a11e-a150ecd5a494", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Fortinet" - }, - "support": { - "name": "Fortinet", - "link": "https://www.fortinet.com/support/contact", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'Fortinet'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'Fortinet')]", - "contentId": "Fortinet", - "kind": "DataConnector", - "version": "1.0.0", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "azuresentinel.azure-sentinel-solution-fortinetfortigate" - }, - "author": { - "name": "Microsoft", - "email": "support@microsoft.com" - }, - "support": { - "name": "Microsoft 
Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "3.0.6", - "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate", - "contentSchemaVersion": "3.0.0", - "contentId": "Fortinet", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Fortinet via Legacy Agent", - "contentProductId": "azuresentinel.azure-sentinel-solution-fortinetfort-dc-vwczofh76lfxa", - "id": "azuresentinel.azure-sentinel-solution-fortinetfort-dc-vwczofh76lfxa", - "version": "1.0.0", - "isDeprecated": false - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'Fortinet'),'/'))))]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'Fortinet')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'Fortinet')]", - "contentId": "Fortinet", - "kind": "DataConnector", - "version": "1.0.0", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "azuresentinel.azure-sentinel-solution-fortinetfortigate" - }, - "author": { - "name": "Microsoft", - "email": "support@microsoft.com" - }, - "support": { - "name": "Microsoft Corporation", - "email": 
"support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','Fortinet')]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Fortinet via Legacy Agent", - "publisher": "Fortinet", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith 
\"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\u200b\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 2, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. 
The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py &&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine\u2019s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ], - "title": "2. 
Forward Fortinet logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py &&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "Fortinet" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring('FortinetAma')))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]" - ], - "properties": { - "description": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel data connector with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','FortinetAma')]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "FortinetAma", - "title": "[Deprecated] Fortinet via AMA", - "publisher": "Fortinet", - "logo": "FortinetLogo.svg", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\u200b\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - 
"permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Fortinet logs to Syslog agent", - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine\u2019s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ] - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "19ecaeff-8959-4cb8-a11e-a150ecd5a494", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Fortinet" - }, - "support": { - "name": "Fortinet", - "link": "https://www.fortinet.com/support/contact", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'FortinetAma'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'FortinetAma')]", - "contentId": "FortinetAma", - "kind": "DataConnector", - "version": "1.0.0", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "azuresentinel.azure-sentinel-solution-fortinetfortigate" - }, - "author": { - "name": "Microsoft", - "email": "support@microsoft.com" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "3.0.6", - "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate", - "contentSchemaVersion": "3.0.0", - "contentId": "FortinetAma", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Fortinet via AMA", - "contentProductId": "azuresentinel.azure-sentinel-solution-fortinetfort-dc-gzck56x6oe7ls", - "id": 
"azuresentinel.azure-sentinel-solution-fortinetfort-dc-gzck56x6oe7ls", - "version": "1.0.0", - "isDeprecated": false - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'FortinetAma'),'/'))))]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'FortinetAma')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'FortinetAma')]", - "contentId": "FortinetAma", - "kind": "DataConnector", - "version": "1.0.0", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "azuresentinel.azure-sentinel-solution-fortinetfortigate" - }, - "author": { - "name": "Microsoft", - "email": "support@microsoft.com" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','FortinetAma')]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Fortinet via AMA", - "publisher": "Fortinet", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with 
Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\u200b\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - 
"resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Fortinet logs to Syslog agent", - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine\u2019s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ] - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "FortinetAma" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -842,7 +48,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]" ], "properties": { - "description": "FortinetFortigateFunctionApp Playbook with template version 3.0.6", + "description": "", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0", 
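Review bot: The `FortinetFortigateFunctionApp` content template's `description` is replaced with an empty string, so the content hub entry no longer says what the function app does; the `FortinetCustomConnector` hunk (`@@ -1122`) on the next line does the same, and the two okta.json hunks that add `"description": ""` (`@@ -2384`, `@@ -2682`) introduce empty fields. The sibling hunks in this commit pull real text from the content items, so these look like items whose metadata has no description for the generator to copy rather than an intentional blank. Suggest sourcing a one-line description from each item's own metadata, for example `"description": "Function app backing the Fortinet FortiGate playbooks"` (wording to be confirmed from the function app's metadata), or keeping the previous text until one exists.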
@@ -953,11 +159,11 @@
 "appSettings": [
 {
 "name": "AzureWebJobsStorage",
- "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]"
+ "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]"
 },
 {
 "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
- "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]"
+ "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]"
 },
 {
 "name": "WEBSITE_CONTENTSHARE",
@@ -1100,7 +306,7 @@
 }
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
 "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
 "contentSchemaVersion": "3.0.0",
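Review bot: Both rewritten `value` lines still inline the storage account key through `listKeys(...).keys[0].value`, so the only change is the `listKeys` apiVersion moving from `2022-09-01` to `2023-04-01`; the key continues to be materialized in clear text in the Function App's application settings, where anyone with read access to the app configuration can obtain it. For `AzureWebJobsStorage` the Functions host supports an identity-based connection (`AzureWebJobsStorage__accountName` plus a data-plane storage role for the app's managed identity), which would drop the key from this setting if the runtime version used by this template supports it; that version is outside the hunk. `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` to my knowledge still needs a key-based connection string, so that line would stay, and a template comment noting that rotating the storage key requires redeploying these settings would help operators.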
@@ -1122,7 +328,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]"
 ],
 "properties": {
- "description": "FortinetCustomConnector Playbook with template version 3.0.6",
+ "description": "",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0",
@@ -2731,7 +1937,7 @@
 ],
 "metadata": {
 "comments": "This Fortinet custom connector uses Fortinet-Fortigate API to perform different actions on Forinet VM",
- "lastUpdateTime": "2024-08-22T10:53:14.293Z",
+ "lastUpdateTime": "2024-11-14T15:07:30.498Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[replace('b', 'b', '')]",
@@ -2742,7 +1948,7 @@
 }
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
 "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
 "contentSchemaVersion": "3.0.0",
@@ -2764,7 +1970,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]"
 ],
 "properties": {
- "description": "Fortinet-FortiGate-IPEnrichment Playbook with template version 3.0.6",
+ "description": "This playbook enriches the incident with address object and address group.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0",
@@ -6217,10 +5423,7 @@
 "type": "Microsoft.Logic/workflows",
 "location": "[[variables('workspace-location-inline')]",
 "identity": {
- "type": "UserAssigned",
- "userAssignedIdentities": {
- "[[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('User Identifier Name'))]": {}
- }
+ "type": "UserAssigned"
 },
 "apiVersion": "2016-06-01",
 "tags": {
@@ -6306,7 +5509,7 @@
 }
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
 "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
 "contentSchemaVersion": "3.0.0",
@@ -6328,7 +5531,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]"
 ],
 "properties": {
- "description": "Fortinet-FortiGate-ResponseOnBlockIP Playbook with template version 3.0.6",
+ "description": "This playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes IPs, by adding/removing the IPs to the Microsoft Sentinel IP blocked group.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0",
@@ -6447,10 +5650,7 @@
 "name": "[[parameters('PlaybookName')]",
 "location": "[[variables('workspace-location-inline')]",
 "identity": {
- "type": "UserAssigned",
- "userAssignedIdentities": {
- "[[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('User Identifier Name'))]": {}
- }
+ "type": "UserAssigned"
 },
 "dependsOn": [
 "[[resourceId('Microsoft.Web/connections', variables('FortinetConnectorConnectionName'))]",
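Review bot: Dropping `userAssignedIdentities` while keeping `"type": "UserAssigned"` leaves both Logic App resources on this line (hunks `@@ -6217` and `@@ -6447`) declaring a user-assigned identity without naming one, which ARM should reject at deployment time or, at best, deploy with no identity at all; either way the playbook loses the identity its connections presumably rely on to reach the Fortinet connector and Sentinel. If the intent is to stop requiring the `User Identifier Name` parameter, the block should become `"identity": { "type": "SystemAssigned" }` with the corresponding role assignments re-pointed at the system identity; otherwise the removed `userAssignedIdentities` entry should be restored. Whether the parameter is still declared, and which role assignments reference it, is outside the hunk.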
@@ -10393,7 +9593,7 @@
 }
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
 "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
 "contentSchemaVersion": "3.0.0",
@@ -10415,7 +9615,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]"
 ],
 "properties": {
- "description": "Fortinet-FortiGate-ResponseOnBlockURL Playbook with template version 3.0.6",
+ "description": "This playbook allows the SOC users to automatically response to Microsoft Sentinel incidents which includes URL's, by adding the URLs to the Microsoft Sentinel URL blocked group.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0",
@@ -12003,7 +11203,7 @@
 }
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
 "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
 "contentSchemaVersion": "3.0.0",
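Review bot: The new `description` for the ResponseOnBlockURL playbook (`@@ -10415`) reads `automatically response to Microsoft Sentinel incidents which includes URL's`, and the ResponseOnBlockIP description on the previous line (`@@ -6328`) has the same wording; both are user-facing content hub text. Suggest `This playbook allows SOC users to automatically respond to Microsoft Sentinel incidents that include URLs, by adding the URLs to the blocked URL group.` and the matching form for IPs. Both descriptions also attribute the blocked group to Microsoft Sentinel, whereas the playbook names suggest the group lives on the FortiGate; worth confirming which is meant before the text ships.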
@@ -12025,7 +11225,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]"
 ],
 "properties": {
- "description": "Fortigate Workbook with template version 3.0.6",
+ "description": "Gain insights into Fortigate firewalls by analyzing traffic and activities.\nThis workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic, and drill down into the Fortigate filter results.\nEasily detect attacks on your organization by monitoring management operations such as configuration and logins.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -12081,10 +11281,6 @@
 "contentId": "CommonSecurityLog",
 "kind": "DataType"
 },
- {
- "contentId": "Fortinet",
- "kind": "DataConnector"
- },
 {
 "contentId": "CefAma",
 "kind": "DataConnector"
@@ -12096,7 +11292,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
 "packageId": "azuresentinel.azure-sentinel-solution-fortinetfortigate",
 "contentSchemaVersion": "3.0.0",
@@ -12114,15 +11310,15 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.6",
+ "version": "3.0.7",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Fortinet FortiGate Next-Generation Firewall connector",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

Gain insight into your organization's network and improve your security operation capabilities with the Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation.

Playbooks are included to help in automated remediation

For questions about FortiGate, please contact Fortinet at azuresales@fortinet.com.

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

Data Connectors: 2, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3

Learn more about Microsoft Sentinel | Learn more about Solutions

", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

Gain insight into your organization's network and improve your security operation capabilities with the Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation.

Playbooks are included to help in automated remediation

For questions about FortiGate, please contact Fortinet at azuresales@fortinet.com.

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3

Learn more about Microsoft Sentinel | Learn more about Solutions

", "contentKind": "Solution", - "contentProductId": "azuresentinel.azure-sentinel-solution-fortinetfort-sl-yu6s2jsiirdp6", - "id": "azuresentinel.azure-sentinel-solution-fortinetfort-sl-yu6s2jsiirdp6", + "contentProductId": "azuresentinel.azure-sentinel-solution-fortinetfort-sl-wicshyvcq7p7e", + "id": "azuresentinel.azure-sentinel-solution-fortinetfort-sl-wicshyvcq7p7e", "icon": "https://store-images.s-microsoft.com/image/apps.64828.fb8a6200-e06e-480f-9dce-82ca6ccdd4af.9a421a4d-e81e-4b21-bb16-302b3ee5807a.cf276ff1-48a3-42c1-805e-5d8ee1182833", "contentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate", "parentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate", @@ -12143,16 +11339,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "Fortinet", - "version": "1.0.0" - }, - { - "kind": "DataConnector", - "contentId": "FortinetAma", - "version": "1.0.0" - }, { "kind": "AzureFunction", "contentId": "FortinetFortigateFunctionApp", @@ -12200,7 +11386,8 @@ ] }, "isPreview": false, - "isDeprecated": false + "isDeprecated": false, + "migratedToPackageId": null }, "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'azuresentinel.azure-sentinel-solution-fortinetfortigate')]" } diff --git a/modules/solutions/templates/okta.json b/modules/solutions/templates/okta.json index 77de332..918539e 100644 --- a/modules/solutions/templates/okta.json +++ b/modules/solutions/templates/okta.json 
@@ -62,7 +62,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -160,7 +160,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -203,7 +203,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -292,7 +292,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -335,7 +335,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -424,7 +424,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -467,7 +467,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "This query detects cases in which Okta FastPass effectively prevented access to a known phishing website.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -538,8 +538,8 @@
 }
 ],
 "customDetails": {
- "UserAgent": "client_userAgent_rawUserAgent_s",
- "Location": "Location"
+ "Location": "Location",
+ "UserAgent": "client_userAgent_rawUserAgent_s"
 }
 }
 },
@@ -573,7 +573,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
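Review bot: The `customDetails` hunk (`@@ -538`) only swaps the order of the `Location` and `UserAgent` keys, and the `@@ -689` hunk on the next line does the same for `customDetails` and `alertDetailsOverride`; JSON object key order carries no meaning for the Sentinel API, so these lines are generator churn that hides the real edits in the diff. Emitting keys in a stable order from the generator (sorted, or the order of the source content) would keep future diffs limited to actual changes.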
@@ -616,7 +616,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -689,12 +689,12 @@
 }
 ],
 "customDetails": {
- "SessionId": "authenticationContext_externalSessionId_s",
- "Location": "Location"
+ "Location": "Location",
+ "SessionId": "authenticationContext_externalSessionId_s"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation",
- "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n"
+ "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n",
+ "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation"
 }
 }
 },
@@ -728,7 +728,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -771,7 +771,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: https://sec.okta.com/everythingisyes.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -864,7 +864,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -907,7 +907,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -1012,7 +1012,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -1055,7 +1055,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.1.0",
@@ -1157,7 +1157,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -1200,7 +1200,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]"
 ],
 "properties": {
- "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "A user has started a session impersonation, gaining access with the impersonated users permissions. This typically signifies Okta admin access and should only happen if anticipated and requested.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -1297,7 +1297,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Okta Single Sign-On",
 "packageId": "azuresentinel.azure-sentinel-solution-okta",
 "contentSchemaVersion": "3.0.0",
@@ -1340,7 +1340,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.0.9", + "description": "The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards. create custom alerts. and to improve monitoring and investigation capabilities.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -1536,7 +1536,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -2384,14 +2384,15 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "contentProductId": "azuresentinel.azure-sentinel-solution-okta-dc-aabcn6l2oqasy", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", "version": "1.0.0", "id": "azuresentinel.azure-sentinel-solution-okta-dc-aabcn6l2oqasy", - "isDeprecated": false + "isDeprecated": false, + "description": "" } }, { 
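Review bot: The new connector description in the hunk at -1340 reads `to view dashboards. create custom alerts. and to improve monitoring`, where the two full stops should be commas (`to view dashboards, create custom alerts, and to improve monitoring`). The same class of wording slip appears in later description hunks: `Refrence` at -2787, `investige` at -5217, and `This playbooks sends` / `such suspend` (for `such as suspend`) at -5669. Since this file appears to be generated from the solution's source metadata, the fix presumably belongs in those source descriptions rather than in this packaged template.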
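Review bot: The data connector entry in the hunk at -2384 gains a new `"description": ""` on its new side, so that content item now carries an empty description; the entry at -2682 does the same, and at -3561 (OktaCustomConnector playbook) and -6274 (OktaSSO parser) an existing description is replaced by an empty string. The previous text was only a template-version placeholder, but an empty string is a regression for anything that lists or displays these items. If the description is generated from a field in the solution's source metadata, that field is presumably missing for these four items and should be filled in, e.g. for the parser `"description": "Backward Compatibility Parser for Okta SSO: exposes OktaV2_CL rows under the legacy Okta_CL column names."`, which is what the projection in the query visibly does.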
@@ -2682,14 +2683,15 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "contentProductId": "azuresentinel.azure-sentinel-solution-okta-rdc-lhzkfmfydnqwm", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", "version": "1.0.0", "id": "azuresentinel.azure-sentinel-solution-okta-rdc-lhzkfmfydnqwm", - "isDeprecated": false + "isDeprecated": false, + "description": "" } }, { @@ -2701,7 +2703,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Query checks for admin permissions granted to users/groups, often used by adversaries for access and privilege elevation.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2765,7 +2767,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -2787,7 +2789,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Okta API tokens are used to authenticate requests to Okta APIs. This query searches for attempts to create new API Token.\n Refrence: https://developer.okta.com/docs/reference/api/event-types/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2851,7 +2853,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -2873,7 +2875,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User.session.impersonation, usually triggered by Okta Support, are rare. This query checks for impersonation events used in LAPSUS$ breach.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2937,7 +2939,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -2959,7 +2961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MFA prevents credential compromise. This query checks for rare MFA operations like deactivation, update, reset, and bypass attempts often used by adversaries to compromise networks/accounts.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3023,7 +3025,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -3045,7 +3047,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Adversaries often manipulate accounts for access. This query checks for admin attempts to reset user passwords in Okta logs.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3109,7 +3111,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -3131,7 +3133,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query identifies new device being registered from a location where the user does not normally login from", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3195,7 +3197,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -3217,7 +3219,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for successful logons from known VPS provider network ranges.\n This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3281,7 +3283,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -3303,7 +3305,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for sign-in activity from Nord VPN providers.\nThe purpose is to identify any unfamiliar sign-in attempts from VPN providers, that are not typically observed among users in the organization.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3367,7 +3369,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -3389,7 +3391,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query identifies accounts associated with multiple authentications from different geographical locations in a short period of time.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3453,7 +3455,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -3475,7 +3477,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query identifies use of legacy authentication protocol in the Okta Logs.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3539,7 +3541,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -3561,7 +3563,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.0.9", + "description": "", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0", @@ -4824,7 +4826,7 @@ ], "metadata": { "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2024-10-14T18:36:21.775Z", + "lastUpdateTime": "2024-11-07T18:58:15.778Z", "releaseNotes": { "version": "1.0", "title": "[replace('b', 'b', '')]", @@ -4835,7 +4837,7 @@ } }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -4857,7 +4859,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.9", + "description": "This playbook will collect user information from Okta and post a report on the incident.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0", @@ -5195,7 +5197,7 @@ } }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -5217,7 +5219,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.0.9", + "description": "This playbook uses the OKTA connector to prompt the risky user on Teams. User is asked action was taken by them. Based on the user confirmation the SOC admin is notified to investige on the user account. Also, comment is added to the incident with user information and summary of actions taken.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0", @@ -5647,7 +5649,7 @@ } }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -5669,7 +5671,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.0.9", + "description": "This playbooks sends an adaptive card to the SOC Teams channel with information about the Okta user and incident details. The SOC is allowed to take action such suspend, reset password, expire password, add to group. An informative comment will be posted to the incident.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0", @@ -6155,7 +6157,7 @@ } }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", @@ -6177,7 +6179,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.0.9", + "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2", @@ -6252,7 +6254,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", 
@@ -6274,10 +6276,10 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-okta')]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.0.9", + "description": "", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.1", + "contentVersion": "1.0.2", "parameters": {}, "variables": {}, "resources": [ 
@@ -6291,7 +6293,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n 
AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n 
authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n 
authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n 
SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n 
client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6313,7 +6315,7 @@ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "contentId": "OktaSSO-Parser", "kind": "Parser", - "version": "1.0.1", + "version": "1.0.2", "source": { "name": "Okta Single Sign-On", "kind": "Solution", 
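Review bot: The rewritten parser query in the hunk at -6291 adds `domain_s=DomainName` to the Oktav2 projection but does not add `domain_s` to the `Oktav1_empty` datatable, so the schema the parser declares for its legacy output no longer matches what it emits; adding `domain_s:string,` next to `securityContext_domain_s:string,` in Oktav1_empty keeps the declared schema authoritative. The type changes in Oktav2_empty (`ActorDetailEntry`, `DebugData`, `Request`, `OriginalTarget`, `TransactionDetail` to dynamic; `AuthenticationContextAuthenticationStep` and `SecurityContextAsNumber` to int) only help if they match the actual OktaV2_CL column types, because, as far as I recall, union keeps same-named columns of differing types as separate type-suffixed columns and the following `project` would then not find the plain names, so a short comment in the query such as `// Oktav2_empty must mirror the OktaV2_CL column types exactly` would record that requirement. `DomainName: string ,` has a stray space before the comma. The same query is duplicated in the hunk at -6357 (cut off at the end of this view), so both copies need to be kept identical.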
@@ -6334,16 +6336,16 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Okta Single Sign-On", "packageId": "azuresentinel.azure-sentinel-solution-okta", "contentSchemaVersion": "3.0.0", "contentId": "OktaSSO-Parser", "contentKind": "Parser", "displayName": "Backward Compatibility Parser for Okta SSO", - "contentProductId": "azuresentinel.azure-sentinel-solution-okta-pr-zyvgybxhahmkk", - "id": "azuresentinel.azure-sentinel-solution-okta-pr-zyvgybxhahmkk", - "version": "1.0.1", + "contentProductId": "azuresentinel.azure-sentinel-solution-okta-pr-biihe3mywms26", + "id": "azuresentinel.azure-sentinel-solution-okta-pr-biihe3mywms26", + "version": "1.0.2", "isDeprecated": false } }, 
@@ -6357,7 +6359,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n 
AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n 
authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n 
authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n 
SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n 
client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6380,7 +6382,7 @@ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "contentId": "OktaSSO-Parser", "kind": "Parser", - "version": "1.0.1", + "version": "1.0.2", "source": { "kind": "Solution", "name": "Okta Single Sign-On", @@ -6403,15 +6405,15 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", "descriptionHtml": "
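Review bot: `domain_s=DomainName` is projected only in the Oktav2 branch of the new query, while `Oktav1_empty`, which otherwise enumerates every legacy column the function emits, is left without it; adding `domain_s:string,` to that datatable keeps the two schemas in step and makes the column visible to anyone who reads `Oktav1_empty` as the reference shape. `DomainName: string ,` also carries a stray space before the comma. This query text is duplicated in the savedSearches copy of the parser whose tail opens this chunk (that hunk is cut here, so I cannot confirm it received the same edit); the `Oktav2_empty` type changes and the new column need to be identical in both copies, since a `union isfuzzy=true` over same-named columns of differing types would presumably yield type-suffixed duplicate columns in one copy but not the other.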

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

The Okta Single Sign-On (SSO) solution for Microsoft Sentinel provides the capability to ingest audit and event logs into Microsoft Sentinel using the Okta API.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

b. Azure Functions

c. Codeless Connector Platform (CCP)

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 9, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 3

Learn more about Microsoft Sentinel | Learn more about Solutions

",
 "contentKind": "Solution",
- "contentProductId": "azuresentinel.azure-sentinel-solution-okta-sl-ybgq3smgs3dik",
- "id": "azuresentinel.azure-sentinel-solution-okta-sl-ybgq3smgs3dik",
+ "contentProductId": "azuresentinel.azure-sentinel-solution-okta-sl-h6ssz4itecn4e",
+ "id": "azuresentinel.azure-sentinel-solution-okta-sl-h6ssz4itecn4e",
+ "icon": "https://store-images.s-microsoft.com/image/apps.34108.b239392b-efc9-4022-9c36-fed4f0ded1e3.323909ea-f2e8-42ce-8010-8db7d28f23cd.47066c0b-5d4e-4c49-9321-8ce6822828c8",
 "contentId": "azuresentinel.azure-sentinel-solution-okta",
 "parentId": "azuresentinel.azure-sentinel-solution-okta",
@@ -6566,7 +6568,7 @@
 {
 "kind": "Parser",
 "contentId": "OktaSSO-Parser",
- "version": "1.0.1"
+ "version": "1.0.2"
 }
 ]
 },
@@ -6581,7 +6583,8 @@
 ]
 },
 "isPreview": false,
- "isDeprecated": false
+ "isDeprecated": false,
+ "migratedToPackageId": null
 },
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'azuresentinel.azure-sentinel-solution-okta')]"
 }
diff --git a/modules/solutions/templates/sophos_endpoint.json b/modules/solutions/templates/sophos_endpoint.json
new file mode 100644
index 0000000..fdd72f1
--- /dev/null
+++ b/modules/solutions/templates/sophos_endpoint.json
@@ -0,0 +1,1626 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "String", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "String", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "String", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "String", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } + }, + "resources": [ + { + "name": "pid-2b740b78-b211-45f8-839b-2f67e70008bc-partnercenter", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SophosEPEvent-Parser')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-sophosep')]" + ], + "properties": { + "description": "", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.1", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/','Sophos Endpoint Protection Data Parser')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Sophos Endpoint Protection Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "SophosEPEvent", + "query": "let SophosEP_CL = view() {\nSophosEP_CL\n| extend EventVendor = 'Sophos'\n| extend EventProduct = 'Endpoint Protection'\n| extend TimeGenerated = created_at_t\n| extend\n DstUserSid = column_ifexists('user_id_s', ''),\n CustomerId = column_ifexists('customer_id_g', ''),\n EventSeverity = column_ifexists('severity_s', ''),\n Created = column_ifexists('created_at_t', ''),\n SrcIpAddr = column_ifexists('source_info_ip_s', ''),\n ThreatName = column_ifexists('threat_s', ''),\n EndpointId = column_ifexists('endpoint_id_g', ''),\n SrcDvcType = column_ifexists('endpoint_type_s', ''),\n EventSubType = column_ifexists('origin_s', ''),\n EventEndTime = column_ifexists('when_t', ''),\n Source = column_ifexists('source_s', ''),\n DvcAction = column_ifexists('type_s', ''),\n EventMessage = column_ifexists('name_s', ''),\n DvcHostname = column_ifexists('location_s', ''),\n EventOriginalUid = column_ifexists('id_g', ''),\n ThreatCategory = column_ifexists('group_s', ''),\n EventType = column_ifexists('datastream_s', ''),\n AppSha256 = column_ifexists('appSha256_s', ''),\n CoreRemedyItems= 
column_ifexists('core_remedy_items_items_s', ''),\n CoreRemedyTotalItems= toint(column_ifexists('core_remedy_items_totalItems_d', ''))\n };\nlet SophosEPEvents_CL=view() {\nSophosEPEvents_CL\n};\nlet SophosEPAlerts_CL=view() {\nSophosEPAlerts_CL\n}; \nunion withsource='SourceTable' isfuzzy= true\nSophosEP_CL,\nSophosEPEvents_CL,\nSophosEPAlerts_CL\n| project \nTimeGenerated,\nSourceTable,\nCustomerId,\nEventSeverity,\nCreated,\nEventEndTime,\nDvcAction,\nEventMessage,\nSrcIpAddr,\nThreatName,\nEndpointId,\nSrcDvcType,\nEventSubType,\nSource,\nDvcHostname,\nEventOriginalUid,\nThreatCategory,\nDstUserSid,\nCoreRemedyItems,\nCoreRemedyTotalItems,\nAppSha256,\nEventType,\nEventVendor,\nEventProduct\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser'),'/'))))]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]", + "contentId": "SophosEPEvent-Parser", + "kind": "Parser", + "version": "2.0.1", + "source": { + "name": "Sophos Endpoint Protection", + "kind": "Solution", + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + 
}, + "packageKind": "Solution", + "packageVersion": "3.0.5", + "packageName": "Sophos Endpoint Protection", + "packageId": "azuresentinel.azure-sentinel-solution-sophosep", + "contentSchemaVersion": "3.0.0", + "contentId": "SophosEPEvent-Parser", + "contentKind": "Parser", + "displayName": "Sophos Endpoint Protection Data Parser", + "contentProductId": "azuresentinel.azure-sentinel-solution-sophosep-pr-uvu5dokqa6zds", + "id": "azuresentinel.azure-sentinel-solution-sophosep-pr-uvu5dokqa6zds", + "version": "2.0.1", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[concat(parameters('workspace'),'/','Sophos Endpoint Protection Data Parser')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Sophos Endpoint Protection Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "SophosEPEvent", + "query": "let SophosEP_CL = view() {\nSophosEP_CL\n| extend EventVendor = 'Sophos'\n| extend EventProduct = 'Endpoint Protection'\n| extend TimeGenerated = created_at_t\n| extend\n DstUserSid = column_ifexists('user_id_s', ''),\n CustomerId = column_ifexists('customer_id_g', ''),\n EventSeverity = column_ifexists('severity_s', ''),\n Created = column_ifexists('created_at_t', ''),\n SrcIpAddr = column_ifexists('source_info_ip_s', ''),\n ThreatName = column_ifexists('threat_s', ''),\n EndpointId = column_ifexists('endpoint_id_g', ''),\n SrcDvcType = column_ifexists('endpoint_type_s', ''),\n EventSubType = column_ifexists('origin_s', ''),\n EventEndTime = column_ifexists('when_t', ''),\n Source = column_ifexists('source_s', ''),\n DvcAction = column_ifexists('type_s', ''),\n EventMessage = column_ifexists('name_s', ''),\n DvcHostname = column_ifexists('location_s', ''),\n EventOriginalUid = column_ifexists('id_g', ''),\n ThreatCategory = column_ifexists('group_s', ''),\n EventType = column_ifexists('datastream_s', 
''),\n AppSha256 = column_ifexists('appSha256_s', ''),\n CoreRemedyItems= column_ifexists('core_remedy_items_items_s', ''),\n CoreRemedyTotalItems= toint(column_ifexists('core_remedy_items_totalItems_d', ''))\n };\nlet SophosEPEvents_CL=view() {\nSophosEPEvents_CL\n};\nlet SophosEPAlerts_CL=view() {\nSophosEPAlerts_CL\n}; \nunion withsource='SourceTable' isfuzzy= true\nSophosEP_CL,\nSophosEPEvents_CL,\nSophosEPAlerts_CL\n| project \nTimeGenerated,\nSourceTable,\nCustomerId,\nEventSeverity,\nCreated,\nEventEndTime,\nDvcAction,\nEventMessage,\nSrcIpAddr,\nThreatName,\nEndpointId,\nSrcDvcType,\nEventSubType,\nSource,\nDvcHostname,\nEventOriginalUid,\nThreatCategory,\nDstUserSid,\nCoreRemedyItems,\nCoreRemedyTotalItems,\nAppSha256,\nEventType,\nEventVendor,\nEventProduct\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser'),'/'))))]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Sophos Endpoint Protection Data Parser')]", + "contentId": "SophosEPEvent-Parser", + "kind": "Parser", + "version": "2.0.1", + "source": { + "kind": "Solution", + "name": "Sophos Endpoint Protection", + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + 
"name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring('SophosEP')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-sophosep')]" + ], + "properties": { + "description": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','SophosEP')]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "SophosEP", + "title": "Sophos Endpoint Protection (using Azure Functions)", + "publisher": "Sophos", + "descriptionMarkdown": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos 
events](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "SophosEP_CL", + "baseQuery": "SophosEP_CL" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "SophosEP_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "SophosEP_CL", + "lastDataReceivedQuery": "SophosEP_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SophosEP_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**API token** is required. [See the documentation to learn more about API token](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ep_ApiTokenManagement.html)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Sophos Central APIs to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "**STEP 1 - Configuration steps for the Sophos Central API**\n\n Follow the instructions to obtain the credentials.\n\n1. 
In Sophos Central Admin, go to **Global Settings > API Token Management**.\n2. To create a new token, click **Add token** from the top-right corner of the screen.\n3. Select a **token name** and click **Save**. The **API Token Summary** for this token is displayed.\n4. Click **Copy** to copy your **API Access URL + Headers** from the **API Token Summary** section into your clipboard." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Sophos Endpoint Protection data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'SophosEP'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'SophosEP')]", + "contentId": "SophosEP", + "kind": "DataConnector", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Sophos Endpoint Protection", + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.5", + "packageName": "Sophos Endpoint Protection", + "packageId": "azuresentinel.azure-sentinel-solution-sophosep", + "contentSchemaVersion": "3.0.0", + "contentId": "SophosEP", + "contentKind": "DataConnector", + "displayName": "Sophos Endpoint Protection (using Azure Functions)", + "contentProductId": "azuresentinel.azure-sentinel-solution-sophosep-dc-crbywzfay6dzw", + "id": "azuresentinel.azure-sentinel-solution-sophosep-dc-crbywzfay6dzw", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
last(split(extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'SophosEP'),'/'))))]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'SophosEP')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'SophosEP')]", + "contentId": "SophosEP", + "kind": "DataConnector", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Sophos Endpoint Protection", + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','SophosEP')]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Sophos Endpoint Protection (using Azure Functions)", + "publisher": "Sophos", + "descriptionMarkdown": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. 
Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "SophosEP_CL", + "baseQuery": "SophosEP_CL" + } + ], + "dataTypes": [ + { + "name": "SophosEP_CL", + "lastDataReceivedQuery": "SophosEP_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SophosEP_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "SophosEP_CL\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "REST API Credentials/permissions", + "description": "**API token** is required. [See the documentation to learn more about API token](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ep_ApiTokenManagement.html)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Sophos Central APIs to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "**STEP 1 - Configuration steps for the Sophos Central API**\n\n Follow the instructions to obtain the credentials.\n\n1. In Sophos Central Admin, go to **Global Settings > API Token Management**.\n2. To create a new token, click **Add token** from the top-right corner of the screen.\n3. Select a **token name** and click **Save**. The **API Token Summary** for this token is displayed.\n4. Click **Copy** to copy your **API Access URL + Headers** from the **API Token Summary** section into your clipboard." 
+ }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Sophos Endpoint Protection data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "id": "SophosEP", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', concat(parameters('workspace'),'-dc-',uniquestring('SophosEndpointProtectionCCPDefinition')), '1.0.0')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-sophosep')]" + ], + "properties": { + "contentId": "SophosEndpointProtectionCCPDefinition", + "displayName": "Sophos Endpoint Protection (using REST API)", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','SophosEndpointProtectionCCPDefinition')]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "SophosEndpointProtectionCCPDefinition", + "title": "Sophos Endpoint Protection (using REST API)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the 
capability to ingest [Sophos events](https://developer.sophos.com/docs/siem-v1/1/routes/events/get) and [Sophos alerts](https://developer.sophos.com/docs/siem-v1/1/routes/alerts/get) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.", + "graphQueriesTableName": "SophosEPEvents_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Sophos Endpoint Protection Event logs", + "baseQuery": "{{graphQueriesTableName}}" + }, + { + "metricName": "Total alerts received", + "legend": "Sophos Endpoint Protection Alert logs", + "baseQuery": "SophosEPAlerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Get a sample of Sophos Endpoint Protection Event logs", + "query": "{{graphQueriesTableName}}\n| take 10" + }, + { + "description": "Get a sample of Sophos Endpoint Protection Alert logs", + "query": "SophosEPAlerts_CL\n| take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + }, + { + "name": "SophosEPAlerts_CL", + "lastDataReceivedQuery": "SophosEPAlerts_CL\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Sophos Endpoint Protection API access", + "description": "Access to the Sophos Endpoint Protection API through a service principal is required." 
+ } + ] + }, + "instructionSteps": [ + { + "description": "Follow [Sophos instructions](https://developer.sophos.com/getting-started-tenant) to create a service principal with access to the Sophos API. It will need the Service Principal ReadOnly role.\n Through those instructions, you should get the Client ID, Client Secret, Tenant ID and data region.\n Fill the form bellow with that information.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Sophos Tenant ID", + "placeholder": "Sophos Tenant ID", + "type": "text", + "name": "sophosTenantId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Sophos Tenant Data Region", + "placeholder": "eu01, eu02, us01, us02 or us03", + "type": "text", + "name": "sophosRegion" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + }, + { + "type": "DataConnectorsGrid", + "parameters": { + "mapping": [ + { + "columnValue": "name", + "columnName": "Name" + }, + { + "columnValue": "id", + "columnName": "ID" + } + ] + } + } + ], + "title": "Connect to Sophos Endpoint Protection API to start collecting event and alert logs in Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 'SophosEndpointProtectionCCPDefinition'))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', 'SophosEndpointProtectionCCPDefinition')]", + "contentId": "SophosEndpointProtectionCCPDefinition", + "kind": "DataConnector", + "version": "1.0.0", + "source": { + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep", + "name": 
"Sophos Endpoint Protection", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "1.0.0", + "contentId": "SophosEndpointProtectionCCPDefinitionConnections", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "SophosEndpointDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[replace('b', 'b', '')]", + "properties": { + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "streamDeclarations": { + "Custom-SophosEPAlerts_CL": { + "columns": [ + { + "name": "customer_id", + "type": "string" + }, + { + "name": "created_at", + "type": "datetime" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "event_service_event_id", + "type": "string" + }, + { + "name": "when", + "type": "datetime" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "location", + "type": "string" + }, + { + "name": "id", + "type": "string" + }, + { + "name": "data", + "type": "dynamic" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "threat", + "type": "string" + }, + { + "name": "threat_cleanable", + "type": "boolean" + }, + { + "name": "info", + "type": "dynamic" + } + ] + }, + "Custom-SophosEPEvents_CL": { + "columns": [ + { + "name": "amsi_threat_data", + "type": "dynamic" + }, + { + "name": "appCerts", + "type": "dynamic" + }, + { + "name": "appSha256", + "type": "string" + }, + { + "name": "core_remedy_items", + "type": "dynamic" + }, + { + "name": 
"created_at", + "type": "datetime" + }, + { + "name": "customer_id", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "endpoint_id", + "type": "string" + }, + { + "name": "endpoint_type", + "type": "string" + }, + { + "name": "group", + "type": "string" + }, + { + "name": "ips_threat_data", + "type": "dynamic" + }, + { + "name": "location", + "type": "string" + }, + { + "name": "name", + "type": "string" + }, + { + "name": "origin", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "source_info", + "type": "dynamic" + }, + { + "name": "threat", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "when", + "type": "datetime" + }, + { + "name": "whitelist_properties", + "type": "dynamic" + }, + { + "name": "id", + "type": "string" + }, + { + "name": "type", + "type": "string" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-SophosEPAlerts_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = created_at | extend EventType = 'alert'| extend EventVendor = 'Sophos' | extend EventProduct = 'Endpoint Protection'| project-rename Created=created_at, CustomerId=customer_id, DvcAction=type, DvcHostname=location, EventEndTime=when, EventOriginalUid=id, EventSeverity=severity, Source=source, ThreatName=threat\n", + "outputStream": "Custom-SophosEPAlerts_CL" + }, + { + "streams": [ + "Custom-SophosEPEvents_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = created_at | extend EventType = 'event' | extend EventVendor = 'Sophos' | extend EventProduct = 'Endpoint Protection'| extend SrcIpAddr = tostring(source_info.ip) | extend 
CoreRemedyTotalItems = toint(core_remedy_items.totalItems) | extend CoreRemedyItems = tostring(core_remedy_items.items) | project-rename AppSha256=appSha256, Created=created_at, CustomerId=customer_id, DstUserSid=user_id, DvcHostname=location, EndpointId=endpoint_id, EventEndTime=when, EventMessage=name, EventOriginalUid=id, EventSubType=origin, EventSeverity=severity, DvcAction = type, Source=source, SrcDvcType=endpoint_type, ThreatCategory=group, ThreatName=threat \n", + "outputStream": "Custom-SophosEPEvents_CL" + } + ] + } + }, + { + "name": "SophosEPAlerts_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "properties": { + "schema": { + "name": "SophosEPAlerts_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "Datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "CustomerId", + "type": "string" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + }, + { + "name": "event_service_event_id", + "type": "string" + }, + { + "name": "EventEndTime", + "type": "datetime" + }, + { + "name": "DvcAction", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "DvcHostname", + "type": "string" + }, + { + "name": "EventOriginalUid", + "type": "string" + }, + { + "name": "data", + "type": "dynamic" + }, + { + "name": "Source", + "type": "string" + }, + { + "name": "info", + "type": "dynamic" + }, + { + "name": "ThreatName", + "type": "string" + }, + { + "name": "threat_cleanable", + "type": "boolean" + } + ] + } + } + }, + { + "name": "SophosEPEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": 
"[parameters('workspace-location')]", + "properties": { + "schema": { + "name": "SophosEPEvents_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "Datetime", + "isDefaultDisplay": true, + "description": "The timestamp (UTC) reflecting the time in which the event was generated." + }, + { + "name": "EventVendor", + "type": "string" + }, + { + "name": "EventProduct", + "type": "string" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "amsi_threat_data", + "type": "dynamic" + }, + { + "name": "appCerts", + "type": "dynamic" + }, + { + "name": "AppSha256", + "type": "string" + }, + { + "name": "CoreRemedyItems", + "type": "string" + }, + { + "name": "CoreRemedyTotalItems", + "type": "int" + }, + { + "name": "Created", + "type": "datetime" + }, + { + "name": "CustomerId", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "EndpointId", + "type": "string" + }, + { + "name": "SrcDvcType", + "type": "string" + }, + { + "name": "ThreatCategory", + "type": "string" + }, + { + "name": "EventOriginalUid", + "type": "string" + }, + { + "name": "ips_threat_data", + "type": "dynamic" + }, + { + "name": "DvcHostname", + "type": "string" + }, + { + "name": "EventMessage", + "type": "string" + }, + { + "name": "EventSubType", + "type": "string" + }, + { + "name": "EventSeverity", + "type": "string" + }, + { + "name": "Source", + "type": "string" + }, + { + "name": "source_info", + "type": "dynamic" + }, + { + "name": "SrcIpAddr", + "type": "string" + }, + { + "name": "ThreatName", + "type": "string" + }, + { + "name": "DvcAction", + "type": "string" + }, + { + "name": "DstUserSid", + "type": "string" + }, + { + "name": "EventEndTime", + "type": "datetime" + }, + { + "name": "whitelist_properties", + "type": "dynamic" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.5", + "packageName": "Sophos Endpoint Protection", + "contentProductId": 
"azuresentinel.azure-sentinel-solution-sophosep-dc-pr2idgrp7epoc", + "packageId": "azuresentinel.azure-sentinel-solution-sophosep", + "contentSchemaVersion": "3.0.0", + "version": "1.0.0", + "id": "azuresentinel.azure-sentinel-solution-sophosep-dc-pr2idgrp7epoc", + "isDeprecated": false, + "description": "" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','SophosEndpointProtectionCCPDefinition')]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "SophosEndpointProtectionCCPDefinition", + "title": "Sophos Endpoint Protection (using REST API)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://developer.sophos.com/docs/siem-v1/1/routes/events/get) and [Sophos alerts](https://developer.sophos.com/docs/siem-v1/1/routes/alerts/get) into Microsoft Sentinel. 
Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.", + "graphQueriesTableName": "SophosEPEvents_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Sophos Endpoint Protection Event logs", + "baseQuery": "{{graphQueriesTableName}}" + }, + { + "metricName": "Total alerts received", + "legend": "Sophos Endpoint Protection Alert logs", + "baseQuery": "SophosEPAlerts_CL" + } + ], + "sampleQueries": [ + { + "description": "Get a sample of Sophos Endpoint Protection Event logs", + "query": "{{graphQueriesTableName}}\n| take 10" + }, + { + "description": "Get a sample of Sophos Endpoint Protection Alert logs", + "query": "SophosEPAlerts_CL\n| take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + }, + { + "name": "SophosEPAlerts_CL", + "lastDataReceivedQuery": "SophosEPAlerts_CL\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Sophos Endpoint Protection API access", + "description": "Access to the Sophos Endpoint Protection API through a service principal is required." + } + ] + }, + "instructionSteps": [ + { + "description": "Follow [Sophos instructions](https://developer.sophos.com/getting-started-tenant) to create a service principal with access to the Sophos API. 
It will need the Service Principal ReadOnly role.\n Through those instructions, you should get the Client ID, Client Secret, Tenant ID and data region.\n Fill the form bellow with that information.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Sophos Tenant ID", + "placeholder": "Sophos Tenant ID", + "type": "text", + "name": "sophosTenantId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Sophos Tenant Data Region", + "placeholder": "eu01, eu02, us01, us02 or us03", + "type": "text", + "name": "sophosRegion" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + }, + { + "type": "DataConnectorsGrid", + "parameters": { + "mapping": [ + { + "columnValue": "name", + "columnName": "Name" + }, + { + "columnValue": "id", + "columnName": "ID" + } + ] + } + } + ], + "title": "Connect to Sophos Endpoint Protection API to start collecting event and alert logs in Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 'SophosEndpointProtectionCCPDefinition'))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', 'SophosEndpointProtectionCCPDefinition')]", + "contentId": "SophosEndpointProtectionCCPDefinition", + "kind": "DataConnector", + "version": "1.0.0", + "source": { + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep", + "name": "Sophos Endpoint Protection", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + 
"email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "1.0.0", + "contentId": "SophosEndpointProtectionCCPDefinitionConnections", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', concat(parameters('workspace'),'-dc-',uniquestring('SophosEndpointProtectionCCPDefinitionConnections')), '1.0.0')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-sophosep')]" + ], + "properties": { + "contentId": "SophosEndpointProtectionCCPDefinitionConnections", + "displayName": "Sophos Endpoint Protection (using REST API)", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": { + "ClientId": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "ClientSecret": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "sophosRegion": { + "defaultValue": "Enter sophosRegion value", + "type": "String", + "minLength": 1 + }, + "connectorDefinitionName": { + "defaultValue": "Sophos Endpoint Protection (using REST API)", + "type": "String", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "sophosTenantId": { + "defaultValue": "sophosTenantId", + "type": 
"String", + "minLength": 1 + }, + "AuthorizationCode": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "SophosEndpointProtectionCCPDefinitionConnections" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 'SophosEndpointProtectionCCPDefinitionConnections'))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 'SophosEndpointProtectionCCPDefinitionConnections')]", + "contentId": "SophosEndpointProtectionCCPDefinitionConnections", + "kind": "ResourcesDataConnector", + "version": "1.0.0", + "source": { + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep", + "name": "Sophos Endpoint Protection", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SophosEndpointProtectionCCPAlertsPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SophosEndpointProtectionCCPDefinition", + "dataType": "SophosEPAlerts_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-SophosEPAlerts_CL" + }, + "auth": { + "type": "OAuth2", 
+ "ClientSecret": "[[parameters('ClientSecret')]", + "ClientId": "[[parameters('ClientId')]", + "TokenEndpoint": "https://id.sophos.com/api/v2/oauth2/token", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "scope": "token", + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://api-', parameters('sophosRegion'), '.central.sophos.com/siem/v1/alerts')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 60, + "queryTimeFormat": "UnixTimestamp", + "startTimeAttributeName": "from_date", + "headers": { + "Accept": "application/json", + "X-Tenant-ID": "[[parameters('sophosTenantId')]" + } + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.next_cursor", + "hasNextFlagJsonPath": "$.has_more", + "nextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.items" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SophosEndpointProtectionCCPEventsPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "SophosEndpointProtectionCCPDefinition", + "dataType": "SophosEPEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-SophosEPEvents_CL" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('ClientSecret')]", + "ClientId": "[[parameters('ClientId')]", + "TokenEndpoint": "https://id.sophos.com/api/v2/oauth2/token", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": 
"application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "scope": "token", + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://api-', parameters('sophosRegion'), '.central.sophos.com/siem/v1/events')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 60, + "queryTimeFormat": "UnixTimestamp", + "startTimeAttributeName": "from_date", + "headers": { + "Accept": "application/json", + "X-Tenant-ID": "[[parameters('sophosTenantId')]" + } + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.next_cursor", + "hasNextFlagJsonPath": "$.has_more", + "nextPageParaName": "cursor" + }, + "response": { + "eventsJsonPaths": [ + "$.items" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.5", + "packageName": "Sophos Endpoint Protection", + "contentProductId": "azuresentinel.azure-sentinel-solution-sophosep-rdc-mz5giusssbwxk", + "packageId": "azuresentinel.azure-sentinel-solution-sophosep", + "contentSchemaVersion": "3.0.0", + "version": "1.0.0", + "id": "azuresentinel.azure-sentinel-solution-sophosep-rdc-mz5giusssbwxk", + "isDeprecated": false, + "description": "" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.5", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Sophos Endpoint Protection", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

The Sophos Endpoint Protection solution provides the capability to ingest to ingest Sophos events and Sophos alerts into Microsoft Sentinel. Refer to Sophos Central documentation for more information.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

b. Azure Functions

c. Codeless Connector Platform (CCP)

Data Connectors: 2, Parsers: 1

Learn more about Microsoft Sentinel | Learn more about Solutions

", + "contentKind": "Solution", + "contentProductId": "azuresentinel.azure-sentinel-solution-sophosep-sl-requotohfanc2", + "id": "azuresentinel.azure-sentinel-solution-sophosep-sl-requotohfanc2", + "icon": "https://store-images.s-microsoft.com/image/apps.41419.2b740b78-b211-45f8-839b-2f67e70008bc.19cf8bba-0f67-4e4d-b042-90d70a5dfef1.1d473b06-07e6-4bbb-90de-c8ee4f473ad3", + "contentId": "azuresentinel.azure-sentinel-solution-sophosep", + "parentId": "azuresentinel.azure-sentinel-solution-sophosep", + "source": { + "kind": "Solution", + "name": "Sophos Endpoint Protection", + "sourceId": "azuresentinel.azure-sentinel-solution-sophosep" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Parser", + "contentId": "SophosEPEvent-Parser", + "version": "2.0.1" + }, + { + "kind": "DataConnector", + "contentId": "SophosEP", + "version": "1.0.0" + }, + { + "kind": "DataConnector", + "contentId": "SophosEndpointProtectionCCPDefinitionConnections", + "version": "1.0.0" + } + ] + }, + "firstPublishDate": "2021-07-07", + "providers": [ + "Sophos" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + }, + "isPreview": false, + "isDeprecated": false, + "migratedToPackageId": null + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'azuresentinel.azure-sentinel-solution-sophosep')]" + } + ], + "variables": {} +} diff --git a/modules/solutions/templates/ti.json b/modules/solutions/templates/ti.json index e820fce..0f8df44 100644 --- a/modules/solutions/templates/ti.json +++ b/modules/solutions/templates/ti.json 
@@ -48,7 +48,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -120,7 +120,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Threat Intelligence",
 "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "contentSchemaVersion": "3.0.0",
@@ -208,7 +208,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -280,7 +280,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Threat Intelligence",
 "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "contentSchemaVersion": "3.0.0",
@@ -368,7 +368,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -482,7 +482,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Threat Intelligence",
 "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "contentSchemaVersion": "3.0.0",
@@ -612,7 +612,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -740,7 +740,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Threat Intelligence",
 "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "contentSchemaVersion": "3.0.0",
@@ -881,7 +881,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.6", + "description": "Threat Intelligence data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -953,7 +953,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -1041,7 +1041,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "ThreatIntelligence Workbook with template version 3.0.6", + "description": "ThreatIntelligence Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "5.0.0", @@ -1124,7 +1124,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -1146,7 +1146,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.6", + "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", @@ -1206,7 +1206,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -1228,7 +1228,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.6", + "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", @@ -1288,7 +1288,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -1310,7 +1310,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.6", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", @@ -1370,7 +1370,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -1392,7 +1392,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.6", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", @@ -1452,7 +1452,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -1474,7 +1474,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.6", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", @@ -1534,7 +1534,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -1556,7 +1556,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.2", 
@@ -1610,31 +1610,31 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "HostName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIP"
+ "columnName": "SourceIP",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "URL",
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "PA_Url"
+ "columnName": "PA_Url",
+ "identifier": "Url"
 }
- ]
+ ],
+ "entityType": "URL"
 }
 ]
 }
@@ -1669,7 +1669,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Threat Intelligence",
 "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "contentSchemaVersion": "3.0.0",
@@ -1712,7 +1712,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]"
 ],
 "properties": {
- "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.1",
@@ -1772,44 +1772,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } - ] + ], + "entityType": "Process" } ] } @@ -1844,7 +1844,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -1895,7 +1895,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", 
@@ -1955,39 +1955,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -2022,7 +2022,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -2073,7 +2073,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", 
@@ -2133,21 +2133,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -2182,7 +2182,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -2233,7 +2233,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", 
@@ -2293,30 +2293,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -2351,7 +2351,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -2402,7 +2402,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.6", 
@@ -2468,32 +2468,32 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "URL",
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "Url",
+ "identifier": "Url"
 }
- ]
+ ],
+ "entityType": "URL"
 }
 ],
 "customDetails": {
- "EventTime": "Event_TimeGenerated",
+ "IoCExpirationTime": "ExpirationDateTime",
 "ActivityGroupNames": "ActivityGroupNames",
 "IoCConfidenceScore": "ConfidenceScore",
- "IoCDescription": "Description",
- "ThreatType": "ThreatType",
 "IndicatorId": "IndicatorId",
- "IoCExpirationTime": "ExpirationDateTime"
+ "ThreatType": "ThreatType",
+ "IoCDescription": "Description",
+ "EventTime": "Event_TimeGenerated"
 },
 "alertDetailsOverride": {
 "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
@@ -2531,7 +2531,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.6",
+ "packageVersion": "3.0.7",
 "packageName": "Threat Intelligence",
 "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "contentSchemaVersion": "3.0.0",
@@ -2590,7 +2590,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]"
 ],
 "properties": {
- "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.4.2",
@@ -2650,31 +2650,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -2709,7 +2709,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -2760,7 +2760,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", 
@@ -2826,31 +2826,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IP_addr" + "columnName": "IP_addr", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -2885,7 +2885,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -2940,7 +2940,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", 
@@ -3000,39 +3000,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3067,7 +3067,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -3118,7 +3118,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.7", 
@@ -3178,39 +3178,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3245,7 +3245,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -3296,7 +3296,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", 
@@ -3356,21 +3356,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -3405,7 +3405,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -3456,7 +3456,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.7", 
@@ -3516,39 +3516,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3583,7 +3583,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -3634,7 +3634,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.6", 
@@ -3694,31 +3694,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "DestinationUserID" + "columnName": "DestinationUserID", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3753,7 +3753,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -3804,7 +3804,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.8", 
@@ -3864,30 +3864,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "EntityEmail" + "columnName": "EntityEmail", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3922,7 +3922,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -3973,7 +3973,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.3.6", 
@@ -4045,44 +4045,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "TargetUserName" + "columnName": "TargetUserName", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -4117,7 +4117,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -4184,7 +4184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.7", 
@@ -4250,39 +4250,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -4317,7 +4317,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -4376,7 +4376,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.3.6", 
@@ -4436,69 +4436,69 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "SourceUserName" + "columnName": "SourceUserName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" } ] } @@ -4533,7 +4533,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -4584,7 +4584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -4644,43 +4644,43 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "RequestAccountName" + "columnName": "RequestAccountName", + "identifier": "Name" }, { - "identifier": "Sid", - "columnName": "RequestAccountSid" + "columnName": "RequestAccountSid", + "identifier": "Sid" }, { - "identifier": "NTDomain", - "columnName": "RequestAccountDomain" + "columnName": "RequestAccountDomain", + "identifier": "NTDomain" } - ] + ], + "entityType": "Account" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } @@ -4715,7 +4715,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -4766,7 +4766,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.6", 
@@ -4838,60 +4838,60 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" } ] } @@ -4926,7 +4926,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -4993,7 +4993,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.5.2", @@ -5047,53 +5047,53 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "CsUsername" + "columnName": "CsUsername", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CIp" + "columnName": "CIp", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "_ResourceId" + "columnName": "_ResourceId", + "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ], "alertDetailsOverride": { 
@@ -5131,7 +5131,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -5174,7 +5174,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.2", @@ -5234,31 +5234,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "ObjectGuid", - "columnName": "UserIdentityUserName" + "columnName": "UserIdentityUserName", + "identifier": "ObjectGuid" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIpAddress" + "columnName": "SourceIpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -5293,7 +5293,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
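Review bot: In the IPEntity_AWSCloudTrail hunk (`@@ -5234`) the Account entity still pairs `"columnName": "UserIdentityUserName"` with `"identifier": "ObjectGuid"` on the new side, so a user name is handed to Sentinel as if it were a directory object GUID. Account entities produced by this rule will then not merge with the same principal mapped through `Name`/`UPNSuffix` by the other rules in this package (the SigninLogs and AzureActivity rules in this same diff), which weakens incident correlation for the matched indicator. Unless the query feeding this mapping actually fills UserIdentityUserName with a GUID — the query is outside the hunk, so I cannot confirm that here — the mapping should read `"identifier": "Name"`, with `ObjectGuid` reserved for a column that really carries a GUID.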
@@ -5344,7 +5344,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", @@ -5404,57 +5404,57 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "AadUserId", - "columnName": "AadUserId" + "columnName": "AadUserId", + "identifier": "AadUserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } 
@@ -5489,7 +5489,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -5540,7 +5540,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.3.2", @@ -5600,22 +5600,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -5650,7 +5650,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -5701,7 +5701,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.3.4", @@ -5761,22 +5761,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -5811,7 +5811,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -5862,7 +5862,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", 
@@ -5916,39 +5916,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -5983,7 +5983,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -6026,7 +6026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.3.2", @@ -6086,13 +6086,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -6127,7 +6127,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -6178,7 +6178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.2", @@ -6238,13 +6238,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CS_ipEntity" + "columnName": "CS_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -6279,7 +6279,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -6330,7 +6330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", 
@@ -6390,44 +6390,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "RemoteUrl" + "columnName": "RemoteUrl", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } @@ -6462,7 +6462,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -6513,7 +6513,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", 
@@ -6573,39 +6573,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -6640,7 +6640,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -6691,7 +6691,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.5", 
@@ -6757,23 +6757,23 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DstIpAddr" + "columnName": "DstIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "customDetails": { - "EventTime": "imNWS_TimeGenerated", + "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "IoCExpirationTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "IoCDescription": "Description", + "EventTime": "imNWS_TimeGenerated" }, "alertDetailsOverride": { "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", @@ -6811,7 +6811,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -6870,7 +6870,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.3", 
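Review bot: In the `@@ -6757` hunk the only entity mapping binds the IP entity to `DstIpAddr`, while the retained `alertDescriptionFormat` tells the analyst that the source address `{{SrcIpAddr}}` matched the indicator, so the incident entity and the incident text disagree about which address is the IoC. An analyst pivoting from the mapped IP entity would investigate the destination while the description points at the source, so one of the two should change: either map `"columnName": "SrcIpAddr"` or reword the format to `The destination address {{DstIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}.` Which side is correct depends on the column the KQL joins against the TI indicator, and that query is outside this hunk, so please confirm against it before choosing; the reordering of `customDetails` keys in the same hunk has no effect on the rule.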
@@ -6930,39 +6930,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -6997,7 +6997,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -7048,7 +7048,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.8", 
@@ -7114,39 +7114,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7181,7 +7181,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -7240,7 +7240,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.2", 
@@ -7300,35 +7300,35 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "RemoteIp" + "columnName": "RemoteIp", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7363,7 +7363,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -7414,7 +7414,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.4.2", 
@@ -7474,40 +7474,40 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "csUserName" + "columnName": "csUserName", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "cIP" + "columnName": "cIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7542,7 +7542,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -7593,7 +7593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.8", 
@@ -7653,47 +7653,47 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "TargetResourceDisplayName" + "columnName": "TargetResourceDisplayName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7728,7 +7728,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -7779,7 +7779,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", @@ -7839,44 +7839,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } - ] + ], + "entityType": "Process" } ] } @@ -7911,7 +7911,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -7962,7 +7962,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", @@ -8022,30 +8022,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8080,7 +8080,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -8131,7 +8131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.9", @@ -8191,30 +8191,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8249,7 +8249,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -8300,7 +8300,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.5", @@ -8360,31 +8360,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8419,7 +8419,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -8470,7 +8470,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.8", @@ -8536,22 +8536,22 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Compromised_Host" + "columnName": "Compromised_Host", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8586,7 +8586,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -8641,7 +8641,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.6", 
@@ -8701,31 +8701,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8760,7 +8760,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -8811,7 +8811,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", 
@@ -8871,30 +8871,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountUpn" + "columnName": "AccountUpn", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8929,7 +8929,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -8980,7 +8980,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.6", 
@@ -9040,30 +9040,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "user_name_s" + "columnName": "user_name_s", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "access_device_ip_s" + "columnName": "access_device_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -9098,7 +9098,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -9149,10 +9149,10 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.1.7", + "contentVersion": "1.1.8", "parameters": {}, "variables": {}, "resources": [ 
@@ -9166,7 +9166,7 @@ "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'", "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)", "enabled": false, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) 
|summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
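Review bot: The `Domain` column newly added to the `| project` list in this query (and mapped to the DNS entity's `DomainName` identifier in the entityMappings hunk that follows) is not defined anywhere in the query itself; the TI side carries `DomainName` and the ASIM side `DnsQuery`, so the rule silently depends on `_Im_Dns` exposing a `Domain` column. If that column is a parser alias that is absent or differently named on some parser versions, the scheduled query fails or the DNS entity is empty without any signal in this template. Because the join condition already guarantees `DnsQuery` equals the matched indicator, the intent can be made explicit and self-contained with `| extend Domain = DnsQuery` placed before the `| project` line (or by mapping the DNS entity to `DnsQuery` directly). The analytics-rule resource this query belongs to starts before and ends after this hunk.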
@@ -9251,53 +9251,62 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Dvc" + "columnName": "Dvc", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "columnName": "Domain", + "identifier": "DomainName" + } + ], + "entityType": "DNS" } ], "customDetails": { - "SourceIPAddress": "SrcIpAddr", "DnsQuery": "DnsQuery", + "QueryType": "DnsQueryType", + "SourceIPAddress": "SrcIpAddr", "ActivityGroupNames": "ActivityGroupNames", - "ConfidenceScore": "ConfidenceScore", "Description": "Description", "LatestIndicatorTime": "LatestIndicatorTime", - "DNSRequestTime": "DNS_TimeGenerated", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "QueryType": "DnsQueryType", - "ExpirationDateTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "DNSRequestTime": "DNS_TimeGenerated", + "ExpirationDateTime": "ExpirationDateTime", + "ConfidenceScore": "ConfidenceScore" } } }, @@ -9310,7 +9319,7 @@ "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '999e9f5d-db4a-4b07-a206-29c4e667b7e8')]", "contentId": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", "kind": "AnalyticsRule", - "version": "1.1.7", + "version": "1.1.8", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -9331,16 +9340,16 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", "contentId": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", "contentKind": "AnalyticsRule", "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)", - "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-ar-t3sffopmgc3pe", - "id": "azuresentinel.azure-sentinel-solution-threatintell-ar-t3sffopmgc3pe", - "version": "1.1.7", + "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-ar-qscs4jff5ihkg", + "id": "azuresentinel.azure-sentinel-solution-threatintell-ar-qscs4jff5ihkg", + "version": "1.1.8", "isDeprecated": false, "dependencies": { "operator": "AND", @@ -9438,7 +9447,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.4", 
@@ -9540,44 +9549,44 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Dvc" + "columnName": "Dvc", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IoC" + "columnName": "IoC", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "customDetails": { - "SourceIPAddress": "SrcIpAddr", "DnsQuery": "DnsQuery", + "SourceIPAddress": "SrcIpAddr", "ActivityGroupNames": "ActivityGroupNames", - "ConfidenceScore": "ConfidenceScore", "Description": "Description", "LatestIndicatorTime": "LatestIndicatorTime", - "DNSRequestTime": "imDns_mintime", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "ExpirationDateTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "DNSRequestTime": "imDns_mintime", + "ExpirationDateTime": "ExpirationDateTime", + "ConfidenceScore": "ConfidenceScore" }, "alertDetailsOverride": { "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", @@ -9615,7 +9624,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -9722,7 +9731,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.2.6", @@ -9867,25 +9876,25 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IoCIP" + "columnName": "IoCIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "customDetails": { - "ActivityGroupNames": "ActivityGroupNames", + "IoCExpirationTime": "ExpirationDateTime", "EventEndTime": "imNWS_maxtime", - "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "ThreatType": "ThreatType", - "IoCIPDirection": "IoCDirection", "EventStartTime": "imNWS_mintime", + "ActivityGroupNames": "ActivityGroupNames", + "IoCConfidenceScore": "ConfidenceScore", "IndicatorId": "IndicatorId", - "IoCExpirationTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "IoCDescription": "Description", + "IoCIPDirection": "IoCDirection" }, "alertDetailsOverride": { "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.", @@ -9923,7 +9932,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", 
@@ -10070,7 +10079,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.4", @@ -10124,22 +10133,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -10174,7 +10183,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -10217,7 +10226,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", 
@@ -10265,22 +10274,22 @@ ], "entityMappings": [ { - "entityType": "DNS", "fieldMappings": [ { - "identifier": "DomainName", - "columnName": "DomainName" + "columnName": "DomainName", + "identifier": "DomainName" } - ] + ], + "entityType": "DNS" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -10315,7 +10324,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -10358,10 +10367,10 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.2", + "contentVersion": "1.0.3", "parameters": {}, "variables": {}, "resources": [ 
@@ -10375,7 +10384,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's email entity from TI", "displayName": "Preview - TI map Email entity to Cloud App Events", "enabled": false, - "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where User_Id != \"\"\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| extend User_id = tostring(User_Id)\n| where User_id matches regex emailregex) on $left.EmailSenderAddress == $right.User_id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_id\n| extend Name = tostring(split(User_id, '@', 0)[0]), UPNSuffix = tostring(split(User_id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", + "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress 
== $right.User_Id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -10406,21 +10415,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "DisplayName", - "columnName": "Name" + "columnName": "Name", + "identifier": "DisplayName" }, { - "identifier": "FullName", - "columnName": "User_Id" + "columnName": "User_Id", + "identifier": "FullName" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -10434,7 +10443,7 @@ "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '47b9bb10-d216-4359-8cef-08ca2c67e5be')]", "contentId": "47b9bb10-d216-4359-8cef-08ca2c67e5be", "kind": "AnalyticsRule", - "version": "1.0.2", + "version": "1.0.3", "source": { "kind": "Solution", "name": "Threat Intelligence", 
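Review bot: The join `on $left.EmailSenderAddress == $right.User_Id` is a case-sensitive string comparison in KQL, so an indicator stored as `alice@example.com` will not match a CloudAppEvents UserId recorded as `Alice@Example.com`, and the switch to `isnotempty(User_Id)` in this hunk leaves that gap in place. Normalising both sides before the join closes it: on the indicator side add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after the `isnotempty(EmailSenderAddress)` filter, and on the event side use `| extend User_Id = tolower(tostring(RawEventData.UserId))` in place of the current extend. The regex check and the later `split(User_Id, '@', ...)` calls work unchanged on the lowercased value. Whether the TI feed actually delivers mixed-case sender addresses is not visible here, so confirm against the indicator data before relying on this.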
@@ -10455,16 +10464,16 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", "contentId": "47b9bb10-d216-4359-8cef-08ca2c67e5be", "contentKind": "AnalyticsRule", "displayName": "Preview - TI map Email entity to Cloud App Events", - "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-ar-tybcporf72sys", - "id": "azuresentinel.azure-sentinel-solution-threatintell-ar-tybcporf72sys", - "version": "1.0.2", + "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-ar-eqb6qtgzoiqdc", + "id": "azuresentinel.azure-sentinel-solution-threatintell-ar-eqb6qtgzoiqdc", + "version": "1.0.3", "isDeprecated": false, "dependencies": { "operator": "AND", @@ -10498,7 +10507,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", 
@@ -10552,44 +10561,44 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DestinationIP" + "columnName": "DestinationIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" } ] } @@ -10624,7 +10633,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -10675,10 +10684,10 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.2", + "contentVersion": "1.0.3", "parameters": {}, "variables": {}, "resources": [ 
@@ -10692,7 +10701,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's IP entity from TI", "displayName": "Preview - TI map IP entity to Cloud App Events", "enabled": false, - "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | project 
CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n", + "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where isnotempty(IPAddress)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | 
project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -10723,40 +10732,40 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkDestinationIP" + "columnName": "NetworkDestinationIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkSourceIP" + "columnName": "NetworkSourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "EmailSourceIPAddress" + "columnName": "EmailSourceIPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -10770,7 +10779,7 @@ "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4e0a6fc8-697e-4455-be47-831b41ea91ac')]", "contentId": "4e0a6fc8-697e-4455-be47-831b41ea91ac", "kind": "AnalyticsRule", - "version": "1.0.2", + "version": "1.0.3", "source": { "kind": "Solution", "name": "Threat Intelligence", 
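Review bot: The two fallback extends in the new query still assign to `TIipEntity` (no underscore) while the join key on the following line is `TI_ipEntity`, so indicators that only carry NetworkSourceIP or EmailSourceIpAddress never reach `$left.TI_ipEntity == $right.IPAddress` and silently produce no matches; the added `isnotempty(IPAddress)` filter does not change that. Both lines should write the same column: `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)` and `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)`. This appears to be a vendored copy of the upstream Sentinel Threat Intelligence solution template, so the correction probably belongs upstream as well, but as shipped the rule is blind to two of the four indicator IP fields its `where` clause claims to cover.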
@@ -10791,16 +10800,16 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", "contentId": "4e0a6fc8-697e-4455-be47-831b41ea91ac", "contentKind": "AnalyticsRule", "displayName": "Preview - TI map IP entity to Cloud App Events", - "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-ar-ghivvhkconcw4", - "id": "azuresentinel.azure-sentinel-solution-threatintell-ar-ghivvhkconcw4", - "version": "1.0.2", + "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-ar-wd2kamki7z5de", + "id": "azuresentinel.azure-sentinel-solution-threatintell-ar-wd2kamki7z5de", + "version": "1.0.3", "isDeprecated": false, "dependencies": { "operator": "AND", @@ -10834,7 +10843,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-threatintelligence-taxii')]" ], "properties": { - "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", 
@@ -10882,52 +10891,52 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "ObjectGuid", - "columnName": "AccountObjectId" + "columnName": "AccountObjectId", + "identifier": "ObjectGuid" }, { - "identifier": "FullName", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "FullName" }, { - "identifier": "DisplayName", - "columnName": "AccountDisplayName" + "columnName": "AccountDisplayName", + "identifier": "DisplayName" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Application" + "columnName": "Application", + "identifier": "Name" }, { - "identifier": "AppId", - "columnName": "ApplicationID" + "columnName": "ApplicationID", + "identifier": "AppId" } - ] + ], + "entityType": "CloudApplication" } ] } @@ -10962,7 +10971,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.6", + "packageVersion": "3.0.7", "packageName": "Threat Intelligence", "packageId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "contentSchemaVersion": "3.0.0", @@ -11001,15 +11010,15 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

Data Connectors: 5, Workbooks: 1, Analytic Rules: 52, Hunting Queries: 5

Learn more about Microsoft Sentinel | Learn more about Solutions

", "contentKind": "Solution", - "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-sl-7lx5zwqckcod4", - "id": "azuresentinel.azure-sentinel-solution-threatintell-sl-7lx5zwqckcod4", + "contentProductId": "azuresentinel.azure-sentinel-solution-threatintell-sl-lffkto5jp7mxa", + "id": "azuresentinel.azure-sentinel-solution-threatintell-sl-lffkto5jp7mxa", "icon": "https://store-images.s-microsoft.com/image/apps.64133.3d66786f-2045-4b50-ae59-87e205de9836.117c9a55-3a76-4c66-bf93-0518bcce6926.b603f9a0-cf30-4987-b528-28988f8f735d", "contentId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "parentId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", @@ -11304,7 +11313,7 @@ { "kind": "AnalyticsRule", "contentId": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", - "version": "1.1.7" + "version": "1.1.8" }, { "kind": "AnalyticsRule", @@ -11329,7 +11338,7 @@ { "kind": "AnalyticsRule", "contentId": "47b9bb10-d216-4359-8cef-08ca2c67e5be", - "version": "1.0.2" + "version": "1.0.3" }, { "kind": "AnalyticsRule", @@ -11339,7 +11348,7 @@ { "kind": "AnalyticsRule", "contentId": "4e0a6fc8-697e-4455-be47-831b41ea91ac", - "version": "1.0.2" + "version": "1.0.3" }, { "kind": "AnalyticsRule", diff --git a/modules/solutions/templates/xdr.json b/modules/solutions/templates/xdr.json index d78058e..37a1ba7 100644 --- a/modules/solutions/templates/xdr.json +++ b/modules/solutions/templates/xdr.json 
@@ -48,7 +48,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Microsoft Defender XDR data connector with template version 3.0.9", + "description": "Microsoft Defender XDR is a unified. natively integrated. pre- and post-breach enterprise defense suite that protects endpoint. identity. email. and applications and helps you detect. prevent. investigate. and automatically respond to sophisticated threats. Microsoft Defender XDR suite includes: - Microsoft Defender for Endpoint - Microsoft Defender for Identity - Microsoft Defender for Office 365 - Threat & Vulnerability Management - Microsoft Defender for Cloud Apps For more information. see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220004&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -279,7 +279,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -526,7 +526,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks for malicious URL clicks in phishing email recognized by MDO in correlation with CommonSecurityLogs(CSL) & NetworkSession events. \nIf your workspace doesnt have one of the many data sources required for ASIM it may give informational error which can be safely ignored.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.1.2", 
@@ -554,86 +554,86 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertEvidence", "EmailEvents", "IdentityInfo", "DeviceEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AWSS3", "datatypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream_CL" - ] + ], + "connectorId": "AIVectraStream" } ], "tactics": [ @@ -646,6 +646,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -659,10 +660,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -676,10 +677,10 @@ "identifier": "UPNSuffix", "columnName": "RecipientEmailUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -693,26 +694,25 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "DestinationIP" } - ], - "entityType": "IP" + ] } ] } @@ -747,7 +747,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -878,7 +878,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.2", 
@@ -906,11 +906,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceImageLoadEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -921,6 +921,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -934,10 +935,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -951,8 +952,7 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] } ] } @@ -987,7 +987,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -1026,7 +1026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.1.0", 
@@ -1054,11 +1054,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1069,6 +1069,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -1078,10 +1079,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1095,8 +1096,7 @@ "identifier": "UPNSuffix", "columnName": "FileEditDomain" } - ], - "entityType": "Account" + ] } ] } @@ -1131,7 +1131,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -1170,7 +1170,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.6", 
@@ -1198,10 +1198,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1216,6 +1216,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1229,10 +1230,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1246,10 +1247,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -1259,8 +1260,7 @@ "identifier": "Value", "columnName": "InitiatingProcessSHA1" } - ], - "entityType": "FileHash" + ] } ] } @@ -1295,7 +1295,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -1330,7 +1330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.5", 
@@ -1358,10 +1358,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1376,6 +1376,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1389,10 +1390,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1406,28 +1407,28 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -1437,8 +1438,7 @@ "identifier": "Value", "columnName": "InitiatingProcessMD5" } - ], - "entityType": "FileHash" + ] } ] } @@ -1473,7 +1473,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -1508,7 +1508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.7", @@ -1536,10 +1536,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1554,6 +1554,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1567,10 +1568,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1584,10 +1585,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -1597,8 +1598,7 @@ "identifier": "Value", "columnName": "MD5" } - ], - "entityType": "FileHash" + ] } ] } @@ -1633,7 +1633,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -1668,7 +1668,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ ", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.1.3", @@ -1696,10 +1696,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1710,6 +1710,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1723,8 +1724,7 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] } ] } @@ -1759,7 +1759,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -1794,7 +1794,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. \n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.4", @@ -1822,10 +1822,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1836,6 +1836,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1849,17 +1850,16 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } @@ -1894,7 +1894,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -1929,7 +1929,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device.\n This query joins the DeviceInfo table to clearly connect other information such as device group, IP, logged-on users, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.3", @@ -1957,10 +1957,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1971,6 +1971,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1984,17 +1985,16 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } @@ -2029,7 +2029,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -2064,7 +2064,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks at device, process, and network events from Defender for Endpoint that may be vulnerable to buffer overflow defined in CVE-2023-4863. Results are not an indicator of malicious activity.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.1.1", @@ -2092,13 +2092,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceEvents", "DeviceTvmSoftwareVulnerabilities" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2109,6 +2109,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2122,10 +2123,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -2139,62 +2140,61 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "ProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "InitiatingProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDynamicProperties": [], - "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863" + "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863", + "alertDynamicProperties": [] }, "incidentConfiguration": { "groupingConfiguration": { + "reopenClosedIncident": false, + "enabled": false, + "matchingMethod": "Selected", "groupByEntities": [ "Account" ], - "lookbackDuration": "PT5H", - "enabled": false, - "matchingMethod": "Selected", - "reopenClosedIncident": false + "lookbackDuration": "PT5H" }, "createIncident": false } @@ -2230,7 +2230,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -2277,7 +2277,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2305,10 +2305,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2323,6 +2323,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2336,8 +2337,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2372,7 +2372,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -2407,7 +2407,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query checks for a series of commands that are commonly used by attackers to disable security tools and system recovery tools before deploying Macaw ransomware in an organization.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2444,6 +2444,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2457,8 +2458,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2493,7 +2493,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -2515,7 +2515,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Sysrv botnet evolution.\nSysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.\nThe following query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2543,10 +2543,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2557,6 +2557,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2570,8 +2571,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2606,7 +2606,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -2641,7 +2641,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2669,10 +2669,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2683,6 +2683,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2696,8 +2697,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2732,7 +2732,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -2767,7 +2767,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.\nDoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. For example, they use SysInternal utilities such as ProcDump to dump credentials from LSASS. They often use these stolen credentials to turn off security software, run malicious commands, and spread malware throughout an organization.\nThe following query detects ProcDump being used to dump credentials from LSASS.\nThe See also section below lists links to other queries associated with DoppelPaymer.\nReferences:\nhttps://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB\nhttps://docs.microsoft.com/sysinternals/downloads/procdump\nhttps://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -2795,10 +2795,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -2809,6 +2809,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2822,8 +2823,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2858,7 +2858,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -2893,7 +2893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, \"Exchange Server zero-days exploited in the wild\".\nIn early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:\n1. CVE-2021-26855\n2. CVE-2021-26857\n3. CVE-2021-26858\n4. CVE-2021-27065\nThe following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.\nMore queries related to this threat can be found under the See also section of this page.\nReference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -2921,10 +2921,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2935,6 +2935,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2948,8 +2949,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2984,7 +2984,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -3019,7 +3019,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.\nDoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.\nThe following query detects attempts to stop security services.\nThe See also section below lists links to other queries associated with DoppelPaymer.\nReferences:\nhttps://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoppelPaymer.KM!MTB", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3047,10 +3047,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3063,6 +3063,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3076,8 +3077,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -3112,7 +3112,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -3147,7 +3147,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware\nQakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.\nThe following query detects if an instance of Qakbot has attempted to overwrite its original binary.\nReference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3175,10 +3175,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3189,6 +3189,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3202,8 +3203,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -3238,7 +3238,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -3273,7 +3273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.\nJoins the data to public network events.\nReferences:\nhttps://threathunt.blog/running-live-malware-for-threat-hunting-purposes/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3301,11 +3301,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3321,6 +3321,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3334,35 +3335,34 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -3397,7 +3397,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -3436,7 +3436,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This analytical rule looks for rundll32.exe or regsvr32.exe being spawned by abnormal processes: wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.\nBlog: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3464,11 +3464,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3484,6 +3484,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3497,35 +3498,34 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -3560,7 +3560,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -3599,7 +3599,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Operation Soft Cell.\nOperation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.\nOperation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.\nReference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3627,10 +3627,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3646,6 +3646,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3659,8 +3660,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -3695,7 +3695,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -3730,7 +3730,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. \nThis service is commonly used for legitimate purposes, but can also be used as part of a malware downloader. \nAdditionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This\nquery will identify use of bitsadmin.exe for either purpose and will identify directionality file transfer\ndirectionality.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -3758,10 +3758,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3776,6 +3776,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3789,10 +3790,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -3802,8 +3803,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } 
@@ -3838,7 +3838,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -3873,7 +3873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated.\nTrickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.\nTrickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using wscript.exe to perform a variety of malicious tasks, particularly reconnaissance.\nThe following query detects when Office applications have launched wscript.exe to run a JSE file.\nSee Detect rundll.exe being used for reconnaissance and command-and-control for another query related to Trickbot activity.\nReference - https://attack.mitre.org/software/S0266/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -3901,10 +3901,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3919,6 +3919,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3932,10 +3933,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -3945,8 +3946,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -3981,7 +3981,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -4016,7 +4016,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query aim to detect if someone requests service tickets (where count => maxcount)\nThe query requires trimming to set a baseline level for MaxCount \nMitre Technique: Kerberoasting (T1558.003)\n@MattiasBorg82", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -4044,10 +4044,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -4061,6 +4061,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4074,10 +4075,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -4091,8 +4092,7 @@ "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -4127,7 +4127,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -4162,7 +4162,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -4190,11 +4190,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4205,6 +4205,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4218,10 +4219,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", 
@@ -4231,10 +4232,10 @@ "identifier": "Directory", "columnName": "FolderPath" } - ], - "entityType": "File" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -4244,8 +4245,7 @@ "identifier": "Value", "columnName": "SHA256" } - ], - "entityType": "FileHash" + ] } ] } @@ -4280,7 +4280,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -4319,7 +4319,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -4347,10 +4347,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceRegistryEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4361,6 +4361,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4374,10 +4375,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "RegistryValue", "fieldMappings": [ { "identifier": "Name", @@ -4387,8 +4388,7 @@ "identifier": "Value", "columnName": "RegistryValueData" } - ], - "entityType": "RegistryValue" + ] } ] } 
@@ -4423,7 +4423,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -4458,7 +4458,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here.\nThis applies to SharePoint and OneDrive users.\nAudit event and Cloud application identifier references.\nReference - https://learn.microsoft.com/microsoft-365/compliance/audit-log-activities?view=o365-worldwide\nReference - https://learn.microsoft.com/azure/sentinel/entities-reference#cloud-application-identifiers", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -4486,11 +4486,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents", "AADSignInEventsBeta" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4501,15 +4501,16 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -4519,17 +4520,16 @@ "identifier": "NTDomain", "columnName": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "AppId", "columnName": "ApplicationId" } - ], - "entityType": "CloudApplication" + ] } ], "customDetails": { @@ -4567,7 +4567,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -4606,7 +4606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog.\nRyuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.\nRyuk operators use PsExec to manually spread the ransomware to other devices.\nThe following query detects remote file creation events that might indicate an active attack.\nThe See also section below lists links to other queries associated with Ryuk ransomware.\nReferences:\nhttps://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk.AA\nhttps://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/\nhttps://docs.microsoft.com/sysinternals/downloads/psexec", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -4634,10 +4634,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4648,6 +4648,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4661,8 +4662,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -4697,7 +4697,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -4732,7 +4732,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Service Accounts Performing Remote PowerShell.\nThe purpose behind this detection is for finding service accounts that are performing remote powershell sessions.\nThere are two phases to the detection: Identify service accounts, Find remote PS cmdlets being ran by these accounts.\nTo accomplish this, we utilize DeviceLogonEvents and DeviceEvents to find cmdlets ran that meet the criteria.\nOne of the main advantages of this method is that only requires server telemetry, and not the attacking client.\nThe first phase relies on the DeviceLogonEvents to determine whether an account is a service account or not, consider the following accounts with logons:.\nRandom_user has DeviceLogonEvents with type 2, 3, 7, 10, 11 & 13.\nRandom_service_account 'should' only have DeviceLogonEvents with type 3,4 or 5.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -4760,11 +4760,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceLogonEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4775,6 +4775,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", 
@@ -4788,10 +4789,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -4805,8 +4806,7 @@ "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -4841,7 +4841,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -4880,7 +4880,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "User accounts may be created to achieve persistence on a machine.\nRead more here: https://attack.mitre.org/wiki/Technique/T1136.\nTags: #CreateAccount.\nQuery #1: Query for users being created using \"net user\" command.\n\"net user\" commands are noisy, so needs to be joined with another signal -.\nE.g. in this example we look for use of uncommon & undocumented commandline switches (e.g. /ad instead of /add).", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -4908,10 +4908,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4922,6 +4922,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", 
@@ -4935,10 +4936,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -4948,8 +4949,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -4984,7 +4984,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -5019,7 +5019,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query searches for changes to the local administrators group.\nBlogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -5047,11 +5047,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityInfo", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5062,6 +5062,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5075,10 +5076,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -5092,8 +5093,7 @@ "identifier": "NTDomain", "columnName": "laccountdomain" } - ], - "entityType": "Account" + ] } ] } 
@@ -5128,7 +5128,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -5167,7 +5167,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query is looking for rarely seen processes which are launched as a service. Whiltelisted process list need to be updated based on the environment.\nAuthor: Jouni Mikkola\nMore info: https://threathunt.blog/rare-process-launch-as-a-service/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -5195,13 +5195,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceFileEvents", "DeviceImageLoadEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5216,6 +5216,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5229,10 +5230,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5242,8 +5243,7 @@ "identifier": "CommandLine", "columnName": "ServiceProcessCmdline" } - ], - "entityType": "Process" + ] } ] } 
@@ -5278,7 +5278,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -5325,7 +5325,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query checks for processes modifying the registry to disable security features. This is a common technique used by threat actors for defence evasion.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -5353,10 +5353,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5367,6 +5367,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5380,10 +5381,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -5397,10 +5398,10 @@ "identifier": "NTDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5410,8 +5411,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } 
@@ -5446,7 +5446,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -5481,7 +5481,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -5509,10 +5509,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5523,6 +5523,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5536,8 +5537,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -5572,7 +5572,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -5607,7 +5607,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LaZagne is a popular open-source tool used to recover passwords stored on a local computer. It has been used in ransomware attacks to steal credentials and escalate privileges. This query looks for the execution of LaZagne.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -5635,10 +5635,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5649,6 +5649,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5662,10 +5663,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5675,8 +5676,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -5711,7 +5711,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -5746,7 +5746,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query checks for attempts to clear at least 10 log entries from event logs using wevtutil. Clearing event logs can be a sign of ransomware activity, as ransomware often attempts to cover its tracks by deleting logs.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -5774,10 +5774,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5788,6 +5788,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5801,8 +5802,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -5837,7 +5837,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -5872,7 +5872,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. This is a common technique used by ransomware to stop security products and other processes.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -5900,10 +5900,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5914,6 +5914,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5927,8 +5928,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -5963,7 +5963,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -5998,7 +5998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. It looks for alerts that indicate potential ransomware activity, such as attempts to clear security event logs, delete backup files, and execute Cobalt Strike malware.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -6026,12 +6026,12 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertInfo", "AlertEvidence", "DeviceLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6048,6 +6048,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6061,10 +6062,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -6078,17 +6079,16 @@ "identifier": "DnsDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] } ] } @@ -6123,7 +6123,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -6166,7 +6166,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. It looks for discovery commands such as net.exe, whoami.exe, nslookup.exe, netstat.exe, arp.exe, and ping.exe.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -6194,10 +6194,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6212,6 +6212,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6225,8 +6226,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6261,7 +6261,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -6296,7 +6296,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "This rule detects when Shadow Copies are being deleted. This is a know actions that is performed by threat actors.\nThis query detects know commands that have been used by the ransomware actors.\nSome information from Mitre Attack: \nhttps://attack.mitre.org/techniques/T1490/", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -6324,10 +6324,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6338,6 +6338,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6351,10 +6352,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -6368,10 +6369,10 @@ "identifier": "DnsDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -6381,8 +6382,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6417,7 +6417,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -6452,7 +6452,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query identifies potential phishing or spoofing attempts originating from specific domains with authentication failures.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.1.0", @@ -6516,7 +6516,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -6538,7 +6538,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query identifies phishing emails sent that were successfully delivered, by top IP addressess. cutoff default value is 5, adjust the value as needed.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -6602,7 +6602,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -6624,7 +6624,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query identifies threats which got successfully delivered to Inbox/Junk folder.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -6688,7 +6688,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -6710,7 +6710,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -6770,7 +6770,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -6792,7 +6792,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LemonDuck is a malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -6852,7 +6852,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -6874,7 +6874,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -6934,7 +6934,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -6956,7 +6956,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Microsoft has observed attackers exploiting vulnerabilities associated with Log4J.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7016,7 +7016,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -7038,7 +7038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7098,7 +7098,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -7120,7 +7120,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for reconnaissance and beaconing activities after code injection occurs in Qakbot infections.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7180,7 +7180,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -7202,7 +7202,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml.\nQuestions via Twitter: @janvonkirchheim.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7266,7 +7266,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -7288,7 +7288,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7348,7 +7348,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -7370,7 +7370,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query detects suspicious rundll.exe activity associated with Trickbot campaigns.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7430,7 +7430,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -7452,7 +7452,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detects the use of ProcDump to dump credentials from LSASS memory by DoppelPaymer ransomware operators.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7512,7 +7512,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -7534,7 +7534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detects the use of LaZagne to steal credentials from the SAM database by Ryuk ransomware operators.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7594,7 +7594,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -7616,7 +7616,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detects the use of Procdump to dump credentials from LSASS memory.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7676,7 +7676,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -7698,7 +7698,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for attempts to stop security services, which is a common tactic used by DoppelPaymer ransomware operators.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7758,7 +7758,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -7780,7 +7780,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query detects if an instance of Qakbot has attempted to overwrite its original binary.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7840,7 +7840,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -7862,7 +7862,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -7922,7 +7922,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -7944,7 +7944,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for lnk file executions from other locations than C: drive, which can relate to mounted ISO-files.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8008,7 +8008,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -8030,7 +8030,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for use of bitsadmin.exe for file transfer, which can be used for legitimate purposes or as part of a malware downloader.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8090,7 +8090,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -8112,7 +8112,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query detects possible download and execution using Msiexec.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8172,7 +8172,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -8194,7 +8194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for malicious use of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8254,7 +8254,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -8276,7 +8276,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.9", + "description": "The query searches for Office applications launching wscript.exe to run a JSE file.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8336,7 +8336,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -8358,7 +8358,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.9", + "description": "The query searches for PowerShell execution events that could involve a download.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8418,7 +8418,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -8440,7 +8440,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query detects when mshta.exe has been run, which might include illegitimate usage by attackers.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8500,7 +8500,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -8522,7 +8522,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8582,7 +8582,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -8604,7 +8604,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Look for the creation of suspicious DLL files spawned in the \\spool\\ folder along with DLLs that were recently loaded afterwards from \\Old.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8664,7 +8664,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -8686,7 +8686,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Monitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8746,7 +8746,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -8768,7 +8768,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Surfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8828,7 +8828,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -8850,7 +8850,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.9", + "description": "The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence - CVE-2022-26134.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8914,7 +8914,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -8936,7 +8936,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This hunting query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -8996,7 +8996,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9018,7 +9018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query looks for any file creations in the print spooler drivers folder.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9078,7 +9078,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -9100,7 +9100,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.1", @@ -9160,7 +9160,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9182,7 +9182,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for usage of MailSniper Exchange attack tool.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9242,7 +9242,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -9264,7 +9264,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This hunting query searches for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9320,7 +9320,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9342,7 +9342,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for any Service Accounts Performing Remote PowerShell.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9402,7 +9402,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -9424,7 +9424,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This hunting query searches for changes to the local administrators group.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9484,7 +9484,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9506,7 +9506,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for any scheduled task creation event.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9566,7 +9566,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -9588,7 +9588,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query checks for multiple signs of ransomware activity to identify affected devices.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9648,7 +9648,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9670,7 +9670,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to IcedId ransomware.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9730,7 +9730,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -9752,7 +9752,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query checks for attempts to clear at least 10 log entries from event logs using wevtutil.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9812,7 +9812,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9834,7 +9834,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9894,7 +9894,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -9916,7 +9916,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -9976,7 +9976,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -9998,7 +9998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10058,7 +10058,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -10080,7 +10080,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This rule detects when Shadow Copies are being deleted. This is a know actions that is performed by threat actors.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10144,7 +10144,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10166,7 +10166,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query checks for attempts to turn off at least 10 existing services using sc.exe.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10226,7 +10226,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
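Review bot: The new ShadowCopyDeletion description in this hunk ships a typo into user-facing text: `"This is a know actions that is performed by threat actors."` should read `"This is a known action that is performed by threat actors."`. The same class of defect appears in later hunks of this file: the PotentialKerberoastActivities description (`"This query aim to detect"` → `"This query aims to detect"`), the Authentication failures description (`"DMARC, DKIM, SPM, CompAuth"`, where `SPM` presumably should be `SPF`), and the MDO daily detection summary report description (`"detected aby Defender"` → `"detected by Defender"`). Since the surrounding `packageKind`/`contentSchemaVersion` structure suggests this mainTemplate is regenerated from the hunting-query source files by the packaging tooling, the corrections most likely belong in those source YAMLs so the next package build does not reintroduce them.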
@@ -10248,7 +10248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This advanced hunting query detects CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10308,7 +10308,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10330,7 +10330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.9", + "description": "BazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for a copy of certutil.exe used by the macro.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -10390,7 +10390,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10412,7 +10412,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Before deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10472,7 +10472,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10494,7 +10494,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query detects the presence of the Robbinhood ransomware driver.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -10554,7 +10554,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10576,7 +10576,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This hunting query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10636,7 +10636,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10658,7 +10658,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -10718,7 +10718,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10740,7 +10740,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This hunting query searches for attempts to use fsutil.exe to clear system logs and delete forensic artifacts.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10800,7 +10800,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10822,7 +10822,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -10886,7 +10886,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10908,7 +10908,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -10972,7 +10972,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -10994,7 +10994,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -11050,7 +11050,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11072,7 +11072,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query aim to detect if someone requests service tickets (where count => maxcount). The query requires trimming to set a baseline level for MaxCount.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11136,7 +11136,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11158,7 +11158,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript).", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -11218,7 +11218,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11240,7 +11240,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.9", + "description": "The query digs in Windows print spooler drivers folder for any file creations. This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11304,7 +11304,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11326,7 +11326,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Look for the spoolsv.exe launching rundll32.exe with an empty command line.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -11386,7 +11386,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11408,7 +11408,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This hunting query looks for several different MITRE techniques, grouped by risk level. A weighting is applied to each risk level and a total score calculated per machine. Techniques can be added/removed as required.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11464,7 +11464,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11486,7 +11486,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query detects remote file creation events that might indicate an active attack using PsExec.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -11546,7 +11546,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11568,7 +11568,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query looks for the creation of user accounts on a machine using the \"net user\" command.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11624,7 +11624,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11646,7 +11646,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query looks for rarely seen processes which are launched as a service.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11710,7 +11710,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -11732,7 +11732,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.9", + "description": "The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11792,7 +11792,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11814,7 +11814,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Search for processes modifying the registry to disable security features.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11874,7 +11874,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -11896,7 +11896,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query checks for dllhost.exe calling WMIC to discover additional hosts and associated domain.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -11956,7 +11956,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -11978,7 +11978,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Identify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12038,7 +12038,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -12060,7 +12060,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12120,7 +12120,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -12142,7 +12142,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query can be used to locate processes executing credential theft activity, often LaZagne in ransomware compromises.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12202,7 +12202,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -12224,7 +12224,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12288,7 +12288,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -12310,7 +12310,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.9", + "description": "JNLP file extensions are an uncommon file type often used to deliver malware.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12374,7 +12374,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -12396,7 +12396,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query provides insights on the detections done by Safe Attachment detections", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12460,7 +12460,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -12482,7 +12482,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12546,7 +12546,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -12568,7 +12568,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps in checking for spoofing attempts on the domain with Authentication failures", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12632,7 +12632,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -12654,7 +12654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -12718,7 +12718,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -12740,7 +12740,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -12804,7 +12804,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -12826,7 +12826,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -12890,7 +12890,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -12912,7 +12912,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -12976,7 +12976,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -12998,7 +12998,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing emails accessed by end users using cloud app events data",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13062,7 +13062,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13084,7 +13084,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunting for emails from a sender with at least one email in quarantine",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13148,7 +13148,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13170,7 +13170,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13234,7 +13234,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13256,7 +13256,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunting for Emails containing links to IP addresses",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13320,7 +13320,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13342,7 +13342,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunting for good emails from senders with bad patterns",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13406,7 +13406,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13428,7 +13428,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunting for email conversation take over attempts",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13492,7 +13492,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13514,7 +13514,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunt for emails with malicious URLs based on external IOC source",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13578,7 +13578,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13600,7 +13600,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13664,7 +13664,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13686,7 +13686,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps hunting for Inbox rule changes which forward-redirect email",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13750,7 +13750,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13772,7 +13772,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Count of recipient's email addresses by subject",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13836,7 +13836,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13858,7 +13858,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Count of sender's email addresses by subject",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -13922,7 +13922,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -13944,7 +13944,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Count of recipient's email addresses by subject",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14008,7 +14008,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14030,7 +14030,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Count of all Senders and where they were delivered",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14094,7 +14094,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14116,7 +14116,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "URLs clicked in Email",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14180,7 +14180,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14202,7 +14202,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing malicious email detections by detection methods",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14266,7 +14266,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14288,7 +14288,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14352,7 +14352,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14374,7 +14374,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing inbound / outbound / intra-org emails by domain per day",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14438,7 +14438,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14460,7 +14460,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing Malware, Phishing, Spam emails caught per day",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14524,7 +14524,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14546,7 +14546,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps in checking the sender-recipient contact establishment status",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14610,7 +14610,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14632,7 +14632,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing top 100 malicious senders",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14696,7 +14696,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14718,7 +14718,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing top 100 senders in your organization in last 30 days",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14782,7 +14782,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14804,7 +14804,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing zero day threats via URL and file detonations",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14868,7 +14868,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14890,7 +14890,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "In this query, we are looking for emails containing malware accessed on a unmanaged device",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -14954,7 +14954,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -14976,7 +14976,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "In this query, we are looking for emails containing malware attachment sent by an internal sender",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15040,7 +15040,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15062,7 +15062,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing email malware detection cases",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15126,7 +15126,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15148,7 +15148,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing malware detections by detection methods",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15212,7 +15212,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15234,7 +15234,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps in reviewing malicious emails allowed due to admin overrides",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15298,7 +15298,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15320,7 +15320,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps in reviewing top policies for admin overrides (Allow/Block)",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15384,7 +15384,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15406,7 +15406,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps in reviewing top policies for user overrides (Allow/Block)",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15470,7 +15470,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15492,7 +15492,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps in reviewing malicious emails allowed due to user overrides",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15556,7 +15556,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15578,7 +15578,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps surface phishing campaigns associated with Appspot abuse.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15642,7 +15642,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15664,7 +15664,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15728,7 +15728,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15750,7 +15750,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15814,7 +15814,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15836,7 +15836,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "In this detection, we track emails with suspicious keywords in subjects.",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15900,7 +15900,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -15922,7 +15922,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]"
 ],
 "properties": {
- "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0",
@@ -15986,7 +15986,7 @@
 ]
 },
 "packageKind": "Solution",
- "packageVersion": "3.0.9",
+ "packageVersion": "3.0.10",
 "packageName": "Microsoft Defender XDR",
 "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender",
 "contentSchemaVersion": "3.0.0",
@@ -16008,7 +16008,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we hunt for inbound emails delivered having URLs from QR codes", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16072,7 +16072,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -16094,7 +16094,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16158,7 +16158,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -16180,7 +16180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16244,7 +16244,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -16266,7 +16266,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16330,7 +16330,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -16352,7 +16352,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16416,7 +16416,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -16438,7 +16438,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we summarize volume of inbound emails with QR code URLs in last 30 days", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16502,7 +16502,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -16524,7 +16524,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this detection, we track emails with personalized subjects.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16588,7 +16588,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -16610,7 +16610,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this detection, we track emails with personalized subjects.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16674,7 +16674,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -16696,7 +16696,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16760,7 +16760,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -16782,7 +16782,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16846,7 +16846,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -16868,7 +16868,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -16932,7 +16932,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -16954,7 +16954,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query shows information about high confidence phish email that has been released from the Quarantine.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17018,7 +17018,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -17040,7 +17040,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query shows information about email that has been released from the Quarantine in Defender for Office 365.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17104,7 +17104,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -17126,7 +17126,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing quarantine release trend in Defender for Office 365", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17190,7 +17190,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -17212,7 +17212,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Listing Email Remediation Actions performed via Explorer in Defender for Office 365", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17276,7 +17276,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -17298,7 +17298,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17362,7 +17362,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -17384,7 +17384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunting for credential phishing using the \"Referral\" infrastructure using Defender for Office 365 data", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17448,7 +17448,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -17470,7 +17470,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing count of spoof and impersonation detections done per sender IP", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17534,7 +17534,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -17556,7 +17556,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing count of phish detections done by spoof detection methods", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17620,7 +17620,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -17642,7 +17642,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps to find threats using display name impersonation for users not already protected with User Impersonation", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17706,7 +17706,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -17728,7 +17728,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing admin reported email submissions", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17792,7 +17792,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -17814,7 +17814,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing status of submissions", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17878,7 +17878,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -17900,7 +17900,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing top submitters of admin submissions", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -17964,7 +17964,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -17986,7 +17986,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing top submitters of user submissions", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18050,7 +18050,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -18072,7 +18072,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing user reported email submissions", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18136,7 +18136,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -18158,7 +18158,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing count of users attacked more than x times average.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18222,7 +18222,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -18244,7 +18244,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing sender IPs sending malicious email of type Malware or Phish", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18308,7 +18308,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -18330,7 +18330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing list of top 10 URL domains attacking the organization", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18394,7 +18394,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -18416,7 +18416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing the list of top 10% of most attacked users", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18480,7 +18480,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -18502,7 +18502,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18566,7 +18566,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -18588,7 +18588,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18652,7 +18652,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -18674,7 +18674,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing list of top users click on Phis URLs", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18738,7 +18738,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -18760,7 +18760,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing URL click count by ClickAction", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18824,7 +18824,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -18846,7 +18846,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18910,7 +18910,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -18932,7 +18932,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we are looking URL click actions by URL in the last 7 days", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -18996,7 +18996,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19018,7 +19018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.9", + "description": "In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19082,7 +19082,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -19104,7 +19104,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19168,7 +19168,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19190,7 +19190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query provides insights on users who clicked on a suspicious URL", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19254,7 +19254,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -19276,7 +19276,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps in determining clickthroughs when email delivered because of detection overrides.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19340,7 +19340,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19362,7 +19362,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.9", + "description": "The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19426,7 +19426,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -19448,7 +19448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query provides insights on the detections done by SafeLinks protection in Defender for Office 365", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19512,7 +19512,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19534,7 +19534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.9", + "description": "This query helps reviewing count of total ZAP events", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19598,7 +19598,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", 
@@ -19611,6 +19611,350 @@ "isDeprecated": false } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0955f477-6471-468a-9b13-fc5fa96d7db2')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" + ], + "properties": { + "description": "This query helps hunting for Automated email notifications and suspicious sign-in activity", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_157", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Automated email notifications and suspicious sign-in activity", + "category": "Hunting Queries", + "query": "let usersWithSuspiciousEmails = EmailEvents\n| where SenderFromAddress in (\"no-reply@notify.microsoft.com\", \"no-reply@dropbox.com\") or InternetMessageId startswith \"= 10\n| mv-expand RecipientList to typeof(string)\n| distinct RecipientList;\nAADSignInEventsBeta\n| where AccountObjectId in (usersWithSuspiciousEmails)\n| where RiskLevelDuringSignIn == 100\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for Files share contents and suspicious sign-in activity" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a'),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 158", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a')]", + "contentId": "11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "azuresentinel.azure-sentinel-solution-microsoft365defender" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.10", + "packageName": "Microsoft Defender XDR", + "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", + "contentSchemaVersion": "3.0.0", + "contentId": "11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a", + "contentKind": "HuntingQuery", + "displayName": "Files share contents and suspicious sign-in activity", + "contentProductId": "azuresentinel.azure-sentinel-solution-microsoft365-hq-4xqlp5oupqrca", + "id": "azuresentinel.azure-sentinel-solution-microsoft365-hq-4xqlp5oupqrca", + "version": "1.0.0", + "isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('da745698-da8a-40c5-b527-2e9328c2cefe')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" + ], + "properties": { + "description": "This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_159", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "BEC - File sharing tactics - OneDrive or SharePoint", + "category": "Hunting Queries", + "query": "let securelinkCreated = CloudAppEvents\n| where ActionType == \"SecureLinkCreated\"\n| project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;\nlet filesCreated = securelinkCreated\n| where isnotempty(ObjectName)\n| distinct tostring(ObjectName);\nCloudAppEvents\n| where ActionType == \"AddedToSecureLink\"\n| where Application in (\"Microsoft SharePoint Online\", \"Microsoft OneDrive for Business\")\n| extend FileShared = tostring(RawEventData.ObjectId)\n| where FileShared in (filesCreated)\n| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)\n| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType\n| where TypeofUserSharedWith == \"Guest\"\n| where isnotempty(FileShared) and isnotempty(UserSharedWith)\n| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName\n// Secure file created recently (in the last 1day)\n| where (Timestamp - FileCreatedTime) between (1d .. 
0h)\n| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared\n| where NumofUsersSharedWith >= 20\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint" + }, + { + "name": "tactics", + "value": "LateralMovement" + }, + { + "name": "techniques", + "value": "T1021" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', 'da745698-da8a-40c5-b527-2e9328c2cefe'),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 159", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', 'da745698-da8a-40c5-b527-2e9328c2cefe')]", + "contentId": "da745698-da8a-40c5-b527-2e9328c2cefe", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "azuresentinel.azure-sentinel-solution-microsoft365defender" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.10", + "packageName": "Microsoft Defender XDR", + "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", + "contentSchemaVersion": "3.0.0", + "contentId": "da745698-da8a-40c5-b527-2e9328c2cefe", + "contentKind": "HuntingQuery", + "displayName": "BEC - File sharing tactics - OneDrive or SharePoint", + "contentProductId": "azuresentinel.azure-sentinel-solution-microsoft365-hq-6yfyblzyxj5re", + "id": "azuresentinel.azure-sentinel-solution-microsoft365-hq-6yfyblzyxj5re", + "version": "1.0.0", + 
"isDeprecated": false + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('85dea577-1c76-44ff-8cad-b47182874ddb')))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" + ], + "properties": { + "description": "This query helps hunting for BEC - File sharing tactics - Dropbox", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_160", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "BEC - File sharing tactics - Dropbox", + "category": "Hunting Queries", + "query": "CloudAppEvents\n| where ActionType in (\"Added users and/or groups to shared file/folder\", \"Invited user to Dropbox and added them to shared file/folder\")\n| where Application == \"Dropbox\"\n| where ObjectType == \"File\"\n| extend FileShared = tostring(ObjectName)\n| where isnotempty(FileShared)\n| mv-expand ActivityObjects\n| where ActivityObjects.Type == \"Account\" and ActivityObjects.Role == \"To\"\n| extend SharedBy = AccountId\n| extend UserSharedWith = tostring(ActivityObjects.Name)\n| summarize dcount(UserSharedWith) by FileShared, AccountObjectId\n| where dcount_UserSharedWith >= 20\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for BEC - File sharing tactics - Dropbox" + }, 
+ { + "name": "tactics", + "value": "LateralMovement" + }, + { + "name": "techniques", + "value": "T1021" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', '85dea577-1c76-44ff-8cad-b47182874ddb'),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 160", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', '85dea577-1c76-44ff-8cad-b47182874ddb')]", + "contentId": "85dea577-1c76-44ff-8cad-b47182874ddb", + "kind": "HuntingQuery", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "azuresentinel.azure-sentinel-solution-microsoft365defender" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "3.0.10", + "packageName": "Microsoft Defender XDR", + "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", + "contentSchemaVersion": "3.0.0", + "contentId": "85dea577-1c76-44ff-8cad-b47182874ddb", + "contentKind": "HuntingQuery", + "displayName": "BEC - File sharing tactics - Dropbox", + "contentProductId": "azuresentinel.azure-sentinel-solution-microsoft365-hq-kszhvscrj4kqa", + "id": "azuresentinel.azure-sentinel-solution-microsoft365-hq-kszhvscrj4kqa", + "version": "1.0.0", + "isDeprecated": false + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
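Review bot: The time window in the `BEC - File sharing tactics - OneDrive or SharePoint` query reads `| where (Timestamp - FileCreatedTime) between (1d .. 0h)`; KQL `between` is an inclusive range from the left bound up to the right bound, so with 1d on the left and 0h on the right no row can match and the hunt will never return results — the comment above it says "in the last 1day", so the intended line is `| where (Timestamp - FileCreatedTime) between (0h .. 1d)`. In the first added template (`Microsoft_Defender_XDR_Hunting_Query_157`, displayName `Automated email notifications and suspicious sign-in activity`) the `description` tag value is `Files share contents and suspicious sign-in activity`, which looks copied from the neighbouring template, and the metadata resource that follows it carries contentId `11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a` / "Hunting Query 158" while the template header uses `0955f477-6471-468a-9b13-fc5fa96d7db2` / Query_157 — unless this is an artefact of how the page was rendered (that template's `query` string is also cut off here at `InternetMessageId startswith \"= 10`), the packaged output should be regenerated and the 157/158 pairing checked. In the Dropbox query `| extend SharedBy = AccountId` is never used, since the `summarize` keys on `AccountObjectId`; either drop it or add it to the `by` clause so the sharer is reported. The enclosing `resources` array starts and ends outside the hunk.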
@@ -19620,7 +19964,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.9", + "description": "Gain extensive insight into your organization's Microsoft Defender for Office 365 Detections by analyzing and correlating events. \nYou can track various detections and insights over time including: metrics for phish, spam, malware, URL and URL click detection details, post delivery detections, user and admin submissions, system overrides and actions taken by security administrators.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19703,7 +20047,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19725,7 +20069,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.9", + "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", 
@@ -19779,7 +20123,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19801,7 +20145,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" ], "properties": { - "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.9", + "description": "Use this workbook to analyse the advance hunting data ingested for Defender For Identity.", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0", @@ -19876,7 +20220,7 @@ ] }, "packageKind": "Solution", - "packageVersion": "3.0.9", + "packageVersion": "3.0.10", "packageName": "Microsoft Defender XDR", "packageId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "contentSchemaVersion": "3.0.0", @@ -19894,15 +20238,15 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Defender XDR", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
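Review bot: The replaced Defender for Endpoint workbook description in hunk `@@ -19725` has typos in user-facing text: `A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data` should read `A workbook to provide details about Microsoft Defender for Endpoint Advanced Hunting to overview and analyse data`; the Defender for Identity description in hunk `@@ -19801` (`analyse the advance hunting data`) has the same "advance hunting" wording. This file appears to be produced by the solution packager, so the correction presumably belongs in the workbook metadata it reads rather than in this template directly. The surrounding `properties` objects start and end outside these hunks.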

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

Data Connectors: 1, Workbooks: 3, Analytic Rules: 40, Hunting Queries: 156

Learn more about Microsoft Sentinel | Learn more about Solutions

", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\u2022 Review the solution Release Notes

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

Data Connectors: 1, Workbooks: 3, Analytic Rules: 40, Hunting Queries: 160

Learn more about Microsoft Sentinel | Learn more about Solutions

", "contentKind": "Solution", - "contentProductId": "azuresentinel.azure-sentinel-solution-microsoft365-sl-eokbtzwfckcna", - "id": "azuresentinel.azure-sentinel-solution-microsoft365-sl-eokbtzwfckcna", + "contentProductId": "azuresentinel.azure-sentinel-solution-microsoft365-sl-wwynkwuacxfmq", + "id": "azuresentinel.azure-sentinel-solution-microsoft365-sl-wwynkwuacxfmq", "icon": "https://store-images.s-microsoft.com/image/apps.64133.0a2d9bd8-6f34-4f6f-ae30-d476bd8647f2.e51485c2-dbc5-4844-8222-281cdb288b0b.fff86b82-5f81-4ac5-8ccc-055a9331cfdb", "contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "parentId": "azuresentinel.azure-sentinel-solution-microsoft365defender", @@ -20909,6 +21253,26 @@ "contentId": "c10b22a0-6021-46f9-bdaf-05bf2350a554", "version": "1.0.0" }, + { + "kind": "HuntingQuery", + "contentId": "0955f477-6471-468a-9b13-fc5fa96d7db2", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "da745698-da8a-40c5-b527-2e9328c2cefe", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "85dea577-1c76-44ff-8cad-b47182874ddb", + "version": "1.0.0" + }, { "kind": "Workbook", "contentId": "MicrosoftDefenderForOffice365detectionsandinsights", @@ -20936,7 +21300,8 @@ ] }, "isPreview": false, - "isDeprecated": false + "isDeprecated": false, + "migratedToPackageId": null }, "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'azuresentinel.azure-sentinel-solution-microsoft365defender')]" }