Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The Akamai Security Solution for Microsoft Sentinel enables ingestion of Akamai Security Solutions events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring.
\n\n
Akamai Security Events via AMA - This data connector helps in ingesting Akamai Security Events logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
Akamai Security Events via Legacy Agent - This data connector helps in ingesting Akamai Security Events logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of Akamai Security Events via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -565,6 +908,11 @@
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ },
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
diff --git a/Solutions/Akamai Security Events/Parsers/AkamaiSIEMEvent.txt b/Solutions/Akamai Security Events/Parsers/AkamaiSIEMEvent.txt
deleted file mode 100644
index 61b9b545a55..00000000000
--- a/Solutions/Akamai Security Events/Parsers/AkamaiSIEMEvent.txt
+++ /dev/null
@@ -1,88 +0,0 @@
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-CommonSecurityLog
-| where DeviceVendor == 'Akamai'
-| where DeviceProduct == 'akamai_siem'
-| extend EventVendor = 'Akamai'
-| extend EventProduct = 'akamai_siem'
-| extend EventProductVersion = '1.0'
-| extend EventId = DeviceEventClassID
-| extend EventCategory = Activity
-| extend EventSeverity = LogSeverity
-| extend DvcAction = DeviceAction
-| extend NetworkApplicationProtocol = ApplicationProtocol
-| extend Ipv6Src = DeviceCustomIPv6Address2
-| extend RuleName = DeviceCustomString1
-| extend RuleMessages = DeviceCustomString2
-| extend RuleData = DeviceCustomString3
-| extend RuleSelectors = DeviceCustomString4
-| extend ClientReputation = DeviceCustomString5
-| extend ApiId = DeviceCustomString6
-| extend RequestId = DevicePayloadId
-| extend DstDvcHostname = DestinationHostName
-| extend DstPortNumber = DestinationPort
-| extend ConfigId = FlexString1
-| extend PolicyId = FlexString2
-| extend NetworkBytes = SentBytes
-| extend UrlOriginal = RequestURL
-| extend HttpRequestMethod = RequestMethod
-| extend SrcIpAddr = SourceIP
-| extend EventStartTime = datetime(1970-01-01) + coalesce(
- tolong(extract(@'.*start=(.*?);', 1, AdditionalExtensions)),
- tolong(column_ifexists("StartTime", long(null)))
- ) * 1s
-| extend SlowPostAction = extract(@'.*AkamaiSiemSlowPostAction=(.*?);', 1, AdditionalExtensions)
-| extend SlowPostRate = extract(@'.*AkamaiSiemSlowPostRate=(.*?);', 1, AdditionalExtensions)
-| extend RuleVersions = extract(@'.*AkamaiSiemRuleVersions=,?(.*?);', 1, AdditionalExtensions)
-| extend RuleTags = extract(@'.*AkamaiSiemRuleTags=(.*?);', 1, AdditionalExtensions)
-| extend ApiKey = extract(@'.*AkamaiSiemApiKey=(.*?);', 1, AdditionalExtensions)
-| extend Tls = extract(@'.*AkamaiSiemTLSVersion=(.*?);', 1, AdditionalExtensions)
-| extend RequestHeaders = extract(@'.*AkamaiSiemRequestHeaders=;?(.*?);', 1, AdditionalExtensions)
-| extend ResponseHeaders = extract(@'.*AkamaiSiemResponseHeaders=(.*?);', 1, AdditionalExtensions)
-| extend HttpStatusCode = extract(@'.*AkamaiSiemResponseStatus=(.*?);', 1, AdditionalExtensions)
-| extend GeoContinent = extract(@'.*AkamaiSiemContinent=(.*?);', 1, AdditionalExtensions)
-| extend SrcGeoCountry = extract(@'.*AkamaiSiemCountry=(.*?);', 1, AdditionalExtensions)
-| extend SrcGeoCity = extract(@'.*AkamaiSiemCity=(.*?);', 1, AdditionalExtensions)
-| extend SrcGeoRegion = extract(@'.*AkamaiSiemRegion=(.*?);', 1, AdditionalExtensions)
-| extend GeoAsn = extract(@'.*AkamaiSiemASN=(\d+)', 1, AdditionalExtensions)
-| extend Custom = extract(@'.*AkamaiSiemCusomData=(.*?)', 1, AdditionalExtensions)
-| project TimeGenerated
- , EventVendor
- , EventProduct
- , EventProductVersion
- , EventStartTime
- , EventId
- , EventCategory
- , EventSeverity
- , DvcAction
- , NetworkApplicationProtocol
- , Ipv6Src
- , RuleName
- , RuleMessages
- , RuleData
- , RuleSelectors
- , ClientReputation
- , ApiId
- , RequestId
- , DstDvcHostname
- , DstPortNumber
- , ConfigId
- , PolicyId
- , NetworkBytes
- , UrlOriginal
- , HttpRequestMethod
- , SrcIpAddr
- , SlowPostAction
- , SlowPostRate
- , RuleVersions
- , RuleTags
- , ApiKey
- , Tls
- , RequestHeaders
- , ResponseHeaders
- , HttpStatusCode
- , GeoContinent
- , SrcGeoCountry
- , SrcGeoCity
- , SrcGeoRegion
- , GeoAsn
- , Custom
diff --git a/Solutions/Akamai Security Events/ReleaseNotes.md b/Solutions/Akamai Security Events/ReleaseNotes.md
new file mode 100644
index 00000000000..079c01c0a83
--- /dev/null
+++ b/Solutions/Akamai Security Events/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 20-09-2023 | Addition of new Akamai Security Events AMA **Data Connector** | |
+
+
diff --git a/Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json b/Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json
index 7bcd8068372..74369318b04 100644
--- a/Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json
+++ b/Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json
@@ -1,6 +1,6 @@
{
"id": "ArubaClearPass",
- "title": "Aruba ClearPass",
+ "title": "[Deprecated] Aruba ClearPass via Legacy Agent",
"publisher": "Aruba Networks",
"descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
"additionalRequirementBanner":"These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
@@ -54,7 +54,7 @@
"instructionSteps": [
{
"title": "",
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Aruba%20ClearPass/Parsers/ArubaClearPass.txt).The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
]
},
diff --git a/Solutions/Aruba ClearPass/Data Connectors/template_ArubaClearPassAMA.json b/Solutions/Aruba ClearPass/Data Connectors/template_ArubaClearPassAMA.json
new file mode 100644
index 00000000000..940dd63ed98
--- /dev/null
+++ b/Solutions/Aruba ClearPass/Data Connectors/template_ArubaClearPassAMA.json
@@ -0,0 +1,108 @@
+{
+ "id": "ArubaClearPassAma",
+ "title": "[Recommended] Aruba ClearPass via AMA",
+ "publisher": "Aruba Networks",
+ "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
+ "additionalRequirementBanner":"These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
+ "graphQueries": [{
+ "metricName": "Total data received",
+ "legend": "ArubaClearPass",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }],
+ "sampleQueries": [{
+ "description": "Top 10 Events by Username",
+ "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
+ }, {
+ "description": "Top 10 Error Codes",
+ "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
+ }],
+ "connectivityCriterias": [{
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }],
+ "dataTypes": [{
+ "name": "CommonSecurityLog (ArubaClearPass)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [{
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ }, {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent",
+ "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "2. Secure your machine ",
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+
+ ]
+}
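Review bot: The Step C `CopyableLabel` asks the user to `sudo wget` the troubleshoot script from the `master` branch and execute it as root in the same command line, with no pin or integrity check, so whatever `master` holds at download time runs with full privileges on the collector. Pinning the URL to a specific revision, `https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py` (placeholder for the reviewed commit), or publishing a checksum to compare before the `&&` step, would let operators verify what they are about to run. In the same step's description `python -version` is not a valid interpreter flag; it should read `python --version` (or `python -V`). The `Microsoft.OperationalInsights/workspaces/sharedKeys` entry under `permissions.resourceProvider` also looks carried over from the legacy-agent connector: AMA collection is configured through a Data Collection Rule rather than the workspace key, so if that holds for this connector the shared-key requirement can be dropped to keep the requested permissions minimal — confirm against the other DCR-based connectors.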
diff --git a/Solutions/Aruba ClearPass/Data/Solution_Aruba.json b/Solutions/Aruba ClearPass/Data/Solution_Aruba.json
index f3f5bdbce47..2e56770a67a 100644
--- a/Solutions/Aruba ClearPass/Data/Solution_Aruba.json
+++ b/Solutions/Aruba ClearPass/Data/Solution_Aruba.json
@@ -2,15 +2,16 @@
"Name": "Aruba ClearPass",
"Author": "Aruba Networks",
"Logo": "",
- "Description": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. solution for Microsoft Sentinel enables you to ingest Symantec VIP's authentication logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n- [Agent-based log collection (CEF)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+ "Description": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\r\n1. **Aruba ClearPass via AMA** - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Aruba ClearPass via Legacy Agent** - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Aruba ClearPass via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
- "Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json"
+ "Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json",
+ "Solutions/Aruba ClearPass/Data Connectors/template_ArubaClearPassAMA.json"
],
"Parsers": [
- "Solutions/Aruba ClearPass/Parsers/ArubaClearPass.txt"
+ "Solutions/Aruba ClearPass/Parsers/ArubaClearPass.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "2.0.2",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Aruba ClearPass/Data/system_generated_metadata.json b/Solutions/Aruba ClearPass/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..34d058d2ea1
--- /dev/null
+++ b/Solutions/Aruba ClearPass/Data/system_generated_metadata.json
@@ -0,0 +1,31 @@
+{
+ "Name": "Aruba ClearPass",
+ "Author": "Aruba Networks",
+ "Logo": "",
+ "Description": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\r\n1. **Aruba ClearPass via AMA** - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Aruba ClearPass via Legacy Agent** - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Aruba ClearPass via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-arubaclearpass",
+ "providers": [
+ "Aruba"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ],
+ "verticals": []
+ },
+ "firstPublishDate": "2022-05-23",
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ },
+ "Data Connectors": "[\n \"Connector_Syslog_ArubaClearPass.json\",\n \"template_ArubaClearPassAMA.json\"\n]",
+ "Parsers": "[\n \"ArubaClearPass.yaml\"\n]"
+}
diff --git a/Solutions/Aruba ClearPass/Package/3.0.0.zip b/Solutions/Aruba ClearPass/Package/3.0.0.zip
new file mode 100644
index 00000000000..088fd756d98
Binary files /dev/null and b/Solutions/Aruba ClearPass/Package/3.0.0.zip differ
diff --git a/Solutions/Aruba ClearPass/Package/3.0.1.zip b/Solutions/Aruba ClearPass/Package/3.0.1.zip
new file mode 100644
index 00000000000..92d4c3602aa
Binary files /dev/null and b/Solutions/Aruba ClearPass/Package/3.0.1.zip differ
diff --git a/Solutions/Aruba ClearPass/Package/createUiDefinition.json b/Solutions/Aruba ClearPass/Package/createUiDefinition.json
index b54986ca34a..c5be275e43f 100644
--- a/Solutions/Aruba ClearPass/Package/createUiDefinition.json
+++ b/Solutions/Aruba ClearPass/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n- [Agent-based log collection (CEF)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Aruba%20ClearPass/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\r\n1. **Aruba ClearPass via AMA** - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Aruba ClearPass via Legacy Agent** - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Aruba ClearPass via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -63,6 +63,7 @@
"text": "The solution installs the data connector ingesting Aruba ClearPass to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
+
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/Aruba ClearPass/Package/mainTemplate.json b/Solutions/Aruba ClearPass/Package/mainTemplate.json
index 3a2d4d9b15b..ce7574a75c2 100644
--- a/Solutions/Aruba ClearPass/Package/mainTemplate.json
+++ b/Solutions/Aruba ClearPass/Package/mainTemplate.json
@@ -30,55 +30,50 @@
}
},
"variables": {
+ "_solutionName": "Aruba ClearPass",
+ "_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-arubaclearpass",
"_solutionId": "[variables('solutionId')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "ArubaClearPass",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "ArubaClearPass",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
- "parserVersion1": "1.0.0",
- "parserContentId1": "ArubaClearPass-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "ArubaClearPassAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "ArubaClearPassAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserName1": "ArubaClearPass",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "ArubaClearPass-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Aruba ClearPass data connector with template",
- "displayName": "Aruba ClearPass template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Aruba ClearPass data connector with template version 2.0.2",
+ "description": "Aruba ClearPass data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -94,7 +89,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Aruba ClearPass",
+ "title": "[Deprecated] Aruba ClearPass via Legacy Agent",
"publisher": "Aruba Networks",
"descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
@@ -159,7 +154,7 @@
},
"instructionSteps": [
{
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Aruba%20ClearPass/Parsers/ArubaClearPass.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
@@ -218,7 +213,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -242,12 +237,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] Aruba ClearPass via Legacy Agent",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -282,7 +288,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Aruba ClearPass",
+ "title": "[Deprecated] Aruba ClearPass via Legacy Agent",
"publisher": "Aruba Networks",
"descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
"graphQueries": [
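Review bot: The `title` on the new side becomes `[Deprecated] Aruba ClearPass via Legacy Agent`, but the `descriptionMarkdown` directly below it is unchanged and says nothing about why the connector is deprecated or what replaces it, so an operator opening this connector sees the label with no migration guidance. Consider appending a sentence to `descriptionMarkdown` such as: `**NOTE:** This connector relies on the legacy Log Analytics agent and is deprecated; use the "Aruba ClearPass via AMA" connector from this solution instead, and do not run both agents on the same machine, as that can duplicate ingested events.` The "via AMA" name matches the connector this same template introduces, so the pointer stays accurate.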
@@ -346,7 +352,7 @@
},
"instructionSteps": [
{
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Aruba%20ClearPass/Parsers/ArubaClearPass.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
@@ -406,33 +412,350 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('parserTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "description": "ArubaClearPass Data Parser with template",
- "displayName": "ArubaClearPass Data Parser template"
+ "description": "Aruba ClearPass data connector with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] Aruba ClearPass via AMA",
+ "publisher": "Aruba Networks",
+ "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
+ "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ArubaClearPass",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Top 10 Events by Username",
+ "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
+ },
+ {
+ "description": "Top 10 Error Codes",
+ "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (ArubaClearPass)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent",
+ "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Aruba ClearPass",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Aruba Networks"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] Aruba ClearPass via AMA",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId2')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Aruba ClearPass",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Aruba Networks"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "[Recommended] Aruba ClearPass via AMA",
+ "publisher": "Aruba Networks",
+ "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ArubaClearPass",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (ArubaClearPass)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Top 10 Events by Username",
+ "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_"
+ },
+ {
+ "description": "Top 10 Error Codes",
+ "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent",
+ "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]",
+ "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ArubaClearPass Data Parser with template version 2.0.2",
+ "description": "ArubaClearPass Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
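Review bot: The Step C validation command in `value` downloads `Sentinel_AMA_troubleshoot.py` from the `master` branch of a public repository and immediately runs it with `sudo`, so whatever content that URL serves at run time executes as root on the log-collector host with no integrity check; this string is present twice in the hunk (inside `mainTemplate` and again in the outer `dataConnectors` resource), so both copies need the same fix. Pin the URL to a specific commit instead of `master` and have the operator verify a published checksum before the execute step, e.g. `wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && sha256sum -c Sentinel_AMA_troubleshoot.py.sha256 && sudo python Sentinel_AMA_troubleshoot.py --cef` (the `sudo` on the download itself is unnecessary). The preceding `description` also tells the user to run `python -version`, which is not a valid flag; it should read `python --version`. Less certain, but worth confirming: the `permissions` block asks for `Microsoft.OperationalInsights/workspaces/sharedKeys` action rights with a link to legacy-agent key docs, while the AMA instructions configure collection through a DCR; if the shared key is not actually used by this path, dropping that requirement keeps the installer to least privilege.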
@@ -441,20 +764,21 @@
"resources": [
{
"name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ArubaClearPass",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "ArubaClearPass",
- "query": "\nlet LogHeader =\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\r\n| extend Category = coalesce(\r\n extract(@'cat=([^;]+)(\\;|$)',1, AdditionalExtensions), \r\n column_ifexists(\"DeviceEventCategory\", \"\")\r\n ),\r\n Outcome = coalesce(\r\n extract(@'outcome=([^;]+)\\;',1, AdditionalExtensions), \r\n column_ifexists(\"EventOutcome\", \"\")\r\n )\r\n| project-rename DvcIpAddr = DeviceAddress,\r\n DvcVersion = DeviceVersion,\r\n SrcIpAddr = SourceIP;\r\nlet InsightLogs = LogHeader\r\n| where Activity == \"Insight Logs\" or Category == \"Insight Logs\"\r\n| extend UserName = extract(@'Auth.Username=([^;]+)\\;',1, AdditionalExtensions),\r\n AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\\;',1, AdditionalExtensions),\r\n NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\\;',1, AdditionalExtensions),\r\n RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\r\n LoginStatus = extract(@'Auth.Login-Status=([^;]+)\\;',1, AdditionalExtensions),\r\n Source = extract(@'Auth.Source=([^;]+)\\;',1, AdditionalExtensions),\r\n EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPort = extract(@'Auth.NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\r\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\r\n Ssid = extract(@'Auth.SSID=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\r\n ErrorCode = extract(@'Auth.Error-Code=([^;]+)\\;',1, AdditionalExtensions),\r\n Roles = extract(@'Auth.Roles=([^;]+)\\;',1, AdditionalExtensions),\r\n Service = extract(@'Auth.Service=([^;]+)\\;',1, AdditionalExtensions),\r\n SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\\;',1, AdditionalExtensions),\r\n Unhealthy = extract(@'Auth.Unhealthy=([^;]+)\\;',1, AdditionalExtensions),\r\n NasIpAddr = 
extract(@'Auth.NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions),\r\n CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\\;',1, AdditionalExtensions),\r\n NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\\;',1, AdditionalExtensions)\r\n| extend EndpointStatus = extract(@'ArubaClearpassEndpointStatus=([^;]+)\\;',1, AdditionalExtensions),\r\n EndpointConflict = extract(@'ArubaClearpassEndpointConflict=([^;]+)\\;',1, AdditionalExtensions),\r\n EndpointDvcCategory = iif(DeviceCustomString3Label == \"Endpoint.Device-Category\", DeviceCustomString3, \"\"),\r\n EndpointDvcFamily = iif(DeviceCustomString4Label == \"Endpoint.Device-Family\", DeviceCustomString4, \"\"),\r\n EndpointDvcName = iif(DeviceCustomString5Label == \"Endpoint.Device-Name\", DeviceCustomString5, \"\"),\r\n EndpointMacVendor = iif(DeviceCustomString6Label == \"Endpoint.MAC-Vendor\", DeviceCustomString6, \"\"), \r\n EndpointAddedDate= iif(DeviceCustomDate1Label == \"Endpoint.Added-At\", todatetime(DeviceCustomDate1), todatetime(\"\"))\r\n| extend Category = iif(isempty(Category), \"Insight Logs\", Category); \r\nlet AuditRecords = LogHeader\r\n| where Activity == \"Audit Records\" or Category == \"Audit Records\"\r\n| extend TimestampFormat = extract(@'timeFormat=([^;]+)\\;',1, AdditionalExtensions),\r\n UserName = extract(@'usrName=([^;]+)(\\;|$)',1, AdditionalExtensions)\r\n| extend Category = iif(isempty(Category), \"Audit Records\", Category);\r\nlet SessionLogs = LogHeader\r\n| where Activity == \"Session Logs\" or Category == \"Session Logs\"\r\n| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\r\n CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\\;',1, AdditionalExtensions),\r\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\r\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\r\n SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\\;',1, 
AdditionalExtensions),\r\n FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\\;',1, AdditionalExtensions),\r\n Source = extract(@'RADIUS.Auth-Source=([^;]+)\\;',1, AdditionalExtensions),\r\n Method = extract(@'RADIUS.Auth-Method=([^;]+)\\;',1, AdditionalExtensions),\r\n SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\\;',1, AdditionalExtensions),\r\n ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\r\n OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\\;',1, AdditionalExtensions),\r\n UserName = extract(@'RADIUS.Acct-Username=([^;]+)\\;',1, AdditionalExtensions),\r\n NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions)\r\n| project-rename DstServiceName = DestinationServiceName,\r\n DstUserPriviledges = DestinationUserPrivileges,\r\n DstUserName = DestinationUserName,\r\n DstMacAddr = DestinationMACAddress\r\n| extend Category = iif(isempty(Category), \"Sessions Logs\", Category);\r\nlet SystemLogs = LogHeader\r\n| where Activity == \"System Logs\" or Category == \"ClearPass System Events\"\r\n| extend Description = extract(@'description=([^;]+)\\;',1, AdditionalExtensions),\r\n Action = extract(@'daction=([^;]+)\\;',1, AdditionalExtensions),\r\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\r\n TimeFormat = extract(@'devTimeFormat=([^;]+)\\;',1, AdditionalExtensions)\r\n| extend Category = iif(isempty(Category), \"System Logs\", \"System Logs\");\r\nunion SessionLogs, InsightLogs, AuditRecords, SystemLogs",
- "version": 1,
+ "query": "let LogHeader =\nCommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n| extend Category = coalesce(\n extract(@'cat=([^;]+)(\\;|$)',1, AdditionalExtensions), \n column_ifexists(\"DeviceEventCategory\", \"\")\n ),\n Outcome = coalesce(\n extract(@'outcome=([^;]+)\\;',1, AdditionalExtensions), \n column_ifexists(\"EventOutcome\", \"\")\n )\n| project-rename DvcIpAddr = DeviceAddress,\n DvcVersion = DeviceVersion,\n SrcIpAddr = SourceIP;\nlet InsightLogs = LogHeader\n| where Activity == \"Insight Logs\" or Category == \"Insight Logs\"\n// Version 6.5\n| extend UserName = extract(@'Auth.Username=([^;]+)\\;',1, AdditionalExtensions),\n AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\\;',1, AdditionalExtensions),\n NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\\;',1, AdditionalExtensions),\n RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\n LoginStatus = extract(@'Auth.Login-Status=([^;]+)\\;',1, AdditionalExtensions),\n Source = extract(@'Auth.Source=([^;]+)\\;',1, AdditionalExtensions),\n EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\\;',1, AdditionalExtensions),\n NasPort = extract(@'Auth.NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\n Ssid = extract(@'Auth.SSID=([^;]+)\\;',1, AdditionalExtensions),\n NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\n ErrorCode = extract(@'Auth.Error-Code=([^;]+)\\;',1, AdditionalExtensions),\n Roles = extract(@'Auth.Roles=([^;]+)\\;',1, AdditionalExtensions),\n Service = extract(@'Auth.Service=([^;]+)\\;',1, AdditionalExtensions),\n SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\\;',1, AdditionalExtensions),\n Unhealthy = extract(@'Auth.Unhealthy=([^;]+)\\;',1, AdditionalExtensions),\n NasIpAddr = extract(@'Auth.NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions),\n 
CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\\;',1, AdditionalExtensions),\n NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\\;',1, AdditionalExtensions)\n// Version 6.6+\n| extend EndpointStatus = extract(@'ArubaClearpassEndpointStatus=([^;]+)\\;',1, AdditionalExtensions),\n EndpointConflict = extract(@'ArubaClearpassEndpointConflict=([^;]+)\\;',1, AdditionalExtensions),\n EndpointDvcCategory = iif(DeviceCustomString3Label == \"Endpoint.Device-Category\", DeviceCustomString3, \"\"),\n EndpointDvcFamily = iif(DeviceCustomString4Label == \"Endpoint.Device-Family\", DeviceCustomString4, \"\"),\n EndpointDvcName = iif(DeviceCustomString5Label == \"Endpoint.Device-Name\", DeviceCustomString5, \"\"),\n EndpointMacVendor = iif(DeviceCustomString6Label == \"Endpoint.MAC-Vendor\", DeviceCustomString6, \"\"), \n EndpointAddedDate= iif(DeviceCustomDate1Label == \"Endpoint.Added-At\", todatetime(DeviceCustomDate1), todatetime(\"\"))\n| extend Category = iif(isempty(Category), \"Insight Logs\", Category); \nlet AuditRecords = LogHeader\n| where Activity == \"Audit Records\" or Category == \"Audit Records\"\n| extend TimestampFormat = extract(@'timeFormat=([^;]+)\\;',1, AdditionalExtensions),\n UserName = extract(@'usrName=([^;]+)(\\;|$)',1, AdditionalExtensions)\n| extend Category = iif(isempty(Category), \"Audit Records\", Category);\nlet SessionLogs = LogHeader\n| where Activity == \"Session Logs\" or Category == \"Session Logs\"\n| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\n CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\\;',1, AdditionalExtensions),\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\n SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\\;',1, AdditionalExtensions),\n FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\\;',1, 
AdditionalExtensions),\n Source = extract(@'RADIUS.Auth-Source=([^;]+)\\;',1, AdditionalExtensions),\n Method = extract(@'RADIUS.Auth-Method=([^;]+)\\;',1, AdditionalExtensions),\n SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\\;',1, AdditionalExtensions),\n ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\\;',1, AdditionalExtensions),\n NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\n NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\n OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\\;',1, AdditionalExtensions),\n UserName = extract(@'RADIUS.Acct-Username=([^;]+)\\;',1, AdditionalExtensions),\n NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions)\n| project-rename DstServiceName = DestinationServiceName,\n DstUserPriviledges = DestinationUserPrivileges,\n DstUserName = DestinationUserName,\n DstMacAddr = DestinationMACAddress\n| extend Category = iif(isempty(Category), \"Sessions Logs\", Category);\nlet SystemLogs = LogHeader\n| where Activity == \"System Logs\" or Category == \"ClearPass System Events\"\n| extend Description = extract(@'description=([^;]+)\\;',1, AdditionalExtensions),\n Action = extract(@'daction=([^;]+)\\;',1, AdditionalExtensions),\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\n TimeFormat = extract(@'devTimeFormat=([^;]+)\\;',1, AdditionalExtensions)\n| extend Category = iif(isempty(Category), \"System Logs\", \"System Logs\");\nunion SessionLogs, InsightLogs, AuditRecords, SystemLogs\n",
+ "functionParameters": "",
+ "version": 2,
"tags": [
{
"name": "description",
- "value": "ArubaClearPass"
+ "value": ""
}
]
}
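Review bot: The parser `query` on the new side still normalizes `Category` inconsistently across branches: the SessionLogs branch filters on `Category == "Session Logs"` but its fallback writes `"Sessions Logs"`, and the SystemLogs branch ends with `iif(isempty(Category), "System Logs", "System Logs")`, whose two arms are identical, so a populated value such as `ClearPass System Events` (which the preceding `where` explicitly accepts) is silently overwritten. Since this hunk already bumps the saved search to `"version": 2`, it is the natural moment to align both with the Insight/Audit branches: `| extend Category = iif(isempty(Category), "Session Logs", Category);` and `| extend Category = iif(isempty(Category), "System Logs", Category);`; otherwise any rule filtering on `Category` will miss or mis-bucket rows. Related, most `extract` patterns require a trailing `\\;` while `cat=` and `usrName=` use `(\\;|$)`, so a key that happens to be the last extension on a line (e.g. `Auth.Username`) is never captured. The `description` tag `value` is also changed from `ArubaClearPass` to an empty string; if that is unintentional, restoring a short description keeps the Functions blade informative.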
@@ -464,7 +788,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
- "[variables('_parserName1')]"
+ "[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
@@ -488,21 +812,39 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "ArubaClearPass",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
+ "apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ArubaClearPass",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "ArubaClearPass",
- "query": "\nlet LogHeader =\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\r\n| extend Category = coalesce(\r\n extract(@'cat=([^;]+)(\\;|$)',1, AdditionalExtensions), \r\n column_ifexists(\"DeviceEventCategory\", \"\")\r\n ),\r\n Outcome = coalesce(\r\n extract(@'outcome=([^;]+)\\;',1, AdditionalExtensions), \r\n column_ifexists(\"EventOutcome\", \"\")\r\n )\r\n| project-rename DvcIpAddr = DeviceAddress,\r\n DvcVersion = DeviceVersion,\r\n SrcIpAddr = SourceIP;\r\nlet InsightLogs = LogHeader\r\n| where Activity == \"Insight Logs\" or Category == \"Insight Logs\"\r\n| extend UserName = extract(@'Auth.Username=([^;]+)\\;',1, AdditionalExtensions),\r\n AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\\;',1, AdditionalExtensions),\r\n NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\\;',1, AdditionalExtensions),\r\n RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\r\n LoginStatus = extract(@'Auth.Login-Status=([^;]+)\\;',1, AdditionalExtensions),\r\n Source = extract(@'Auth.Source=([^;]+)\\;',1, AdditionalExtensions),\r\n EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPort = extract(@'Auth.NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\r\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\r\n Ssid = extract(@'Auth.SSID=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\r\n ErrorCode = extract(@'Auth.Error-Code=([^;]+)\\;',1, AdditionalExtensions),\r\n Roles = extract(@'Auth.Roles=([^;]+)\\;',1, AdditionalExtensions),\r\n Service = extract(@'Auth.Service=([^;]+)\\;',1, AdditionalExtensions),\r\n SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\\;',1, AdditionalExtensions),\r\n Unhealthy = extract(@'Auth.Unhealthy=([^;]+)\\;',1, AdditionalExtensions),\r\n NasIpAddr = 
extract(@'Auth.NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions),\r\n CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\\;',1, AdditionalExtensions),\r\n NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\\;',1, AdditionalExtensions)\r\n| extend EndpointStatus = extract(@'ArubaClearpassEndpointStatus=([^;]+)\\;',1, AdditionalExtensions),\r\n EndpointConflict = extract(@'ArubaClearpassEndpointConflict=([^;]+)\\;',1, AdditionalExtensions),\r\n EndpointDvcCategory = iif(DeviceCustomString3Label == \"Endpoint.Device-Category\", DeviceCustomString3, \"\"),\r\n EndpointDvcFamily = iif(DeviceCustomString4Label == \"Endpoint.Device-Family\", DeviceCustomString4, \"\"),\r\n EndpointDvcName = iif(DeviceCustomString5Label == \"Endpoint.Device-Name\", DeviceCustomString5, \"\"),\r\n EndpointMacVendor = iif(DeviceCustomString6Label == \"Endpoint.MAC-Vendor\", DeviceCustomString6, \"\"), \r\n EndpointAddedDate= iif(DeviceCustomDate1Label == \"Endpoint.Added-At\", todatetime(DeviceCustomDate1), todatetime(\"\"))\r\n| extend Category = iif(isempty(Category), \"Insight Logs\", Category); \r\nlet AuditRecords = LogHeader\r\n| where Activity == \"Audit Records\" or Category == \"Audit Records\"\r\n| extend TimestampFormat = extract(@'timeFormat=([^;]+)\\;',1, AdditionalExtensions),\r\n UserName = extract(@'usrName=([^;]+)(\\;|$)',1, AdditionalExtensions)\r\n| extend Category = iif(isempty(Category), \"Audit Records\", Category);\r\nlet SessionLogs = LogHeader\r\n| where Activity == \"Session Logs\" or Category == \"Session Logs\"\r\n| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\r\n CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\\;',1, AdditionalExtensions),\r\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\r\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\r\n SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\\;',1, 
AdditionalExtensions),\r\n FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\\;',1, AdditionalExtensions),\r\n Source = extract(@'RADIUS.Auth-Source=([^;]+)\\;',1, AdditionalExtensions),\r\n Method = extract(@'RADIUS.Auth-Method=([^;]+)\\;',1, AdditionalExtensions),\r\n SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\\;',1, AdditionalExtensions),\r\n ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\r\n NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\r\n OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\\;',1, AdditionalExtensions),\r\n UserName = extract(@'RADIUS.Acct-Username=([^;]+)\\;',1, AdditionalExtensions),\r\n NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions)\r\n| project-rename DstServiceName = DestinationServiceName,\r\n DstUserPriviledges = DestinationUserPrivileges,\r\n DstUserName = DestinationUserName,\r\n DstMacAddr = DestinationMACAddress\r\n| extend Category = iif(isempty(Category), \"Sessions Logs\", Category);\r\nlet SystemLogs = LogHeader\r\n| where Activity == \"System Logs\" or Category == \"ClearPass System Events\"\r\n| extend Description = extract(@'description=([^;]+)\\;',1, AdditionalExtensions),\r\n Action = extract(@'daction=([^;]+)\\;',1, AdditionalExtensions),\r\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\r\n TimeFormat = extract(@'devTimeFormat=([^;]+)\\;',1, AdditionalExtensions)\r\n| extend Category = iif(isempty(Category), \"System Logs\", \"System Logs\");\r\nunion SessionLogs, InsightLogs, AuditRecords, SystemLogs",
- "version": 1
+ "query": "let LogHeader =\nCommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n| extend Category = coalesce(\n extract(@'cat=([^;]+)(\\;|$)',1, AdditionalExtensions), \n column_ifexists(\"DeviceEventCategory\", \"\")\n ),\n Outcome = coalesce(\n extract(@'outcome=([^;]+)\\;',1, AdditionalExtensions), \n column_ifexists(\"EventOutcome\", \"\")\n )\n| project-rename DvcIpAddr = DeviceAddress,\n DvcVersion = DeviceVersion,\n SrcIpAddr = SourceIP;\nlet InsightLogs = LogHeader\n| where Activity == \"Insight Logs\" or Category == \"Insight Logs\"\n// Version 6.5\n| extend UserName = extract(@'Auth.Username=([^;]+)\\;',1, AdditionalExtensions),\n AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\\;',1, AdditionalExtensions),\n NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\\;',1, AdditionalExtensions),\n RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\n LoginStatus = extract(@'Auth.Login-Status=([^;]+)\\;',1, AdditionalExtensions),\n Source = extract(@'Auth.Source=([^;]+)\\;',1, AdditionalExtensions),\n EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\\;',1, AdditionalExtensions),\n NasPort = extract(@'Auth.NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\n Ssid = extract(@'Auth.SSID=([^;]+)\\;',1, AdditionalExtensions),\n NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\n ErrorCode = extract(@'Auth.Error-Code=([^;]+)\\;',1, AdditionalExtensions),\n Roles = extract(@'Auth.Roles=([^;]+)\\;',1, AdditionalExtensions),\n Service = extract(@'Auth.Service=([^;]+)\\;',1, AdditionalExtensions),\n SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\\;',1, AdditionalExtensions),\n Unhealthy = extract(@'Auth.Unhealthy=([^;]+)\\;',1, AdditionalExtensions),\n NasIpAddr = extract(@'Auth.NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions),\n 
CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\\;',1, AdditionalExtensions),\n NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\\;',1, AdditionalExtensions)\n// Version 6.6+\n| extend EndpointStatus = extract(@'ArubaClearpassEndpointStatus=([^;]+)\\;',1, AdditionalExtensions),\n EndpointConflict = extract(@'ArubaClearpassEndpointConflict=([^;]+)\\;',1, AdditionalExtensions),\n EndpointDvcCategory = iif(DeviceCustomString3Label == \"Endpoint.Device-Category\", DeviceCustomString3, \"\"),\n EndpointDvcFamily = iif(DeviceCustomString4Label == \"Endpoint.Device-Family\", DeviceCustomString4, \"\"),\n EndpointDvcName = iif(DeviceCustomString5Label == \"Endpoint.Device-Name\", DeviceCustomString5, \"\"),\n EndpointMacVendor = iif(DeviceCustomString6Label == \"Endpoint.MAC-Vendor\", DeviceCustomString6, \"\"), \n EndpointAddedDate= iif(DeviceCustomDate1Label == \"Endpoint.Added-At\", todatetime(DeviceCustomDate1), todatetime(\"\"))\n| extend Category = iif(isempty(Category), \"Insight Logs\", Category); \nlet AuditRecords = LogHeader\n| where Activity == \"Audit Records\" or Category == \"Audit Records\"\n| extend TimestampFormat = extract(@'timeFormat=([^;]+)\\;',1, AdditionalExtensions),\n UserName = extract(@'usrName=([^;]+)(\\;|$)',1, AdditionalExtensions)\n| extend Category = iif(isempty(Category), \"Audit Records\", Category);\nlet SessionLogs = LogHeader\n| where Activity == \"Session Logs\" or Category == \"Session Logs\"\n| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\\;',1, AdditionalExtensions),\n CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\\;',1, AdditionalExtensions),\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\n TimestampFormat = extract(@'TimestampFormat=([^;]+)\\;',1, AdditionalExtensions),\n SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\\;',1, AdditionalExtensions),\n FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\\;',1, 
AdditionalExtensions),\n Source = extract(@'RADIUS.Auth-Source=([^;]+)\\;',1, AdditionalExtensions),\n Method = extract(@'RADIUS.Auth-Method=([^;]+)\\;',1, AdditionalExtensions),\n SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\\;',1, AdditionalExtensions),\n ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\\;',1, AdditionalExtensions),\n NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\\;',1, AdditionalExtensions),\n NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\\;',1, AdditionalExtensions),\n OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\\;',1, AdditionalExtensions),\n UserName = extract(@'RADIUS.Acct-Username=([^;]+)\\;',1, AdditionalExtensions),\n NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\\;',1, AdditionalExtensions)\n| project-rename DstServiceName = DestinationServiceName,\n DstUserPriviledges = DestinationUserPrivileges,\n DstUserName = DestinationUserName,\n DstMacAddr = DestinationMACAddress\n| extend Category = iif(isempty(Category), \"Sessions Logs\", Category);\nlet SystemLogs = LogHeader\n| where Activity == \"System Logs\" or Category == \"ClearPass System Events\"\n| extend Description = extract(@'description=([^;]+)\\;',1, AdditionalExtensions),\n Action = extract(@'daction=([^;]+)\\;',1, AdditionalExtensions),\n InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\\;',1, AdditionalExtensions),\n TimeFormat = extract(@'devTimeFormat=([^;]+)\\;',1, AdditionalExtensions)\n| extend Category = iif(isempty(Category), \"System Logs\", \"System Logs\");\nunion SessionLogs, InsightLogs, AuditRecords, SystemLogs\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
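Review bot: The new `query` string keeps two self-inconsistencies in the category handling: `SessionLogs` filters on `Category == "Session Logs"` but defaults empty categories to `"Sessions Logs"`, and `SystemLogs` ends with `iif(isempty(Category), "System Logs", "System Logs")`, whose two branches are identical and therefore overwrite the `"ClearPass System Events"` value the preceding `where` just matched on. Both should preserve the incoming value the way the Insight and Audit branches do: `| extend Category = iif(isempty(Category), "Session Logs", Category)` and `| extend Category = iif(isempty(Category), "System Logs", Category)`. The emptied tag (`"value": ""`) also removes the only human-readable label on the saved search; the parser's displayName `ArubaClearPass` or a one-line purpose would serve better than an empty string. `DstUserPriviledges` is misspelled, but renaming the column would break existing queries, so that is worth a comment rather than a change.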
@@ -535,13 +877,20 @@
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.2",
+ "version": "3.0.1",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Aruba ClearPass",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The Aruba ClearPass solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel.
\n\n
Aruba ClearPass via AMA - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
Aruba ClearPass via Legacy Agent - This data connector helps in ingesting Aruba ClearPass logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of Aruba ClearPass via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
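Review bot: The contentPackages resource sets `"version": "3.0.1"`, while the ReleaseNotes.md added later in this diff records 3.0.0 as the version that introduces the AMA data connector; one of the two should be aligned so the published package version and the release history agree. The `descriptionHtml` value also appears here with raw line breaks inside a JSON string; if that is how the file is committed rather than an artifact of this rendering, it is invalid JSON and the breaks should be `\n`-escaped like the surrounding values.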
@@ -566,6 +915,11 @@
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ },
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
diff --git a/Solutions/Aruba ClearPass/Parsers/ArubaClearPass.txt b/Solutions/Aruba ClearPass/Parsers/ArubaClearPass.txt
deleted file mode 100644
index 04530bf446b..00000000000
--- a/Solutions/Aruba ClearPass/Parsers/ArubaClearPass.txt
+++ /dev/null
@@ -1,104 +0,0 @@
-// Title: Aruba ClearPass Parser
-// Author: Microsoft
-// Version: 1.1
-// Last Updated: 01/23/2020
-// Comment: Added Supported for Version 6.6+
-//
-// DESCRIPTION:
-// This parser takes raw Aruba ClearPass logs from a Syslog (CEF) stream and parses the logs into a normalized schema.
-//
-//
-// REFERENCES:
-// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-//
-// LOG SAMPLES:
-// This parser assumes the raw log are formatted as follows:
-//
-// Dec 03 2017 16:31:28.861 IST 10.17.4.208 CEF:0|Aruba Networks|ClearPass|6.5.0.69058|0-1-0|Insight Logs|0|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2017-12-03 16:28:20+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.SSID=cppm-dot1x-test TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz Auth.NAS-Port-Type=19 Auth.Error-Code=216 Auth.Roles=null Auth.Service=Test Wireless Auth.Host-MAC-Address=6817294b0636 Auth.Unhealthy=null Auth.NAS-IP-Address=10.17.4.7 src=10.17.4.208 Auth.CalledStationId=000B8661CD70 Auth.NAS-Identifier=ClearPassLab3600
-//
-// Nov 19 2017 18:22:40.700 IST 10.17.4.221 CEF:0|Aruba Networks|ClearPass|6.5.0.68754|13-1-0|Audit Records|5|cat=Role timeFormat=MMM dd yyyy HH:mm:ss.SSS zzz rt=Nov 19, 2014 18:21:13 IST src=Test Role 10 act=ADD usrName=admin
-//
-// Dec 01 2017 15:28:40.540 IST 10.17.4.206 CEF:0Aruba Networks|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IP-Address=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.Acct-Session-Time=3155 TimestampFormat=MMM dd yyyy HH:mm:ss.SSS zzz RADIUS.Acct-NAS-Port=0 RADIUS.Acct-Session-Id=R00001316-01-547c3b5a RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Output-Octets=578470212 RADIUS.Acct-Username=A_user2 RADIUS.Acct-NAS-IP-Address=10.17.6.124 RADIUS.Acct-Input-Octets=786315664
-//
-// <143>Aug 10 2016 15:18:04 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|2006|Guest Access|1|duser=bob dmac=784b877a4155 dpriv=[User Authenticated] cs2=UNKNOWN cs2Label=System Posture Token outcome=[Allow Access Profile] rt=Aug 10 2016 15:16:51 dvc=172.20.21.100 cat=Session Logs
-//
-let LogHeader =
-CommonSecurityLog
-| where DeviceVendor == "Aruba Networks" and DeviceProduct == "ClearPass"
-| extend Category = coalesce(
- extract(@'cat=([^;]+)(\;|$)',1, AdditionalExtensions),
- column_ifexists("DeviceEventCategory", "")
- ),
- Outcome = coalesce(
- extract(@'outcome=([^;]+)\;',1, AdditionalExtensions),
- column_ifexists("EventOutcome", "")
- )
-| project-rename DvcIpAddr = DeviceAddress,
- DvcVersion = DeviceVersion,
- SrcIpAddr = SourceIP;
-let InsightLogs = LogHeader
-| where Activity == "Insight Logs" or Category == "Insight Logs"
-// Version 6.5
-| extend UserName = extract(@'Auth.Username=([^;]+)\;',1, AdditionalExtensions),
- AuthorizationSources = extract(@'Auth.Authorization-Sources=([^;]+)\;',1, AdditionalExtensions),
- NetworkProtocol = extract(@'Auth.Protocol=([^;]+)\;',1, AdditionalExtensions),
- RequestTimestamp = extract(@'Auth.Request-Timestamp=([^;]+)\;',1, AdditionalExtensions),
- LoginStatus = extract(@'Auth.Login-Status=([^;]+)\;',1, AdditionalExtensions),
- Source = extract(@'Auth.Source=([^;]+)\;',1, AdditionalExtensions),
- EnforcementProfiles = extract(@'Auth.Enforcement-Profiles=([^;]+)\;',1, AdditionalExtensions),
- NasPort = extract(@'Auth.NAS-Port=([^;]+)\;',1, AdditionalExtensions),
- TimestampFormat = extract(@'TimestampFormat=([^;]+)\;',1, AdditionalExtensions),
- Ssid = extract(@'Auth.SSID=([^;]+)\;',1, AdditionalExtensions),
- NasPortType = extract(@'Auth.NAS-Port-Type=([^;]+)\;',1, AdditionalExtensions),
- ErrorCode = extract(@'Auth.Error-Code=([^;]+)\;',1, AdditionalExtensions),
- Roles = extract(@'Auth.Roles=([^;]+)\;',1, AdditionalExtensions),
- Service = extract(@'Auth.Service=([^;]+)\;',1, AdditionalExtensions),
- SrcMacAddr = extract(@'Auth.Host-MAC-Address=([^;]+)\;',1, AdditionalExtensions),
- Unhealthy = extract(@'Auth.Unhealthy=([^;]+)\;',1, AdditionalExtensions),
- NasIpAddr = extract(@'Auth.NAS-IP-Address=([^;]+)\;',1, AdditionalExtensions),
- CalledStationId = extract(@'Auth.CalledStationId=([^;]+)\;',1, AdditionalExtensions),
- NasIdentifier = extract(@'Auth.NAS-Identifier=([^;]+)\;',1, AdditionalExtensions)
-// Version 6.6+
-| extend EndpointStatus = extract(@'ArubaClearpassEndpointStatus=([^;]+)\;',1, AdditionalExtensions),
- EndpointConflict = extract(@'ArubaClearpassEndpointConflict=([^;]+)\;',1, AdditionalExtensions),
- EndpointDvcCategory = iif(DeviceCustomString3Label == "Endpoint.Device-Category", DeviceCustomString3, ""),
- EndpointDvcFamily = iif(DeviceCustomString4Label == "Endpoint.Device-Family", DeviceCustomString4, ""),
- EndpointDvcName = iif(DeviceCustomString5Label == "Endpoint.Device-Name", DeviceCustomString5, ""),
- EndpointMacVendor = iif(DeviceCustomString6Label == "Endpoint.MAC-Vendor", DeviceCustomString6, ""),
- EndpointAddedDate= iif(DeviceCustomDate1Label == "Endpoint.Added-At", todatetime(DeviceCustomDate1), todatetime(""))
-| extend Category = iif(isempty(Category), "Insight Logs", Category);
-let AuditRecords = LogHeader
-| where Activity == "Audit Records" or Category == "Audit Records"
-| extend TimestampFormat = extract(@'timeFormat=([^;]+)\;',1, AdditionalExtensions),
- UserName = extract(@'usrName=([^;]+)(\;|$)',1, AdditionalExtensions)
-| extend Category = iif(isempty(Category), "Audit Records", Category);
-let SessionLogs = LogHeader
-| where Activity == "Session Logs" or Category == "Session Logs"
-| extend Timestamp = extract(@'RADIUS.Acct-Timestamp=([^;]+)\;',1, AdditionalExtensions),
- CallingStationId = extract(@'RADIUS.Acct-Calling-Station-Id=([^;]+)\;',1, AdditionalExtensions),
- InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\;',1, AdditionalExtensions),
- TimestampFormat = extract(@'TimestampFormat=([^;]+)\;',1, AdditionalExtensions),
- SessionTime = extract(@'RADIUS.Acct-Session-Time=([^;]+)\;',1, AdditionalExtensions),
- FramedIpAddr = extract(@'RADIUS.Acct-Framed-IP-Address=([^;]+)\;',1, AdditionalExtensions),
- Source = extract(@'RADIUS.Auth-Source=([^;]+)\;',1, AdditionalExtensions),
- Method = extract(@'RADIUS.Auth-Method=([^;]+)\;',1, AdditionalExtensions),
- SessionId = extract(@'RADIUS.Acct-Session-Id=([^;]+)\;',1, AdditionalExtensions),
- ServiceName = extract(@'RADIUS.Acct-Service-Name=([^;]+)\;',1, AdditionalExtensions),
- NasPortNumber = extract(@'RADIUS.Acct-NAS-Port=([^;]+)\;',1, AdditionalExtensions),
- NasPortType = extract(@'RADIUS.Acct-NAS-Port-Type=([^;]+)\;',1, AdditionalExtensions),
- OutputOctets = extract(@'RADIUS.Acct-Output-Octets=([^;]+)\;',1, AdditionalExtensions),
- UserName = extract(@'RADIUS.Acct-Username=([^;]+)\;',1, AdditionalExtensions),
- NasIpAddr = extract(@'RADIUS.Acct-NAS-IP-Address=([^;]+)\;',1, AdditionalExtensions)
-| project-rename DstServiceName = DestinationServiceName,
- DstUserPriviledges = DestinationUserPrivileges,
- DstUserName = DestinationUserName,
- DstMacAddr = DestinationMACAddress
-| extend Category = iif(isempty(Category), "Sessions Logs", Category);
-let SystemLogs = LogHeader
-| where Activity == "System Logs" or Category == "ClearPass System Events"
-| extend Description = extract(@'description=([^;]+)\;',1, AdditionalExtensions),
- Action = extract(@'daction=([^;]+)\;',1, AdditionalExtensions),
- InputOctets = extract(@'RADIUS.Acct-Input-Octets=([^;]+)\;',1, AdditionalExtensions),
- TimeFormat = extract(@'devTimeFormat=([^;]+)\;',1, AdditionalExtensions)
-| extend Category = iif(isempty(Category), "System Logs", "System Logs");
-union SessionLogs, InsightLogs, AuditRecords, SystemLogs
\ No newline at end of file
diff --git a/Solutions/Aruba ClearPass/ReleaseNotes.md b/Solutions/Aruba ClearPass/ReleaseNotes.md
new file mode 100644
index 00000000000..ebe1ea7cfaa
--- /dev/null
+++ b/Solutions/Aruba ClearPass/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 21-09-2023 | Addition of new Aruba ClearPass AMA **Data Connector** | |
+
+
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml b/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
index d6fb35b5517..1dc8dc1eb4c 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
+++ b/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
@@ -15,7 +15,7 @@ tags:
- AADSecOpsGuide
query: |
let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
- let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
+ let VIPUsers = (_GetWatchlist('VIPUsers') | distinct "User Principal Name");
AuditLogs
| where Category =~ "UserManagement"
| where ActivityDisplayName in (security_info_actions)
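Review bot: The change from `distinct ["User Principal Name"]` to `distinct "User Principal Name"` should be confirmed against the KQL parser before merging, since `["..."]` is the identifier-quoting syntax for column names containing spaces and a bare `"..."` reads as a string literal. If it is parsed as a literal, `VIPUsers` would collapse to a constant that never matches a real principal and the rule would stop firing silently, which is the worst failure mode for a near-real-time detection. A `let VIPUsers = (_GetWatchlist('VIPUsers') | project UserPrincipalName = column_ifexists('User Principal Name', ''))` form would make the intent explicit; the rest of the rule body continues outside the hunk.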
@@ -40,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IP
-version: 1.0.1
+version: 1.0.2
kind: NRT
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml b/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
index b76ed73cfce..80483912104 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
+++ b/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
@@ -21,8 +21,7 @@ tags:
- AADSecOpsGuide
query: |
AuditLogs
- | where ActivityDisplayName =~'Add member to role completed (PIM activation)'
- | where Result =~ "failure"
+ | where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ "failure") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'
| mv-apply ResourceItem = TargetResources on
(
where ResourceItem.type =~ "Role"
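Review bot: Folding both activity filters onto one long `where` line makes it hard to see that only the first activity is further qualified by `Result =~ "failure"`; splitting the disjunction across lines preserves the new logic while keeping the two cases readable, e.g. `| where (ActivityDisplayName =~ 'Add member to role completed (PIM activation)' and Result =~ "failure")` followed by `    or ActivityDisplayName =~ 'Add member to role request denied (PIM activation)'`. A short comment above it stating that denied requests carry no failure `Result` and are matched on activity name alone would record the reasoning for the asymmetry. The `mv-apply` body this feeds continues outside the hunk.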
@@ -55,5 +54,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: InitiatingIpAddress
-version: 1.0.5
+version: 1.0.6
kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Data/Solution_AAD.json b/Solutions/Azure Active Directory/Data/Solution_AAD.json
index f4f35a9a0ca..5e70ac37944 100644
--- a/Solutions/Azure Active Directory/Data/Solution_AAD.json
+++ b/Solutions/Azure Active Directory/Data/Solution_AAD.json
@@ -85,7 +85,7 @@
"Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true
diff --git a/Solutions/Azure Active Directory/Data/system_generated_metadata.json b/Solutions/Azure Active Directory/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..74556428f5b
--- /dev/null
+++ b/Solutions/Azure Active Directory/Data/system_generated_metadata.json
@@ -0,0 +1,45 @@
+{
+ "Name": "Azure Active Directory",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": true,
+ "Version": "3.0.3",
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-azureactivedirectory",
+ "providers": [
+ "Microsoft"
+ ],
+ "categories": {
+ "domains": [
+ "Identity",
+ "Security - Automation (SOAR)"
+ ]
+ },
+ "firstPublishDate": "2022-05-16",
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com/"
+ },
+ "Data Connectors": "[\n \"template_AzureActiveDirectory.json\"\n]",
+ "Playbooks": [
+ "Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
+ "Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
+ "Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
+ "Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
+ "Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
+ "Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
+ "Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
+ "Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
+ "Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
+ "Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json",
+ "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
+ ],
+ "Workbooks": "[\n \"AzureActiveDirectoryAuditLogs.json\",\n \"AzureActiveDirectorySignins.json\"\n]",
+ "Analytic Rules": "[\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n \"ADFSDomainTrustMods.yaml\",\n \"ADFSSignInLogsPasswordSpray.yaml\",\n \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n \"AzureAADPowerShellAnomaly.yaml\",\n \"AzureADRoleManagementPermissionGrant.yaml\",\n \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n \"Brute Force Attack against GitHub Account.yaml\",\n \"BruteForceCloudPC.yaml\",\n \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n \"BypassCondAccessRule.yaml\",\n \"CredentialAddedAfterAdminConsent.yaml\",\n \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n \"DistribPassCrackAttempt.yaml\",\n \"ExplicitMFADeny.yaml\",\n \"ExchangeFullAccessGrantedToApp.yaml\",\n \"FailedLogonToAzurePortal.yaml\",\n \"FirstAppOrServicePrincipalCredential.yaml\",\n \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n \"MailPermissionsAddedToApplication.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_PwnAuth.yaml\",\n \"MFARejectedbyUser.yaml\",\n \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n \"NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_ADFSDomainTrustMods.yaml\",\n \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n 
\"NRT_PIMElevationRequestRejected.yaml\",\n \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n \"PIMElevationRequestRejected.yaml\",\n \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"RareApplicationConsent.yaml\",\n \"SeamlessSSOPasswordSpray.yaml\",\n \"Sign-in Burst from Multiple Locations.yaml\",\n \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n \"SigninBruteForce-AzurePortal.yaml\",\n \"SigninPasswordSpray.yaml\",\n \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n \"SuspiciousServicePrincipalcreationactivity.yaml\",\n \"UnusualGuestActivity.yaml\",\n \"UserAccounts-CABlockedSigninSpikes.yaml\",\n \"UseraddedtoPrivilgedGroups.yaml\",\n \"UserAssignedPrivilegedRole.yaml\",\n \"NewOnmicrosoftDomainAdded.yaml\"\n]"
+}
diff --git a/Solutions/Azure Active Directory/Package/3.0.3.zip b/Solutions/Azure Active Directory/Package/3.0.3.zip
new file mode 100644
index 00000000000..7a61443d3de
Binary files /dev/null and b/Solutions/Azure Active Directory/Package/3.0.3.zip differ
diff --git a/Solutions/Azure Active Directory/Package/createUiDefinition.json b/Solutions/Azure Active Directory/Package/createUiDefinition.json
index ef08ad1cf97..2530be72fb7 100644
--- a/Solutions/Azure Active Directory/Package/createUiDefinition.json
+++ b/Solutions/Azure Active Directory/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
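Review bot: The new description on the `+` line drops `**Data Connectors:** 1` from the content-count line, yet mainTemplate.json in this same commit still deploys the data connector (its description is bumped to "template version 3.0.3" rather than removed), so the installer summary no longer matches what gets deployed. Unless the connector is deliberately being hidden from the solution listing, the counts should read `**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11`. The same line also removes the Release Notes link, leaving only the known-issues pointer; since 3.0.3 appears to change rule content (several analyticRuleVersion bumps in mainTemplate.json), keeping `• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/ReleaseNotes.md)` is what lets an admin see what changed before upgrading. If the count and link were stripped by the packaging tool rather than by hand, the tool's template is the place to fix it.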
@@ -104,19 +104,13 @@
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
- "label": [
- "Azure AD Audit logs",
- "Azure AD Audit logs"
- ],
+ "label": "Azure AD Audit logs",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": [
- "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
- "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
- ]
+ "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
}
}
]
@@ -124,19 +118,13 @@
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
- "label": [
- "Azure AD Sign-in logs",
- "Azure AD Sign-in logs"
- ],
+ "label": "Azure AD Sign-in logs",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": [
- "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
- "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
- ]
+ "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
}
}
]
@@ -878,7 +866,7 @@
"name": "analytic51-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account. This query has also been updated to include UEBA \nlogs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
}
}
]
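Review bot: The shortened text on the `+` line loses the names of the UEBA tables the rule joins (IdentityInfo and BehaviorAnalytics), which the previous text carried and which tells an analyst that this rule depends on UEBA being enabled in the workspace; the parenthetical "with known account" is also ambiguous about whose account is known. Suggest `"text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins fails to log on to the same App from a different IP. This may indicate password guessing against a known account. UEBA tables IdentityInfo and BehaviorAnalytics are joined for context."` so the dependency stays visible in the installer UI.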
diff --git a/Solutions/Azure Active Directory/Package/mainTemplate.json b/Solutions/Azure Active Directory/Package/mainTemplate.json
index 364f880ca1f..67f37493196 100644
--- a/Solutions/Azure Active Directory/Package/mainTemplate.json
+++ b/Solutions/Azure Active Directory/Package/mainTemplate.json
@@ -49,7 +49,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Azure Active Directory",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "AzureActiveDirectory",
@@ -284,7 +284,7 @@
"analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]",
"analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]",
"_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]",
- "analyticRuleVersion36": "1.0.1",
+ "analyticRuleVersion36": "1.0.2",
"analyticRulecontentId36": "29e99017-e28d-47be-8b9a-c8c711f8a903",
"_analyticRulecontentId36": "[variables('analyticRulecontentId36')]",
"analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]",
@@ -296,7 +296,7 @@
"analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]",
"analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]",
"_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]",
- "analyticRuleVersion38": "1.0.1",
+ "analyticRuleVersion38": "1.0.2",
"analyticRulecontentId38": "e42e889a-caaf-4dbb-aec6-371b37d64298",
"_analyticRulecontentId38": "[variables('analyticRulecontentId38')]",
"analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]",
@@ -320,7 +320,7 @@
"analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId41'))]",
"analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId41'))))]",
"_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId41'),'-', variables('analyticRuleVersion41'))))]",
- "analyticRuleVersion42": "1.0.5",
+ "analyticRuleVersion42": "1.0.6",
"analyticRulecontentId42": "7d7e20f8-3384-4b71-811c-f5e950e8306c",
"_analyticRulecontentId42": "[variables('analyticRulecontentId42')]",
"analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId42'))]",
@@ -356,7 +356,7 @@
"analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId47'))]",
"analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId47'))))]",
"_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId47'),'-', variables('analyticRuleVersion47'))))]",
- "analyticRuleVersion48": "2.1.2",
+ "analyticRuleVersion48": "2.1.3",
"analyticRulecontentId48": "500c103a-0319-4d56-8e99-3cec8d860757",
"_analyticRulecontentId48": "[variables('analyticRulecontentId48')]",
"analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId48'))]",
@@ -374,7 +374,7 @@
"analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId50'))]",
"analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId50'))))]",
"_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId50'),'-', variables('analyticRuleVersion50'))))]",
- "analyticRuleVersion51": "2.1.3",
+ "analyticRuleVersion51": "2.1.6",
"analyticRulecontentId51": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2",
"_analyticRulecontentId51": "[variables('analyticRulecontentId51')]",
"analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId51'))]",
@@ -416,7 +416,7 @@
"analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]",
"analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]",
"_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]",
- "analyticRuleVersion58": "1.0.5",
+ "analyticRuleVersion58": "1.0.6",
"analyticRulecontentId58": "050b9b3d-53d0-4364-a3da-1b678b8211ec",
"_analyticRulecontentId58": "[variables('analyticRulecontentId58')]",
"analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]",
@@ -529,7 +529,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Azure Active Directory data connector with template version 3.0.2",
+ "description": "Azure Active Directory data connector with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -908,7 +908,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.2",
+ "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -996,7 +996,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.2",
+ "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -1084,7 +1084,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@@ -1201,7 +1201,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@@ -1318,7 +1318,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@@ -1432,7 +1432,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@@ -1536,7 +1536,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@@ -1655,7 +1655,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@@ -1783,7 +1783,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@@ -1913,7 +1913,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@@ -2040,7 +2040,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@@ -2159,7 +2159,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@@ -2284,7 +2284,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion11')]",
@@ -2398,7 +2398,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion12')]",
@@ -2515,7 +2515,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion13')]",
@@ -2640,7 +2640,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion14')]",
@@ -2765,7 +2765,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion15')]",
@@ -2879,7 +2879,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion16')]",
@@ -3000,7 +3000,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion17')]",
@@ -3121,7 +3121,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion18')]",
@@ -3242,7 +3242,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion19')]",
@@ -3363,7 +3363,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion20')]",
@@ -3484,7 +3484,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion21')]",
@@ -3605,7 +3605,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion22')]",
@@ -3728,7 +3728,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion23')]",
@@ -3851,7 +3851,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion24')]",
@@ -3983,7 +3983,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion25')]",
@@ -4048,9 +4048,9 @@
}
],
"customDetails": {
- "OAuthAppId": "AppId",
+ "OAuthApplication": "OAuthAppName",
"UserAgent": "GrantUserAgent",
- "OAuthApplication": "OAuthAppName"
+ "OAuthAppId": "AppId"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n",
@@ -4109,7 +4109,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion26')]",
@@ -4232,7 +4232,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion27')]",
@@ -4358,7 +4358,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion28')]",
@@ -4488,7 +4488,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion29')]",
@@ -4605,7 +4605,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion30')]",
@@ -4733,7 +4733,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion31')]",
@@ -4852,7 +4852,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion32')]",
@@ -4985,7 +4985,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion33')]",
@@ -5093,7 +5093,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion34')]",
@@ -5210,7 +5210,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion35')]",
@@ -5320,7 +5320,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion36')]",
@@ -5337,7 +5337,7 @@
"description": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.",
"displayName": "NRT Authentication Methods Changed for VIP Users",
"enabled": false,
- "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct [\"User Principal Name\"]);\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n",
+ "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
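Review bot: The new `VIPUsers` definition in the query line swaps the bracket-quoted column reference `["User Principal Name"]` for a bare string `"User Principal Name"`, and in Kusto a bare double-quoted string is a literal rather than an identifier; unless `distinct` is known to accept it as a column name, `VIPUsers` collapses to that constant text and `where Target in~ (VIPUsers)` can never match a real UPN, silently disabling the detection. Keep the quoted-identifier form, `let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);`, or rename first with `project-rename UPN = ["User Principal Name"] | distinct UPN`, and exercise the rule against a workspace with a populated VIPUsers watchlist before shipping. If the literal form was chosen to work around a specific parser complaint, a comment on that line recording the reason would keep the next maintainer from reverting it.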
@@ -5433,7 +5433,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion37')]",
@@ -5546,7 +5546,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion38')]",
@@ -5563,7 +5563,7 @@
"description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
"displayName": "NRT New access credential added to Application or Service Principal",
"enabled": false,
- "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ 
\"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+ "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ 
\"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
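Review bot: The replacement test `| where diff != "[]"` compares the dynamic array returned by `set_difference` against a string, so it relies on Kusto rendering the array as JSON text that is exactly `[]`; a null `diff` (for example when `new_value_set` fails to parse) also satisfies the inequality and flows into the `parse` step. `| where array_length(diff) > 0` states the intent directly and drops null as well, and the same form would suit the existing `| where old_value_set != "[]"` earlier in the query, which the commit leaves on the string-comparison pattern. If `!= "[]"` was chosen because `isnotempty` did not behave as expected on dynamic values, a short comment on that line saying so would stop a later cleanup from reintroducing the original check.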
@@ -5659,7 +5659,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion39')]",
@@ -5785,7 +5785,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion40')]",
@@ -5898,7 +5898,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion41')]",
@@ -6017,7 +6017,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion42')]",
@@ -6034,7 +6034,7 @@
"description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
"displayName": "PIM Elevation Request Rejected",
"enabled": false,
- "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
+ "query": "AuditLogs\n| where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ \"failure\") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
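Review bot: The widened filter now also admits `Add member to role request denied (PIM activation)` events, but the rest of the query still derives `InitiatingUser`/`InitiatingIpAddress` from `InitiatedBy.user` and the description still frames the alert around the requesting account; for a denied request the initiator is presumably the approver who rejected it rather than the requester, so the two event shapes would surface different people in the same entity field. If that is how the audit record is populated, the `User` target-resource column is the stable identity of the requester in both cases and should be the primary account entity, with a comment on the new `where` line such as `// for "request denied" events InitiatedBy is the approver; the requester is the User target resource`. The rule description should also state that approval-workflow denials are now included, since the new clause intentionally does not constrain `Result` for them.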
@@ -6147,7 +6147,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion43')]",
@@ -6270,7 +6270,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion44')]",
@@ -6387,7 +6387,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion45')]",
@@ -6515,7 +6515,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion46')]",
@@ -6632,7 +6632,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion47')]",
@@ -6746,7 +6746,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion48')]",
@@ -6763,7 +6763,7 @@
"description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
"displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
"enabled": false,
- "query": "let aadFunc = (tableName: string) {\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n disabledAccountLoginAttempts = count(),\n disabledAccountsTargeted = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName),\n applicationSet = make_set(AppDisplayName)\nby IPAddress, Type\n| order by disabledAccountLoginAttempts desc\n| join kind= leftouter ( \n // Consider these IPs suspicious - and alert any related successful sign-ins\n table(tableName)\n | where ResultType == 0\n | summarize\n successfulAccountSigninCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 15)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n) on IPAddress \n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, successfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | 
summarize\n Users = make_set(UserPrincipalName, 1000),\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| sort by IPInvestigationPriority desc\n",
+ "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, 
UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
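Review bot: The rewritten query keeps the comment `// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe` while the cutoff on the next line is now `| where successfulAccountsTargettedCount < 50`, so the comment and the threshold disagree; update it to `// Assume IPs with successful sign-ins from 50+ distinct accounts are shared egress and skip them` or restore 100. The following `| where isnotempty(successfulAccountsTargettedCount)` is a no-op after `dcount`, which always yields a number, and the `SFRatio >= 0.5` cutoff at the end is a second tuning knob buried mid-query; hoisting both thresholds into named `let` values at the top, as the sibling rule does with `riskScoreCutoff`, would make the coverage-versus-noise trade-off visible to operators tuning the rule. The rule description still says UEBA `IdentityInfo` is joined, while the new query joins only `BehaviorAnalytics`.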
@@ -6864,7 +6864,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion49')]",
@@ -6987,7 +6987,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion50')]",
@@ -7097,7 +7097,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion51')]",
@@ -7111,10 +7111,10 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account. This query has also been updated to include UEBA \nlogs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
+ "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.",
"displayName": "Successful logon from IP and failure from a different IP",
"enabled": false,
- "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\")\n | where ResultDescription !~ \"Other\"\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = 
make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename FailedIPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
+ "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\")\n | where ResultDescription !~ \"Other\"\n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = 
aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename FailedIPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
@@ -7243,7 +7243,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion52')]",
@@ -7378,7 +7378,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion53')]",
@@ -7495,7 +7495,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion54')]",
@@ -7630,7 +7630,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion55')]",
@@ -7770,7 +7770,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion56')]",
@@ -7905,7 +7905,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion57')]",
@@ -8028,7 +8028,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion58')]",
@@ -8045,7 +8045,7 @@
"description": "Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
"displayName": "User Assigned Privileged Role",
"enabled": false,
- "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName)\n | extend Target = iff(TargetResources.type == \"ServicePrincipal\", tostring(TargetResources.displayName), Target),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// Uncomment below to not alert for PIM activations\n//| where Initiator != \"MS-PIM\"\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0])\n",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// Uncomment below to not alert for PIM activations\n//| where Initiator != \"MS-PIM\"\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0])\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
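Review bot: The rule description on the context line above still reads "Identifies when a new privileged role is assigned to a user", but the rewritten `mv-apply` now keeps `TargetResource.type in~ ("User", "ServicePrincipal")`, so service principal targets are alerted on too; the description should say so, e.g. `assigned to a user or service principal`. For a service principal `Target` is the `displayName`, so the trailing `split(Target,'@',1)` leaves `TargetUPNSuffix` empty and `TargetName` holds a display name, which is not unique the way a UPN is — worth a comment at that line such as `// For ServicePrincipal targets Target is a display name; TargetUPNSuffix will be empty`. The `RoleName contains "Admin"` filter is unchanged and still drops privileged roles whose name lacks "Admin" (for example Global Reader); if that is intended, a comment like `// Only roles with "Admin" in the name are alerted on; extend this filter for other privileged roles` would make the scope explicit.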
@@ -8149,7 +8149,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion59')]",
@@ -8286,7 +8286,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Block-AADUser-Alert Playbook with template version 3.0.2",
+ "description": "Block-AADUser-Alert Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -8729,7 +8729,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Block-AADUser-Incident Playbook with template version 3.0.2",
+ "description": "Block-AADUser-Incident Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -9155,7 +9155,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Prompt-User-Alert Playbook with template version 3.0.2",
+ "description": "Prompt-User-Alert Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -9591,7 +9591,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Prompt-User-Incident Playbook with template version 3.0.2",
+ "description": "Prompt-User-Incident Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -10010,7 +10010,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.2",
+ "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -10410,7 +10410,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.2",
+ "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -10793,7 +10793,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.2",
+ "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@@ -11254,7 +11254,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.2",
+ "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@@ -11659,7 +11659,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.2",
+ "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@@ -11987,7 +11987,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.2",
+ "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@@ -12311,7 +12311,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.2",
+ "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@@ -12522,7 +12522,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Azure Active Directory",
diff --git a/Solutions/Azure Active Directory/ReleaseNotes.md b/Solutions/Azure Active Directory/ReleaseNotes.md
index c61cc87ac47..cf294f260bc 100644
--- a/Solutions/Azure Active Directory/ReleaseNotes.md
+++ b/Solutions/Azure Active Directory/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| 3.0.3 | 22-09-2023 | 2 **Analytic Rules** updated in the solution (PIM Elevation Request Rejected),(NRT Authentication Methods Changed for VIP Users) |
| 3.0.2 | 08-08-2023 | 1 **Analytic Rules** updated in the solution (Credential added after admin consented to Application) |
| 3.0.1 | 01-08-2023 | Added new **Analytic Rule** (New onmicrosoft domain added to tenant) |
| 3.0.0 | 19-07-2023 | 2 **Analytic Rules** updated in the solution (User Assigned Privileged Role,Successful logon from IP and failure from a different IP) |
diff --git a/Solutions/Box/Data Connectors/BoxConn.zip b/Solutions/Box/Data Connectors/BoxConn.zip
index e48dad8b711..165ba1c5555 100644
Binary files a/Solutions/Box/Data Connectors/BoxConn.zip and b/Solutions/Box/Data Connectors/BoxConn.zip differ
diff --git a/Solutions/Box/Data Connectors/requirements.txt b/Solutions/Box/Data Connectors/requirements.txt
index 56587a2a52e..f8008ef8d6f 100644
--- a/Solutions/Box/Data Connectors/requirements.txt
+++ b/Solutions/Box/Data Connectors/requirements.txt
@@ -5,7 +5,7 @@
azure-functions
pyjwt==2.4.0
-cryptography==41.0.3
+cryptography==41.0.4
boxsdk==3.3.0
azure-storage-file-share==12.7.0
python-dateutil==2.8.2
\ No newline at end of file
diff --git a/Solutions/Commvault Security IQ/Package/3.0.0.zip b/Solutions/Commvault Security IQ/Package/3.0.0.zip
index 268889bddf4..372d9bdef3d 100644
Binary files a/Solutions/Commvault Security IQ/Package/3.0.0.zip and b/Solutions/Commvault Security IQ/Package/3.0.0.zip differ
diff --git a/Solutions/Commvault Security IQ/Package/mainTemplate.json b/Solutions/Commvault Security IQ/Package/mainTemplate.json
index e58160ff630..bab08b8d288 100644
--- a/Solutions/Commvault Security IQ/Package/mainTemplate.json
+++ b/Solutions/Commvault Security IQ/Package/mainTemplate.json
@@ -764,10 +764,10 @@
"1. Administrative access to your Commvault/Metallic environment.",
"2. Administrative access to your Azure Resource Group and Subscription.",
"3. A Microsoft Sentinel instance in the aforementioned Azure Resource Group.",
- "4. A Keyvault and an Automation Account configured as mentioned in the documentation here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/Commvault/Solutions/Commvault%20Security%20IQ/README.md)"
+ "4. A Keyvault and an Automation Account configured as mentioned in the documentation here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/master/Solutions/Commvault%20Security%20IQ/README.md)"
],
"postDeployment": [
- "1. Steps to follow the instructions are mentioned here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/Commvault/Solutions/Commvault%20Security%20IQ/README.md)",
+ "1. Steps to follow the instructions are mentioned here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/master/Solutions/Commvault%20Security%20IQ/README.md)",
"2. Give the required permissions to the logic app to get the secrets from the keyvault.",
"3. Setup the Managed Identity"
],
diff --git a/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/azuredeploy.json b/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/azuredeploy.json
index bd44edeeae4..6c4f5b1b39b 100644
--- a/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/azuredeploy.json
+++ b/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/azuredeploy.json
@@ -7,8 +7,8 @@
"prerequisites": ["1. Administrative access to your Commvault/Metallic environment.",
"2. Administrative access to your Azure Resource Group and Subscription.",
"3. A Microsoft Sentinel instance in the aforementioned Azure Resource Group.",
- "4. A Keyvault and an Automation Account configured as mentioned in the documentation here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/Commvault/Solutions/Commvault%20Security%20IQ/README.md)"],
- "postDeployment": ["1. Steps to follow the instructions are mentioned here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/Commvault/Solutions/Commvault%20Security%20IQ/README.md)",
+ "4. A Keyvault and an Automation Account configured as mentioned in the documentation here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/master/Solutions/Commvault%20Security%20IQ/README.md)"],
+ "postDeployment": ["1. Steps to follow the instructions are mentioned here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/master/Solutions/Commvault%20Security%20IQ/README.md)",
"2. Give the required permissions to the logic app to get the secrets from the keyvault.",
"3. Setup the Managed Identity"
],
diff --git a/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/readme.md b/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/readme.md
index b7b33008afe..59e67d18bef 100644
--- a/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/readme.md
+++ b/Solutions/Commvault Security IQ/Playbooks/CommvaultLogicApp/readme.md
@@ -6,7 +6,7 @@ This Logic App executes when called upon by an Automation Rule. Accessing the Ke
- Administrative access to your Commvault/Metallic environment.
- Administrative access to your Azure Resource Group and Subscription.
- A Microsoft Sentinel instance in the aforementioned Azure Resource Group.
-- A Keyvault and an Automation Account configured as mentioned in the documentation here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/Commvault/Solutions/Commvault%20Security%20IQ/README.md)
+- A Keyvault and an Automation Account configured as mentioned in the documentation here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/master/Solutions/Commvault%20Security%20IQ/README.md)
## Deployment Instructions
Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
@@ -21,6 +21,6 @@ Alternatively:-
4. Enter in the required parameters
## Post-deployment Instructions
-Steps to follow the instructions are mentioned here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/Commvault/Solutions/Commvault%20Security%20IQ/README.md)
+Steps to follow the instructions are mentioned here :- (https://github.com/Cv-securityIQ/Azure-Integration/blob/master/Solutions/Commvault%20Security%20IQ/README.md)
1. Give the required permissions to the logic app to get the secrets from the keyvault.
2. Setup the Managed Identity
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json
index cd979f541d4..1abb2407a51 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json
@@ -1,6 +1,6 @@
{
"id": "CyberArk",
- "title": "CyberArk Enterprise Password Vault (EPV) Events",
+ "title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
"publisher": "Cyber-Ark",
"descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
"graphQueries": [{
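Review bot: The new `title` value ends with a trailing space, `"... via Legacy Agent "`, which will be rendered in the connector gallery and breaks any exact-match lookup on the title; drop it: `"title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent",`. The `descriptionMarkdown` on the following context line still describes only the Log Analytics agent and does not mention the deprecation or point to the AMA connector the same commit adds; a closing sentence such as `**NOTE:** This connector uses the legacy Log Analytics agent and should only be used where the via AMA connector is not supported.` would keep the title and description in step.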
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json
new file mode 100644
index 00000000000..6121fea3ad4
--- /dev/null
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json
@@ -0,0 +1,124 @@
+{
+ "id": "CyberArkAma",
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA ",
+ "publisher": "Cyber-Ark",
+ "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
+ "graphQueries": [{
+ "metricName": "Total data received",
+ "legend": "CyberArk",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }],
+ "sampleQueries": [{
+ "description": "CyberArk Alerts",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc"
+ }],
+ "dataTypes": [{
+ "name": "CommonSecurityLog (CyberArk)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }],
+ "connectivityCriterias": [{
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description":"",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+
+ },
+
+ {
+ "title": "2. Secure your machine ",
+ "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+ ],
+ "metadata": {
+ "id": "1c45e738-21dd-4fcd-9449-e2c9478e9552",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "community"
+ },
+ "author": {
+ "name": "Cyberark"
+ },
+ "support": {
+ "name": "Cyberark",
+ "link": "https://www.cyberark.com/customer-support/",
+ "tier": "developer"
+ }
+ }
+}
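Review bot: `descriptionMarkdown` says "The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics", which is the legacy-agent wording this connector is meant to replace; for the AMA connector it should read `The Azure Monitor Agent installed on your syslog staging server will import the messages into Microsoft Log Analytics.` In `permissions.resourceProvider` the workspace entry's `permissionsDisplayText` states "read and write permissions are required" while `requiredPermissions` also sets `"delete": true`; nothing in the instruction steps deletes a resource, so the least-privilege fix is to drop `delete` or document why it is needed. The `workspaces/sharedKeys` entry looks carried over from the legacy template — the DCR-based AMA collection described in Step A does not appear to use the workspace key, so requiring shared-key read grants more than the connector needs; confirm before removing it. Step C runs a script fetched from GitHub directly under `sudo`; a sentence asking operators to review the downloaded file before executing it would fit alongside the "Secure your machine" step.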
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
index 495f30829c4..7f8a4b9ec6c 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
@@ -2,16 +2,18 @@
"Name": "CyberArk Enterprise Password Vault (EPV) Events",
"Author": "Cyberark",
"Logo": "",
- "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+ "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
- "Data Connectors/CyberArk Data Connector.json"
+ "Data Connectors/CyberArk Data Connector.json",
+ "Data Connectors/template_CyberArkAMA.json"
],
"Workbooks": [
"Workbooks/CyberArkEPV.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events",
- "Version": "2.0.2",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
+
}
\ No newline at end of file
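Review bot: The opening paragraph of the new Description still says `The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics`, which contradicts the NOTE appended to the same string that declares that agent deprecated and recommends the AMA connector; rewording it to `The agent installed on your log forwarder (Azure Monitor Agent recommended) will import the messages into Azure Log Analytics` keeps the two halves consistent. The same string also mixes `\n\r\n` separators with the `\n\n` used elsewhere in it, and the blank `+` line added before the closing brace is stray whitespace. The identical text recurs in system_generated_metadata.json and createUiDefinition.json in this diff.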
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..d66173db840
--- /dev/null
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
@@ -0,0 +1,30 @@
+{
+ "Name": "CyberArk Enterprise Password Vault (EPV) Events",
+ "Author": "Cyberark",
+ "Logo": "",
+ "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false,
+ "publisherId": "cyberark",
+ "offerId": "cyberark_epv_events_mss",
+ "providers": [
+ "Cyberark"
+ ],
+ "categories": {
+ "domains": [
+ "Identity"
+ ],
+ "verticals": []
+ },
+ "firstPublishDate": "2022-05-02",
+ "support": {
+ "name": "Cyberark",
+ "tier": "Partner",
+ "link": "https://www.cyberark.com/services-support/technical-support/"
+ },
+ "Data Connectors": "[\n \"Data Connectors/CyberArk Data Connector.json\",\n \"Data Connectors/template_CyberArkAMA.json\"\n]",
+ "Workbooks": "[\n \"Workbooks/CyberArkEPV.json\"\n]"
+}
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip
new file mode 100644
index 00000000000..8d44b6ef97b
Binary files /dev/null and b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip differ
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json
index d09fe73c567..476d71eba35 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyberArk%20Enterprise%20Password%20Vault%20%20Events/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. 
**CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
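Review bot: The Release Notes link added to the basics description points at `Solutions/CyberArk%20Enterprise%20Password%20Vault%20%20Events/ReleaseNotes.md`, where the `%20%20` suggests the `(EPV)` segment of the folder name was lost during encoding; the file header of this section shows the folder is `CyberArk Enterprise Password Vault (EPV) Events`, so the URL will most likely not resolve. Encoding the full folder name, `.../Solutions/CyberArk%20Enterprise%20Password%20Vault%20%28EPV%29%20Events/ReleaseNotes.md`, fixes it. I do not see a ReleaseNotes.md added in this part of the diff, so confirm the file exists at that path before release.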
@@ -63,6 +63,7 @@
"text": "This solution installs the data connector for ingesting CyberArk Enterprise Password Vault (EPV) Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
+
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json
index 4f522189409..20723c1bfe6 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json
@@ -38,52 +38,48 @@
}
},
"variables": {
+ "_solutionName": "CyberArk Enterprise Password Vault (EPV) Events",
+ "_solutionVersion": "3.0.0",
"solutionId": "cyberark.cyberark_epv_events_mss",
"_solutionId": "[variables('solutionId')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "CyberArk",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "CyberArk",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "CyberArkAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "CyberArkAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"workbookVersion1": "1.1.0",
"workbookContentId1": "CyberArkWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]"
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template",
- "displayName": "CyberArk Enterprise Password Vault (EPV) Events template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template version 2.0.2",
+ "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
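Review bot: `workspaceResourceId` is removed from the top of the variables block and re-added at its end, while its only consumers visible here, the `hidden-sentinelWorkspaceId` tags, are deleted in the same hunk; if nothing else in the template references it, the variable is now dead and can be dropped rather than moved. Separately, the new `dependsOn` entries tie every contentTemplates resource to the `Microsoft.SecurityInsights/contentPackages` resource named by `_solutionId`, so that package resource must be declared in this template (the chunk shown here does not include it) or the deployment fails at validation. The resource enclosing the end of this hunk continues outside it.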
@@ -99,7 +95,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "CyberArk Enterprise Password Vault (EPV) Events",
+ "title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
"publisher": "Cyber-Ark",
"descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
"graphQueries": [
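Review bot: The new title `[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ` carries a trailing space inside the string literal, and the same value recurs in the `displayName` of the `@@ -254,12 +250,23 @@` hunk and the second `title` of the `@@ -293,7 +300,7 @@` hunk; the `[Recommended] ... via AMA` title in the later hunk has none, so the trailing space is an inconsistency that also breaks any exact-match on the connector title. Trim it to `"title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent",` in all three places. The connector resource enclosing this hunk starts and ends outside it.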
@@ -231,7 +227,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -254,12 +250,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -293,7 +300,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "CyberArk Enterprise Password Vault (EPV) Events",
+ "title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
"publisher": "Cyber-Ark",
"descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
"graphQueries": [
@@ -409,33 +416,352 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "description": "CyberArk Enterprise Password Vault (EPV) Events Workbook with template",
- "displayName": "CyberArk EPV Events workbook template"
+ "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA",
+ "publisher": "Cyber-Ark",
+ "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CyberArk",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "CyberArk Alerts",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (CyberArk)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "metadata": {
+ "id": "1c45e738-21dd-4fcd-9449-e2c9478e9552",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "community"
+ },
+ "author": {
+ "name": "Cyberark"
+ },
+ "support": {
+ "name": "Cyberark",
+ "link": "https://www.cyberark.com/customer-support/",
+ "tier": "developer"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CyberArk Enterprise Password Vault (EPV) Events",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Cyberark"
+ },
+ "support": {
+ "name": "Cyberark",
+ "tier": "Partner",
+ "link": "https://www.cyberark.com/services-support/technical-support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId2')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CyberArk Enterprise Password Vault (EPV) Events",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Cyberark"
+ },
+ "support": {
+ "name": "Cyberark",
+ "tier": "Partner",
+ "link": "https://www.cyberark.com/services-support/technical-support/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA",
+ "publisher": "Cyber-Ark",
+ "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CyberArk",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (CyberArk)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "CyberArk Alerts",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CyberArkEPVWorkbook with template version 2.0.2",
+ "description": "CyberArkEPVWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -498,17 +824,35 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.2",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "CyberArk Enterprise Password Vault (EPV) Events",
+ "publisherDisplayName": "Cyberark",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
CyberArk Enterprise Password Vault Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the CyberArk documentation for more guidance on SIEM integrations.
\n\n
CyberArk Enterprise Password Vault via AMA - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
CyberArk Enterprise Password Vault via Legacy Agent - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
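Review bot: The contentPackages descriptionHtml still states that "The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics", while two paragraphs later the same string recommends the AMA connector and says the Log Analytics agent is deprecated by Aug 31, 2024, so an installer reading the package description gets contradictory guidance on which agent to deploy. Reword the first paragraph so it is agent-neutral, e.g. "The agent installed on your syslog staging server (Azure Monitor Agent recommended; the legacy Log Analytics agent is deprecated) will import the messages into Azure Log Analytics." The string also appears in this rendering as a multi-line value with its HTML markup stripped; worth confirming that the committed mainTemplate.json holds it as a single valid JSON string, since an unescaped newline there would break the template.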
@@ -532,6 +876,11 @@
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ },
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md
new file mode 100644
index 00000000000..8307f60b7cf
--- /dev/null
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------------------------------|
+| 3.0.0 | 21-09-2023 | Addition of new CyberArk Enterprise Password Vault (EPV) Events AMA **Data Connector** | | |
+
+
diff --git a/Solutions/Cyberpion/Data/Solution_Cyberpion.json b/Solutions/Cyberpion/Data/Solution_Cyberpion.json
deleted file mode 100644
index d90f0affaa5..00000000000
--- a/Solutions/Cyberpion/Data/Solution_Cyberpion.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "Name": "Cyberpion",
- "Author": "Cyberpion",
- "Logo": "",
- "Description": "The [Cyberpion](https://www.cyberpion.com/) solution for Microsoft Sentinel enables you to ingest vulnerability logs from the Cyberpion platform into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)",
- "Data Connectors": [
- "Data Connectors/CyberpionSecurityLogs.json"
- ],
- "Analytic Rules": [
- "Analytic Rules/HighUrgencyActionItems.yaml"
- ],
- "Workbooks": [
- "Workbooks/CyberpionOverviewWorkbook.json"
- ],
- "BasePath": "C:\\GitHub\\azure\\Solutions\\Cyberpion",
- "Version": "2.0.1",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1Pconnector": false
-}
\ No newline at end of file
diff --git a/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/DataminrPulseAlerts.zip b/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/DataminrPulseAlerts.zip
index 18dec5fc2b0..f55bc489462 100644
Binary files a/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/DataminrPulseAlerts.zip and b/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/DataminrPulseAlerts.zip differ
diff --git a/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/requirements.txt b/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/requirements.txt
index 7c002d78ffe..f94d901f066 100644
--- a/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/requirements.txt
+++ b/Solutions/Dataminr Pulse/Data Connectors/DataminrPulseAlerts/requirements.txt
@@ -8,7 +8,7 @@ requests
#Libraries for Log Analytics to Threat Intelligence Function.
azure-monitor-query
azure-identity
-cryptography==41.0.3
+cryptography==41.0.4
asyncio
aiohttp
azure-storage-file-share==12.10.1
diff --git a/Solutions/Delinea Secret Server/Data Connectors/DelineaSecretServer_CEF.json b/Solutions/Delinea Secret Server/Data Connectors/DelineaSecretServer_CEF.json
index d4d37cfe7e7..4f276598551 100644
--- a/Solutions/Delinea Secret Server/Data Connectors/DelineaSecretServer_CEF.json
+++ b/Solutions/Delinea Secret Server/Data Connectors/DelineaSecretServer_CEF.json
@@ -1,6 +1,6 @@
{
"id": "DelineaSecretServer_CEF",
- "title": "Delinea Secret Server",
+ "title": "[Deprecated] Delinea Secret Server via Legacy Agent",
"publisher": "Delinea, Inc",
"descriptionMarkdown": "Common Event Format (CEF) from Delinea Secret Server ",
"graphQueries": [
diff --git a/Solutions/Delinea Secret Server/Data Connectors/template_DelineaSecretServerAMA.json b/Solutions/Delinea Secret Server/Data Connectors/template_DelineaSecretServerAMA.json
new file mode 100644
index 00000000000..67ceb5502cf
--- /dev/null
+++ b/Solutions/Delinea Secret Server/Data Connectors/template_DelineaSecretServerAMA.json
@@ -0,0 +1,119 @@
+{
+ "id": "DelineaSecretServerAma",
+ "title": "[Recommended] Delinea Secret Server via AMA",
+ "publisher": "Delinea, Inc",
+ "descriptionMarkdown": "Common Event Format (CEF) from Delinea Secret Server ",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CommonSecurityLog(DelineaSecretServer)",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Get records create new secret",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Delinea Software\" or DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity has \"SECRET - CREATE\""
+ },
+ {
+ "description" : "Get records where view secret",
+ "query" :"CommonSecurityLog\n| where DeviceVendor == \"Delinea Software\" or DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity has \"SECRET - VIEW\""
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog(DelineaSecretServer)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+
+ {
+ "title": "2. Secure your machine ",
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+ ]
+}
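Review bot: The Step C validation command fetches Sentinel_AMA_troubleshoot.py from the moving `master` branch over raw.githubusercontent.com and immediately executes it with sudo, so whatever that branch contains at click time runs as root on the log collector with no integrity check; pin the URL to a commit and verify a digest before running, e.g. `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py && echo '<sha256>  Sentinel_AMA_troubleshoot.py' | sha256sum -c && sudo python Sentinel_AMA_troubleshoot.py --cef`. The permissions block also requires the `Microsoft.OperationalInsights/workspaces/sharedKeys` action and `"delete": true` on the workspace; the shared key is what the legacy agent authenticates with and this block looks carried over from the legacy connector template, so if the AMA path does not use it, drop it to keep the connector's requested permissions to the minimum. The sampleQueries use case-sensitive `==` on DeviceVendor/DeviceProduct while the graph and connectivity queries use `=~`, so a vendor-string casing difference would make the health queries show data that the sample queries miss; use `=~` in both. Minor wording in Step B: "Make sure you to send the logs" should read "Make sure to send the logs".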
diff --git a/Solutions/Delinea Secret Server/Data/Solution_DelineaSecretServer.json b/Solutions/Delinea Secret Server/Data/Solution_DelineaSecretServer.json
index ee9bab81e48..8e484b289ec 100644
--- a/Solutions/Delinea Secret Server/Data/Solution_DelineaSecretServer.json
+++ b/Solutions/Delinea Secret Server/Data/Solution_DelineaSecretServer.json
@@ -2,15 +2,16 @@
"Name": "Delinea Secret Server",
"Author": "Delinea",
"Logo": "",
- "Description": "The [Delinea](https://delinea.com/) Secret Server Microsoft Sentinel Data Solution enables delivery of Delinea Secret Server log messages to your Microsoft Sentinel Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Common Event Format (CEF) formatted logs in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+ "Description": "The [Delinea](https://delinea.com/) Secret Server Microsoft Sentinel Data Solution enables delivery of Delinea Secret Server log messages to your Microsoft Sentinel Workspace.\n\r\n1. **Delinea Secret Server via AMA** - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Delinea Secret Server via Legacy Agent** - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Delinea Secret Server via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
- "Solutions/Delinea Secret Server/Data Connectors/DelineaSecretServer_CEF.json"
+ "Solutions/Delinea Secret Server/Data Connectors/DelineaSecretServer_CEF.json",
+ "Solutions/Delinea Secret Server/Data Connectors/template_DelineaSecretServerAMA.json"
],
"Workbooks": [
"Solutions/Delinea Secret Server/Workbooks/DelineaWorkbook.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "2.0.1",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Delinea Secret Server/Data/system_generated_metadata.json b/Solutions/Delinea Secret Server/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..3b1608a3281
--- /dev/null
+++ b/Solutions/Delinea Secret Server/Data/system_generated_metadata.json
@@ -0,0 +1,29 @@
+{
+ "Name": "Delinea Secret Server",
+ "Author": "Delinea",
+ "Logo": "",
+ "Description": "The [Delinea](https://delinea.com/) Secret Server Microsoft Sentinel Data Solution enables delivery of Delinea Secret Server log messages to your Microsoft Sentinel Workspace.\n\r\n1. **Delinea Secret Server via AMA** - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Delinea Secret Server via Legacy Agent** - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Delinea Secret Server via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "publisherId": "delineainc1653506022260",
+ "offerId": "delinea_secret_server_mss",
+ "providers": [
+ "Delinea"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ },
+ "firstPublishDate": "2022-05-06",
+ "support": {
+ "name": "Delinea",
+ "tier": "Partner",
+ "link": "https://delinea.com/support/"
+ },
+ "Data Connectors": "[\n \"DelineaSecretServer_CEF.json\",\n \"template_DelineaSecretServerAMA.json\"\n]",
+ "Workbooks": "[\n \"DelineaWorkbook.json\"\n]"
+}
diff --git a/Solutions/Delinea Secret Server/Package/3.0.0.zip b/Solutions/Delinea Secret Server/Package/3.0.0.zip
new file mode 100644
index 00000000000..fea559457e5
Binary files /dev/null and b/Solutions/Delinea Secret Server/Package/3.0.0.zip differ
diff --git a/Solutions/Delinea Secret Server/Package/createUiDefinition.json b/Solutions/Delinea Secret Server/Package/createUiDefinition.json
index b20a55f2bb9..a15d00c800e 100644
--- a/Solutions/Delinea Secret Server/Package/createUiDefinition.json
+++ b/Solutions/Delinea Secret Server/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Delinea](https://delinea.com/) Secret Server Microsoft Sentinel Data Solution enables delivery of Delinea Secret Server log messages to your Microsoft Sentinel Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Common Event Format (CEF) formatted logs in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Delinea%20Secret%20Server/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Delinea](https://delinea.com/) Secret Server Microsoft Sentinel Data Solution enables delivery of Delinea Secret Server log messages to your Microsoft Sentinel Workspace.\n\r\n1. **Delinea Secret Server via AMA** - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Delinea Secret Server via Legacy Agent** - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Delinea Secret Server via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -100,6 +100,20 @@
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Delinea Secret Server Workbook",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The Delinea Secret Server Syslog connector"
+ }
+ }
+ ]
}
]
}
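Review bot: The new workbook1 section is labelled "Delinea Secret Server Workbook" but its text block reads "The Delinea Secret Server Syslog connector", which describes a data connector rather than the workbook, so the install wizard shows a caption that does not match its heading. Replace it with a sentence about the workbook itself, e.g. `"text": "This workbook visualizes Delinea Secret Server events ingested into the CommonSecurityLog table by either data connector."`, adjusted to what DelineaWorkbook.json actually shows since that file is not in this diff.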
diff --git a/Solutions/Delinea Secret Server/Package/mainTemplate.json b/Solutions/Delinea Secret Server/Package/mainTemplate.json
index 9bae0969a9c..e9b2955e719 100644
--- a/Solutions/Delinea Secret Server/Package/mainTemplate.json
+++ b/Solutions/Delinea Secret Server/Package/mainTemplate.json
@@ -40,50 +40,46 @@
"variables": {
"solutionId": "delineainc1653506022260.delinea_secret_server_mss",
"_solutionId": "[variables('solutionId')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_solutionName": "Delinea Secret Server",
+ "_solutionVersion": "3.0.0",
"uiConfigId1": "DelineaSecretServer_CEF",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "DelineaSecretServer_CEF",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "DelineaSecretServerAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "DelineaSecretServerAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "DelineaWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]"
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Delinea Secret Server data connector with template",
- "displayName": "Delinea Secret Server template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Delinea Secret Server data connector with template version 2.0.1",
+ "description": "Delinea Secret Server data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
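Review bot: `workspaceResourceId` is moved rather than removed in the variables block, but the only consumers of it visible in this diff, the `hidden-sentinelWorkspaceId` tags on the old templateSpecs resources, are deleted here and in the later hunks; unless something outside the shown hunks still reads it, the variable is now dead and can be dropped. The legacy connector's title is renamed to `[Deprecated] Delinea Secret Server via Legacy Agent` while `dataConnectorVersion1` stays at `1.0.0`, so `_dataConnectorcontentProductId1`, which is derived from that version, is unchanged; if the content hub surfaces updates by version, existing installs may not pick up the rename, which is worth confirming before merge.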
@@ -99,7 +95,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Delinea Secret Server",
+ "title": "[Deprecated] Delinea Secret Server via Legacy Agent",
"publisher": "Delinea, Inc",
"descriptionMarkdown": "Common Event Format (CEF) from Delinea Secret Server ",
"graphQueries": [
@@ -225,7 +221,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -248,12 +244,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] Delinea Secret Server via Legacy Agent",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -287,7 +294,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Delinea Secret Server",
+ "title": "[Deprecated] Delinea Secret Server via Legacy Agent",
"publisher": "Delinea, Inc",
"descriptionMarkdown": "Common Event Format (CEF) from Delinea Secret Server ",
"graphQueries": [
@@ -413,33 +420,344 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Delinea Secret Server data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] Delinea Secret Server via AMA",
+ "publisher": "Delinea, Inc",
+ "descriptionMarkdown": "Common Event Format (CEF) from Delinea Secret Server ",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CommonSecurityLog(DelineaSecretServer)",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get records create new secret",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Delinea Software\" or DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity has \"SECRET - CREATE\""
+ },
+ {
+ "description": "Get records where view secret",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Delinea Software\" or DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity has \"SECRET - VIEW\""
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog(DelineaSecretServer)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Delinea Secret Server",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Delinea"
+ },
+ "support": {
+ "name": "Delinea",
+ "tier": "Partner",
+ "link": "https://delinea.com/support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] Delinea Secret Server via AMA",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId2')]"
+ ],
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"properties": {
- "description": "Delinea Secret Server Workbook with template",
- "displayName": "Delinea Secret Server workbook template"
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Delinea Secret Server",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Delinea"
+ },
+ "support": {
+ "name": "Delinea",
+ "tier": "Partner",
+ "link": "https://delinea.com/support/"
+ }
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "[Recommended] Delinea Secret Server via AMA",
+ "publisher": "Delinea, Inc",
+ "descriptionMarkdown": "Common Event Format (CEF) from Delinea Secret Server ",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CommonSecurityLog(DelineaSecretServer)",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog(DelineaSecretServer)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Delinea Software' or DeviceVendor =~ 'Thycotic Software' \n |where DeviceProduct =~ 'Secret Server'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get records create new secret",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Delinea Software\" or DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity has \"SECRET - CREATE\""
+ },
+ {
+ "description": "Get records where view secret",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Delinea Software\" or DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity has \"SECRET - VIEW\""
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DelineaWorkbookWorkbook Workbook with template version 2.0.1",
+ "description": "DelineaWorkbookWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
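Review bot: The AMA connector's `permissions.resourceProvider` list, in both the contentTemplate copy and the standalone `dataConnectors` resource, still requires `Microsoft.OperationalInsights/workspaces/sharedKeys` with `"action": true`, and its help text links to the legacy-agent page for obtaining the workspace key; AMA-based CEF collection is configured through the DCR and the agent's identity rather than the workspace key, so this entry appears carried over from the legacy connector and asks operators for more privilege than the connector uses — drop it from the AMA definition or confirm it is genuinely needed. In "Step C. Validate connection" the troubleshooting script is fetched from the `master` branch and immediately executed under sudo; pinning the URL to a specific commit (`https://raw.githubusercontent.com/Azure/Azure-Sentinel/<COMMIT_SHA>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py`, placeholder) and publishing its checksum would let operators verify what they run as root. The same step checks for Python with `python -version`, which is not a valid option; it should read `python --version`. Also in the instruction text, `log duplicacy` should be `log duplication`, `Make sure you to send` should be `Make sure to send`, and the empty `+` lines left inside the two "Step A"/"Step B" objects (in both copies of the connector) can be removed.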
@@ -457,7 +775,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Delinea Workbook\\n\"},\"name\":\"text - 2\",\"styleSettings\":{\"margin\":\"1\",\"padding\":\"1\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d273a798-8340-441a-9289-d1a79c87ed0c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timespan\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":43200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Most usage operations for SecretServer\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"FileType != \\\"test event\\\"\",\"style\":\"primary\"},{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secret\",\"subTarget\":\"FileType == \\\"Secret\\\"\",\"style\":\"primary\"},{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User\",\"subTarget\":\"FileType == \\\"User\\\"\",\"style\":\"primary\"},{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Folder\",\"subTarget\":\"FileType == \\\"Folder\\\"\",\"style\":\"secondary\"}]},\"name\":\"links - 3\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Delinea Software\\\" | where DeviceProduct == \\\"Secret Server\\\" | where LogSeverity == 2 \\n| where 
{page:query}\\n| where TimeGenerated {Timespan:query}\\n| summarize countRecord = count(), lastDate = arg_max(TimeGenerated, *) by FileName\\n| order by countRecord\\n| take 10\\n| project FileType, Activity, SecretName=FileName, countRecord, lastDate \",\"size\":2,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"FileType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"countRecord\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"FileType\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"countRecord\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"countRecord\",\"sourceIdField\":\"Activity\",\"targetIdField\":\"FileType\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5}},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"## Expiring Secrets\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Delinea Software\\\" \\r\\n| where DeviceProduct == \\\"Secret Server\\\" \\r\\n| where LogSeverity == 2 \\r\\n| where TimeGenerated > ago(1d)\\r\\n| summarize count() by Activity\\r\\n| where extract(\\\"EXPIRE[S|D](\\\\\\\\d+)DAY\\\\\\\\w?\\\", 1, Activity) != \\\"\\\"\\r\\n| project extract(\\\"EXPIRE[S|D](\\\\\\\\d+)DAY\\\\\\\\w?\\\", 1, Activity), count_\\r\\n| order by count_ asc \",\"size\":0,\"noDataMessage\":\"Secrets that will soon expire are not 
found\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"03\",\"label\":\"Expiring in 3 days\",\"comment\":\"Expire to 3 days\"},{\"seriesName\":\"07\",\"label\":\"Expiring in 7 days\",\"comment\":\"Expire to 7 days\"},{\"seriesName\":\"15\",\"label\":\"Expiring in 15 days\",\"comment\":\"Expire to 15 days\"},{\"seriesName\":\"30\",\"label\":\"Expiring in 30 days\"},{\"seriesName\":\"01\",\"label\":\"Expiring in 1 day\"}],\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"### Expiring Today\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Delinea Software\\\"\\n| where DeviceProduct == \\\"Secret Server\\\"\\n| where LogSeverity == 2 \\r\\n| where TimeGenerated > ago(1d)\\r\\n| summarize count() by Activity\\r\\n| where Activity == \\\"SECRET - EXPIREDTODAY\\\"\\r\\n| project count_\\r\\n| order by count_ asc \",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"FileName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Delinea Software\\\"\\n| where DeviceProduct == \\\"Secret Server\\\"\\n| where LogSeverity == 2 \\r\\n| where TimeGenerated > ago(1d)\\r\\n| summarize 
count() by Activity, FileName\\r\\n| where Activity == \\\"SECRET - EXPIREDTODAY\\\"\\r\\n| project FileName\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"150px\"}}],\"labelSettings\":[{\"columnId\":\"FileName\",\"label\":\"Secret Name\"}]}},\"name\":\"query - 8\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-Delinea\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Delinea Workbook\\n\"},\"name\":\"text - 2\",\"styleSettings\":{\"margin\":\"1\",\"padding\":\"1\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d273a798-8340-441a-9289-d1a79c87ed0c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timespan\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":43200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Most usage operations for SecretServer\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"FileType != \\\"test event\\\"\",\"style\":\"primary\"},{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secret\",\"subTarget\":\"FileType == \\\"Secret\\\"\",\"style\":\"primary\"},{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User\",\"subTarget\":\"FileType == \\\"User\\\"\",\"style\":\"primary\"},{\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Folder\",\"subTarget\":\"FileType == \\\"Folder\\\"\",\"style\":\"secondary\"}]},\"name\":\"links - 3\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Delinea Software\\\" or DeviceVendor == \\\"Thycotic Software\\\" | where DeviceProduct == \\\"Secret Server\\\" | 
where LogSeverity == 2 \\n| where {page:query}\\n| where TimeGenerated {Timespan:query}\\n| summarize countRecord = count(), lastDate = arg_max(TimeGenerated, *) by FileName\\n| order by countRecord\\n| take 10\\n| project FileType, Activity, SecretName=FileName, countRecord, lastDate \",\"size\":2,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"FileType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"countRecord\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"FileType\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"countRecord\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"countRecord\",\"sourceIdField\":\"Activity\",\"targetIdField\":\"FileType\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":\"\",\"staticNodeSize\":100,\"colorSettings\":\"\",\"hivesMargin\":5}},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"## Expiring Secrets\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Delinea Software\\\" or DeviceVendor == \\\"Thycotic Software\\\" \\r\\n| where DeviceProduct == \\\"Secret Server\\\" \\r\\n| where LogSeverity == 2 \\r\\n| where TimeGenerated > ago(1d)\\r\\n| summarize count() by Activity\\r\\n| where extract(\\\"EXPIRE[S|D](\\\\\\\\d+)DAY\\\\\\\\w?\\\", 1, Activity) != \\\"\\\"\\r\\n| project extract(\\\"EXPIRE[S|D](\\\\\\\\d+)DAY\\\\\\\\w?\\\", 1, Activity), count_\\r\\n| order by count_ asc \",\"size\":0,\"noDataMessage\":\"Secrets that will soon expire are not 
found\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"03\",\"label\":\"Expiring in 3 days\",\"comment\":\"Expire to 3 days\"},{\"seriesName\":\"07\",\"label\":\"Expiring in 7 days\",\"comment\":\"Expire to 7 days\"},{\"seriesName\":\"15\",\"label\":\"Expiring in 15 days\",\"comment\":\"Expire to 15 days\"},{\"seriesName\":\"30\",\"label\":\"Expiring in 30 days\"},{\"seriesName\":\"01\",\"label\":\"Expiring in 1 day\"}],\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"### Expiring Today\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Delinea Software\\\" or DeviceVendor == \\\"Thycotic Software\\\"\\n| where DeviceProduct == \\\"Secret Server\\\"\\n| where LogSeverity == 2 \\r\\n| where TimeGenerated > ago(1d)\\r\\n| summarize count() by Activity\\r\\n| where Activity == \\\"SECRET - EXPIREDTODAY\\\"\\r\\n| project count_\\r\\n| order by count_ asc \",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"FileName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Delinea Software\\\" or DeviceVendor == \\\"Thycotic Software\\\"\\n| where DeviceProduct == \\\"Secret 
Server\\\"\\n| where LogSeverity == 2 \\r\\n| where TimeGenerated > ago(1d)\\r\\n| summarize count() by Activity, FileName\\r\\n| where Activity == \\\"SECRET - EXPIREDTODAY\\\"\\r\\n| project FileName\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"150px\"}}],\"labelSettings\":[{\"columnId\":\"FileName\",\"label\":\"Secret Name\"}]}},\"name\":\"query - 8\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-Delinea\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -485,21 +803,56 @@
"name": "Delinea",
"tier": "Partner",
"link": "https://delinea.com/support/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "DelineaSecretServer_CEF",
+ "kind": "DataConnector"
+ },
+ {
+ "contentId": "DelineaSecretServerAma",
+ "kind": "DataConnector"
+ }
+ ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Delinea Secret Server",
+ "publisherDisplayName": "Delinea",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The Delinea Secret Server Microsoft Sentinel Data Solution enables delivery of Delinea Secret Server log messages to your Microsoft Sentinel Workspace.
\n\n
Delinea Secret Server via AMA - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
Delinea Secret Server via Legacy Agent - This data connector helps in ingesting Delinea Secret Server logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of Delinea Secret Server via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend created_at = alert.created_at \\n| extend resolved_at = alert.fixed_at\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\\n\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = 
todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend 
repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\\n| count\",\"size\":4,\"title\":\"Resolved\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('dismiss')\\n| count\",\"size\":4,\"title\":\"Dismissed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"cu
stomWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create', 'dismiss', 'resolve')\\n| summarize Count = count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"create\",\"label\":\"Found\"},{\"seriesName\":\"resolve\",\"label\":\"Fixed\"},{\"seriesName\":\"dismiss\",\"label\":\"Dismissed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend Repository = 
todynamic(repository_s).full_name\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Count=count() by tostring(Repository)\",\"size\":0,\"title\":\"Vulnerabilities by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend 
alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Count=count() by tostring(Severity), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = case(isnotnull(alert.fixed_at), alert.fixed_at, alert.dismissed_at)\\n| extend 
Time_to_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve', 'dismiss')\\n| project Action, Repository, Severity, Alert_URL, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert_URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at 
= alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_to_Resolution = todatetime(resolved_at) - todatetime(created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Total=count(Severity), Critical=countif(Severity=='critical'), High=countif(Severity=='high'), Medium=countif(Severity=='moderate'), Low=countif(Severity=='low') by tostring(Repository)\",\"size\":0,\"title\":\"Alerts by 
Repo\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dependabot Alerts\"},\"name\":\"Dependabot Alerts\"}],\"fromTemplateId\":\"GitHubAdvancedSecurity - topics\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -440,7 +440,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - A payment method was removed_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - A payment method was removed_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@@ -475,13 +475,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -537,7 +537,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - Activities from Infrequent Country_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - Activities from Infrequent Country_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@@ -572,13 +572,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -634,7 +634,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - Oauth application - a client secret was removed_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - Oauth application - a client secret was removed_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@@ -669,13 +669,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -731,7 +731,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - Repository was created_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - Repository was created_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@@ -766,13 +766,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -828,7 +828,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - Repository was destroyed_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - Repository was destroyed_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@@ -863,13 +863,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -925,7 +925,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@@ -960,13 +960,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1022,7 +1022,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - User visibility Was changed_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - User visibility Was changed_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@@ -1057,13 +1057,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1119,7 +1119,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - User was added to the organization_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - User was added to the organization_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@@ -1154,13 +1154,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1216,7 +1216,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - User was blocked_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - User was blocked_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@@ -1251,13 +1251,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1313,7 +1313,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - User was invited to the repository_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - User was invited to the repository_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@@ -1348,13 +1348,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1410,7 +1410,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - pull request was created_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - pull request was created_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion11')]",
@@ -1445,13 +1445,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1507,7 +1507,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "(Preview) GitHub - pull request was merged_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "(Preview) GitHub - pull request was merged_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion12')]",
@@ -1542,13 +1542,13 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
}
]
}
@@ -1604,7 +1604,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT Two Factor Authentication Disabled_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "NRT Two Factor Authentication Disabled_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion13')]",
@@ -1635,22 +1635,22 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -1706,7 +1706,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Security Vulnerability in Repo_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "Security Vulnerability in Repo_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion14')]",
@@ -1786,7 +1786,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "First Time User Invite and Add Member to Org_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "First Time User Invite and Add Member to Org_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
@@ -1871,7 +1871,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Inactive or New Account Usage_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "Inactive or New Account Usage_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
@@ -1956,7 +1956,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Mass Deletion of Repositories _HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "Mass Deletion of Repositories _HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
@@ -2041,7 +2041,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Oauth App Restrictions Disabled_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "Oauth App Restrictions Disabled_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion4')]",
@@ -2126,7 +2126,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Org Repositories Default Permissions Change_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "Org Repositories Default Permissions Change_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion5')]",
@@ -2211,7 +2211,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Repository Permission Switched to Public_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "Repository Permission Switched to Public_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@@ -2296,7 +2296,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User First Time Repository Delete Activity_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "User First Time Repository Delete Activity_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@@ -2381,7 +2381,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "User Grant Access and Grants Other Access_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "User Grant Access and Grants Other Access_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@@ -2466,7 +2466,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GitHubAuditData Data Parser with template version 3.0.0",
+ "description": "GitHubAuditData Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@@ -2598,7 +2598,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GitHubCodeScanningData Data Parser with template version 3.0.0",
+ "description": "GitHubCodeScanningData Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion2')]",
@@ -2730,7 +2730,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GitHubDependabotData Data Parser with template version 3.0.0",
+ "description": "GitHubDependabotData Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion3')]",
@@ -2862,7 +2862,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GithubSecretScanningData Data Parser with template version 3.0.0",
+ "description": "GithubSecretScanningData Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion4')]",
@@ -2994,7 +2994,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GitHub data connector with template version 3.0.0",
+ "description": "GitHub data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -3339,7 +3339,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "GitHub data connector with template version 3.0.0",
+ "description": "GitHub data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -3357,7 +3357,7 @@
"id": "[variables('_uiConfigId2')]",
"title": "GitHub (using Webhooks) (using Azure Functions)",
"publisher": "Microsoft",
- "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get eventsinto Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.",
+ "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.",
"graphQueries": [
{
"metricName": "Total data received",
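Review bot: The corrected descriptionMarkdown on the new line still carries two wording problems in the same user-facing string: `provides ability to get events` (missing article) and `If you are intended to ingest Github Audit logs, Please refer to` (wrong verb form, stray capital, inconsistent product name). Suggested wording: `The connector provides the ability to get events into Microsoft Sentinel …` and `**Note:** If you intend to ingest GitHub Audit logs, please refer to the GitHub Enterprise Audit Log connector in the "**Data Connectors**" gallery.`. The identical string is changed again in the hunk at `@@ -3574,7 +3574,7 @@`, so both copies need the same correction. This mainTemplate.json reads like packaged output, so the text presumably also lives in the connector definition the package is generated from; fixing it only here would likely be overwritten on the next repackaging.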
@@ -3574,7 +3574,7 @@
"connectorUiConfig": {
"title": "GitHub (using Webhooks) (using Azure Functions)",
"publisher": "Microsoft",
- "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get eventsinto Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.",
+ "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.",
"graphQueries": [
{
"metricName": "Total data received",
@@ -3700,12 +3700,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "GitHub",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
Note:Please refer to the following before installing the solution: \r \n • Review the solution Release Notes\r \n • There may be known issues pertaining to this Solution.
\n
The GitHub Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.
\n
Underlying Microsoft Technologies used:
\n
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The GitHub Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.
\n
Underlying Microsoft Technologies used:
\n
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
"
+ },
+ "name": "text - 0"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend alert = todynamic(alert_s)\n| extend created_at = alert.created_at \n| extend resolved_at = alert.fixed_at\n| extend alertexternalidentifier= alert.external_identifier\n| extend day = todatetime(resolved_at) - todatetime(created_at)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\n",
+ "size": 4,
+ "title": "Mean Time to Resolution (dd:hh:mm:ss)",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "card",
+ "gridSettings": {
+ "sortBy": [
+ {
+ "itemKey": "MTTR",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "MTTR",
+ "sortOrder": 2
+ }
+ ],
+ "textSettings": {
+ "style": "bignumber"
+ }
+ },
+ "customWidth": "25",
+ "name": "query - 5"
+ },
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "GitHubAuditData\n| where Action == \"repo.access\" and Visibility == \"public\"\n| where Actor in ({Actors}) and Repository in ({Repositories}) // parameter filter\n| summarize [\"Number of Bypasses\"] = count() by Actor\n| top 10 by ['Number of Bypasses'] desc\n| project-reorder ['Number of Bypasses'], Actor",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend Status = action_s\n| extend alertexternalidentifier= alert.external_identifier\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\n| count",
+ "size": 4,
+ "title": "Created",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "card",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Status",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 1
+ }
+ ]
+ },
+ "sortBy": [],
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Status",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "style": "decimal",
+ "maximumFractionDigits": 2,
+ "maximumSignificantDigits": 3
+ }
+ }
+ },
+ "showBorder": false,
+ "size": "auto"
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "Count",
+ "sizeAggregation": "Sum",
+ "legendMetric": "Count",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "Count",
+ "heatmapPalette": "greenRed"
+ }
+ },
+ "textSettings": {
+ "style": "bignumber"
+ }
+ },
+ "customWidth": "25",
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend Status = action_s\n| extend alertexternalidentifier= alert.external_identifier\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\n| count",
+ "size": 4,
+ "title": "Resolved",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "card",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Status",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 1
+ }
+ ]
+ },
+ "sortBy": [],
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Status",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "style": "decimal",
+ "maximumFractionDigits": 2,
+ "maximumSignificantDigits": 3
+ }
+ }
+ },
+ "showBorder": false,
+ "size": "auto"
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "Count",
+ "sizeAggregation": "Sum",
+ "legendMetric": "Count",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "Count",
+ "heatmapPalette": "greenRed"
+ }
+ },
+ "textSettings": {
+ "style": "bignumber"
+ }
+ },
+ "customWidth": "25",
+ "name": "query - 2 - Copy"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend Status = action_s\n| extend alertexternalidentifier= alert.external_identifier\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('dismiss')\n| count",
+ "size": 4,
+ "title": "Dismissed",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "card",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Status",
+ "formatter": 5
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 1
+ }
+ ]
+ },
+ "sortBy": [],
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Status",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "style": "decimal",
+ "maximumFractionDigits": 2,
+ "maximumSignificantDigits": 3
+ }
+ }
+ },
+ "showBorder": false,
+ "size": "auto"
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "Count",
+ "sizeAggregation": "Sum",
+ "legendMetric": "Count",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "Count",
+ "heatmapPalette": "greenRed"
+ }
+ },
+ "textSettings": {
+ "style": "bignumber"
+ }
+ },
+ "customWidth": "25",
+ "name": "query - 2 - Copy - Copy"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend alertexternalidentifier = alert.external_identifier\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('create', 'dismiss', 'resolve')\n| summarize Count = count() by tostring(action_s), bin(TimeGenerated,1d)",
"size": 0,
- "title": "Private Repos made Public by Actor",
+ "title": "Alert Found/Fixed Ratio",
"timeContextFromParameter": "TimeRange",
+ "timeBrushParameterName": "TimeRange",
"queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "create",
+ "label": "Found"
+ },
+ {
+ "seriesName": "resolve",
+ "label": "Fixed"
+ },
+ {
+ "seriesName": "dismiss",
+ "label": "Dismissed"
+ }
+ ]
+ }
},
"customWidth": "33",
- "name": "query - 1",
+ "name": "query - 7 - Copy",
"styleSettings": {
- "showBorder": true
+ "padding": "20px"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "GitHubAuditData\n| where Action == \"protected_branch.policy_override\"\n| where Actor in ({Actors}) and Repository in ({Repositories}) // parameter filter\n| summarize [\"Number of Bypasses\"] = count() by Actor\n| top 10 by ['Number of Bypasses'] desc\n| project-reorder ['Number of Bypasses'], Actor",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend Repository = todynamic(repository_s).full_name\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend alertexternalidentifier = alert.external_identifier \n| extend Severity = alert.severity\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\n| summarize Count=count() by tostring(Repository)",
"size": 0,
- "title": "Branch Protection - Bypass by Actor",
+ "title": "Vulnerabilities by Repo",
"timeContextFromParameter": "TimeRange",
+ "timeBrushParameterName": "TimeRange",
"queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "gridSettings": {
+ "sortBy": [
+ {
+ "itemKey": "Count",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Count",
+ "sortOrder": 2
+ }
+ ],
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "action_s",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "event_count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
},
- "customWidth": "34",
- "name": "query - 2",
+ "customWidth": "33",
+ "name": "query - 7",
"styleSettings": {
- "showBorder": true
+ "padding": "20px"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "GitHubAuditData\n| where Action == \"secret_scanning_push_protection.bypass\"\n| where Actor in ({Actors}) and Repository in ({Repositories}) // parameter filter\n| summarize [\"Number of Bypasses\"] = count() by Actor\n| top 10 by ['Number of Bypasses'] desc\n| project-reorder ['Number of Bypasses'], Actor",
- "size": 1,
- "title": "Push Protection - Bypass by Actor",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend alertexternalidentifier = alert.external_identifier \n| extend Severity = alert.severity\n| extend Repository = todynamic(repository_s).full_name\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\n| summarize Count=count() by tostring(Severity), bin(TimeGenerated,1d)",
+ "size": 0,
+ "title": "New Alerts by Severity",
"timeContextFromParameter": "TimeRange",
+ "timeBrushParameterName": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
- "textSettings": {
- "style": "bignumber"
- }
+ "visualization": "barchart"
},
"customWidth": "33",
- "name": "query - 5",
+ "name": "query - 7 - Copy",
"styleSettings": {
- "showBorder": true
+ "padding": "20px"
}
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend Action = todynamic(action_s)\n| extend alertexternalidentifier = alert.external_identifier \n| extend Severity = alert.severity\n| extend repo = todynamic(repository_s)\n| extend Alert_URL = alert.external_reference\n| extend Repository = repo.full_name\n| extend created_at = alert.created_at\n| extend resolved_at = case(isnotnull(alert.fixed_at), alert.fixed_at, alert.dismissed_at)\n| extend Time_to_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve', 'dismiss')\n| project Action, Repository, Severity, Alert_URL, Time_to_Resolution",
+ "size": 0,
+ "title": "Fixed Alerts",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Alert_URL",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url"
+ }
+ }
+ ],
+ "filter": true,
+ "sortBy": [
+ {
+ "itemKey": "Repository",
+ "sortOrder": 2
+ }
+ ],
+ "labelSettings": [
+ {
+ "columnId": "Time_to_Resolution",
+ "label": "Time to Resolution(dd:hh:mm:ss)"
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Repository",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "name": "query - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let repositoriesList = dynamic([{Repositories}]);\nlet repoTopics = dynamic([{Topics}]);\ngithubscanaudit_CL \n| extend repository = todynamic(repository_s)\n| extend repositoryfullname = repository.full_name\n| extend alert = todynamic(alert_s)\n| extend Action = todynamic(action_s)\n| extend alertexternalidentifier = alert.external_identifier \n| extend Severity = alert.severity\n| extend repo = todynamic(repository_s)\n| extend Alert_URL = alert.external_reference\n| extend Repository = repo.full_name\n| extend created_at = alert.created_at\n| extend resolved_at = alert.fixed_at\n| extend Time_to_Resolution = todatetime(resolved_at) - todatetime(created_at)\n| extend org = todynamic(organization_s)\n| extend orgFullName = org.login\n| extend topic = repository.topics\n| mv-apply repoTopics, topic on (\n mv-expand topic\n | extend Out = topic in (repoTopics)\n | summarize topic = make_list(topic), Out= make_list(Out)\n | project Out, topic\n)\n| extend areReposSelected = array_length((repositoriesList)) == 0\n| extend areTopicsSelected = array_length((repoTopics)) > 0\n| where\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\n| summarize Total=count(Severity), Critical=countif(Severity=='critical'), High=countif(Severity=='high'), Medium=countif(Severity=='moderate'), Low=countif(Severity=='low') by tostring(Repository)",
+ "size": 0,
+ "title": "Alerts by Repo",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Critical",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "redDark",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "High",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "redBright",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Medium",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "orange",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "Low",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "yellow",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ }
+ ],
+ "filter": true,
+ "sortBy": [
+ {
+ "itemKey": "Total",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Total",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
- "value": "Top 10 Offenders"
+ "value": "Dependabot Alerts"
},
- "name": "group - 7",
- "styleSettings": {
- "showBorder": true
- }
+ "name": "Dependabot Alerts"
}
],
- "fromTemplateId": "sentinel-GitHubSecurity",
+ "fallbackResourceIds": [],
+ "fromTemplateId": "GitHubAdvancedSecurity - topics",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
\ No newline at end of file
+}
diff --git a/Solutions/Cyberpion/Analytic Rules/HighUrgencyActionItems.yaml b/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
similarity index 88%
rename from Solutions/Cyberpion/Analytic Rules/HighUrgencyActionItems.yaml
rename to Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
index 3e80629ca5e..5de1074ce13 100644
--- a/Solutions/Cyberpion/Analytic Rules/HighUrgencyActionItems.yaml
+++ b/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
@@ -1,7 +1,7 @@
id: 8e0403b1-07f8-4865-b2e9-74d1e83200a4
-name: High Urgency Cyberpion Action Items
+name: High Urgency IONIX Action Items
description: |
- 'This query creates an alert for active Cyberpion Action Items with high urgency (9-10).
+ 'This query creates an alert for active IONIX Action Items with high urgency (9-10).
Urgency can be altered using the "min_urgency" variable in the query.'
severity: High
status: Available
@@ -38,5 +38,5 @@ entityMappings:
fieldMappings:
- identifier: DomainName
columnName: DNSCustomEntity
-version: 1.0.0
+version: 1.0.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Cyberpion/Data Connectors/CyberpionSecurityLogs.json b/Solutions/IONIX/Data Connectors/IONIXSecurityLogs.json
similarity index 80%
rename from Solutions/Cyberpion/Data Connectors/CyberpionSecurityLogs.json
rename to Solutions/IONIX/Data Connectors/IONIXSecurityLogs.json
index 61bd35a45bb..d870cbbf387 100644
--- a/Solutions/Cyberpion/Data Connectors/CyberpionSecurityLogs.json
+++ b/Solutions/IONIX/Data Connectors/IONIXSecurityLogs.json
@@ -1,8 +1,8 @@
{
"id": "CyberpionSecurityLogs",
- "title": "Cyberpion Security Logs",
- "publisher": "Cyberpion",
- "descriptionMarkdown": "The Cyberpion Security Logs data connector, ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
+ "title": "IONIX Security Logs",
+ "publisher": "IONIX",
+ "descriptionMarkdown": "The IONIX Security Logs data connector, ingests logs from the IONIX system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
"graphQueries": [
{
"metricName": "Total data received",
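Review bot: The rewritten `descriptionMarkdown` says the connector ingests IONIX logs "directly into Sentinel" but never names the destination table, while the unchanged `"id": "CyberpionSecurityLogs"` line above keeps the old vendor name and the analytic rule later in this diff reads `CyberpionActionItems_CL` from this same connector, so nothing branded IONIX is visible in the workspace for an analyst to search for. Suggest appending to the description: `Events are written to the CyberpionActionItems_CL custom table; the table and connector id keep the previous vendor name so existing queries and rules continue to work.` — hedge or extend the wording if the connector also writes tables not shown in this diff. The same description text is repeated three times in mainTemplate.json in this diff and should be updated together.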
@@ -59,15 +59,15 @@
],
"customs": [
{
- "name": "Cyberpion Subscription",
- "description": "a subscription and account is required for cyberpion logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
+ "name": "IONIX Subscription",
+ "description": "a subscription and account is required for IONIX logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
}
]
},
"instructionSteps": [
{
"title": "",
- "description": "Follow the [instructions](https://www.cyberpion.com/resource-center/integrations/azure-sentinel/) to integrate Cyberpion Security Alerts into Sentinel.",
+ "description": "Follow the [instructions](https://www.ionix.io/integrations/azure-sentinel/) to integrate IONIX Security Alerts into Sentinel.",
"instructions": [
{
"parameters": {
diff --git a/Solutions/IONIX/Data/Solution_IONIX.json b/Solutions/IONIX/Data/Solution_IONIX.json
new file mode 100644
index 00000000000..027b95ca000
--- /dev/null
+++ b/Solutions/IONIX/Data/Solution_IONIX.json
@@ -0,0 +1,20 @@
+{
+ "Name": "IONIX",
+ "Author": "IONIX",
+ "Logo": "",
+ "Description": "The [IONIX](https://ionix.io/) solution for Microsoft Sentinel enables you to ingest vulnerability logs from the IONIX platform into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)",
+ "Data Connectors": [
+ "Data Connectors/IONIXSecurityLogs.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/HighUrgencyActionItems.yaml"
+ ],
+ "Workbooks": [
+ "Workbooks/IONIXOverviewWorkbook.json"
+ ],
+ "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IONIX",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Cyberpion/Package/2.0.0.zip b/Solutions/IONIX/Package/2.0.0.zip
similarity index 100%
rename from Solutions/Cyberpion/Package/2.0.0.zip
rename to Solutions/IONIX/Package/2.0.0.zip
diff --git a/Solutions/Cyberpion/Package/2.0.1.zip b/Solutions/IONIX/Package/2.0.1.zip
similarity index 100%
rename from Solutions/Cyberpion/Package/2.0.1.zip
rename to Solutions/IONIX/Package/2.0.1.zip
diff --git a/Solutions/IONIX/Package/3.0.0.zip b/Solutions/IONIX/Package/3.0.0.zip
new file mode 100644
index 00000000000..4009f466a33
Binary files /dev/null and b/Solutions/IONIX/Package/3.0.0.zip differ
diff --git a/Solutions/Cyberpion/Package/createUiDefinition.json b/Solutions/IONIX/Package/createUiDefinition.json
old mode 100644
new mode 100755
similarity index 70%
rename from Solutions/Cyberpion/Package/createUiDefinition.json
rename to Solutions/IONIX/Package/createUiDefinition.json
index 2cc2cda9068..3581e0c262e
--- a/Solutions/Cyberpion/Package/createUiDefinition.json
+++ b/Solutions/IONIX/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Cyberpion](https://www.cyberpion.com/) solution for Microsoft Sentinel enables you to ingest vulnerability logs from the Cyberpion platform into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [IONIX](https://ionix.io/) solution for Microsoft Sentinel enables you to ingest vulnerability logs from the IONIX platform into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
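Review bot: The file header switches createUiDefinition.json from mode 100644 to 100755, and mainTemplate.json receives the same mode change further down in this diff; a JSON template has no reason to carry the executable bit, and the mode flip adds noise to what is otherwise a rename plus text edits. Restore the mode on both files before merging, e.g. `git update-index --chmod=-x "Solutions/IONIX/Package/createUiDefinition.json"` and the same for mainTemplate.json. The description change in this hunk itself is only branding and looks consistent with the rest of the diff.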
@@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the data connector for ingesting Cyberpion logs into Microsoft Sentinel, using Codeless Connector Platform and Native Sentinel Polling. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for IONIX. You can get IONIX custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
@@ -100,6 +100,20 @@
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "IONIX Overview",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Gain insights into your IONIX Security Logs."
+ }
+ }
+ ]
}
]
},
@@ -132,13 +146,13 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
- "label": "High Urgency Cyberpion Action Items",
+ "label": "High Urgency IONIX Action Items",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\n Urgency can be altered using the \"min_urgency\" variable in the query."
+ "text": "Creates an alert for active IONIX Action Items with high urgency (9-10)."
}
}
]
diff --git a/Solutions/Cyberpion/Package/mainTemplate.json b/Solutions/IONIX/Package/mainTemplate.json
old mode 100644
new mode 100755
similarity index 57%
rename from Solutions/Cyberpion/Package/mainTemplate.json
rename to Solutions/IONIX/Package/mainTemplate.json
index 66bfc16b349..71b8cd1bad1
--- a/Solutions/Cyberpion/Package/mainTemplate.json
+++ b/Solutions/IONIX/Package/mainTemplate.json
@@ -2,8 +2,8 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
- "author": "Cyberpion",
- "comments": "Solution template for Cyberpion"
+ "author": "IONIX",
+ "comments": "Solution template for IONIX"
},
"parameters": {
"location": {
@@ -30,7 +30,7 @@
},
"workbook1-name": {
"type": "string",
- "defaultValue": "Cyberpion Overview",
+ "defaultValue": "IONIX Overview",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
@@ -38,57 +38,49 @@
}
},
"variables": {
+ "_solutionName": "IONIX",
+ "_solutionVersion": "3.0.0",
"solutionId": "cyberpion1597832716616.cyberpion_mss",
"_solutionId": "[variables('solutionId')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "CyberpionSecurityLogs",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "CyberpionSecurityLogs",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
- "dataConnectorVersion1": "1.0.0",
- "analyticRuleVersion1": "1.0.0",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.1",
+ "dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_dataConnectorcontentProductId1": "[variables('dataConnectorcontentProductId1')]",
+ "analyticRuleVersion1": "1.0.1",
"analyticRulecontentId1": "8e0403b1-07f8-4865-b2e9-74d1e83200a4",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "workbookVersion1": "1.0.0",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
+ "analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
+ "_analyticRulecontentProductId1": "[variables('analyticRulecontentProductId1')]",
+ "workbookVersion1": "1.0.1",
"workbookContentId1": "CyberpionOverviewWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]"
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "_workbookcontentProductId1": "[variables('workbookcontentProductId1')]",
+ "solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
+ "_solutioncontentProductId": "[variables('solutioncontentProductId')]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Cyberpion data connector with template",
- "displayName": "Cyberpion template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Cyberpion data connector with template version 2.0.1",
+ "description": "IONIX data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
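Review bot: `workspaceResourceId` is removed and re-added further down the `variables` block, but its only visible consumers — the `hidden-sentinelWorkspaceId` tags on the old templateSpecs resources — are deleted in this hunk and in the later analytic-rule hunk, so on the new side the variable appears to be unreferenced. If nothing outside the shown hunks reads it, drop the `"workspaceResourceId": ...` line; an unreferenced variable is flagged by the ARM template toolkit and misleads the next maintainer into thinking the tags still exist. The `dependsOn` switch to the `contentPackages` extension resource is consistent with the `contentTemplates` resource type introduced on the same lines.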
@@ -104,9 +96,9 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Cyberpion Security Logs",
- "publisher": "Cyberpion",
- "descriptionMarkdown": "The Cyberpion Security Logs data connector, ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
+ "title": "IONIX Security Logs",
+ "publisher": "IONIX",
+ "descriptionMarkdown": "The IONIX Security Logs data connector, ingests logs from the IONIX system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
"graphQueries": [
{
"metricName": "Total data received",
@@ -163,14 +155,14 @@
],
"customs": [
{
- "name": "Cyberpion Subscription",
- "description": "a subscription and account is required for cyberpion logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
+ "name": "IONIX Subscription",
+ "description": "a subscription and account is required for IONIX logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
}
]
},
"instructionSteps": [
{
- "description": "Follow the [instructions](https://www.cyberpion.com/resource-center/integrations/azure-sentinel/) to integrate Cyberpion Security Alerts into Sentinel.",
+ "description": "Follow the [instructions](https://www.ionix.io/integrations/azure-sentinel/) to integrate IONIX Security Alerts into Sentinel.",
"instructions": [
{
"parameters": {
@@ -198,7 +190,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -207,26 +199,38 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
- "name": "Cyberpion",
+ "name": "IONIX",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Cyberpion"
+ "name": "IONIX"
},
"support": {
- "name": "Cyberpion",
+ "name": "IONIX",
+ "email": "support@ionix.io",
"tier": "Partner",
- "link": "https://www.cyberpion.com/contact/"
+ "link": "https://www.ionix.io/contact-us/"
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "IONIX Security Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -239,16 +243,17 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
- "name": "Cyberpion",
+ "name": "IONIX",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Cyberpion"
+ "name": "IONIX"
},
"support": {
- "name": "Cyberpion",
+ "name": "IONIX",
+ "email": "support@ionix.io",
"tier": "Partner",
- "link": "https://www.cyberpion.com/contact/"
+ "link": "https://www.ionix.io/contact-us/"
}
}
},
@@ -260,9 +265,9 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Cyberpion Security Logs",
- "publisher": "Cyberpion",
- "descriptionMarkdown": "The Cyberpion Security Logs data connector, ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
+ "title": "IONIX Security Logs",
+ "publisher": "IONIX",
+ "descriptionMarkdown": "The IONIX Security Logs data connector, ingests logs from the IONIX system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
"graphQueries": [
{
"metricName": "Total data received",
@@ -319,14 +324,14 @@
],
"customs": [
{
- "name": "Cyberpion Subscription",
- "description": "a subscription and account is required for cyberpion logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
+ "name": "IONIX Subscription",
+ "description": "a subscription and account is required for IONIX logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
}
]
},
"instructionSteps": [
{
- "description": "Follow the [instructions](https://www.cyberpion.com/resource-center/integrations/azure-sentinel/) to integrate Cyberpion Security Alerts into Sentinel.",
+ "description": "Follow the [instructions](https://www.ionix.io/integrations/azure-sentinel/) to integrate IONIX Security Alerts into Sentinel.",
"instructions": [
{
"parameters": {
@@ -354,33 +359,15 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Cyberpion Analytics Rule 1 with template",
- "displayName": "Cyberpion Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "HighUrgencyActionItems_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "HighUrgencyActionItems_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@@ -389,13 +376,13 @@
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
+ "name": "[variables('analyticRulecontentId1')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\n Urgency can be altered using the \"min_urgency\" variable in the query.",
- "displayName": "High Urgency Cyberpion Action Items",
+ "description": "This query creates an alert for active IONIX Action Items with high urgency (9-10).\n Urgency can be altered using the \"min_urgency\" variable in the query.",
+ "displayName": "High Urgency IONIX Action Items",
"enabled": false,
"query": "let timeframe = 14d;\nlet time_generated_bucket = 1h;\nlet min_urgency = 9;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe)\n | summarize max(bin(TimeGenerated, time_generated_bucket))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe) and is_open_b == true\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\n | where urgency_d >= min_urgency\n | extend timestamp = opening_datetime_t\n | extend DNSCustomEntity = host_s\n",
"queryFrequency": "P1D",
@@ -408,22 +395,26 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "CyberpionSecurityLogs",
"dataTypes": [
"CyberpionActionItems_CL"
- ],
- "connectorId": "CyberpionSecurityLogs"
+ ]
}
],
"tactics": [
"InitialAccess"
],
+ "techniques": [
+ "T1190",
+ "T1195"
+ ],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
- "columnName": "DNSCustomEntity",
- "identifier": "DomainName"
+ "identifier": "DomainName",
+ "columnName": "DNSCustomEntity"
}
]
}
@@ -435,58 +426,52 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
"properties": {
- "description": "Cyberpion Analytics Rule 1",
+ "description": "IONIX Analytics Rule 1",
"parentId": "[variables('analyticRuleId1')]",
"contentId": "[variables('_analyticRulecontentId1')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion1')]",
"source": {
"kind": "Solution",
- "name": "Cyberpion",
+ "name": "IONIX",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Cyberpion"
+ "name": "IONIX"
},
"support": {
- "name": "Cyberpion",
+ "name": "IONIX",
+ "email": "support@ionix.io",
"tier": "Partner",
- "link": "https://www.cyberpion.com/contact/"
+ "link": "https://www.ionix.io/contact-us/"
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "High Urgency IONIX Action Items",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "Cyberpion Workbook with template",
- "displayName": "Cyberpion workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CyberpionOverviewWorkbookWorkbook Workbook with template version 2.0.1",
+ "description": "IONIXOverviewWorkbookWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -500,11 +485,11 @@
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
- "description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem."
+ "description": ""
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Cyberpion Action Items\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Current Open Action Items\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = 14d;\\nlet bucketTimeSpan = 1h;\\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\\n | summarize count() by Category\\n | render barchart\\n\\n\",\"size\":0,\"title\":\"Action Items by Category\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"action-items-by-category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = 14d;\\nlet bucketTimeSpan = 1h;\\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\\n | summarize count() by solution_s\\n | render piechart\",\"size\":0,\"title\":\"Most Common Solutions\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"most-common-solution\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = 14d;\\nlet bucketTimeSpan = 1h;\\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > 
ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\\n | extend Urgency = bin(urgency_d, 1)\\n | summarize count() by Urgency\\n | join kind=rightouter (range Urgency from 1.0 to 10.0 step 1) on Urgency\\n | project Urgency = Urgency1, Count = iff(isnotempty(count_), count_, 0)\\n | sort by Urgency asc\\n | extend Urgency = tostring(Urgency)\\n | render barchart\\n\\n\",\"size\":0,\"title\":\"Action Items Count by Urgency\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"createOtherGroup\":0,\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}},\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"open-ai-urgency-bars\"}]},\"name\":\"current-ais\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Historical 
Info\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8bb48b6-6706-48bd-b8a1-94de288bcb4c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = now(-{TimeRange:seconds}s);\\nlet bucketTimeSpan = 1h;\\nCyberpionActionItems_CL\\n | where TimeGenerated > lookbackTime and is_open_b == true\\n | project id_s, TimeGenerated\\n | make-series count() default=long(null) on TimeGenerated from bin(lookbackTime, bucketTimeSpan) to now() step bucketTimeSpan\\n | extend open_action_items=series_fill_forward(count_, long(null))\\n | project TimeGenerated, open_action_items\\n | mv-expand TimeGenerated to typeof(datetime), open_action_items to typeof(int)\\n | where isnotnull(open_action_items)\\n | render timechart\",\"size\":0,\"aggregation\":5,\"title\":\"Open Action Items over time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"action-items-over-time\"}]},\"name\":\"historical-data\"}],\"fromTemplateId\":\"sentinel-CyberpionOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## IONIX Action Items\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Current Open Action Items\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = 14d;\\nlet bucketTimeSpan = 1h;\\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\\n | summarize count() by Category\\n | render barchart\\n\\n\",\"size\":0,\"title\":\"Action Items by Category\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"action-items-by-category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = 14d;\\nlet bucketTimeSpan = 1h;\\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\\n | summarize count() by solution_s\\n | render piechart\",\"size\":0,\"title\":\"Most Common Solutions\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"most-common-solution\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = 14d;\\nlet bucketTimeSpan = 1h;\\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > 
ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\\n | extend Urgency = bin(urgency_d, 1)\\n | summarize count() by Urgency\\n | join kind=rightouter (range Urgency from 1.0 to 10.0 step 1) on Urgency\\n | project Urgency = Urgency1, Count = iff(isnotempty(count_), count_, 0)\\n | sort by Urgency asc\\n | extend Urgency = tostring(Urgency)\\n | render barchart\\n\\n\",\"size\":0,\"title\":\"Action Items Count by Urgency\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"\",\"createOtherGroup\":0,\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}},\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"open-ai-urgency-bars\"}]},\"name\":\"current-ais\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Historical 
Info\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8bb48b6-6706-48bd-b8a1-94de288bcb4c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let lookbackTime = now(-{TimeRange:seconds}s);\\nlet bucketTimeSpan = 1h;\\nCyberpionActionItems_CL\\n | where TimeGenerated > lookbackTime and is_open_b == true\\n | project id_s, TimeGenerated\\n | make-series count() default=long(null) on TimeGenerated from bin(lookbackTime, bucketTimeSpan) to now() step bucketTimeSpan\\n | extend open_action_items=series_fill_forward(count_, long(null))\\n | project TimeGenerated, open_action_items\\n | mv-expand TimeGenerated to typeof(datetime), open_action_items to typeof(int)\\n | where isnotnull(open_action_items)\\n | render timechart\",\"size\":0,\"aggregation\":5,\"title\":\"Open Action Items over time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"action-items-over-time\"}]},\"name\":\"historical-data\"}],\"fromTemplateId\":\"sentinel-CyberpionOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
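Review bot: The workbook's `metadata.description` is emptied to `""` on the new side (the line replacing the former "Use Cyberpion's Security Logs and this workbook…" sentence), so the deployed workbook now carries no description at all; the same symptom appears in the next hunk, where the metadata resource's description becomes the literal `".description"`, which looks like the packaging step failed to resolve the workbook metadata object rather than a deliberate change. Restoring the text with the new vendor name, `"description": "Use IONIX's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem."`, would fix both places. Note also that `serializedData` still carries `"fromTemplateId":"sentinel-CyberpionOverviewWorkbook"` while the heading reads "IONIX Action Items"; if the template id is intentionally kept for continuity, that is worth a line in the solution's README.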
@@ -515,65 +500,72 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=CyberpionOverviewWorkbook; logoFileName=cyberpion_logo.svg; description=Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Cyberpion Overview; templateRelativePath=CyberpionOverviewWorkbook.json; subtitle=; provider=Cyberpion}.description",
+ "description": ".description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
"version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
- "name": "Cyberpion",
+ "name": "IONIX",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Cyberpion"
+ "name": "IONIX"
},
"support": {
- "name": "Cyberpion",
+ "name": "IONIX",
+ "email": "support@ionix.io",
"tier": "Partner",
- "link": "https://www.cyberpion.com/contact/"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "CyberpionActionItems_CL",
- "kind": "DataType"
- },
- {
- "contentId": "CyberpionSecurityLogs",
- "kind": "DataConnector"
- }
- ]
+ "link": "https://www.ionix.io/contact-us/"
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "IONIX",
+ "publisherDisplayName": "IONIX",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The IONIX solution for Microsoft Sentinel enables you to ingest vulnerability logs from the IONIX platform into Microsoft Sentinel.
\n
Underlying Microsoft Technologies used:
\n
This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
",
"Subject": "Insider Risk Management Alert",
"To": "[[parameters('Email')]"
},
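Review bot: The workbook metadata loses its `dependencies` block (the DataType `CyberpionActionItems_CL` and DataConnector `CyberpionSecurityLogs` criteria are removed and nothing equivalent is added on the new side), while the analytic rule in the earlier hunk still declares `requiredDataConnectors`; without the criteria the content hub can no longer tell an operator that the workbook has no data until that connector is installed. Together with the `".description"` literal this looks like the workbook metadata lookup returned nothing during packaging, so the fix is probably in the source metadata file rather than here. Separately, the new `descriptionHtml` ends with "This solution is dependent on the following technologies…:" and no list follows, and the lines after it (`"Subject": "Insider Risk Management Alert"`) do not belong to this resource, so this hunk appears spliced or truncated in the page view; please confirm the generated template closes the solution resource correctly.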
diff --git a/Solutions/MimecastAudit/Data Connectors/MimecastAudit_API_AzureFunctionApp.json b/Solutions/MimecastAudit/Data Connectors/MimecastAudit_API_AzureFunctionApp.json
index ed04ce5fac1..1bff46e8f39 100644
--- a/Solutions/MimecastAudit/Data Connectors/MimecastAudit_API_AzureFunctionApp.json
+++ b/Solutions/MimecastAudit/Data Connectors/MimecastAudit_API_AzureFunctionApp.json
@@ -115,7 +115,7 @@
},
{
"title": "Deploy the Mimecast Audit & Authentication Data Connector:",
- "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastauditdataconnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy. \n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> Audit checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n"
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAudit-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy. \n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> Audit checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n"
}
],
"metadata": {
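Review bot: The re-emitted deployment description still contains the typo `integraion` in ` - mimecastEmail: Email address of dedicated user for this integraion`; since the whole string is rewritten here anyway, it should read ` - mimecastEmail: Email address of dedicated user for this integration`. The identical string is re-emitted in `Solutions/MimecastAudit/Package/mainTemplate.json` in the hunk at `@@ -429,7 +429,7 @@` (and apparently again in the hunk at `@@ -644,7 +644,7 @@`, which runs past this view), so the same one-word fix applies there.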
diff --git a/Solutions/MimecastAudit/Data Connectors/azuredeploy_MimecastAudit_AzureFunctionApp.json b/Solutions/MimecastAudit/Data Connectors/azuredeploy_MimecastAudit_AzureFunctionApp.json
index 927f64bc8dc..f19ffa6e12b 100644
--- a/Solutions/MimecastAudit/Data Connectors/azuredeploy_MimecastAudit_AzureFunctionApp.json
+++ b/Solutions/MimecastAudit/Data Connectors/azuredeploy_MimecastAudit_AzureFunctionApp.json
@@ -206,7 +206,7 @@
"active_directory_tenant_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-tenant-id', '/)')]",
"log_analytics_workspace_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-id', '/)')]",
"log_analytics_workspace_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-key', '/)')]",
- "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Data%20Connectors/MimecastAuditAzureConn.zip"
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-MimecastAudit-functionapp"
}
}
]
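Review bot: `WEBSITE_RUN_FROM_PACKAGE` now points at the short link `https://aka.ms/sentinel-MimecastAudit-functionapp`, and the template carries no version, hash or other pin for the package, so the function app will execute whatever that redirect resolves to at deploy or restart time. If aka.ms links are the repository convention for function packages, it would still help operators to record in the connector documentation which release the link resolves to, or to publish the package checksum alongside the zip, so that a deployment can be checked against a known artifact. The surrounding `Microsoft.KeyVault(SecretUri=…)` references for the credentials are unchanged and look correct.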
diff --git a/Solutions/MimecastAudit/Package/3.0.0.zip b/Solutions/MimecastAudit/Package/3.0.0.zip
index ff5715d96b6..1fc3bfb2664 100644
Binary files a/Solutions/MimecastAudit/Package/3.0.0.zip and b/Solutions/MimecastAudit/Package/3.0.0.zip differ
diff --git a/Solutions/MimecastAudit/Package/mainTemplate.json b/Solutions/MimecastAudit/Package/mainTemplate.json
index daa85ce117a..c7c6eb01aa9 100644
--- a/Solutions/MimecastAudit/Package/mainTemplate.json
+++ b/Solutions/MimecastAudit/Package/mainTemplate.json
@@ -429,7 +429,7 @@
]
},
{
- "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastauditdataconnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy. \n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> Audit checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n",
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAudit-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy. \n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> Audit checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n",
"title": "Deploy the Mimecast Audit & Authentication Data Connector:"
}
],
@@ -644,7 +644,7 @@
]
},
{
- "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastauditdataconnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy. \n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> Audit checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n",
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAudit-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy. \n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> Audit checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n",
"title": "Deploy the Mimecast Audit & Authentication Data Connector:"
}
],
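Review bot: The replacement description on L5656 still carries the typo `integraion` in the mimecastEmail bullet, so the line is rewritten without fixing it; since the whole string is being replaced for the URL change, `- mimecastEmail: Email address of dedicated user for this integration` can ride along. The removed and added lines each appear split across two physical lines here (L5654–L5655, L5656–L5657), which looks like a rendering artifact of the long string rather than a defect in the patch itself.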
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
new file mode 100644
index 00000000000..f034afa90fd
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
@@ -0,0 +1,41 @@
+id: 1818aeaa-4cc8-426b-ba54-539de896d299
+name: Mimecast Data Leak Prevention - Notifications
+description: Detects threat for data leak when action is notification
+severity: High
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastDLP_CL
+enabled: true
+query: MimecastDLP_CL| where action_s == "notification";
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1030
+alertRuleTemplateName:
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: senderAddress_s
+ - identifier: Recipient
+ columnName: recipientAddress_s
+ - identifier: DeliveryAction
+ columnName: action_s
+version: 1.0.0
+kind: Scheduled
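Review bot: The KQL on L5676 ends with a trailing `;` (`MimecastDLP_CL| where action_s == "notification";`), which no sibling rule in this change uses and which Kusto can treat as an empty trailing statement; `query: MimecastDLP_CL | where action_s == "notification"` is the safe form. `alertRuleTemplateName:` on L5687 is a key with no value, yields null when loaded, and appears in none of the other rules, so it should be dropped. MimecastDLP_Hold.yaml has the same trailing `;` on L5723, and MimecastSIEM_Virus.yaml has an empty `alertDetailsOverride:` key on L6145 with the same problem.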
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
new file mode 100644
index 00000000000..2c5c15d0926
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
@@ -0,0 +1,40 @@
+id: 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
+name: Mimecast Data Leak Prevention - Hold
+description: Detects threat for data leak when action is hold
+severity: Informational
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastDLP_CL
+enabled: true
+query: MimecastDLP_CL| where action_s == "hold";
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1030
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: senderAddress_s
+ - identifier: Recipient
+ columnName: recipientAddress_s
+ - identifier: DeliveryAction
+ columnName: action_s
+version: 1.0.0
+kind: Scheduled
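Review bot: With `queryFrequency: 5m` and `queryPeriod: 15m` on L5724–L5725 and `triggerThreshold: 0`, every matching `hold` event falls inside the window of three consecutive runs, so each event can raise an alert three times; incident grouping with `lookbackDuration: 1d` folds those into one incident, but the alert count is still inflated. Either align the window (`queryPeriod: 5m`) or, if the overlap is meant to absorb ingestion delay, filter on `ingestion_time() > ago(5m)` so each row is alerted on once. Every rule in this change uses the same 5m/15m pair (MimecastDLP, MimecastSIEM_AV, _Attachment, _Impersonation, _Internal_Mail_Protect, _Spam_Event, _Url_Protect, _Virus). `T1030` (Data Transfer Size Limits) on L5733 is also a stretch for an email DLP hit; T1048 (Exfiltration Over Alternative Protocol) is the more usual Enterprise mapping for data leaving by mail, and the same choice is made in MimecastDLP.yaml on L5686.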
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_AV.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_AV.yaml
new file mode 100644
index 00000000000..472c892188f
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_AV.yaml
@@ -0,0 +1,56 @@
+id: 0f0dc725-29dc-48c3-bf10-bd2f34fd1cbb
+name: Mimecast Secure Email Gateway - AV
+description: Detects threats from email anti virus scan
+severity: Informational
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s=="mail_av"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Execution
+relevantTechniques:
+- T1053
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+customDetails:
+ IP: IP_s
+ MsgId: MsgId_s
+ Route: Route_s
+ SenderDomain: SenderDomain_s
+ MimecastIP: MimecastIP_s
+ fileName: fileName_s
+ sha256: sha256_s
+ Size: Size_s
+ fileExt: fileExt_s
+ Virus: Virus_s
+ sha1: sha1_s
+ SenderDomainInternal: SenderDomainInternal_s
+ fileMime: fileMime_s
+ CustomerIP: CustomerIP_s
+ md5: md5_g
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: Sender_s
+ - identifier: Recipient
+ columnName: Recipient_s
+ - identifier: Subject
+ columnName: Subject_s
+version: 1.0.0
+kind: Scheduled
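Review bot: `tactics: Execution` with `relevantTechniques: T1053` on L5777–L5779 does not describe an anti-virus verdict on inbound mail: T1053 is Scheduled Task/Job. A malicious attachment stopped by AV is Initial Access via T1566 (Phishing) and, had it run, Execution via T1204 (User Execution); the Attachment Protect rule on L5846 already uses T1566 for the same situation, so aligning with it keeps incident triage consistent. MimecastSIEM_Virus.yaml (L6133–L6135) repeats the T1053 mapping, and MimecastSIEM_Spam_Event.yaml (L6023–L6025) maps spam to Discovery/T1083 (File and Directory Discovery), which fits even less.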
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
new file mode 100644
index 00000000000..7df8d30c011
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
@@ -0,0 +1,54 @@
+id: 72264f4f-61fb-4f4f-96c4-635571a376c2
+name: Mimecast Secure Email Gateway - Attachment Protect
+description: Detect threat for mail attachment under the targeted threat protection
+severity: High
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Collection
+- Exfiltration
+- Discovery
+- InitialAccess
+- Execution
+relevantTechniques:
+- T1114
+- T1566
+- T0865
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+customDetails:
+ sha256: sha256_s
+ fileName: fileName_s
+ MsgId: MsgId_s
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: Sender_s
+ - identifier: Recipient
+ columnName: Recipient_s
+ - identifier: Subject
+ columnName: Subject_s
+- entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IP_s
+version: 1.0.0
+kind: Scheduled
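Review bot: `T0865` on L5847 is an ATT&CK for ICS identifier (Spearphishing Attachment in the ICS matrix), not an Enterprise technique like the T1114 and T1566 beside it and like every other ID in this change; as far as I can tell Sentinel's tactic/technique validation expects Enterprise IDs, and T1566 already covers the attachment case, so the line should be dropped. The five tactics on L5839–L5843 are also broader than the listed techniques support; Collection (T1114) and InitialAccess (T1566) are the two the techniques justify.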
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml
new file mode 100644
index 00000000000..9abbe74c6f7
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml
@@ -0,0 +1,60 @@
+id: 7034abc9-6b66-4533-9bf3-056672fd9d9e
+name: Mimecast Secure Email Gateway - Impersonation Protect
+description: Detects threats from impersonation mail under targeted threat protection
+severity: High
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s == "mail_ttp_impersonation"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Discovery
+- LateralMovement
+- Collection
+relevantTechniques:
+- T1114
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+customDetails:
+ Subject: Subject_s
+ MsgId: MsgId_s
+ Route: Route_s
+ CustomThreatDict: CustomThreatDictionary_s
+ Action: Action_s
+ Hits: Hits_s
+ SimilarCustExtDomain: SimilarCustomExternalDomain_s
+ TaggedExternal: TaggedExternal_s
+ SimilarIntDomain: SimilarInternalDomain_s
+ Definition: Definition_s
+ NewDomain: NewDomain_s
+ InternalName: InternalName_s
+ ThreatDictionary: ThreatDictionary_s
+ SimilarMCExtDomain: SimilarMimecastExternalDomain_s
+ CustomName: CustomName_s
+ TaggedMalicious: TaggedMalicious_s
+ ReplyMismatch: ReplyMismatch_s
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: Sender_s
+ - identifier: SenderIP
+ columnName: IP_s
+ - identifier: Recipient
+ columnName: Recipient_s
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Internal_Mail_Protect.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Internal_Mail_Protect.yaml
new file mode 100644
index 00000000000..12e3c737428
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Internal_Mail_Protect.yaml
@@ -0,0 +1,52 @@
+id: 5b66d176-e344-4abf-b915-e5f09a6430ef
+name: Mimecast Secure Email Gateway - Internal Email Protect
+description: Detects threats from internal email threat protection
+severity: High
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_iep"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- LateralMovement
+- Persistence
+- Exfiltration
+relevantTechniques:
+- T1534
+- T1546
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+customDetails:
+ Subject: Subject_s
+ Route: Route_s
+ UrlCategory: UrlCategory_s
+ ScanResultInfo: ScanResultInfo_s
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: Sender_s
+ - identifier: Recipient
+ columnName: Recipient_s
+ - identifier: InternetMessageId
+ columnName: MsgId_s
+- entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL_s
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
new file mode 100644
index 00000000000..19c1b682c88
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
@@ -0,0 +1,46 @@
+id: df1b9377-5c29-4928-872f-9934a6b4f611
+name: Mimecast Secure Email Gateway - Spam Event Thread
+description: Detects threat from spam event thread protection logs
+severity: Low
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Discovery
+relevantTechniques:
+- T1083
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+customDetails:
+ MsgId: MsgId_s
+ headerFrom: headerFrom_s
+ Route: Route_s
+ SourceIP: SourceIP
+ SenderDomain: SenderDomain_s
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: Sender_s
+ - identifier: Recipient
+ columnName: Recipient_s
+ - identifier: Subject
+ columnName: Subject_s
+version: 1.0.0
+kind: Scheduled
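Review bot: `SourceIP: SourceIP` on L6039 is the only custom detail without a type suffix; every other column in this rule and its siblings is `<name>_s`, so unless the connector really emits a column named exactly `SourceIP`, this detail is empty on every alert. `SourceIP: SourceIP_s` is the likely intent; the same line appears in MimecastSIEM_Url_Protect.yaml on L6097. If the value is meant to be pivotable, it would also be worth an `IP` entity mapping as the Attachment Protect rule does with `IP_s` on L5870–L5873.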
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Url_Protect.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Url_Protect.yaml
new file mode 100644
index 00000000000..ff7ec861da5
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Url_Protect.yaml
@@ -0,0 +1,52 @@
+id: ea19dae6-bbb3-4444-a1b8-8e9ae6064aab
+name: Mimecast Secure Email Gateway - URL Protect
+description: Detect threat when potentially malicious url found
+severity: High
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_url" and reason_s != "clean"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- InitialAccess
+- Discovery
+- Execution
+relevantTechniques:
+- T1566
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+customDetails:
+ senderDomain: senderDomain_s
+ credentialTheft: credentialTheft_s
+ urlCategory: urlCategory_s
+ action: action_s
+ url: url_s
+ msgid: msgid_s
+ route: route_s
+ SourceIP: SourceIP
+ reason: reason_s
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: sender_s
+ - identifier: Recipient
+ columnName: recipient_s
+ - identifier: Subject
+ columnName: subject_s
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
new file mode 100644
index 00000000000..b82f48fd539
--- /dev/null
+++ b/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
@@ -0,0 +1,54 @@
+id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
+name: Mimecast Secure Email Gateway - Virus
+description: Detect threat for virus from mail receipt virus event
+severity: Informational
+requiredDataConnectors:
+ - connectorId: MimecastSIEMAPI
+ dataTypes:
+ - MimecastSIEM_CL
+enabled: true
+query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
+queryFrequency: 5m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+suppressionEnabled: false
+tactics:
+- Execution
+relevantTechniques:
+- T1053
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1d
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+alertDetailsOverride:
+customDetails:
+ IP: IP_s
+ MsgId: MsgId_s
+ Virus: Virus_s
+ RejType: RejType_s
+ Error: Error_s
+ RejCode: RejCode_s
+ Dir: Dir_s
+ headerFrom: headerFrom_s
+ Act: Act_s
+ RejInfo: RejInfo_s
+ TlsVer: TlsVer_s
+ Cphr: Cphr_s
+entityMappings:
+- entityType: MailMessage
+ fieldMappings:
+ - identifier: Sender
+ columnName: Sender_s
+ - identifier: Recipient
+ columnName: Rcpt_s
+ - identifier: Subject
+ columnName: Subject_s
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/__init__.py b/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/__init__.py
new file mode 100644
index 00000000000..2c093975389
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/__init__.py
@@ -0,0 +1,83 @@
+import datetime
+import logging
+import json
+import os
+import azure.functions as func
+
+from ..Helpers.date_helper import DateHelper
+from ..Helpers.request_helper import RequestHelper
+from ..Helpers.response_helper import ResponseHelper
+from ..Helpers.azure_monitor_collector import AzureMonitorCollector
+from ..Models.Error.errors import MimecastRequestError, AzureMonitorCollectorRequestError
+from ..Models.Request.get_data_leak_protection_logs import GetDataLeakProtectionLogsRequest
+from ..Models.Enum.mimecast_endpoints import MimecastEndpoints
+from ..TransformData.dlp_parser import DLPParser
+
+
+def main(mytimer: func.TimerRequest, checkpoint: str) -> str:
+ utc_timestamp = datetime.datetime.utcnow().replace(
+ tzinfo=datetime.timezone.utc).isoformat()
+
+ if mytimer.past_due:
+ logging.info('The timer is past due!')
+
+ logging.info('Python timer trigger function ran at %s', utc_timestamp)
+
+ request_helper = RequestHelper()
+ response_helper = ResponseHelper()
+ azure_monitor_collector = AzureMonitorCollector()
+
+ request_helper.set_request_credentials(email=os.environ['mimecast_email'],
+ password=os.environ['mimecast_password'],
+ app_id=os.environ['mimecast_app_id'],
+ app_key=os.environ['mimecast_app_key'],
+ access_key=os.environ['mimecast_access_key'],
+ secret_key=os.environ['mimecast_secret_key'],
+ base_url=os.environ['mimecast_base_url'])
+
+ # datetime manipulation is done to assure there is neither duplicate nor missing logs
+ start_date = checkpoint if checkpoint else DateHelper.get_utc_time_in_past(days=7)
+ mimecast_start_date = datetime.datetime.strptime(start_date, "%Y-%m-%dT%H:%M:%S%z") + datetime.timedelta(seconds=1)
+ mimecast_start_date = mimecast_start_date.strftime("%Y-%m-%dT%H:%M:%S%z")
+ end_date = datetime.datetime.fromisoformat(utc_timestamp) - datetime.timedelta(seconds=15)
+ mimecast_end_date = end_date.strftime("%Y-%m-%dT%H:%M:%S%z")
+
+ mapped_response_data, model, next_token, has_more_logs = request_helper.set_initial_values()
+ dlp_parser = DLPParser()
+ parsed_logs = []
+
+ try:
+ while has_more_logs:
+ model = GetDataLeakProtectionLogsRequest(mimecast_start_date, mimecast_end_date, next_token)
+ response = request_helper.send_post_request(model.payload, MimecastEndpoints.get_data_leak_protection_logs)
+ response_helper.check_response_codes(response, MimecastEndpoints.get_data_leak_protection_logs)
+ success_response = response_helper.parse_success_response(response)
+ has_more_logs, next_token = response_helper.get_next_token(response)
+ parsed_logs.extend(dlp_parser.parse(logs=success_response[0]['dlpLogs']))
+ except MimecastRequestError as e:
+ logging.error('Failed to get DLP logs from Mimecast.', extra={'request_id': request_helper.request_id})
+ e.request_id = request_helper.request_id
+ raise e
+ except Exception as e:
+ logging.error('Unknown Exception raised.', extra={'request_id': request_helper.request_id})
+ raise e
+
+ try:
+ if parsed_logs:
+ workspace_id = os.environ['log_analytics_workspace_id']
+ workspace_key = os.environ['log_analytics_workspace_key']
+ log_type = 'MimecastDLP'
+ body = json.dumps(parsed_logs)
+ azure_monitor_collector.post_data(workspace_id, workspace_key, body, log_type)
+ # logs are sorted so next line will return the latest log date
+ return parsed_logs[-1]['eventTime']
+ else:
+ logging.info("There are no DLP logs for this period.")
+ return mimecast_end_date
+ except AzureMonitorCollectorRequestError as e:
+ logging.error('Failed to send DLP logs to Azure Sentinel.', extra={'request_id': request_helper.request_id})
+ e.request_id = request_helper.request_id
+ raise e
+ except Exception as e:
+ logging.error('Unknown Exception raised.', extra={'request_id': request_helper.request_id})
+ raise e
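Review bot: The checkpoint read on L6215–L6216 is parsed with the single format `%Y-%m-%dT%H:%M:%S%z`, but the value written back on L6249 is `parsed_logs[-1]['eventTime']`, whose format comes from `DLPParser` and is not visible here; if it carries fractional seconds or any other shape (the sibling `DateHelper.convert_from_mimecast_format` returns `isoformat()`, which does when microseconds are present), the next invocation raises at L6216 before fetching anything and every later run fails the same way. Normalising the return value to the format the reader expects, e.g. `return datetime.datetime.fromisoformat(parsed_logs[-1]['eventTime']).strftime("%Y-%m-%dT%H:%M:%S%z")` (assuming eventTime is ISO 8601), or reading the checkpoint through the same tolerant parser, closes the loop. Separately, everything fetched since the checkpoint — up to seven days on first run — is serialised into one `post_data` call on L6246–L6247; the Data Collector API limits a single post to roughly 30 MB, so chunking `parsed_logs` before posting would avoid a hard failure on backlog.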
diff --git a/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/function.json b/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/function.json
new file mode 100644
index 00000000000..918e9ff28a8
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/function.json
@@ -0,0 +1,24 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "0 */5 * * * *"
+ },
+ {
+ "name": "checkpoint",
+ "type": "blob",
+ "dataType": "string",
+ "path": "siem-checkpoints/dlp-checkpoint.txt",
+ "direction": "in"
+ },
+ {
+ "name": "$return",
+ "type": "blob",
+ "path": "siem-checkpoints/dlp-checkpoint.txt",
+ "direction": "out"
+ }
+ ]
+}
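Review bot: `checkpoint` is a blob input bound as `dataType: string` to `siem-checkpoints/dlp-checkpoint.txt` (L6276–L6280), and the function code on L6215 falls back to a seven-day window only when that value is empty; unless the host hands the function `None`/`""` for a missing blob, a fresh deployment fails at binding time until someone seeds the blob. The deployment steps for this connector are not in this chunk; they should tell the operator to create the empty blob, or the function should handle absence explicitly. The SIEM sibling on L6411 has the same dependency on a pre-seeded `siem-checkpoints/checkpoint.txt`.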
\ No newline at end of file
diff --git a/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/readme.md b/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/readme.md
new file mode 100644
index 00000000000..e8b7e887365
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/GetDLPLogs/readme.md
@@ -0,0 +1,11 @@
+# TimerTrigger - Python
+
+The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes.
+
+## How it works
+
+For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".
+
+## Learn more
+
+ Documentation
diff --git a/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/__init__.py b/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/__init__.py
new file mode 100644
index 00000000000..78f47d615e1
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/__init__.py
@@ -0,0 +1,78 @@
+import datetime
+import logging
+import json
+import os
+import azure.functions as func
+from ..Helpers.request_helper import RequestHelper
+from ..Helpers.siem_response_helper import SIEMResponseHelper
+from ..Helpers.azure_monitor_collector import AzureMonitorCollector
+from ..Models.Error.errors import MimecastRequestError, AzureMonitorCollectorRequestError
+from ..Models.Request.get_siem_logs import GetSIEMLogsRequest
+from ..Models.Enum.mimecast_endpoints import MimecastEndpoints
+from ..TransformData.siem_parser import SiemParser
+
+
+def main(mytimer: func.TimerRequest, checkpoint: str) -> str:
+ utc_timestamp = datetime.datetime.utcnow().replace(
+ tzinfo=datetime.timezone.utc).isoformat()
+
+ if mytimer.past_due:
+ logging.info('The timer is past due!')
+
+ logging.info('Python timer trigger function ran at %s', utc_timestamp)
+
+ request_helper = RequestHelper()
+ response_helper = SIEMResponseHelper()
+ azure_monitor_collector = AzureMonitorCollector()
+
+ request_helper.set_request_credentials(email=os.environ['mimecast_email'],
+ password=os.environ['mimecast_password'],
+ app_id=os.environ['mimecast_app_id'],
+ app_key=os.environ['mimecast_app_key'],
+ access_key=os.environ['mimecast_access_key'],
+ secret_key=os.environ['mimecast_secret_key'],
+ base_url=os.environ['mimecast_base_url'])
+ next_token = checkpoint
+ has_more_logs = True
+ siem_parser = SiemParser()
+ parsed_logs = []
+ file_format = 'key_value'
+ model = {}
+
+ try:
+ while has_more_logs:
+ model = GetSIEMLogsRequest(file_format, next_token)
+ response = request_helper.send_post_request(model.payload, MimecastEndpoints.get_siem_logs)
+ response_helper.check_response_codes(response, MimecastEndpoints.get_siem_logs)
+ success_response = response_helper.parse_siem_success_response(response, file_format)
+ has_more_logs, next_token = response_helper.get_siem_next_token(response)
+ parsed_logs.extend(siem_parser.parse(logs=success_response))
+ checkpoint = model.payload['data'][0]['token']
+ SIEMResponseHelper.response = []
+
+ except MimecastRequestError as e:
+ logging.error('Failed to get SIEM logs from Mimecast.', extra={'request_id': request_helper.request_id})
+ e.request_id = request_helper.request_id
+ raise e
+ except Exception as e:
+ logging.error('Unknown Exception raised.', extra={'request_id': request_helper.request_id})
+ raise e
+
+ try:
+ if parsed_logs:
+ workspace_id = os.environ['log_analytics_workspace_id']
+ workspace_key = os.environ['log_analytics_workspace_key']
+ log_type = 'MimecastSIEM'
+ body = json.dumps(parsed_logs)
+ azure_monitor_collector.post_data(workspace_id, workspace_key, body, log_type)
+ else:
+ logging.info("There are no SIEM logs for this period.")
+ return checkpoint
+
+ except AzureMonitorCollectorRequestError as e:
+ logging.error('Failed to send SIEM logs to Azure Sentinel.', extra={'request_id': request_helper.request_id})
+ e.request_id = request_helper.request_id
+ raise e
+ except Exception as e:
+ logging.error('Unknown Exception raised.', extra={'request_id': request_helper.request_id})
+ raise e
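Review bot: The `while has_more_logs` loop on L6356–L6364 has no page cap, and the checkpoint is only persisted by the `return` on L6383 after everything has been fetched and posted; on a backlog the invocation can hit the Functions execution timeout, the return never happens, and the next run starts from the same blob token and repeats the work, so the connector stops making progress. A bounded number of pages per run, posting what was fetched and returning the token reached, keeps each invocation short and makes progress durable. L6363 stores the token that was sent (`model.payload['data'][0]['token']`) rather than the `next_token` the last response returned, so if the final response carried both data and a new token, that last page is fetched again next run; whether that is the intended Mimecast semantics (retry the same token when no data came back) should be confirmed and stated in a comment. `SIEMResponseHelper.response = []` on L6364 resets class-level state from the caller, which is fragile if the helper is ever shared; the helper should own that reset.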
diff --git a/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/function.json b/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/function.json
new file mode 100644
index 00000000000..e3cb8ad7734
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/function.json
@@ -0,0 +1,24 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "0 */15 * * * *"
+ },
+ {
+ "name": "checkpoint",
+ "type": "blob",
+ "dataType": "string",
+ "path": "siem-checkpoints/checkpoint.txt",
+ "direction": "in"
+ },
+ {
+ "name": "$return",
+ "type": "blob",
+ "path": "siem-checkpoints/checkpoint.txt",
+ "direction": "out"
+ }
+ ]
+}
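Review bot: The schedule on L6405 runs every 15 minutes, but the readme added beside it (L6431, L6435) is the unmodified TimerTrigger template text describing a 5-minute schedule, so the documentation contradicts the binding; either update the readme to `0 */15 * * * *` and say why the SIEM cadence differs from the DLP function's 5 minutes, or drop the stock readme. Neither readme mentions the checkpoint blob these bindings read and write, which is the one operational detail a deployer needs.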
\ No newline at end of file
diff --git a/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/readme.md b/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/readme.md
new file mode 100644
index 00000000000..e8b7e887365
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/GetSIEMLogs/readme.md
@@ -0,0 +1,11 @@
+# TimerTrigger - Python
+
+The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes.
+
+## How it works
+
+For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".
+
+## Learn more
+
+ Documentation
diff --git a/Solutions/MimecastSEG/Data Connectors/Helpers/azure_monitor_collector.py b/Solutions/MimecastSEG/Data Connectors/Helpers/azure_monitor_collector.py
new file mode 100644
index 00000000000..beee6be13f2
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Helpers/azure_monitor_collector.py
@@ -0,0 +1,50 @@
+import requests
+import datetime
+import hashlib
+import hmac
+import base64
+import logging
+
+from ..Models.Error.errors import AzureMonitorCollectorRequestError
+
+
+class AzureMonitorCollector:
+ """AzureMonitorCollector responsible for sending data from all functions to Log Analytics Workspace(Sentinel)."""
+
+ @staticmethod
+ def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource):
+ """Generating proper Authorization header."""
+ x_headers = 'x-ms-date:' + date
+ string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
+ bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
+ decoded_key = base64.b64decode(shared_key)
+ encoded_hash = base64.b64encode(
+ hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
+ authorization = "SharedKey {}:{}".format(customer_id, encoded_hash)
+ return authorization
+
+ def post_data(self, customer_id, shared_key, body, log_type):
+ """Sending logs through proper API version to Log Analytics Workspace."""
+ method = 'POST'
+ content_type = 'application/json'
+ resource = '/api/logs'
+ rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
+ content_length = len(body)
+ signature = self.build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type,
+ resource)
+ uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
+
+ headers = {
+ 'content-type': content_type,
+ 'Authorization': signature,
+ 'Log-Type': log_type,
+ 'x-ms-date': rfc1123date,
+ 'time-generated-field': 'time_generated'
+ }
+
+ response = requests.post(uri, data=body, headers=headers)
+ if 200 <= response.status_code <= 299:
+ logging.info('Logs sent successfully!')
+ else:
+ logging.error("Azure Monitor Collector response code: {}".format(response.status_code))
+ raise AzureMonitorCollectorRequestError("Azure Monitor Collector response code: {}".format(response.status_code))
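Review bot: `requests.post` on L6490 has no `timeout`, so a stalled connection to the Data Collector endpoint blocks the invocation until the Functions host kills it and the callers' checkpoint is never written; `response = requests.post(uri, data=body, headers=headers, timeout=30)` (value illustrative) turns that into a `requests.RequestException` that the callers' `except Exception` already logs and re-raises. The signature on L6463 and the header length on L6477 both use `len(body)` of a `str`; that equals the byte length only because the callers' `json.dumps` leaves the body ASCII-escaped, which deserves a comment or a switch to `len(body.encode('utf-8'))` so a future `ensure_ascii=False` does not silently break the HMAC. The non-2xx branch on L6493–L6495 discards `response.text`, which for a 403 typically carries the reason the signature was rejected; including it in the log line would shorten diagnosis.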
diff --git a/Solutions/MimecastSEG/Data Connectors/Helpers/date_helper.py b/Solutions/MimecastSEG/Data Connectors/Helpers/date_helper.py
new file mode 100644
index 00000000000..d217a35e126
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Helpers/date_helper.py
@@ -0,0 +1,28 @@
+import datetime
+
+from ..Models.Error.errors import ParsingError
+
+
+class DateHelper:
+ """DateHelper class responsible for making Mimecast specific date formats needed in request models."""
+
+ @staticmethod
+ def get_utc_time_in_past(days):
+ """Generating time by subtracting days from current UTC time."""
+ now = datetime.datetime.utcnow()
+ offset_time = now - datetime.timedelta(days=days)
+ offset_time = offset_time.replace(tzinfo=datetime.timezone.utc)
+ return offset_time.strftime("%Y-%m-%dT%H:%M:%S%z")
+
+ @staticmethod
+ def convert_from_mimecast_format(datetime_str):
+ try:
+ datetime_obj = datetime.datetime.strptime(datetime_str, '%Y-%m-%dT%H:%M:%S%z')
+ except ValueError:
+ try:
+ datetime_obj = datetime.datetime.strptime(datetime_str, '%Y-%m-%dT%H:%M:%S.%fZ')
+ except ValueError:
+ raise ParsingError(f'Unknown time format: {datetime_str}')
+
+ converted_datetime = datetime_obj.astimezone(datetime.timezone.utc).isoformat()
+ return converted_datetime
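Review bot: In convert_from_mimecast_format the second strptime pattern `'%Y-%m-%dT%H:%M:%S.%fZ'` matches the literal `Z` but yields a naive datetime, so the following `astimezone(datetime.timezone.utc)` interprets it in the process's local timezone instead of UTC; on any host not running in UTC the resulting `time_generated` is shifted by the local offset. Setting the zone explicitly in that branch fixes it: `datetime_obj = datetime.datetime.strptime(datetime_str, '%Y-%m-%dT%H:%M:%S.%fZ').replace(tzinfo=datetime.timezone.utc)`. The same naive-then-replace pattern in get_utc_time_in_past can be written as `datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(days=days)`, which avoids `utcnow()` altogether.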
diff --git a/Solutions/MimecastSEG/Data Connectors/Helpers/request_helper.py b/Solutions/MimecastSEG/Data Connectors/Helpers/request_helper.py
new file mode 100644
index 00000000000..a3d17cdc19a
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Helpers/request_helper.py
@@ -0,0 +1,124 @@
+from ..Models.Enum.mimecast_endpoints import MimecastEndpoints
+from ..Models.Enum.mimecast_response_codes import MimecastResponseCodes
+from ..Models.Error.errors import MimecastRequestError
+from ..Models.Request.refresh_access_key import RefreshAccessKeyRequest
+import base64
+from hashlib import sha1 as EncryptionAlgo
+import hmac
+import uuid
+import datetime
+import requests
+import logging
+import time
+import math
+
+
+class RequestHelper:
+ """HttpClient responsible for making proper request headers and sending POST requests to APIs."""
+
+ request_id = None
+ app_id = None
+ app_key = None
+ access_key = None
+ secret_key = None
+ base_url = None
+ email = None
+ password = None
+ https_ip = None
+ https_port = None
+ proxy_username = None
+ proxy_password = None
+
+ def set_request_credentials(self, app_id, app_key, access_key, secret_key, base_url, email, password):
+ """Setting object credentials to be used for generating proper request headers."""
+ self.app_id = app_id
+ self.app_key = app_key
+ self.access_key = access_key
+ self.secret_key = secret_key
+ self.base_url = base_url
+ self.email = email
+ self.password = password
+
+ def set_proxy_credentials(self, https_ip, https_port, proxy_username, proxy_password):
+ """Setting object proxy credentials to be used for generating proper proxy request configuration."""
+ self.https_ip = https_ip
+ self.https_port = https_port
+ self.proxy_username = proxy_username
+ self.proxy_password = proxy_password
+
+ def send_post_request(self, payload, request_uri):
+ """Sending POST requests to Mimecast API."""
+ headers = self.generate_proper_headers(request_uri)
+ proxies = {}
+ if hasattr(self, 'https_ip') and self.https_ip:
+ https_proxy = 'https://{https_ip}:{https_port}'.format(https_ip=self.https_ip, https_port=self.https_port)
+ proxies.update({'https': https_proxy})
+ if hasattr(self, 'proxy_username') and self.proxy_username:
+ auth = 'https://{proxy_username}:{proxy_password}@{https_ip}:{https_port}/'.format(
+ proxy_username=self.proxy_username,
+ proxy_password=self.proxy_password,
+ https_ip=self.https_ip,
+ https_port=self.https_port)
+ proxies.update({'https': auth})
+ try:
+ if proxies:
+ response = requests.post(url=self.base_url + request_uri,
+ headers=headers,
+ data=str(payload),
+ timeout=120,
+ proxies=proxies)
+ else:
+ response = requests.post(url=self.base_url + request_uri,
+ headers=headers,
+ data=str(payload),
+ timeout=120)
+ except Exception:
+ raise MimecastRequestError("Call to " + self.base_url + request_uri + " failed.")
+
+ if response.status_code == MimecastResponseCodes.quota_exceeded:
+ sleep_duration = math.ceil(int(response.headers['X-RateLimit-Reset']) / 1000)
+ logging.info('Rate limit hit. Sleeping for {0} seconds.'.format(sleep_duration))
+ if sleep_duration > 0:
+ time.sleep(sleep_duration)
+ logging.info('Trying again...')
+ response = self.send_post_request(payload, request_uri)
+ elif response.status_code == MimecastResponseCodes.binding_expired:
+ logging.info('Access key expired.')
+ raise MimecastRequestError("Access key expired.")
+ return response
+
+ def generate_proper_headers(self, request_uri):
+ """Condition for generating headers for refresh access key request or for all other requests."""
+ headers = self.make_request_headers(request_uri)
+ logging.info("URL: {0} Request ID: {1}".format(self.base_url + request_uri, headers['x-mc-req-id']))
+
+ return headers
+
+ def make_request_headers(self, request_uri):
+ """Generating specific headers from Mimecast credentials."""
+ self.request_id = str(uuid.uuid4())
+ hdr_date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S UTC")
+ unsigned_auth_header = '{date}:{req_id}:{uri}:{app_key}'.format(
+ date=hdr_date,
+ req_id=self.request_id,
+ uri=request_uri,
+ app_key=self.app_key
+ )
+ hmac_sha1 = hmac.new(
+ base64.b64decode(self.secret_key),
+ unsigned_auth_header.encode(),
+ digestmod=EncryptionAlgo).digest()
+ sig = base64.encodebytes(hmac_sha1).rstrip()
+ headers = {
+ 'Authorization': 'MC ' + self.access_key + ':' + sig.decode(),
+ 'x-mc-app-id': self.app_id,
+ 'x-mc-date': hdr_date,
+ 'x-mc-req-id': self.request_id,
+ 'Content-Type': 'application/json'
+ }
+ return headers
+
+ @staticmethod
+ def set_initial_values():
+ """Generating default values before execution enters the loop."""
+ return [], {}, '', True
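Review bot: The rate-limit branch of send_post_request indexes `response.headers['X-RateLimit-Reset']` with no fallback, so a 429 that omits the header becomes a KeyError instead of a retry, and the retry is an unbounded recursive call to `self.send_post_request`, so a persistently throttled endpoint recurses until the function host times out. Use `response.headers.get('X-RateLimit-Reset')` with a default delay and a bounded retry loop or counter rather than self-recursion. The body is sent as `data=str(payload)`; if callers pass the `payload` dicts built by the Request models this produces Python repr (single quotes, `True`) rather than JSON, so `data=json.dumps(payload)` is the safe form unless every caller already serialises — I cannot see the callers from this hunk. The `except Exception` also drops the underlying error; `raise MimecastRequestError(...) from exc` keeps the cause available when triaging failed collections.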
diff --git a/Solutions/MimecastSEG/Data Connectors/Helpers/response_helper.py b/Solutions/MimecastSEG/Data Connectors/Helpers/response_helper.py
new file mode 100644
index 00000000000..6a2980c161a
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Helpers/response_helper.py
@@ -0,0 +1,63 @@
+from ..Models.Enum.mimecast_response_codes import MimecastResponseCodes
+import logging
+import json
+
+from ..Models.Error.errors import InvalidDataError
+
+
+class ResponseHelper:
+ """ResponseHelper responsible for checking is token in response headers, also parsing and mapping responses."""
+
+ next_token = ''
+ response = []
+
+ def __init__(self):
+ """Initial setup of logger and default value for Mimecast endpoint."""
+ self.mimecast_endpoint = None
+
+ def check_response_codes(self, response, mimecast_endpoint):
+ """Checking all response codes from Mimecast documentation and logging errors."""
+ self.mimecast_endpoint = mimecast_endpoint
+ if response.status_code == MimecastResponseCodes.success:
+ return response
+ elif response.status_code == MimecastResponseCodes.bad_request:
+ logging.error("Request cannot be processed because it is either malformed or not correct.")
+ elif response.status_code == MimecastResponseCodes.unauthorized:
+ logging.error("Authorization information is either missing, incomplete or incorrect.")
+ elif response.status_code == MimecastResponseCodes.forbidden:
+ logging.error("Access is denied to the requested resource."
+ "The user may not have enough permission to perform the action.")
+ elif response.status_code == MimecastResponseCodes.not_found:
+ logging.error("The requested resource does not exist.")
+ elif response.status_code == MimecastResponseCodes.conflict:
+ logging.error("The current status of the relying data does not match what is defined in the request.")
+ elif response.status_code == MimecastResponseCodes.internal_server_error:
+ logging.error("The request was not processed successfully or an issue has occurred on the Mimecast side.")
+ else:
+ logging.error("Unknown error.Please contact API administrator.")
+
+ def parse_success_response(self, response):
+ """Logging and checking response body for errors."""
+ try:
+ response_text = json.loads(response.text)
+ except json.JSONDecodeError:
+ logging.error(self.mimecast_endpoint + ": Invalid content provided. Probably no more logs left.")
+ raise InvalidDataError('Invalid content provided. Probably no more logs.')
+
+ if response_text['fail']:
+ logging.error(self.mimecast_endpoint + ": " + response_text['fail'][0]['errors'][0]['message'])
+ else:
+ return response_text['data']
+
+ @staticmethod
+ def get_next_token(response):
+ """Extracting token from response headers."""
+ has_more_data = False
+ dictionary_response = json.loads(response.text)
+ if 'pagination' in dictionary_response['meta']:
+ if 'next' in dictionary_response['meta']['pagination']:
+ has_more_data = True
+ ResponseHelper.next_token = dictionary_response['meta']['pagination']['next']
+ else:
+ ResponseHelper.next_token = ''
+ return has_more_data, ResponseHelper.next_token
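Review bot: parse_success_response only logs when `response_text['fail']` is truthy and then falls off the end, so the caller receives None and cannot tell an API-level failure from an empty page; the sibling SIEMResponseHelper raises in the same situation and this class should match it: `raise MimecastRequestError(self.mimecast_endpoint + ": " + response_text['fail'][0]['errors'][0]['message'])`. check_response_codes has the same shape, returning None after logging for every non-success status. get_next_token stores the token on the class attribute `ResponseHelper.next_token`, so it is shared by every helper instance in the process; returning the value alone, or writing to an instance attribute, avoids cross-talk between endpoints. `response_text['fail']` and `dictionary_response['meta']` are indexed without `.get`, so a response missing those keys surfaces as KeyError rather than the InvalidDataError callers handle.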
diff --git a/Solutions/MimecastSEG/Data Connectors/Helpers/siem_response_helper.py b/Solutions/MimecastSEG/Data Connectors/Helpers/siem_response_helper.py
new file mode 100644
index 00000000000..ca77b0daeea
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Helpers/siem_response_helper.py
@@ -0,0 +1,105 @@
+from zipfile import ZipFile, BadZipfile
+import logging
+import json
+import io
+
+from ..Models.Enum.mimecast_response_codes import MimecastResponseCodes
+from ..Models.Error.errors import InvalidDataError, ParsingError, MimecastRequestError
+
+
+class SIEMResponseHelper:
+ """SIEMResponseHelper responsible for checking is token in response headers and parsing responses."""
+
+ next_token = ''
+ mimecast_endpoint = None
+
+ def check_response_codes(self, response, mimecast_endpoint):
+ """Checking all response codes from Mimecast documentation and logging errors."""
+ self.mimecast_endpoint = mimecast_endpoint
+ if response.status_code == MimecastResponseCodes.success:
+ return response
+ elif response.status_code == MimecastResponseCodes.bad_request:
+ logging.error("Request cannot be processed because it is either malformed or not correct.")
+ elif response.status_code == MimecastResponseCodes.unauthorized:
+ logging.error("Authorization information is either missing, incomplete or incorrect.")
+ elif response.status_code == MimecastResponseCodes.forbidden:
+ logging.error("Access is denied to the requested resource."
+ "The user may not have enough permission to perform the action.")
+ elif response.status_code == MimecastResponseCodes.not_found:
+ logging.error("The requested resource does not exist.")
+ elif response.status_code == MimecastResponseCodes.conflict:
+ logging.error("The current status of the relying data does not match what is defined in the request.")
+ elif response.status_code == MimecastResponseCodes.internal_server_error:
+ logging.error("The request was not processed successfully or an issue has occurred on the Mimecast side.")
+ else:
+ logging.error("Unknown error.Please contact API administrator.")
+
+ def parse_siem_success_response(self, response, file_format):
+ """Parsing SIEM responses depending on file format parameter."""
+ if response.headers.get('Content-Type') == 'application/octet-stream':
+ parsed_events = SIEMResponseHelper.parse_compressed_data(response, file_format)
+ return parsed_events
+ else:
+ try:
+ response_text = json.loads(response.text)
+ except json.JSONDecodeError:
+ logging.error(self.mimecast_endpoint + ": Invalid content provided. Probably no more logs left.")
+ raise InvalidDataError('No more logs.')
+ else:
+ if response_text['fail']:
+ logging.error(self.mimecast_endpoint + ": " + response_text['fail'][0]['errors'][0]['message'])
+ raise MimecastRequestError(self.mimecast_endpoint + ": " + response_text['fail'][0]['errors'][0]['message'])
+
+ @staticmethod
+ def parse_compressed_data(response, file_format):
+ """Parsing compressed responses."""
+ events = []
+ try:
+ byte_content = io.BytesIO(response.content)
+ zip_file = ZipFile(byte_content)
+ except TypeError:
+ raise ParsingError(
+ "Parsing of SIEM compressed data failed. Invalid content provided. Probably no more logs left.")
+ except BadZipfile:
+ raise ParsingError(
+ "Parsing of SIEM compressed data failed. Invalid zip file provided. Probably no more logs left.")
+
+ for file_name in zip_file.namelist():
+ content = zip_file.open(file_name).read()
+ splitted_filename = file_name.split('_')
+ if splitted_filename[0] == 'ttp':
+ log_type = '{0}_{1}'.format(splitted_filename[0], splitted_filename[1])
+ else:
+ log_type = splitted_filename[0]
+ if file_format == 'key_value':
+ raw_events = SIEMResponseHelper.parse_key_value_response(content)
+ else:
+ raw_events = json.loads(content, encoding='utf-8')['data']
+ for raw_event in raw_events:
+ raw_event.update({'logType': log_type})
+ events += raw_events
+ return events
+
+ @staticmethod
+ def parse_key_value_response(file):
+ """Parsing key_value file format responses."""
+ events = []
+ raw_events = file.decode('utf-8')
+ string_events = raw_events.split('datetime=')
+ for string_event in string_events:
+ if string_event != '':
+ event = "datetime={0}".format(string_event)
+ dict_string = dict(item.split("=", 1) for item in event.rstrip().split("|"))
+ events.append(dict_string)
+ return events
+
+ @staticmethod
+ def get_siem_next_token(response):
+ """Extracting SIEM token from response headers."""
+ has_more_logs = False
+ if 'mc-siem-token' in response.headers:
+ has_more_logs = True
+ SIEMResponseHelper.next_token = response.headers['mc-siem-token']
+ else:
+ SIEMResponseHelper.next_token = ''
+ return has_more_logs, SIEMResponseHelper.next_token
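Review bot: `json.loads(content, encoding='utf-8')` in parse_compressed_data passes the `encoding` keyword, which json.loads no longer accepts as of Python 3.9, so the JSON file-format path raises TypeError on a current runtime; `json.loads(content)['data']` is enough, since json.loads decodes bytes itself. Each archive member is read in full with `zip_file.open(file_name).read()` without looking at its declared size, so an unexpectedly large or malformed archive from the upstream API is decompressed into memory without bound; checking `zip_file.getinfo(file_name).file_size` against a ceiling before reading, and opening with `with zip_file.open(file_name) as member:`, would contain that and close the handle. `splitted_filename[1]` raises IndexError for a member named just `ttp`, and `dict(item.split("=", 1) for ...)` in parse_key_value_response raises ValueError on any `|`-separated item lacking `=`, so both escape as unhandled errors instead of ParsingError.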
diff --git a/Solutions/MimecastSEG/Data Connectors/MimecastSEGSentinelConn.zip b/Solutions/MimecastSEG/Data Connectors/MimecastSEGSentinelConn.zip
new file mode 100644
index 00000000000..5f68afbaeda
Binary files /dev/null and b/Solutions/MimecastSEG/Data Connectors/MimecastSEGSentinelConn.zip differ
diff --git a/Solutions/MimecastSEG/Data Connectors/MimecastSEG_API_AzureFunctionApp.json b/Solutions/MimecastSEG/Data Connectors/MimecastSEG_API_AzureFunctionApp.json
new file mode 100644
index 00000000000..319ef81b4d4
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/MimecastSEG_API_AzureFunctionApp.json
@@ -0,0 +1,153 @@
+{
+ "id": "MimecastSIEMAPI",
+ "title": "Mimecast Secure Email Gateway",
+ "publisher": "Mimecast",
+ "descriptionMarkdown": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n ",
+ "graphQueries": [
+ {
+ "metricName": "Total Secure Email Gateway data received",
+ "legend": "MimecastSIEM_CL",
+ "baseQuery": "MimecastSIEM_CL"
+ },
+ {
+ "metricName": "Total Data Leak Prevention data received",
+ "legend": "MimecastDLP_CL",
+ "baseQuery": "MimecastDLP_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "MimecastSIEM_CL",
+ "query": "MimecastSIEM_CL\n| sort by TimeGenerated desc"
+ },
+ {
+ "description" : "MimecastDLP_CL",
+ "query": "MimecastDLP_CL\n| sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MimecastSIEM_CL",
+ "lastDataReceivedQuery": "MimecastSIEM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "MimecastDLP_CL",
+ "lastDataReceivedQuery": "MimecastDLP_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MimecastSIEM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+ "MimecastDLP_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ },
+ {
+ "name": "Mimecast API credentials",
+ "description": "You need to have the following pieces of information to configure the integration:\n- mimecastEmail: Email address of a dedicated Mimecast admin user\n- mimecastPassword: Password for the dedicated Mimecast admin user\n- mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAccessKey: Access Key for the dedicated Mimecast admin user\n- mimecastSecretKey: Secret Key for the dedicated Mimecast admin user\n- mimecastBaseURL: Mimecast Regional API Base URL\n\n> The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.\n\n> The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/"
+ },
+ {
+ "name": "Resource group",
+ "description": "You need to have a resource group created with a subscription you are going to use."
+ },
+ {
+ "name": "Functions app",
+ "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "title": "",
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "title": "Configuration:",
+ "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)"
+ },
+ {
+ "title": "",
+ "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "Deploy the Mimecast Secure Email Gateway Data Connector:",
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEG-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> SIEM checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt, dlp-checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n"
+ }
+ ],
+ "metadata": {
+ "id": "d394478b-62f5-49c9-9ce7-96ed999cc727",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Mimecast"
+ },
+ "author": {
+ "name": "Mimecast"
+ },
+ "support": {
+ "tier": "Partner",
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+}
\ No newline at end of file
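Review bot: The workspace entry under `permissions.resourceProvider` requests `"delete": true` on Microsoft.OperationalInsights/workspaces, while log ingestion through the Data Collector API needs only read and write plus the sharedKeys action declared in the next entry; if the deployment template does not actually delete workspace resources, dropping it keeps the connector at least privilege — I cannot confirm from this file whether it is needed. The deploy-step description also contains the typo `integraion`, which should read `integration`.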
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Enum/__init__.py b/Solutions/MimecastSEG/Data Connectors/Models/Enum/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Enum/mimecast_endpoints.py b/Solutions/MimecastSEG/Data Connectors/Models/Enum/mimecast_endpoints.py
new file mode 100644
index 00000000000..34460681966
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Enum/mimecast_endpoints.py
@@ -0,0 +1,3 @@
+class MimecastEndpoints:
+ get_siem_logs = '/api/audit/get-siem-logs'
+ get_data_leak_protection_logs = '/api/dlp/get-logs'
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Enum/mimecast_response_codes.py b/Solutions/MimecastSEG/Data Connectors/Models/Enum/mimecast_response_codes.py
new file mode 100644
index 00000000000..559120d4992
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Enum/mimecast_response_codes.py
@@ -0,0 +1,31 @@
+class MimecastResponseCodes:
+
+ success = 200
+ """The request was processed and executed. This does not mean that the requested action was successful.
+ Function-level success or failure is indicated in the response body content."""
+
+ bad_request = 400
+ """The request cannot be processed because it is either malformed or not correct."""
+
+ unauthorized = 401
+ """Authorization information is either missing, incomplete or incorrect."""
+
+ forbidden = 403
+ """Access is denied to the requested resource. The user may not have enough permission to perform the action."""
+
+ not_found = 404
+ """The requested resource does not exist."""
+
+ conflict = 409
+ """The current status of the relying data does not match what is defined in the request."""
+
+ binding_expired = 418
+ """The TTL of the access key and secret key issued on successful login has lapsed and the binding should be
+ refreshed as described in the Authentication guide."""
+
+ quota_exceeded = 429
+ """The number of requests sent to the given resource has exceeded the rate limiting policy applied to the resource
+ for a given time period. Rate limiting is applied differently per resource and is subject to change."""
+
+ internal_server_error = 500
+ """The request was not processed successfully or an issue has occurred in the Mimecast platform."""
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Enum/siem_types.py b/Solutions/MimecastSEG/Data Connectors/Models/Enum/siem_types.py
new file mode 100644
index 00000000000..544910a5316
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Enum/siem_types.py
@@ -0,0 +1,11 @@
+class SiemTypes:
+ TYPE_DELIVERY = 'delivery'
+ TYPE_PROCESS = 'process'
+ TYPE_RECEIPT = 'receipt'
+ TYPE_TTP_URL = 'ttp_url'
+ TYPE_TTP_ATTACHMENT = 'ttp_ap'
+ TYPE_TTP_IMPERSONATION = 'impersonation'
+ TYPE_TTP_IEP = 'iep'
+ TYPE_JOURNAL = 'jrnl'
+ TYPE_AV = 'av'
+ TYPE_SPAMEVENTTHREAD = 'spameventthread'
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Error/__init__.py b/Solutions/MimecastSEG/Data Connectors/Models/Error/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Error/errors.py b/Solutions/MimecastSEG/Data Connectors/Models/Error/errors.py
new file mode 100644
index 00000000000..7312edf8515
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Error/errors.py
@@ -0,0 +1,23 @@
+class BaseError(Exception):
+ request_id = None
+
+ def __init__(self, message, request_id=None):
+ if request_id:
+ self.request_id = request_id
+ super(BaseError, self).__init__(message)
+
+
+class MimecastRequestError(BaseError):
+ pass
+
+
+class ParsingError(MimecastRequestError):
+ pass
+
+
+class InvalidDataError(MimecastRequestError):
+ pass
+
+
+class AzureMonitorCollectorRequestError(BaseError):
+ pass
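Review bot: The exception classes carry no docstrings, and the hierarchy makes ParsingError and InvalidDataError subtypes of MimecastRequestError, so a caller's `except MimecastRequestError` also catches parse failures and the no-more-logs condition; that is worth stating on the class, e.g. a docstring on MimecastRequestError reading `Raised for failed Mimecast API calls; ParsingError and InvalidDataError derive from it, so catching this also catches those.` A one-line docstring on BaseError noting that `request_id` is only populated when the caller passes one would complete the picture.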
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Request/__init__.py b/Solutions/MimecastSEG/Data Connectors/Models/Request/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Request/get_data_leak_protection_logs.py b/Solutions/MimecastSEG/Data Connectors/Models/Request/get_data_leak_protection_logs.py
new file mode 100644
index 00000000000..3839f4a9071
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Request/get_data_leak_protection_logs.py
@@ -0,0 +1,19 @@
+
+class GetDataLeakProtectionLogsRequest:
+ def __init__(self, from_date, to_date, token):
+ self.payload = {
+ 'meta': {
+ 'pagination': {
+ 'pageSize': 500
+ }
+ },
+ 'data': [
+ {
+ 'oldestFirst': True,
+ 'from': from_date,
+ 'to': to_date
+ }
+ ]
+ }
+ if token:
+ self.payload["meta"]["pagination"]["pageToken"] = token
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Request/get_siem_logs.py b/Solutions/MimecastSEG/Data Connectors/Models/Request/get_siem_logs.py
new file mode 100644
index 00000000000..8858e44638e
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Request/get_siem_logs.py
@@ -0,0 +1,13 @@
+class GetSIEMLogsRequest:
+ def __init__(self, file_format, token):
+ self.payload = {
+ 'data': [
+ {
+ 'type': 'MTA',
+ 'compress': True,
+ 'fileFormat': file_format
+ }
+ ]
+ }
+ if token:
+ self.payload['data'][0]['token'] = token
diff --git a/Solutions/MimecastSEG/Data Connectors/Models/Request/refresh_access_key.py b/Solutions/MimecastSEG/Data Connectors/Models/Request/refresh_access_key.py
new file mode 100644
index 00000000000..67d6a2a5576
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/Models/Request/refresh_access_key.py
@@ -0,0 +1,5 @@
+class RefreshAccessKeyRequest:
+ def __init__(self, email, expired_access_key):
+ self.payload = {"data": [{"userName": email}]}
+ if expired_access_key:
+ self.payload['data'][0]['accessKey'] = expired_access_key
diff --git a/Solutions/MimecastSEG/Data Connectors/TransformData/dlp_parser.py b/Solutions/MimecastSEG/Data Connectors/TransformData/dlp_parser.py
new file mode 100644
index 00000000000..4a1b8931f0d
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/TransformData/dlp_parser.py
@@ -0,0 +1,16 @@
+from ..Helpers.date_helper import DateHelper
+
+
+class DLPParser:
+
+ def __init__(self):
+ self.date_helper = DateHelper()
+
+ def parse(self, logs):
+ for log in logs:
+ event_id = f"data_leak_prevention_{log.get('action')}"
+ category = "data_leak_prevention"
+ timestamp = self.date_helper.convert_from_mimecast_format(log['eventTime'])
+ log.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return logs
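Review bot: DLPParser.parse mutates each dict in `logs` in place and returns the same list, and it indexes `log['eventTime']` directly, so a DLP record without that key raises KeyError out of the parser rather than a ParsingError; a docstring such as `Annotate each DLP log dict in place with mimecastEventId, mimecastEventCategory and time_generated; returns the same list.` would make the mutation explicit to callers. Since DateHelper exposes only static methods, `self.date_helper = DateHelper()` can be dropped in favour of calling `DateHelper.convert_from_mimecast_format(...)` directly.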
diff --git a/Solutions/MimecastSEG/Data Connectors/TransformData/siem_parser.py b/Solutions/MimecastSEG/Data Connectors/TransformData/siem_parser.py
new file mode 100644
index 00000000000..922856441ed
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/TransformData/siem_parser.py
@@ -0,0 +1,230 @@
+from ..Helpers.date_helper import DateHelper
+from ..Models.Enum.siem_types import SiemTypes
+import logging
+
+
+class SiemParser:
+
+ def __init__(self):
+ self.date_helper = DateHelper()
+
+ def parse(self, logs):
+ parsed_logs = []
+ if logs:
+ for log in logs:
+ if 'checkpoints' in log:
+ continue
+ log_type = log['logType'].strip()
+ if log_type == SiemTypes.TYPE_AV:
+ parsed_logs.append(self.parse_av_event(log))
+ elif log_type == SiemTypes.TYPE_DELIVERY:
+ parsed_logs.append(self.parse_delivery_event(log))
+ elif log_type == SiemTypes.TYPE_PROCESS:
+ parsed_logs.append(self.parse_process_event(log))
+ elif log_type == SiemTypes.TYPE_RECEIPT:
+ parsed_logs.append(self.parse_receipt_event(log))
+ elif log_type == SiemTypes.TYPE_TTP_URL:
+ parsed_logs.append(self.parse_ttp_url_event(log))
+ elif log_type == SiemTypes.TYPE_TTP_IMPERSONATION:
+ parsed_logs.append(self.parse_ttp_impersonation_event(log))
+ elif log_type == SiemTypes.TYPE_TTP_ATTACHMENT:
+ parsed_logs.append(self.parse_ttp_attachment_event(log))
+ elif log_type == SiemTypes.TYPE_TTP_IEP:
+ parsed_logs.append(self.parse_ttp_iep_event(log))
+ elif log_type == SiemTypes.TYPE_JOURNAL:
+ parsed_logs.append(self.parse_journal_event(log))
+ elif log_type == SiemTypes.TYPE_SPAMEVENTTHREAD:
+ parsed_logs.append(self.parse_spameventthread(log))
+ else:
+ parsed_logs.append(self.parse_other_event(log))
+
+ return parsed_logs
+
+ def parse_av_event(self, event):
+ """ Parse a single AV event
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ category = 'mail_av'
+ event_id = 'mail_av'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_delivery_event(self, event):
+ """ Parse a single Delivery event
+ Based on:
+ - Delivered (is the mail delivered at all)
+ - UseTls (was tls used)
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ delivered = event['Delivered'] if 'Delivered' in event else None
+ use_tls = event['UseTls'] if 'UseTls' in event else None
+ if delivered is not None:
+ if delivered == 'true':
+ if use_tls == 'Yes':
+ event_id = 'mail_delivery_delivered'
+ else:
+ event_id = 'mail_delivery_delivered_notls'
+ else:
+ event_id = 'mail_delivery_not_delivered'
+ else:
+ event_id = 'mail_delivery_other'
+ category = 'mail_delivery'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_process_event(self, event):
+ """ Parse a single Process event
+ Based on:
+ - Act (action)
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ action = event['Act'] if 'Act' in event else None
+ if action == 'Acc':
+ event_id = 'mail_process_accepted'
+ elif action == 'Hld':
+ event_id = 'mail_process_held'
+ elif action == 'Sdbx':
+ event_id = 'mail_process_sandboxed'
+ elif action == 'Rty':
+ event_id = 'mail_process_retried'
+ elif action == 'Bnc':
+ event_id = 'mail_process_bounced'
+ else:
+ event_id = 'mail_process_other'
+ category = 'mail_process'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_receipt_event(self, event):
+ """ Parse a single Receipt event
+ Based on:
+ - Act (action)
+ - TlsVer (TLS version)
+ - Virus (was there a virus in a mail)
+ - SpamInfo (is mail a spam)
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ action = event['Act'] if 'Act' in event else None
+ tls_version = event['TlsVer'] if 'TlsVer' in event else None
+ is_virus = True if 'Virus' in event else False
+ is_spam = False if 'SpamInfo' not in event or event['SpamInfo'] == '[]' else True
+ if is_virus:
+ event_id = 'mail_receipt_virus'
+ elif is_spam:
+ event_id = 'mail_receipt_spam'
+ elif action == 'Rej':
+ event_id = 'mail_receipt_rejected'
+ elif action == 'Ign':
+ event_id = 'mail_receipt_ignored'
+ elif action == 'Bnc':
+ event_id = 'mail_receipt_bounced'
+ elif tls_version is not None and tls_version.startswith('TLSv1'):
+ event_id = 'mail_receipt_received'
+ elif action == 'Acc' and (tls_version is None or
+ not tls_version.startswith('TLSv1')):
+ event_id = 'mail_receipt_received_notls'
+ else:
+ event_id = 'mail_receipt_other'
+ category = 'mail_receipt'
+
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_ttp_url_event(self, event):
+ """ Parse a single TTP URL event
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ event_id = 'mail_ttp_url'
+ category = 'mail_ttp_url'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_ttp_impersonation_event(self, event):
+ """ Parse a single TTP Impersonation event
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ event_id = 'mail_ttp_impersonation'
+ category = 'mail_ttp_impersonation'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_ttp_attachment_event(self, event):
+ """ Parse a single TTP Attachment event
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ event_id = 'mail_ttp_attachment'
+ category = 'mail_ttp_attachment'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_ttp_iep_event(self, event):
+ """ Parse a single TTP IEP event
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ event_id = 'mail_ttp_iep'
+ category = 'mail_ttp_iep'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_journal_event(self, event):
+ """Parse a single Journaling event.
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+ event_id = 'mail_journal'
+ category = 'mail_journal'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_spameventthread(self, event):
+ """Parse a single Spameventthread event.
+ :param event: event to be parsed (single line in log)
+ :return: parsed event
+ """
+
+ event_id = 'mail_spameventthread'
+ category = 'mail_spameventthread'
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
+
+ def parse_other_event(self, event):
+ """ Parse a single event that we don't expect
+ :param event: event to be parsed (single line in log)
+ :event_type: name of event type from response header
+ :return: parsed event as unicode
+ """
+ event_id = 'other_{0}'.format(event['logType'])
+ category = 'other'
+ logging.warning('Unexpected log type: "{0}"'.format(event['logType']))
+ timestamp = self.date_helper.convert_from_mimecast_format(event['datetime'])
+ event.update({'mimecastEventId': event_id, 'mimecastEventCategory': category, 'time_generated': timestamp})
+
+ return event
diff --git a/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json b/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json
new file mode 100644
index 00000000000..c5f3558b757
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json
@@ -0,0 +1,466 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "appName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the function app that you wish to create."
+ }
+ },
+ "objectId": {
+ "type": "string",
+ "metadata": {
+ "description": "Unique object ID in the Azure Active Directory."
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "allowedValues": [
+ "Standard_LRS",
+ "Standard_GRS",
+ "Standard_RAGRS"
+ ],
+ "metadata": {
+ "description": "Storage Account type"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "appInsightsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for Application Insights."
+ }
+ },
+ "mimecastEmail": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API email address."
+ }
+ },
+ "mimecastPassword": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API password."
+ }
+ },
+ "mimecastAppId": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API Application ID."
+ }
+ },
+ "mimecastAppKey": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API Application Key."
+ }
+ },
+ "mimecastAccessKey": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API Access Key."
+ }
+ },
+ "mimecastSecretKey": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API Secret Key."
+ }
+ },
+ "mimecastBaseURL": {
+ "type": "string",
+ "metadata": {
+ "description": "Mimecast API Base URL in format https://region-api.mimecast.com."
+ }
+ },
+ "activeDirectoryAppId": {
+ "type": "string",
+ "metadata": {
+ "description": "Application (client) ID of the registered application."
+ }
+ },
+ "activeDirectoryAppSecret": {
+ "type": "string",
+ "metadata": {
+ "description": "Application secret of the registered application."
+ }
+ }
+ },
+ "variables": {
+ "functionAppName": "[parameters('appName')]",
+ "hostingPlanName": "[parameters('appName')]",
+ "applicationInsightsName": "[parameters('appName')]",
+ "storageAccountName": "[parameters('appName')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard_RAGRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "resources": [
+ {
+ "type": "blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat('default/', 'siem-checkpoints')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ }
+ ]
+ },
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2020-09-01",
+ "name": "[variables('hostingPlanName')]",
+ "location": "[parameters('location')]",
+ "kind": "functionapp",
+ "sku": {
+ "name": "Y1",
+ "tier": "Dynamic",
+ "size": "Y1",
+ "family": "Y",
+ "capacity": 0
+ },
+ "properties": {
+ "name": "[variables('hostingPlanName')]",
+ "computeMode": "Dynamic",
+ "kind": "functionapp",
+ "reserved": true,
+ "isXenon": false,
+ "hyperV": false,
+ "azBalancing": false
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "[variables('functionAppName')]",
+ "location": "[parameters('location')]",
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+ ],
+ "properties": {
+ "siteConfig": {
+ "linuxFxVersion": "Python|3.8"
+ },
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "clientAffinityEnabled": false
+ },
+ "resources": [
+ {
+ "apiVersion": "2015-08-01",
+ "type": "config",
+ "name": "appsettings",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
+ "[resourceId('Microsoft.KeyVault/vaults/', variables('functionAppName'))]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-email')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-password')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-app-id')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-app-key')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-access-key')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-secret-key')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-base-url')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'active-directory-app-id')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'active-directory-app-secret')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'active-directory-tenant-id')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'log-analytics-workspace-id')]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'log-analytics-workspace-key')]"
+ ],
+ "properties": {
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]",
+ "FUNCTIONS_EXTENSION_VERSION": "~3",
+ "FUNCTIONS_WORKER_RUNTIME": "python",
+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]",
+ "mimecast_email": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-email', '/)')]",
+ "mimecast_password": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-password', '/)')]",
+ "mimecast_app_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-app-id', '/)')]",
+ "mimecast_app_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-app-key', '/)')]",
+ "mimecast_access_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-access-key', '/)')]",
+ "mimecast_secret_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-secret-key', '/)')]",
+ "mimecast_base_url": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-base-url', '/)')]",
+ "active_directory_app_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-app-id', '/)')]",
+ "active_directory_app_secret": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-app-secret', '/)')]",
+ "active_directory_tenant_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-tenant-id', '/)')]",
+ "log_analytics_workspace_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-id', '/)')]",
+ "log_analytics_workspace_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-key', '/)')]",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-MimecastSEG-functionapp"
+ }
+ }
+ ]
+ },
+ {
+ "apiVersion": "2015-03-20",
+ "name": "[variables('functionAppName')]",
+ "location": "[parameters('location')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "properties": {
+ "sku": {
+ "name": "pergb2018"
+ },
+ "retentionInDays": 30,
+ "features": {
+ "legacy": 0,
+ "searchVersion": 1,
+ "enableLogAccessUsingOnlyResourcePermissions": true
+ },
+ "publicNetworkAccessForIngestion": "Enabled",
+ "publicNetworkAccessForQuery": "Enabled"
+ }
+ },
+ {
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "name": "[concat('SecurityInsights','(', variables('functionAppName'),')')]",
+ "location": "[parameters('location')]",
+ "plan": {
+ "name": "[concat('SecurityInsights','(', variables('functionAppName'),')')]",
+ "promotionCode": "",
+ "product": "OMSGallery/SecurityInsights",
+ "publisher": "Microsoft"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('functionAppName'))]"
+ ],
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('functionAppName'))]"
+ }
+ },
+ {
+ "type": "microsoft.insights/components",
+ "apiVersion": "2020-02-02-preview",
+ "name": "[variables('applicationInsightsName')]",
+ "location": "[parameters('appInsightsLocation')]",
+ "tags": {
+ "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
+ },
+ "properties": {
+ "ApplicationId": "[variables('applicationInsightsName')]",
+ "Request_Source": "IbizaWebAppExtensionCreate"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "name": "[variables('functionAppName')]",
+ "location": "[parameters('location')]",
+ "apiVersion": "2019-09-01",
+ "tags": {
+ "displayName": "KeyVault"
+ },
+ "properties": {
+ "enabledForDeployment": false,
+ "enabledForTemplateDeployment": false,
+ "enabledForDiskEncryption": false,
+ "tenantId": "[subscription().tenantId]",
+ "accessPolicies": [
+ {
+ "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')),'2019-08-01', 'full').identity.principalId]",
+ "tenantId": "[subscription().tenantId]",
+ "permissions": {
+ "secrets": [
+ "Get",
+ "List",
+ "Set",
+ "Delete",
+ "Recover",
+ "Backup",
+ "Restore"
+ ]
+ }
+ },
+ {
+ "objectId": "[parameters('objectId')]",
+ "tenantId": "[subscription().tenantId]",
+ "permissions": {
+ "secrets": [
+ "Get",
+ "List",
+ "Set",
+ "Delete",
+ "Recover",
+ "Backup",
+ "Restore"
+ ]
+ }
+ }
+ ],
+ "sku": {
+ "family": "A",
+ "name": "Standard"
+ },
+ "networkAcls": {
+ "defaultAction": "Allow",
+ "bypass": "AzureServices"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-email')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastEmail')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-password')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastPassword')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-app-id')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastAppId')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-app-key')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastAppKey')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-access-key')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastAccessKey')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-secret-key')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastSecretKey')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'mimecast-base-url')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('mimecastBaseURL')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'active-directory-app-id')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('activeDirectoryAppId')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'active-directory-app-secret')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('activeDirectoryAppSecret')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'active-directory-tenant-id')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[subscription().tenantId]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'log-analytics-workspace-id')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]",
+ "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('appName')), '2015-03-20').customerId]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('functionAppName'), '/', 'log-analytics-workspace-key')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]",
+ "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('appName'))]"
+ ],
+ "properties": {
+ "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('appName')), '2015-03-20').primarySharedKey]"
+ }
+ }
+ ]
+}
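Review bot: The Mimecast and AAD credentials (`mimecastPassword`, `mimecastAppKey`, `mimecastAccessKey`, `mimecastSecretKey`, `activeDirectoryAppSecret`) are declared as plain `"type": "string"` parameters, so their values are retained unredacted in the deployment's input record and visible to anyone who can read deployment history; each should be `"type": "securestring"`. The Key Vault access policy for the function app's managed identity grants Set/Delete/Recover/Backup/Restore on secrets although the app only consumes them through `@Microsoft.KeyVault(SecretUri=...)` references, so Get (plus List at most) is enough there, and the vault's `"defaultAction": "Allow"` leaves it reachable from any network. The storage account likewise sets neither `supportsHttpsTrafficOnly` nor `allowBlobPublicAccess`/`minimumTlsVersion`, which deserves an explicit choice rather than the API defaults. Separately, the `storageAccountType` parameter is never referenced: the SKU is hard-coded as `"name": "Standard_RAGRS"` and should read `"name": "[parameters('storageAccountType')]"` so the allowed-values list actually takes effect.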
diff --git a/Solutions/MimecastSEG/Data Connectors/host.json b/Solutions/MimecastSEG/Data Connectors/host.json
new file mode 100644
index 00000000000..8ce3f913565
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/host.json
@@ -0,0 +1,15 @@
+{
+ "version": "2.0",
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[2.*, 3.0.0)"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/MimecastSEG/Data Connectors/requirements.txt b/Solutions/MimecastSEG/Data Connectors/requirements.txt
new file mode 100644
index 00000000000..25c984245fa
--- /dev/null
+++ b/Solutions/MimecastSEG/Data Connectors/requirements.txt
@@ -0,0 +1,6 @@
+# Do not include azure-functions-worker as it may conflict with the Azure Functions platform
+
+azure-functions
+datetime
+requests~=2.25.1
+msal~=1.9.0
\ No newline at end of file
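Review bot: The `datetime` line is a supply-chain hazard: the standard-library `datetime` module (presumably what was intended) needs no install, so pip resolves this name to the unrelated third-party PyPI project DateTime (Zope's), pulling foreign code into the function package; drop the line. `azure-functions` is also left unpinned while the other two dependencies use `~=`, so builds are not reproducible across deployments; pin it the same way (`azure-functions~=<version>`, placeholder). The `requests~=2.25.1` and `msal~=1.9.0` floors look dated and are worth refreshing, though whether they were current depends on when this was authored.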
diff --git a/Solutions/MimecastSEG/Data/Solution_MimecastSEG.json b/Solutions/MimecastSEG/Data/Solution_MimecastSEG.json
new file mode 100644
index 00000000000..a03e40c4318
--- /dev/null
+++ b/Solutions/MimecastSEG/Data/Solution_MimecastSEG.json
@@ -0,0 +1,28 @@
+{
+ "Name": "MimecastSEG",
+ "Author": "Mimecast - dlapi@mimecast.com",
+ "Logo": "",
+ "Description": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.",
+ "Analytic Rules": [
+ "Analytic Rules/MimecastDLP_Hold.yaml",
+ "Analytic Rules/MimecastDLP.yaml",
+ "Analytic Rules/MimecastSIEM_Attachment.yaml",
+ "Analytic Rules/MimecastSIEM_AV.yaml",
+ "Analytic Rules/MimecastSIEM_Impersonation.yaml",
+ "Analytic Rules/MimecastSIEM_Internal_Mail_Protect.yaml",
+ "Analytic Rules/MimecastSIEM_Spam_Event.yaml",
+ "Analytic Rules/MimecastSIEM_Url_Protect.yaml",
+ "Analytic Rules/MimecastSIEM_Virus.yaml"
+ ],
+ "Workbooks": [
+ "Workbooks/MimecastSEGworkbook.json"
+ ],
+ "Data Connectors": [
+ "Data Connectors/MimecastSEG_API_AzureFunctionApp.json"
+ ],
+ "BasePath": "C:\\Azure-Sentinel\\Solutions\\MimecastSEG",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/MimecastSEG/Package/3.0.0.zip b/Solutions/MimecastSEG/Package/3.0.0.zip
new file mode 100644
index 00000000000..e7de0d45bb2
Binary files /dev/null and b/Solutions/MimecastSEG/Package/3.0.0.zip differ
diff --git a/Solutions/MimecastSEG/Package/createUiDefinition.json b/Solutions/MimecastSEG/Package/createUiDefinition.json
new file mode 100644
index 00000000000..b47c41e8d98
--- /dev/null
+++ b/Solutions/MimecastSEG/Package/createUiDefinition.json
@@ -0,0 +1,281 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for MimecastSEG. You can get MimecastSEG custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "MimecastSEG",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "A workbook providing insights into Mimecast Secure Email Gateway."
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Data Leak Prevention - Hold",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detects threat for data leak when action is hold"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Data Leak Prevention - Notifications",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detects threat for data leak when action is notification"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - Attachment Protect",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detect threat for mail attachment under the targeted threat protection"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - AV",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detects threats from email anti virus scan"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - Impersonation Protect",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detects threats from impersonation mail under targeted threat protection"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic6",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - Internal Email Protect",
+ "elements": [
+ {
+ "name": "analytic6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detects threats from internal email threat protection"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic7",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - Spam Event Thread",
+ "elements": [
+ {
+ "name": "analytic7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detects threat from spam event thread protection logs"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic8",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - URL Protect",
+ "elements": [
+ {
+ "name": "analytic8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detect threat when potentially malicious url found"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic9",
+ "type": "Microsoft.Common.Section",
+ "label": "Mimecast Secure Email Gateway - Virus",
+ "elements": [
+ {
+ "name": "analytic9-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Detect threat for virus from mail receipt virus event"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/MimecastSEG/Package/mainTemplate.json b/Solutions/MimecastSEG/Package/mainTemplate.json
new file mode 100644
index 00000000000..8b1a5cd1b32
--- /dev/null
+++ b/Solutions/MimecastSEG/Package/mainTemplate.json
@@ -0,0 +1,1944 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Mimecast - dlapi@mimecast.com",
+ "comments": "Solution template for MimecastSEG"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "MimecastSEG",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "email": "dlapi@mimecast.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "MimecastSEG",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "mimecast.azure-sentinel-solution-mimecastseg",
+ "_solutionId": "[variables('solutionId')]",
+ "analyticRuleVersion1": "1.0.0",
+ "analyticRulecontentId1": "3e12b7b1-75e5-497c-ba01-b6cb30b60d7f",
+ "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
+ "analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
+ "_analyticRulecontentProductId1": "[variables('analyticRulecontentProductId1')]",
+ "analyticRuleVersion2": "1.0.0",
+ "analyticRulecontentId2": "1818aeaa-4cc8-426b-ba54-539de896d299",
+ "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
+ "analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
+ "_analyticRulecontentProductId2": "[variables('analyticRulecontentProductId2')]",
+ "analyticRuleVersion3": "1.0.0",
+ "analyticRulecontentId3": "72264f4f-61fb-4f4f-96c4-635571a376c2",
+ "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
+ "analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
+ "_analyticRulecontentProductId3": "[variables('analyticRulecontentProductId3')]",
+ "analyticRuleVersion4": "1.0.0",
+ "analyticRulecontentId4": "0f0dc725-29dc-48c3-bf10-bd2f34fd1cbb",
+ "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
+ "analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
+ "_analyticRulecontentProductId4": "[variables('analyticRulecontentProductId4')]",
+ "analyticRuleVersion5": "1.0.0",
+ "analyticRulecontentId5": "7034abc9-6b66-4533-9bf3-056672fd9d9e",
+ "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
+ "analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
+ "_analyticRulecontentProductId5": "[variables('analyticRulecontentProductId5')]",
+ "analyticRuleVersion6": "1.0.0",
+ "analyticRulecontentId6": "5b66d176-e344-4abf-b915-e5f09a6430ef",
+ "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
+ "analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
+ "_analyticRulecontentProductId6": "[variables('analyticRulecontentProductId6')]",
+ "analyticRuleVersion7": "1.0.0",
+ "analyticRulecontentId7": "df1b9377-5c29-4928-872f-9934a6b4f611",
+ "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
+ "analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
+ "_analyticRulecontentProductId7": "[variables('analyticRulecontentProductId7')]",
+ "analyticRuleVersion8": "1.0.0",
+ "analyticRulecontentId8": "ea19dae6-bbb3-4444-a1b8-8e9ae6064aab",
+ "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
+ "analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
+ "_analyticRulecontentProductId8": "[variables('analyticRulecontentProductId8')]",
+ "analyticRuleVersion9": "1.0.0",
+ "analyticRulecontentId9": "30f73baa-602c-4373-8f02-04ff5e51fc7f",
+ "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
+ "analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
+ "_analyticRulecontentProductId9": "[variables('analyticRulecontentProductId9')]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "MimecastSEG",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "_workbookcontentProductId1": "[variables('workbookcontentProductId1')]",
+ "uiConfigId1": "MimecastSIEMAPI",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "MimecastSIEMAPI",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_dataConnectorcontentProductId1": "[variables('dataConnectorcontentProductId1')]",
+ "solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
+ "_solutioncontentProductId": "[variables('solutioncontentProductId')]",
+ "MessageId": "MsgId_s",
+ "_MessageId": "[variables('MessageId')]",
+ "msgid": "msgid_s",
+ "_msgid": "[variables('msgid')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastDLP_Hold_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects threat for data leak when action is hold",
+ "displayName": "Mimecast Data Leak Prevention - Hold",
+ "enabled": false,
+ "query": "MimecastDLP_CL| where action_s == \"hold\";",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastDLP_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1030"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "senderAddress_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "recipientAddress_s"
+ },
+ {
+ "identifier": "DeliveryAction",
+ "columnName": "action_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Data Leak Prevention - Hold",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastDLP_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects threat for data leak when action is notification",
+ "displayName": "Mimecast Data Leak Prevention - Notifications",
+ "enabled": false,
+ "query": "MimecastDLP_CL| where action_s == \"notification\";",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastDLP_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1030"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "senderAddress_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "recipientAddress_s"
+ },
+ {
+ "identifier": "DeliveryAction",
+ "columnName": "action_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Data Leak Prevention - Notifications",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_Attachment_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detect threat for mail attachment under the targeted threat protection",
+ "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_ttp_attachment\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration",
+ "Discovery",
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": [
+ "T1114",
+ "T1566",
+ "T0865"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "Sender_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "Recipient_s"
+ },
+ {
+ "identifier": "Subject",
+ "columnName": "Subject_s"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IP_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "MsgId": "[variables('_MessageId')]",
+ "fileName": "fileName_s",
+ "sha256": "sha256_s"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_AV_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId4')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects threats from email anti virus scan",
+ "displayName": "Mimecast Secure Email Gateway - AV",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_av\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1053"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "Sender_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "Recipient_s"
+ },
+ {
+ "identifier": "Subject",
+ "columnName": "Subject_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "sha1": "sha1_s",
+ "fileName": "fileName_s",
+ "MimecastIP": "MimecastIP_s",
+ "SenderDomain": "SenderDomain_s",
+ "CustomerIP": "CustomerIP_s",
+ "fileMime": "fileMime_s",
+ "Route": "Route_s",
+ "sha256": "sha256_s",
+ "MsgId": "[variables('_MessageId')]",
+ "IP": "IP_s",
+ "fileExt": "fileExt_s",
+ "Virus": "Virus_s",
+ "SenderDomainInternal": "SenderDomainInternal_s",
+ "Size": "Size_s",
+ "md5": "md5_g"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 4",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - AV",
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_Impersonation_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId5')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects threats from impersonation mail under targeted threat protection",
+ "displayName": "Mimecast Secure Email Gateway - Impersonation Protect",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s == \"mail_ttp_impersonation\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "LateralMovement",
+ "Collection"
+ ],
+ "techniques": [
+ "T1114"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "Sender_s"
+ },
+ {
+ "identifier": "SenderIP",
+ "columnName": "IP_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "Recipient_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "SimilarCustExtDomain": "SimilarCustomExternalDomain_s",
+ "ThreatDictionary": "ThreatDictionary_s",
+ "Hits": "Hits_s",
+ "CustomName": "CustomName_s",
+ "Definition": "Definition_s",
+ "SimilarIntDomain": "SimilarInternalDomain_s",
+ "ReplyMismatch": "ReplyMismatch_s",
+ "TaggedExternal": "TaggedExternal_s",
+ "SimilarMCExtDomain": "SimilarMimecastExternalDomain_s",
+ "Action": "Action_s",
+ "Route": "Route_s",
+ "Subject": "Subject_s",
+ "MsgId": "[variables('_MessageId')]",
+ "InternalName": "InternalName_s",
+ "NewDomain": "NewDomain_s",
+ "TaggedMalicious": "TaggedMalicious_s",
+ "CustomThreatDict": "CustomThreatDictionary_s"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 5",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - Impersonation Protect",
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_Internal_Mail_Protect_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId6')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects threats from internal email threat protection",
+ "displayName": "Mimecast Secure Email Gateway - Internal Email Protect",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_ttp_iep\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "Persistence",
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1534",
+ "T1546"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "Sender_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "Recipient_s"
+ },
+ {
+ "identifier": "InternetMessageId",
+ "columnName": "[variables('_MessageId')]"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URL_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "Subject": "Subject_s",
+ "UrlCategory": "UrlCategory_s",
+ "Route": "Route_s",
+ "ScanResultInfo": "ScanResultInfo_s"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 6",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - Internal Email Protect",
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_Spam_Event_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId7')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects threat from spam event thread protection logs",
+ "displayName": "Mimecast Secure Email Gateway - Spam Event Thread",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_spameventthread\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": [
+ "T1083"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "Sender_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "Recipient_s"
+ },
+ {
+ "identifier": "Subject",
+ "columnName": "Subject_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "MsgId": "[variables('_MessageId')]",
+ "SenderDomain": "SenderDomain_s",
+ "headerFrom": "headerFrom_s",
+ "Route": "Route_s",
+ "SourceIP": "SourceIP"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 7",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - Spam Event Thread",
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_Url_Protect_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId8')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detect threat when potentially malicious url found",
+ "displayName": "Mimecast Secure Email Gateway - URL Protect",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_ttp_url\" and reason_s != \"clean\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Discovery",
+ "Execution"
+ ],
+ "techniques": [
+ "T1566"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "sender_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "recipient_s"
+ },
+ {
+ "identifier": "Subject",
+ "columnName": "subject_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "msgid": "[variables('_msgid')]",
+ "route": "route_s",
+ "credentialTheft": "credentialTheft_s",
+ "action": "action_s",
+ "urlCategory": "urlCategory_s",
+ "SourceIP": "SourceIP",
+ "senderDomain": "senderDomain_s",
+ "url": "url_s",
+ "reason": "reason_s"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 8",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - URL Protect",
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSIEM_Virus_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId9')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detect threat for virus from mail receipt virus event",
+ "displayName": "Mimecast Secure Email Gateway - Virus",
+ "enabled": false,
+ "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_receipt_virus\"",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT15M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MimecastSIEMAPI",
+ "dataTypes": [
+ "MimecastSIEM_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1053"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "MailMessage",
+ "fieldMappings": [
+ {
+ "identifier": "Sender",
+ "columnName": "Sender_s"
+ },
+ {
+ "identifier": "Recipient",
+ "columnName": "Rcpt_s"
+ },
+ {
+ "identifier": "Subject",
+ "columnName": "Subject_s"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "TlsVer": "TlsVer_s",
+ "IP": "IP_s",
+ "RejCode": "RejCode_s",
+ "headerFrom": "headerFrom_s",
+ "Dir": "Dir_s",
+ "Cphr": "Cphr_s",
+ "RejType": "RejType_s",
+ "Act": "Act_s",
+ "RejInfo": "RejInfo_s",
+ "Error": "Error_s",
+ "MsgId": "[variables('_MessageId')]",
+ "Virus": "Virus_s"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": true,
+ "lookbackDuration": "1d"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "properties": {
+ "description": "MimecastSEG Analytics Rule 9",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion9')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Mimecast Secure Email Gateway - Virus",
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSEGworkbookWorkbook Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "A workbook providing insights into Mimecast Secure Email Gateway."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8ccaabbc-2531-4a3a-a4d1-22890e77fe7e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"# Mail Receipt Events\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"## Receipt Events by Mimecast Event Id\",\"style\":\"info\"},\"name\":\"text - 25\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"receipt\\\"\\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"mail_receipt_received\",\"label\":\"Received\"},{\"seriesName\":\"mail_receipt_virus\",\"label\":\"Viruses\"},{\"seriesName\":\"mail_receipt_received_notls\",\"label\":\"Non-TLS\"},{\"seriesName\":\"mail_receipt_rejected\",\"label\":\"Rejected\"},{\"seriesName\":\"mail_receipt_spam\",\"label\":\"Spam\"}]}},\"name\":\"query - 1\"},{\"type\":1,\"content\":{\"json\":\"## Rejection 
Types\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"receipt\\\" and mimecastEventId_s == \\\"mail_receipt_rejected\\\" and RejType_s !=\\\"\\\"\\n| summarize count() by RejType_s , bin(TimeGenerated, 1h)\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RejType_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"RejType_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"RejType_s\",\"sourceIdField\":\"TimeGenerated\",\"targetIdField\":\"count_\",\"graphOrientation\":1,\"showOrientationToggles\":false,\"nodeSize\":\"\",\"staticNodeSize\":100,\"colorSettings\":\"\",\"hivesMargin\":5},\"chartSettings\":{\"createOtherGroup\":0},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 14\"},{\"type\":1,\"content\":{\"json\":\"## Rejections - Spam\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"receipt\\\" and mimecastEventId_s==\\\"mail_receipt_spam\\\"\\n| summarize count() by 
Sender_s, headerFrom_s, Rcpt_s, IP_s, Subject_s, SpamScore_s, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SpamScore_s\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SpamScore_s\",\"sortOrder\":1}],\"chartSettings\":{\"createOtherGroup\":0,\"seriesLabelSettings\":[{\"seriesName\":\"mail_receipt_spam\",\"label\":\"Spam\"}]}},\"name\":\"query - 14\"},{\"type\":1,\"content\":{\"json\":\"## Rejections - Malware\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"receipt\\\" and mimecastEventId_s == \\\"mail_receipt_virus\\\" and RejType_s != \\\"\\\"\\n| summarize count() by Sender_s, headerFrom_s, Rcpt_s, IP_s, Subject_s, RejInfo_s, Virus_s, Error_s, bin(TimeGenerated, 1h)\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Sender_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"AzureResource\",\"locInfoColumn\":\"Error_s\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\"}]}}},\"name\":\"query - 16\"},{\"type\":1,\"content\":{\"json\":\"# Mail Process Events\",\"style\":\"info\"},\"name\":\"text - 
2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"process\\\"\\n| summarize dcount=count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 
1h)\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"mail_process_accepted\",\"label\":\"Accepted\",\"color\":\"green\"},{\"seriesName\":\"mail_process_held\",\"label\":\"Held\",\"color\":\"brown\"},{\"seriesName\":\"mail_process_sandboxed\",\"label\":\"Sandboxed\",\"color\":\"turquoise\"},{\"seriesName\":\"mail_process_retried\",\"label\":\"Retries\",\"color\":\"pink\"}]}},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"## Held Messages\",\"style\":\"info\"},\"name\":\"text - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"process\\\" and Hld_s != \\\"\\\"\\n| summarize count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, 
msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\\n| summarize count() by Hld_s, Sender_s, Subject_s, AttSize_s, AttCnt_s, AttNames_s, MsgSize_s, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 17\"},{\"type\":1,\"content\":{\"json\":\"## Message Delivery Retried\\n\",\"style\":\"info\"},\"name\":\"text - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"process\\\" and mimecastEventId_s==\\\"mail_process_retried\\\"\\n| summarize count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, 
_ResourceId\\n| summarize count() by Sender_s, Subject_s, MsgId_s, AttCnt_s, AttNames_s, AttSize_s, MsgSize_s, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"name\":\"query - 20\"},{\"type\":1,\"content\":{\"json\":\"## Messages with Sandboxed Attachments\",\"style\":\"info\"},\"name\":\"text - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"process\\\" and mimecastEventId_s==\\\"mail_process_sandboxed\\\"\\n| summarize count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\\n| summarize count() by Sender_s, Subject_s, MsgId_s, AttSize_s, 
AttCnt_s, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"name\":\"query - 22\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mail Delivery Events\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"delivery\\\"\\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"mail_delivery_delivered\",\"label\":\"Delivered with TLS\",\"color\":\"green\"},{\"seriesName\":\"mail_delivery_delivered_notls\",\"label\":\"Delivered without TLS\",\"color\":\"orange\"},{\"seriesName\":\"mail_delivery_not_delivered\",\"label\":\"Undelivered\",\"color\":\"red\"}]}},\"name\":\"query - 5\"}]},\"customWidth\":\"33\",\"name\":\"group - 2\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## TLS Versions in Use\",\"style\":\"info\"},\"name\":\"text - 32\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"delivery\\\" and UseTls_s==\\\"Yes\\\"\\n| summarize count() by TlsVer_s, bin(TimeGenerated, 
1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"query - 33\"}]},\"customWidth\":\"33\",\"name\":\"group - 4\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## TLS Cipher Suites in Use\",\"style\":\"info\"},\"name\":\"text - 34\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"delivery\\\" and UseTls_s==\\\"Yes\\\"\\n| summarize count() by Cphr_s, bin(TimeGenerated, 1h)\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":0}},\"name\":\"query - 35\"}]},\"customWidth\":\"33\",\"name\":\"group - 5\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"group - 31\"},{\"type\":1,\"content\":{\"json\":\"## Undelivered Messages\",\"style\":\"info\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"delivery\\\" and mimecastEventId_s == \\\"mail_delivery_not_delivered\\\"\\n| summarize count() by Dir_s, Route_s, Sender_s, Rcpt_s, RejType_s, RejCode_s, RejInfo_s, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"mail_delivery_not_delivered\",\"label\":\"Undelivered\"}]}},\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"## Messages Delivered without 
TLS\",\"style\":\"info\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastSIEM_CL\\n| where logType_s==\\\"delivery\\\" and mimecastEventId_s==\\\"mail_delivery_delivered_notls\\\"\\n| summarize count() by Dir_s, Route_s, IP_s, Sender_s, Rcpt_s, Subject_s, Delivered_s, ReceiptAck_s, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 18\"},{\"type\":1,\"content\":{\"json\":\"# Data Leak Prevention Events\"},\"name\":\"text - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP_CL\\n| where mimecastEventCategory_s == \\\"data_leak_prevention\\\"\\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"group\":\"mimecastEventId_s\",\"createOtherGroup\":0,\"seriesLabelSettings\":[{\"seriesName\":\"data_leak_prevention_notification\",\"label\":\"Notification\"},{\"seriesName\":\"data_leak_prevention_hold\",\"label\":\"Hold\"},{\"seriesName\":\"data_leak_prevention_smart_folder\",\"label\":\"Smart Folder\"},{\"seriesName\":\"data_leak_prevention_secure_messaging\",\"label\":\"Secure Messaging\"},{\"seriesName\":\"data_leak_prevention_secure_delivery\",\"label\":\"Secure Delivery\"},{\"seriesName\":\"data_leak_prevention_bounce\",\"label\":\"Bounce\"},{\"seriesName\":\"data_leak_prevention_stationery\",\"label\":\"Stationary\"},{\"seriesName\":\"data_leak_prevention_delete\",\"label\":\"Delete\"},{\"seriesName\":\"data_leak_prevention_meta_expire\",\"label\":\"Meta Expire\"},{\"seriesName\":\"data_leak_prevention_content_expire\",\"label\":\"Content Expire\"}]}},\"name\":\"query - 
23\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## DLP Events by Route\",\"style\":\"info\"},\"name\":\"text - 31\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP_CL\\n| where mimecastEventCategory_s == \\\"data_leak_prevention\\\"\\n| summarize count() by route_s, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":0}},\"name\":\"query - 30\"}]},\"customWidth\":\"33\",\"name\":\"group - 2\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## DLP Events by Actions Triggered\",\"style\":\"info\"},\"name\":\"text - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP_CL\\n| where mimecastEventCategory_s == \\\"data_leak_prevention\\\"\\n| summarize count() by action_s, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":0}},\"name\":\"query - 29\"}]},\"customWidth\":\"33\",\"name\":\"group - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## DLP Events by Policies Triggered\",\"style\":\"info\"},\"name\":\"text - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP_CL\\n| where 
mimecastEventCategory_s == \\\"data_leak_prevention\\\"\\n| summarize count() by policy_s, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":0}},\"name\":\"query - 27\"}]},\"customWidth\":\"33\",\"name\":\"group - 4\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"group - 36\"}],\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=MimecastSEGWorkbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Secure Email Gateway.; dataTypesDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=MimecastSEG; templateRelativePath=MimecastSEGworkbook.json; subtitle=Mimecast Secure Email Gateway; provider=Mimecast}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "MimecastDLP_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "MimecastSIEM_CL",
+ "kind": "DataType"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MimecastSEG data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Mimecast Secure Email Gateway (using Azure Functions)",
+ "publisher": "Mimecast",
+ "descriptionMarkdown": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n ",
+ "graphQueries": [
+ {
+ "metricName": "Total Secure Email Gateway data received",
+ "legend": "MimecastSIEM_CL",
+ "baseQuery": "MimecastSIEM_CL"
+ },
+ {
+ "metricName": "Total Data Leak Prevention data received",
+ "legend": "MimecastDLP_CL",
+ "baseQuery": "MimecastDLP_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "MimecastSIEM_CL",
+ "query": "MimecastSIEM_CL\n| sort by TimeGenerated desc"
+ },
+ {
+ "description": "MimecastDLP_CL",
+ "query": "MimecastDLP_CL\n| sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MimecastSIEM_CL",
+ "lastDataReceivedQuery": "MimecastSIEM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "MimecastDLP_CL",
+ "lastDataReceivedQuery": "MimecastDLP_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MimecastSIEM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+ "MimecastDLP_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ },
+ {
+ "name": "Mimecast API credentials",
+ "description": "You need to have the following pieces of information to configure the integration:\n- mimecastEmail: Email address of a dedicated Mimecast admin user\n- mimecastPassword: Password for the dedicated Mimecast admin user\n- mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAccessKey: Access Key for the dedicated Mimecast admin user\n- mimecastSecretKey: Secret Key for the dedicated Mimecast admin user\n- mimecastBaseURL: Mimecast Regional API Base URL\n\n> The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.\n\n> The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/"
+ },
+ {
+ "name": "Resource group",
+ "description": "You need to have a resource group created with a subscription you are going to use."
+ },
+ {
+ "name": "Functions app",
+ "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)",
+ "title": "Configuration:"
+ },
+ {
+ "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEG-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> SIEM checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt, dlp-checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n",
+ "title": "Deploy the Mimecast Secure Email Gateway Data Connector:"
+ }
+ ],
+ "metadata": {
+ "id": "d394478b-62f5-49c9-9ce7-96ed999cc727",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Mimecast"
+ },
+ "author": {
+ "name": "Mimecast"
+ },
+ "support": {
+ "tier": "Partner",
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Mimecast Secure Email Gateway (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Mimecast Secure Email Gateway (using Azure Functions)",
+ "publisher": "Mimecast",
+ "descriptionMarkdown": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Secure Email Gateway \n- Mimecast Data Leak Prevention\n ",
+ "graphQueries": [
+ {
+ "metricName": "Total Secure Email Gateway data received",
+ "legend": "MimecastSIEM_CL",
+ "baseQuery": "MimecastSIEM_CL"
+ },
+ {
+ "metricName": "Total Data Leak Prevention data received",
+ "legend": "MimecastDLP_CL",
+ "baseQuery": "MimecastDLP_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MimecastSIEM_CL",
+ "lastDataReceivedQuery": "MimecastSIEM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "MimecastDLP_CL",
+ "lastDataReceivedQuery": "MimecastDLP_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MimecastSIEM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+ "MimecastDLP_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "MimecastSIEM_CL",
+ "query": "MimecastSIEM_CL\n| sort by TimeGenerated desc"
+ },
+ {
+ "description": "MimecastDLP_CL",
+ "query": "MimecastDLP_CL\n| sort by TimeGenerated desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ },
+ {
+ "name": "Mimecast API credentials",
+ "description": "You need to have the following pieces of information to configure the integration:\n- mimecastEmail: Email address of a dedicated Mimecast admin user\n- mimecastPassword: Password for the dedicated Mimecast admin user\n- mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAccessKey: Access Key for the dedicated Mimecast admin user\n- mimecastSecretKey: Secret Key for the dedicated Mimecast admin user\n- mimecastBaseURL: Mimecast Regional API Base URL\n\n> The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.\n\n> The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/"
+ },
+ {
+ "name": "Resource group",
+ "description": "You need to have a resource group created with a subscription you are going to use."
+ },
+ {
+ "name": "Functions app",
+ "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)",
+ "title": "Configuration:"
+ },
+ {
+ "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEG-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> SIEM checkpoints ---> Upload*** and create empty file on your machine named checkpoint.txt, dlp-checkpoint.txt and select it for upload (this is done so that date_range for SIEM logs is stored in consistent state)\n",
+ "title": "Deploy the Mimecast Secure Email Gateway Data Connector:"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "MimecastSEG",
+ "publisherDisplayName": "Mimecast",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The data connector for Mimecast Secure Email Gateway allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required:
\n
\n
Mimecast Secure Email Gateway
\n
Mimecast Data Leak Prevention
\n
\n
Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.
\n
Data Connectors: 1, Workbooks: 1, Analytic Rules: 9
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2022-02-24",
+ "lastPublishDate": "2022-02-24",
+ "providers": [
+ "Mimecast"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/MimecastSEG/ReleaseNotes.md b/Solutions/MimecastSEG/ReleaseNotes.md
new file mode 100644
index 00000000000..a97fa385729
--- /dev/null
+++ b/Solutions/MimecastSEG/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 23-08-2023 | Initial solution release |
diff --git a/Solutions/MimecastSEG/SolutionMetadata.json b/Solutions/MimecastSEG/SolutionMetadata.json
new file mode 100644
index 00000000000..9810b8dc14c
--- /dev/null
+++ b/Solutions/MimecastSEG/SolutionMetadata.json
@@ -0,0 +1,20 @@
+{
+ "publisherId": "mimecast",
+ "offerId": "azure-sentinel-solution-mimecastseg",
+ "firstPublishDate": "2022-02-24",
+ "lastPublishDate": "2022-02-24",
+ "providers": [
+ "Mimecast"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+}
\ No newline at end of file
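Review bot: `firstPublishDate` and `lastPublishDate` are both set to `2022-02-24`, while the ReleaseNotes.md added in the same commit records the initial 3.0.0 release as 23-08-2023, so the metadata contradicts the release history it ships with; presumably the dates were copied from another solution. The same two values appear in the mainTemplate.json hunk above (L10213–L10214), so both places need the same correction, e.g. `"lastPublishDate": "2023-08-23"` if the release-notes date is the authoritative one. The file also lacks a trailing newline, which the diff flags.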
diff --git a/Solutions/MimecastSEG/Workbooks/Images/Preview/MimecastSEGBlack.png b/Solutions/MimecastSEG/Workbooks/Images/Preview/MimecastSEGBlack.png
new file mode 100644
index 00000000000..8ae01ce763b
Binary files /dev/null and b/Solutions/MimecastSEG/Workbooks/Images/Preview/MimecastSEGBlack.png differ
diff --git a/Solutions/MimecastSEG/Workbooks/Images/Preview/MimecastSEGWhite.png b/Solutions/MimecastSEG/Workbooks/Images/Preview/MimecastSEGWhite.png
new file mode 100644
index 00000000000..bd6aa01ccae
Binary files /dev/null and b/Solutions/MimecastSEG/Workbooks/Images/Preview/MimecastSEGWhite.png differ
diff --git a/Solutions/MimecastSEG/Workbooks/MimecastSEGworkbook.json b/Solutions/MimecastSEG/Workbooks/MimecastSEGworkbook.json
new file mode 100644
index 00000000000..c35d9391285
--- /dev/null
+++ b/Solutions/MimecastSEG/Workbooks/MimecastSEGworkbook.json
@@ -0,0 +1,858 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "8ccaabbc-2531-4a3a-a4d1-22890e77fe7e",
+ "version": "KqlParameterItem/1.0",
+ "name": "time_range",
+ "type": 4,
+ "isRequired": true,
+ "value": {
+ "durationMs": 1209600000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ],
+ "allowCustom": true
+ },
+ "timeContext": {
+ "durationMs": 86400000
+ }
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 6"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Mail Receipt Events"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Receipt Events by Mimecast Event Id",
+ "style": "info"
+ },
+ "name": "text - 25"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"receipt\"\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "mail_receipt_received",
+ "label": "Received"
+ },
+ {
+ "seriesName": "mail_receipt_virus",
+ "label": "Viruses"
+ },
+ {
+ "seriesName": "mail_receipt_received_notls",
+ "label": "Non-TLS"
+ },
+ {
+ "seriesName": "mail_receipt_rejected",
+ "label": "Rejected"
+ },
+ {
+ "seriesName": "mail_receipt_spam",
+ "label": "Spam"
+ }
+ ]
+ }
+ },
+ "name": "query - 1"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Rejection Types",
+ "style": "info"
+ },
+ "name": "text - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"receipt\" and mimecastEventId_s == \"mail_receipt_rejected\" and RejType_s !=\"\"\n| summarize count() by RejType_s , bin(TimeGenerated, 1h)",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "RejType_s",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "showBorder": true,
+ "size": "auto"
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "RejType_s",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "count_",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "nodeIdField": "RejType_s",
+ "sourceIdField": "TimeGenerated",
+ "targetIdField": "count_",
+ "graphOrientation": 1,
+ "showOrientationToggles": false,
+ "nodeSize": null,
+ "staticNodeSize": 100,
+ "colorSettings": null,
+ "hivesMargin": 5
+ },
+ "chartSettings": {
+ "createOtherGroup": 0
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "count_",
+ "sizeAggregation": "Sum",
+ "legendMetric": "count_",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "count_",
+ "heatmapPalette": "greenRed"
+ }
+ }
+ },
+ "name": "query - 14"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Rejections - Spam",
+ "style": "info"
+ },
+ "name": "text - 13"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"receipt\" and mimecastEventId_s==\"mail_receipt_spam\"\n| summarize count() by Sender_s, headerFrom_s, Rcpt_s, IP_s, Subject_s, SpamScore_s, bin(TimeGenerated, 1h)\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "sortBy": [
+ {
+ "itemKey": "SpamScore_s",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "SpamScore_s",
+ "sortOrder": 1
+ }
+ ],
+ "chartSettings": {
+ "createOtherGroup": 0,
+ "seriesLabelSettings": [
+ {
+ "seriesName": "mail_receipt_spam",
+ "label": "Spam"
+ }
+ ]
+ }
+ },
+ "name": "query - 14"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Rejections - Malware",
+ "style": "info"
+ },
+ "name": "text - 15"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"receipt\" and mimecastEventId_s == \"mail_receipt_virus\" and RejType_s != \"\"\n| summarize count() by Sender_s, headerFrom_s, Rcpt_s, IP_s, Subject_s, RejInfo_s, Virus_s, Error_s, bin(TimeGenerated, 1h)",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "Sender_s",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "count_",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "mapSettings": {
+ "locInfo": "AzureResource",
+ "locInfoColumn": "Error_s",
+ "sizeAggregation": "Count",
+ "legendMetric": "count_",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "nodeColorField": "count_",
+ "colorAggregation": "Sum",
+ "type": "thresholds",
+ "thresholdsGrid": [
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "blue"
+ }
+ ]
+ }
+ }
+ },
+ "name": "query - 16"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Mail Process Events",
+ "style": "info"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"process\"\n| summarize dcount=count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "mail_process_accepted",
+ "label": "Accepted",
+ "color": "green"
+ },
+ {
+ "seriesName": "mail_process_held",
+ "label": "Held",
+ "color": "brown"
+ },
+ {
+ "seriesName": "mail_process_sandboxed",
+ "label": "Sandboxed",
+ "color": "turquoise"
+ },
+ {
+ "seriesName": "mail_process_retried",
+ "label": "Retries",
+ "color": "pink"
+ }
+ ]
+ }
+ },
+ "name": "query - 3"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Held Messages",
+ "style": "info"
+ },
+ "name": "text - 18"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"process\" and Hld_s != \"\"\n| summarize count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\n| summarize count() by Hld_s, Sender_s, Subject_s, AttSize_s, AttCnt_s, AttNames_s, MsgSize_s, bin(TimeGenerated, 1h)\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "query - 17"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Message Delivery Retried\n",
+ "style": "info"
+ },
+ "name": "text - 19"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"process\" and mimecastEventId_s==\"mail_process_retried\"\n| summarize count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\n| summarize count() by Sender_s, Subject_s, MsgId_s, AttCnt_s, AttNames_s, AttSize_s, MsgSize_s, bin(TimeGenerated, 1h)\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "sortBy": []
+ },
+ "name": "query - 20"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Messages with Sandboxed Attachments",
+ "style": "info"
+ },
+ "name": "text - 21"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"process\" and mimecastEventId_s==\"mail_process_sandboxed\"\n| summarize count() by TenantId, SourceSystem, MG, ManagementGroupName, TimeGenerated, Computer, RawData, Err_s, datetime_t, aCode_s, acc_s, Sender_s, Rcpt_s, RcptActType_s, Dir_s, RcptHdrType_s, logType_s, mimecastEventId_s, mimecastEventCategory_s, CustomThreatDictionary_s, Action_s, Hits_s, SimilarCustomExternalDomain_s, TaggedExternal_s, SimilarInternalDomain_s, IP_s, Definition_s, Recipient_s, NewDomain_s, InternalName_s, ThreatDictionary_s, MsgId_s, Subject_s, SimilarMimecastExternalDomain_s, CustomName_s, TaggedMalicious_s, ReplyMismatch_s, Route_s, Delivered_s, AttCnt_s, ReceiptAck_s, Latency_s, AttSize_s, Attempt_s, TlsVer_s, Cphr_s, Snt_s, UseTls_s, Hld_s, IPNewDomain_s, AttNames_s, MsgSize_s, IPThreadDict_s, IPSimilarDomain_s, Act_s, IPReplyMismatch_s, IPInternalName_s, SpamLimit_s, headerFrom_s, SpamInfo_s, SpamScore_s, SpamProcessingDetail_s, fileName_s, sha256_s, Size_s, SenderDomain_s, fileExt_s, sha1_s, fileMime_s, md5_g, RejType_s, Error_s, RejCode_s, RejInfo_s, aCode_g, Virus_s, UrlCategory_s, ScanResultInfo_s, URL_s, MimecastIP_s, SenderDomainInternal_s, CustomerIP_s, SourceIP, reason_s, subject_s, msgid_s, url_s, route_s, sender_s, recipient_s, action_s, urlCategory_s, credentialTheft_s, senderDomain_s, Type, _ResourceId\n| summarize count() by Sender_s, Subject_s, MsgId_s, AttSize_s, AttCnt_s, bin(TimeGenerated, 1h)\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "sortBy": []
+ },
+ "name": "query - 22"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Mail Delivery Events",
+ "style": "info"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"delivery\"\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "mail_delivery_delivered",
+ "label": "Delivered with TLS",
+ "color": "green"
+ },
+ {
+ "seriesName": "mail_delivery_delivered_notls",
+ "label": "Delivered without TLS",
+ "color": "orange"
+ },
+ {
+ "seriesName": "mail_delivery_not_delivered",
+ "label": "Undelivered",
+ "color": "red"
+ }
+ ]
+ }
+ },
+ "name": "query - 5"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "group - 2",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## TLS Versions in Use",
+ "style": "info"
+ },
+ "name": "text - 32"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"delivery\" and UseTls_s==\"Yes\"\n| summarize count() by TlsVer_s, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart"
+ },
+ "name": "query - 33"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "group - 4",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## TLS Cipher Suites in Use",
+ "style": "info"
+ },
+ "name": "text - 34"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"delivery\" and UseTls_s==\"Yes\"\n| summarize count() by Cphr_s, bin(TimeGenerated, 1h)",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 0
+ }
+ },
+ "name": "query - 35"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "group - 5",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ }
+ ]
+ },
+ "name": "group - 31"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Undelivered Messages",
+ "style": "info"
+ },
+ "name": "text - 8"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"delivery\" and mimecastEventId_s == \"mail_delivery_not_delivered\"\n| summarize count() by Dir_s, Route_s, Sender_s, Rcpt_s, RejType_s, RejCode_s, RejInfo_s, bin(TimeGenerated, 1h)\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "mail_delivery_not_delivered",
+ "label": "Undelivered"
+ }
+ ]
+ }
+ },
+ "name": "query - 12"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "## Messages Delivered without TLS",
+ "style": "info"
+ },
+ "name": "text - 17"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastSIEM_CL\n| where logType_s==\"delivery\" and mimecastEventId_s==\"mail_delivery_delivered_notls\"\n| summarize count() by Dir_s, Route_s, IP_s, Sender_s, Rcpt_s, Subject_s, Delivered_s, ReceiptAck_s, bin(TimeGenerated, 1h)\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "query - 18"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Data Leak Prevention Events"
+ },
+ "name": "text - 24"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastDLP_CL\n| where mimecastEventCategory_s == \"data_leak_prevention\"\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart",
+ "chartSettings": {
+ "group": "mimecastEventId_s",
+ "createOtherGroup": 0,
+ "seriesLabelSettings": [
+ {
+ "seriesName": "data_leak_prevention_notification",
+ "label": "Notification"
+ },
+ {
+ "seriesName": "data_leak_prevention_hold",
+ "label": "Hold"
+ },
+ {
+ "seriesName": "data_leak_prevention_smart_folder",
+ "label": "Smart Folder"
+ },
+ {
+ "seriesName": "data_leak_prevention_secure_messaging",
+ "label": "Secure Messaging"
+ },
+ {
+ "seriesName": "data_leak_prevention_secure_delivery",
+ "label": "Secure Delivery"
+ },
+ {
+ "seriesName": "data_leak_prevention_bounce",
+ "label": "Bounce"
+ },
+ {
+ "seriesName": "data_leak_prevention_stationery",
+ "label": "Stationary"
+ },
+ {
+ "seriesName": "data_leak_prevention_delete",
+ "label": "Delete"
+ },
+ {
+ "seriesName": "data_leak_prevention_meta_expire",
+ "label": "Meta Expire"
+ },
+ {
+ "seriesName": "data_leak_prevention_content_expire",
+ "label": "Content Expire"
+ }
+ ]
+ }
+ },
+ "name": "query - 23"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## DLP Events by Route",
+ "style": "info"
+ },
+ "name": "text - 31"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastDLP_CL\n| where mimecastEventCategory_s == \"data_leak_prevention\"\n| summarize count() by route_s, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "sortBy": [],
+ "chartSettings": {
+ "createOtherGroup": 0
+ }
+ },
+ "name": "query - 30"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "group - 2",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## DLP Events by Actions Triggered",
+ "style": "info"
+ },
+ "name": "text - 28"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastDLP_CL\n| where mimecastEventCategory_s == \"data_leak_prevention\"\n| summarize count() by action_s, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 0
+ }
+ },
+ "name": "query - 29"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "group - 1",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## DLP Events by Policies Triggered",
+ "style": "info"
+ },
+ "name": "text - 26"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastDLP_CL\n| where mimecastEventCategory_s == \"data_leak_prevention\"\n| summarize count() by policy_s, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 1209600000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 0
+ }
+ },
+ "name": "query - 27"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "group - 4",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ }
+ ]
+ },
+ "name": "group - 36"
+ }
+ ],
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
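Review bot: The four "Mail Process Events" queries (L10621, L10669, L10692, L10717) run an intermediate `summarize dcount=count() by TenantId, SourceSystem, ..., _ResourceId` over roughly a hundred columns, including `RawData` and `TimeGenerated`, before the real `summarize count() by ...`; grouping by every column is effectively a pass-through that only adds cost, and because custom-log columns exist in a workspace only once a record carrying that field has been ingested, a query that names an absent column is likely to fail with a column-resolution error rather than render an empty chart — worth confirming against a fresh workspace. Dropping the intermediate stage makes each query the same shape as the receipt/delivery ones, e.g. L10621 becomes `MimecastSIEM_CL\n| where logType_s==\"process\"\n| summarize count() by mimecastEventId_s, bin(TimeGenerated, 1h)`. Separately, the series label at L10981 reads `"Stationary"` for `data_leak_prevention_stationery`; `"Stationery"` is the intended word.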
diff --git a/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json b/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json
index fb8758c95cb..b408483a971 100644
--- a/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json
+++ b/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json
@@ -143,7 +143,7 @@
},
{
"title": "Deploy the Mimecast Targeted Threat Protection Data Connector:",
- "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastttp-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n"
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastTTP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n"
}
],
"metadata": {
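Review bot: The only change in the new description is the casing of the aka.ms slug (`sentinel-mimecastttp-azuredeploy` → `sentinel-MimecastTTP-azuredeploy`); aka.ms short links are, as far as I know, case-insensitive, so either both forms resolve and the change is cosmetic, or the new casing should be verified against the registered link before merge. While this string is being edited, the typo in `mimecastEmail: Email address of dedicated user for this integraion` is carried over and could be corrected to `integration`. The same description string is modified in mainTemplate.json further down, but that hunk's new side is cut off in this view.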
diff --git a/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json b/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json
index 9c351d85c08..9c31dfe37c6 100644
--- a/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json
+++ b/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json
@@ -205,7 +205,7 @@
"active_directory_tenant_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-tenant-id', '/)')]",
"log_analytics_workspace_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-id', '/)')]",
"log_analytics_workspace_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-key', '/)')]",
- "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Data%20Connectors/MimecastTTPAzureConn.zip"
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-MimecastTTP-functionapp"
}
}]
},
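Review bot: `WEBSITE_RUN_FROM_PACKAGE` now points at an aka.ms redirect instead of a github.com `/blob/` URL (which serves an HTML page rather than the zip, so the old value would not have deployed), but the function app still fetches its code at start-up from a mutable, unversioned external location with no integrity check, and that code runs with the Key Vault-backed credentials listed in the surrounding settings. Whoever can change the redirect target or the file behind it can change what executes in the customer's tenant, so consider pinning to a versioned artifact path, or exposing the package URL as a template parameter so operators can point at a copy they control, and documenting where the package is built. The enclosing `appSettings` object starts outside this hunk.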
diff --git a/Solutions/MimecastTTP/Package/3.0.0.zip b/Solutions/MimecastTTP/Package/3.0.0.zip
index 465c1bdb038..ee14592f60b 100644
Binary files a/Solutions/MimecastTTP/Package/3.0.0.zip and b/Solutions/MimecastTTP/Package/3.0.0.zip differ
diff --git a/Solutions/MimecastTTP/Package/mainTemplate.json b/Solutions/MimecastTTP/Package/mainTemplate.json
index 304012f93f3..18f641b1857 100644
--- a/Solutions/MimecastTTP/Package/mainTemplate.json
+++ b/Solutions/MimecastTTP/Package/mainTemplate.json
@@ -743,7 +743,7 @@
]
},
{
- "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastttp-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n",
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastTTP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n",
"title": "Deploy the Mimecast Targeted Threat Protection Data Connector:"
}
],
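Review bot: The rewritten description on L11179 (and its duplicate on L11190) keeps two wording defects that this pass could fix while touching the string: the typo `integraion` in the `mimecastEmail` bullet, and the inline code in the Key Vault note is glued to the surrounding words (`use the`@Microsoft.KeyVault(...)`schema`). Suggested text: `mimecastEmail: Email address of dedicated user for this integration` and `use the \`@Microsoft.KeyVault(SecretUri={Security Identifier})\` schema in place of the string values`. Since both hunks carry the same string, the fix presumably belongs in the source connector definition from which this template is generated.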
@@ -986,7 +986,7 @@
]
},
{
- "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastttp-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n",
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastTTP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n",
"title": "Deploy the Mimecast Targeted Threat Protection Data Connector:"
}
],
diff --git a/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json b/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json
index e2d9b2f84e7..e53993ba988 100644
--- a/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json
+++ b/Solutions/NXLogDnsLogs/Data Connectors/NXLogDnsLogs.json
@@ -1,8 +1,8 @@
{
- "id": "NXLogDnsLogs",
+ "id": "NXLogDNSLogs",
"title": "NXLog DNS Logs",
"publisher": "NXLog",
- "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.",
+ "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://docs.nxlog.co/refman/current/im/etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.",
"additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Microsoft Sentinel Solution to work as expected. The [**ASimDnsMicrosoftNXLog **](https://aka.ms/sentinel-nxlogdnslogs-parser) is designed to leverage Microsoft Sentinel's built-in DNS-related analytics capabilities.",
"graphQueries": [
{
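Review bot: Changing the connector `id` from `NXLogDnsLogs` to `NXLogDNSLogs` (L11202) changes the identity of the deployed data-connector resource, not just a label: in mainTemplate the same value becomes `dataConnectorContentId1` (L11308) and feeds `dataConnectorId1` (L11310), so a workspace that already has the 2.0.1 connector installed will presumably receive a second connector resource under the new name rather than an in-place upgrade, leaving the old one to be cleaned up by hand. Whether the service treats the two names as the same resource depends on its case handling, which I cannot confirm from the diff. A short migration note in the solution description or release notes (`Upgrading from 2.x: the connector id changed; disconnect and remove the old NXLogDnsLogs connector after the upgrade`) and an upgrade test against a workspace with the old connector present would settle it.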
@@ -76,7 +76,7 @@
},
{
"title": "",
- "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
+ "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://docs.nxlog.co/userguide/integrate/microsoft-azure-sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
diff --git a/Solutions/NXLogDnsLogs/Data/Solution_NXLogDnsLogs.json b/Solutions/NXLogDnsLogs/Data/Solution_NXLogDnsLogs.json
index ae7a7201dfc..985bfd00243 100644
--- a/Solutions/NXLogDnsLogs/Data/Solution_NXLogDnsLogs.json
+++ b/Solutions/NXLogDnsLogs/Data/Solution_NXLogDnsLogs.json
@@ -1,17 +1,17 @@
{
- "Name": "NXLogDnsLogs",
+ "Name": "NXLogDNSLogs",
"Author": "NXLog",
"Logo": "",
- "Description": "The [NXLog DnsLogs](https://docs.nxlog.co/refman/v5.5/im/etw.html) solution for Microsoft Sentinel enables you to ingest DNS server events. NXLog DnsLogs uses Event Tracing for Windows [(ETW)](https://docs.microsoft.com/windows/apps/trace-processing/overview?WT.mc_id=Portal-fx) for collecting both Audit and Analytical DNS server events.[The NXLog im_etw module](https://docs.nxlog.co/refman/v5.5/im/etw.html)reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+ "Description": "The [NXLog DNSLogs](https://docs.nxlog.co/refman/current/im/etw.html) solution for Microsoft Sentinel enables you to ingest DNS server events. NXLog DNSLogs uses Event Tracing for Windows [(ETW)](https://docs.microsoft.com/windows/apps/trace-processing/overview?WT.mc_id=Portal-fx) for collecting both Audit and Analytical DNS server events.[The NXLog im_etw module](https://docs.nxlog.co/refman/current/im/etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
"Data Connectors": [
"Data Connectors/NXLogDnsLogs.json"
],
"Parsers": [
- "Parsers/ASimDnsMicrosoftNXLog.txt"
+ "Parsers/ASimDnsMicrosoftNXLog.yaml"
],
- "BasePath": "C:\\GitHub\\azure\\Solutions\\NXLogDnsLogs",
- "Version": "2.0.1",
+ "BasePath": "C:\\One\\Azure-Sentinel-jszigetvari\\Solutions\\NXLogDnsLogs",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
-}
\ No newline at end of file
+}
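Review bot: `BasePath` on L11240 now commits a contributor's local checkout path, including what looks like a personal directory name, into the repository; since the packaging tool reads this field, it should carry the conventional repo checkout path used by the other solutions rather than a workstation-specific one. Separately, the new `Description` on L11230 still lacks a space before the link (`events.[The NXLog im_etw module]`), and the generated `createUiDefinition.json` description on L11261 reproduces the same defect where the old text had the space. Suggested text: `DNS server events. [The NXLog im_etw module](https://docs.nxlog.co/refman/current/im/etw.html) reads event tracing data directly`.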
diff --git a/Solutions/NXLogDnsLogs/Package/3.0.0.zip b/Solutions/NXLogDnsLogs/Package/3.0.0.zip
new file mode 100644
index 00000000000..4ba4a625d73
Binary files /dev/null and b/Solutions/NXLogDnsLogs/Package/3.0.0.zip differ
diff --git a/Solutions/NXLogDnsLogs/Package/createUiDefinition.json b/Solutions/NXLogDnsLogs/Package/createUiDefinition.json
index 3fb5d8f3377..af507b043d2 100644
--- a/Solutions/NXLogDnsLogs/Package/createUiDefinition.json
+++ b/Solutions/NXLogDnsLogs/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [NXLog DnsLogs](https://docs.nxlog.co/refman/v5.5/im/etw.html) solution for Microsoft Sentinel enables you to ingest DNS server events. NXLog DnsLogs uses Event Tracing for Windows [(ETW)](https://docs.microsoft.com/windows/apps/trace-processing/overview?WT.mc_id=Portal-fx) for collecting both Audit and Analytical DNS server events. [The NXLog im_etw module](https://docs.nxlog.co/refman/v5.5/im/etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. \r\n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [NXLog DNSLogs](https://docs.nxlog.co/refman/current/im/etw.html) solution for Microsoft Sentinel enables you to ingest DNS server events. NXLog DNSLogs uses Event Tracing for Windows [(ETW)](https://docs.microsoft.com/windows/apps/trace-processing/overview?WT.mc_id=Portal-fx) for collecting both Audit and Analytical DNS server events.[The NXLog im_etw module](https://docs.nxlog.co/refman/current/im/etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. \n \n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the data connector for ingesting DNS server events from NXLog DnsLogs into Microsoft Sentinel through the Azure Monitor HTTP Data Collector REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for NXLogDNSLogs. You can get NXLogDNSLogs custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The solution also installs a parser that transforms ingested data. The transformed logs can be accessed using the NXLogDnsLogs Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
diff --git a/Solutions/NXLogDnsLogs/Package/mainTemplate.json b/Solutions/NXLogDnsLogs/Package/mainTemplate.json
index c2b3d3d6564..90e426f7991 100644
--- a/Solutions/NXLogDnsLogs/Package/mainTemplate.json
+++ b/Solutions/NXLogDnsLogs/Package/mainTemplate.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"metadata": {
"author": "NXLog",
- "comments": "Solution template for NXLogDnsLogs"
+ "comments": "Solution template for NXLogDNSLogs"
},
"parameters": {
"location": {
@@ -30,55 +30,41 @@
}
},
"variables": {
+ "_solutionName": "NXLogDNSLogs",
+ "_solutionVersion": "3.0.0",
"solutionId": "nxlogltd1589381969261.nxlog_dns_logs",
"_solutionId": "[variables('solutionId')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "uiConfigId1": "NXLogDnsLogs",
+ "uiConfigId1": "NXLogDNSLogs",
"_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "NXLogDnsLogs",
+ "dataConnectorContentId1": "NXLogDNSLogs",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
- "parserVersion1": "1.0.0",
- "parserContentId1": "ASimDnsMicrosoftNXLog-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"parserName1": "ASimDnsMicrosoftNXLog",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "ASimDnsMicrosoftNXLog-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "NXLogDnsLogs data connector with template",
- "displayName": "NXLogDnsLogs template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NXLogDnsLogs data connector with template version 2.0.1",
+ "description": "NXLogDNSLogs data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
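Review bot: The new `_dataConnectorcontentProductId1` (L11318) and the content `version` fields are derived from `dataConnectorVersion1`, which stays at `1.0.0` (L11314) even though this commit changes the connector's id, description links and support link; `parserVersion1` likewise stays `1.0.0` (L11325) while the parser's category, apiVersion and query change in the later hunk. If the content hub keys update detection on these per-item product ids or versions, the changed connector and parser presumably will not be offered as updates to existing installs, even though the package version moves to 3.0.0. Either bump `"dataConnectorVersion1": "1.0.1"` and `"parserVersion1": "1.0.1"`, or record why the item versions are intentionally frozen. The parser migration hunk that starts at L11471 has the same shape.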
@@ -96,7 +82,7 @@
"id": "[variables('_uiConfigId1')]",
"title": "NXLog DNS Logs",
"publisher": "NXLog",
- "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.",
+ "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://docs.nxlog.co/refman/current/im/etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.",
"additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Microsoft Sentinel Solution to work as expected. The [**ASimDnsMicrosoftNXLog **](https://aka.ms/sentinel-nxlogdnslogs-parser) is designed to leverage Microsoft Sentinel's built-in DNS-related analytics capabilities.",
"graphQueries": [
{
@@ -166,7 +152,7 @@
"description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Microsoft Sentinel Solution to work as expected. The [**ASimDnsMicrosoftNXLog **](https://aka.ms/sentinel-nxlogdnslogs-parser) is designed to leverage Microsoft Sentinel's built-in DNS-related analytics capabilities."
},
{
- "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
+ "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://docs.nxlog.co/userguide/integrate/microsoft-azure-sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
@@ -194,7 +180,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -203,7 +189,7 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
- "name": "NXLogDnsLogs",
+ "name": "NXLogDNSLogs",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -212,17 +198,28 @@
"support": {
"name": "NXLog",
"tier": "Partner",
- "link": "https://nxlog.co/user?destination=node/add/support-ticket"
+ "link": "https://nxlog.co/support-tickets/add/support-ticket"
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "NXLog DNS Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -235,7 +232,7 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
- "name": "NXLogDnsLogs",
+ "name": "NXLogDNSLogs",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -244,7 +241,7 @@
"support": {
"name": "NXLog",
"tier": "Partner",
- "link": "https://nxlog.co/user?destination=node/add/support-ticket"
+ "link": "https://nxlog.co/support-tickets/add/support-ticket"
}
}
},
@@ -258,7 +255,7 @@
"connectorUiConfig": {
"title": "NXLog DNS Logs",
"publisher": "NXLog",
- "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.",
+ "descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://docs.nxlog.co/refman/current/im/etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.",
"graphQueries": [
{
"metricName": "Total data received",
@@ -327,7 +324,7 @@
"description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Microsoft Sentinel Solution to work as expected. The [**ASimDnsMicrosoftNXLog **](https://aka.ms/sentinel-nxlogdnslogs-parser) is designed to leverage Microsoft Sentinel's built-in DNS-related analytics capabilities."
},
{
- "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
+ "description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://docs.nxlog.co/userguide/integrate/microsoft-azure-sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
@@ -356,33 +353,15 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
- "properties": {
- "description": "ASimDnsMicrosoftNXLog Data Parser with template",
- "displayName": "ASimDnsMicrosoftNXLog Data Parser template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ASimDnsMicrosoftNXLog Data Parser with template version 2.0.1",
+ "description": "ASimDnsMicrosoftNXLog Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@@ -391,20 +370,21 @@
"resources": [
{
"name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ASimDnsMicrosoftNXLog",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "ASimDnsMicrosoftNXLog",
- "query": "\nlet ASimDnsMicrosoftNXLog = view () {\r\n let EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\r\n 256, 'Query'\r\n , 257, 'Query'\r\n , 258, 'Query'\r\n , 259, 'Query'\r\n , 260, 'Query'\r\n , 261, 'Query'\r\n , 262, 'Query'\r\n , 263, 'Dynamic update'\r\n , 264, 'Dynamic update'\r\n , 265, 'Zone XFR'\r\n , 266, 'Zone XFR'\r\n , 267, 'Zone XFR'\r\n , 268, 'Zone XFR'\r\n , 269, 'Zone XFR'\r\n , 270, 'Zone XFR'\r\n , 271, 'Zone XFR'\r\n , 272, 'Zone XFR'\r\n , 273, 'Zone XFR'\r\n , 274, 'Zone XFR'\r\n , 275, 'Zone XFR'\r\n , 276, 'Zone XFR'\r\n , 277, 'Dynamic update'\r\n , 278, 'Dynamic update'\r\n , 279, 'Query'\r\n , 280, 'Query'\r\n ];\r\n let EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\r\n 256, 'request'\r\n , 257, 'response'\r\n , 258, 'response'\r\n , 259, 'response'\r\n , 260, 'request'\r\n , 261, 'response'\r\n , 262, 'response'\r\n , 263, 'request'\r\n , 264, 'response'\r\n , 265, 'request'\r\n , 266, 'request'\r\n , 267, 'response'\r\n , 268, 'response'\r\n , 269, 'request'\r\n , 270, 'request'\r\n , 271, 'response'\r\n , 272, 'response'\r\n , 273, 'request'\r\n , 274, 'request'\r\n , 275, 'response'\r\n , 276, 'response'\r\n , 277, 'request'\r\n , 278, 'response'\r\n , 279, 'NA'\r\n , 280, 'NA'\r\n ];\r\n let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\r\n 256, 'NA'\r\n , 257, 'Success'\r\n , 258, 'Failure'\r\n , 259, 'Failure'\r\n , 260, 'NA'\r\n , 261, 'NA'\r\n , 262, 'Failure'\r\n , 263, 'NA'\r\n , 264, 'Based on RCODE'\r\n , 265, 'NA'\r\n , 266, 'NA'\r\n , 267, 'Based on RCODE'\r\n , 268, 'Based on RCODE'\r\n , 269, 'NA'\r\n , 270, 'NA'\r\n , 271, 'Based on RCODE'\r\n , 272, 'Based on RCODE'\r\n , 273, 'NA'\r\n , 274, 'NA'\r\n , 275, 'Success'\r\n , 276, 'Success'\r\n , 277, 'NA'\r\n , 278, 'Based on RCODE'\r\n , 279, 'NA'\r\n , 280, 'NA'\r\n ];\r\n let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\r\n 0,'NOERROR'\r\n , 1,'FORMERR'\r\n , 
2,'SERVFAIL'\r\n , 3,'NXDOMAIN'\r\n , 4,'NOTIMP'\r\n , 5,'REFUSED'\r\n , 6,'YXDOMAIN'\r\n , 7,'YXRRSET'\r\n , 8,'NXRRSET'\r\n , 9,'NOTAUTH'\r\n , 10,'NOTZONE'\r\n , 11,'DSOTYPENI'\r\n , 16,'BADVERS'\r\n , 16,'BADSIG'\r\n , 17,'BADKEY'\r\n , 18,'BADTIME'\r\n , 19,'BADMODE'\r\n , 20,'BADNAME'\r\n , 21,'BADALG'\r\n , 22,'BADTRUNC'\r\n , 23,'BADCOOKIE'\r\n ];\r\n let QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\r\n 0, 'Reserved'\r\n , 1, 'A'\r\n , 2, 'NS'\r\n , 3, 'MD'\r\n , 4, 'MF'\r\n , 5, 'CNAME'\r\n , 6, 'SOA'\r\n , 7, 'MB'\r\n , 8 ,'MG'\r\n , 9 ,'MR'\r\n , 10,'NULL'\r\n , 11,'WKS'\r\n , 12,'PTR'\r\n , 13,'HINFO'\r\n , 14,'MINFO'\r\n , 15,'MX'\r\n , 16,'TXT'\r\n , 17,'RP'\r\n , 18,'AFSDB'\r\n , 19,'X25'\r\n , 20,'ISDN'\r\n , 21,'RT'\r\n , 22,'NSAP'\r\n , 23,'NSAP-PTR'\r\n , 24,'SIG'\r\n , 25,'KEY'\r\n , 26,'PX'\r\n , 27,'GPOS'\r\n , 28,'AAAA'\r\n , 29,'LOC'\r\n , 30,'NXT'\r\n , 31,'EID'\r\n , 32,'NIMLOC'\r\n , 33,'SRV'\r\n ];\r\n NXLog_DNS_Server_CL\r\n | where EventID_d < 281\r\n | project-rename\r\n DnsFlags=Flags_s,\r\n DnsQuery=QNAME_s,\r\n DnsQueryType=QTYPE_s,\r\n DnsResponseCode=RCODE_s,\r\n DnsResponseName=PacketData_s,\r\n Dvc=Hostname_s,\r\n DvcIpAddr=HostIP_s,\r\n EventOriginalType=EventID_d,\r\n EventOriginalUid=GUID_g,\r\n EventStartTime=EventTime_t,\r\n SrcPortNumber=Port_s,\r\n SrcIpAddr=Source_s\r\n | extend\r\n DnsQuery=trim_end(\".\",DnsQuery),\r\n DnsQueryType=toint(DnsQueryType),\r\n DnsResponseCode=toint(DnsResponseCode),\r\n DvcHostname=Dvc,\r\n EventEndTime=EventStartTime,\r\n EventProduct=\"Microsoft DNS Server\",\r\n EventSchemaVersion=\"0.1.1\",\r\n EventVendor=\"Microsoft\",\r\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\r\n TransactionIdHex=tohex(toint(XID_s))\r\n | lookup EventTypeTable on EventOriginalType\r\n | lookup EventSubTypeTable on EventOriginalType\r\n | lookup EventResultTable on EventOriginalType\r\n | lookup RCodeTable on DnsResponseCode\r\n | lookup QTypeTable on DnsQueryType\r\n | extend\r\n 
EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\r\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\r\n , 'Unassigned')\r\n | extend\r\n Domain=DnsQuery,\r\n DnsResponseCodeName=EventResultDetails,\r\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\r\n , DnsQueryType between (66 .. 98), 'Unassigned'\r\n , DnsQueryType between (110 .. 248), 'Unassigned'\r\n , DnsQueryType between (261 .. 32767), 'Unassigned'\r\n , 'Unassigned'),\r\n EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult)\r\n | project-away\r\n AA_s,\r\n AD_s,\r\n AdditionalInfo_s,\r\n BufferSize_s,\r\n AccountName_s,\r\n AccountType_s,\r\n CacheScope_s,\r\n ChannelID_d,\r\n Destination_s,\r\n DNSSEC_s,\r\n Domain_s,\r\n ElapsedTime_s,\r\n EventReceivedTime_t,\r\n EventType_s,\r\n ExecutionProcessID_d,\r\n ExecutionThreadID_d,\r\n InterfaceIP_s,\r\n Keywords_s,\r\n OpcodeValue_d,\r\n PolicyName_s,\r\n ProviderGuid_g,\r\n QXID_s,\r\n RD_s,\r\n Reason_s,\r\n RecursionDepth_s,\r\n RecursionScope_s,\r\n ResponseCodeName,\r\n Scope_s,\r\n Severity_s,\r\n SeverityValue_d,\r\n SourceModuleName_s,\r\n SourceModuleType_s,\r\n SourceName_s,\r\n TaskValue_d,\r\n TCP_s,\r\n UserID_s,\r\n Version_d,\r\n XID_s,\r\n Zone_s\r\n};\r\nASimDnsMicrosoftNXLog();",
- "version": 1,
+ "query": "_Im_Dns\n| where EventVendor == \"Microsoft\" and EventProduct == \"DNS Server\"\n",
+ "functionParameters": "",
+ "version": 2,
"tags": [
{
"name": "description",
- "value": "ASimDnsMicrosoftNXLog"
+ "value": ""
}
]
}
@@ -422,7 +402,7 @@
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
- "name": "NXLogDnsLogs",
+ "name": "NXLogDNSLogs",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
@@ -432,26 +412,44 @@
"support": {
"name": "NXLog",
"tier": "Partner",
- "link": "https://nxlog.co/user?destination=node/add/support-ticket"
+ "link": "https://nxlog.co/support-tickets/add/support-ticket"
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "ASimDnsMicrosoftNXLog",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
+ "apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ASimDnsMicrosoftNXLog",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "ASimDnsMicrosoftNXLog",
- "query": "\nlet ASimDnsMicrosoftNXLog = view () {\r\n let EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\r\n 256, 'Query'\r\n , 257, 'Query'\r\n , 258, 'Query'\r\n , 259, 'Query'\r\n , 260, 'Query'\r\n , 261, 'Query'\r\n , 262, 'Query'\r\n , 263, 'Dynamic update'\r\n , 264, 'Dynamic update'\r\n , 265, 'Zone XFR'\r\n , 266, 'Zone XFR'\r\n , 267, 'Zone XFR'\r\n , 268, 'Zone XFR'\r\n , 269, 'Zone XFR'\r\n , 270, 'Zone XFR'\r\n , 271, 'Zone XFR'\r\n , 272, 'Zone XFR'\r\n , 273, 'Zone XFR'\r\n , 274, 'Zone XFR'\r\n , 275, 'Zone XFR'\r\n , 276, 'Zone XFR'\r\n , 277, 'Dynamic update'\r\n , 278, 'Dynamic update'\r\n , 279, 'Query'\r\n , 280, 'Query'\r\n ];\r\n let EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\r\n 256, 'request'\r\n , 257, 'response'\r\n , 258, 'response'\r\n , 259, 'response'\r\n , 260, 'request'\r\n , 261, 'response'\r\n , 262, 'response'\r\n , 263, 'request'\r\n , 264, 'response'\r\n , 265, 'request'\r\n , 266, 'request'\r\n , 267, 'response'\r\n , 268, 'response'\r\n , 269, 'request'\r\n , 270, 'request'\r\n , 271, 'response'\r\n , 272, 'response'\r\n , 273, 'request'\r\n , 274, 'request'\r\n , 275, 'response'\r\n , 276, 'response'\r\n , 277, 'request'\r\n , 278, 'response'\r\n , 279, 'NA'\r\n , 280, 'NA'\r\n ];\r\n let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\r\n 256, 'NA'\r\n , 257, 'Success'\r\n , 258, 'Failure'\r\n , 259, 'Failure'\r\n , 260, 'NA'\r\n , 261, 'NA'\r\n , 262, 'Failure'\r\n , 263, 'NA'\r\n , 264, 'Based on RCODE'\r\n , 265, 'NA'\r\n , 266, 'NA'\r\n , 267, 'Based on RCODE'\r\n , 268, 'Based on RCODE'\r\n , 269, 'NA'\r\n , 270, 'NA'\r\n , 271, 'Based on RCODE'\r\n , 272, 'Based on RCODE'\r\n , 273, 'NA'\r\n , 274, 'NA'\r\n , 275, 'Success'\r\n , 276, 'Success'\r\n , 277, 'NA'\r\n , 278, 'Based on RCODE'\r\n , 279, 'NA'\r\n , 280, 'NA'\r\n ];\r\n let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\r\n 0,'NOERROR'\r\n , 1,'FORMERR'\r\n , 
2,'SERVFAIL'\r\n , 3,'NXDOMAIN'\r\n , 4,'NOTIMP'\r\n , 5,'REFUSED'\r\n , 6,'YXDOMAIN'\r\n , 7,'YXRRSET'\r\n , 8,'NXRRSET'\r\n , 9,'NOTAUTH'\r\n , 10,'NOTZONE'\r\n , 11,'DSOTYPENI'\r\n , 16,'BADVERS'\r\n , 16,'BADSIG'\r\n , 17,'BADKEY'\r\n , 18,'BADTIME'\r\n , 19,'BADMODE'\r\n , 20,'BADNAME'\r\n , 21,'BADALG'\r\n , 22,'BADTRUNC'\r\n , 23,'BADCOOKIE'\r\n ];\r\n let QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\r\n 0, 'Reserved'\r\n , 1, 'A'\r\n , 2, 'NS'\r\n , 3, 'MD'\r\n , 4, 'MF'\r\n , 5, 'CNAME'\r\n , 6, 'SOA'\r\n , 7, 'MB'\r\n , 8 ,'MG'\r\n , 9 ,'MR'\r\n , 10,'NULL'\r\n , 11,'WKS'\r\n , 12,'PTR'\r\n , 13,'HINFO'\r\n , 14,'MINFO'\r\n , 15,'MX'\r\n , 16,'TXT'\r\n , 17,'RP'\r\n , 18,'AFSDB'\r\n , 19,'X25'\r\n , 20,'ISDN'\r\n , 21,'RT'\r\n , 22,'NSAP'\r\n , 23,'NSAP-PTR'\r\n , 24,'SIG'\r\n , 25,'KEY'\r\n , 26,'PX'\r\n , 27,'GPOS'\r\n , 28,'AAAA'\r\n , 29,'LOC'\r\n , 30,'NXT'\r\n , 31,'EID'\r\n , 32,'NIMLOC'\r\n , 33,'SRV'\r\n ];\r\n NXLog_DNS_Server_CL\r\n | where EventID_d < 281\r\n | project-rename\r\n DnsFlags=Flags_s,\r\n DnsQuery=QNAME_s,\r\n DnsQueryType=QTYPE_s,\r\n DnsResponseCode=RCODE_s,\r\n DnsResponseName=PacketData_s,\r\n Dvc=Hostname_s,\r\n DvcIpAddr=HostIP_s,\r\n EventOriginalType=EventID_d,\r\n EventOriginalUid=GUID_g,\r\n EventStartTime=EventTime_t,\r\n SrcPortNumber=Port_s,\r\n SrcIpAddr=Source_s\r\n | extend\r\n DnsQuery=trim_end(\".\",DnsQuery),\r\n DnsQueryType=toint(DnsQueryType),\r\n DnsResponseCode=toint(DnsResponseCode),\r\n DvcHostname=Dvc,\r\n EventEndTime=EventStartTime,\r\n EventProduct=\"Microsoft DNS Server\",\r\n EventSchemaVersion=\"0.1.1\",\r\n EventVendor=\"Microsoft\",\r\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\r\n TransactionIdHex=tohex(toint(XID_s))\r\n | lookup EventTypeTable on EventOriginalType\r\n | lookup EventSubTypeTable on EventOriginalType\r\n | lookup EventResultTable on EventOriginalType\r\n | lookup RCodeTable on DnsResponseCode\r\n | lookup QTypeTable on DnsQueryType\r\n | extend\r\n 
EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\r\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\r\n , 'Unassigned')\r\n | extend\r\n Domain=DnsQuery,\r\n DnsResponseCodeName=EventResultDetails,\r\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\r\n , DnsQueryType between (66 .. 98), 'Unassigned'\r\n , DnsQueryType between (110 .. 248), 'Unassigned'\r\n , DnsQueryType between (261 .. 32767), 'Unassigned'\r\n , 'Unassigned'),\r\n EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult)\r\n | project-away\r\n AA_s,\r\n AD_s,\r\n AdditionalInfo_s,\r\n BufferSize_s,\r\n AccountName_s,\r\n AccountType_s,\r\n CacheScope_s,\r\n ChannelID_d,\r\n Destination_s,\r\n DNSSEC_s,\r\n Domain_s,\r\n ElapsedTime_s,\r\n EventReceivedTime_t,\r\n EventType_s,\r\n ExecutionProcessID_d,\r\n ExecutionThreadID_d,\r\n InterfaceIP_s,\r\n Keywords_s,\r\n OpcodeValue_d,\r\n PolicyName_s,\r\n ProviderGuid_g,\r\n QXID_s,\r\n RD_s,\r\n Reason_s,\r\n RecursionDepth_s,\r\n RecursionScope_s,\r\n ResponseCodeName,\r\n Scope_s,\r\n Severity_s,\r\n SeverityValue_d,\r\n SourceModuleName_s,\r\n SourceModuleType_s,\r\n SourceName_s,\r\n TaskValue_d,\r\n TCP_s,\r\n UserID_s,\r\n Version_d,\r\n XID_s,\r\n Zone_s\r\n};\r\nASimDnsMicrosoftNXLog();",
- "version": 1
+ "query": "_Im_Dns\n| where EventVendor == \"Microsoft\" and EventProduct == \"DNS Server\"\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
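Review bot: The replacement parser query at the `"query"` line filters `_Im_Dns` on `EventProduct == "DNS Server"`, while the implementation it removes set `EventProduct="Microsoft DNS Server"`; if the source-specific ASIM parser that feeds `_Im_Dns` for NXLog still emits the old value, this function silently returns no rows, so the value should be confirmed against that parser before release. The new function also depends on the ASIM unifying parser `_Im_Dns` being present in the workspace, and none of the visible hunks declare that dependency for this solution. The description tag is emptied at the same time (`"value": ""`); keeping a one-line description such as `"value": "ASIM DNS wrapper for NXLog Microsoft DNS Server events; requires the ASIM DNS unifying parser (_Im_Dns)"` would tell operators where the rows come from. The same query and emptied description appear in the earlier savedSearches resource of this file, whose hunk begins before this view.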
@@ -469,7 +467,7 @@
"version": "[variables('parserVersion1')]",
"source": {
"kind": "Solution",
- "name": "NXLogDnsLogs",
+ "name": "NXLogDNSLogs",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -478,23 +476,30 @@
"support": {
"name": "NXLog",
"tier": "Partner",
- "link": "https://nxlog.co/user?destination=node/add/support-ticket"
+ "link": "https://nxlog.co/support-tickets/add/support-ticket"
}
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "NXLogDNSLogs",
+ "publisherDisplayName": "NXLog",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The NXLog DNSLogs solution for Microsoft Sentinel enables you to ingest DNS server events. NXLog DNSLogs uses Event Tracing for Windows (ETW) for collecting both Audit and Analytical DNS server events.The NXLog im_etw module reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file.
\n
Underlying Microsoft Technologies used:
\n
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The OneLogin solution for Microsoft Sentinel provides the capability to ingest common OneLogin IAM Platform events into Microsoft Sentinel through Webhooks.
\n
Underlying Microsoft Technologies used:
\n
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
PaloAltoCDL via AMA - This data connector helps in ingesting PaloAltoCDL logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
PaloAltoCDL via Legacy Agent - This data connector helps in ingesting PaloAltoCDL logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of PaloAltoCDL via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -2871,9 +3149,14 @@
"operator": "AND",
"criteria": [
{
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
},
{
"kind": "Parser",
@@ -2881,59 +3164,9 @@
"version": "[variables('parserVersion1')]"
},
{
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "version": "[variables('huntingQueryVersion7')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "version": "[variables('huntingQueryVersion8')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "version": "[variables('huntingQueryVersion9')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "version": "[variables('huntingQueryVersion10')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
},
{
"kind": "AnalyticsRule",
@@ -2984,6 +3217,56 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId10')]",
"version": "[variables('analyticRuleVersion10')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
}
]
},
diff --git a/Solutions/PaloAltoCDL/ReleaseNotes.md b/Solutions/PaloAltoCDL/ReleaseNotes.md
new file mode 100644
index 00000000000..2ebb0688703
--- /dev/null
+++ b/Solutions/PaloAltoCDL/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA **Data Connector** | |
+
+
diff --git a/Solutions/SailPointIdentityNow/Data Connectors/SearchEvent.zip b/Solutions/SailPointIdentityNow/Data Connectors/SearchEvent.zip
index aa60f69db12..4eea89898af 100644
Binary files a/Solutions/SailPointIdentityNow/Data Connectors/SearchEvent.zip and b/Solutions/SailPointIdentityNow/Data Connectors/SearchEvent.zip differ
diff --git a/Solutions/SailPointIdentityNow/Data Connectors/requirements.txt b/Solutions/SailPointIdentityNow/Data Connectors/requirements.txt
index e96dbdbb84e..f0e4152235a 100644
--- a/Solutions/SailPointIdentityNow/Data Connectors/requirements.txt
+++ b/Solutions/SailPointIdentityNow/Data Connectors/requirements.txt
@@ -9,4 +9,4 @@ azure-storage==0.36.0
azure-data-tables==12.1.0
azure-cosmos==4.2.0
azure-cosmosdb-table==1.0.6
-cryptography==41.0.3
\ No newline at end of file
+cryptography==41.0.4
\ No newline at end of file
diff --git a/Solutions/Salesforce Service Cloud/Data Connectors/SalesforceServiceCloud_API_FunctionApp.json b/Solutions/Salesforce Service Cloud/Data Connectors/SalesforceServiceCloud_API_FunctionApp.json
index 26fb37a9b99..de8cbaa4c27 100644
--- a/Solutions/Salesforce Service Cloud/Data Connectors/SalesforceServiceCloud_API_FunctionApp.json
+++ b/Solutions/Salesforce Service Cloud/Data Connectors/SalesforceServiceCloud_API_FunctionApp.json
@@ -79,7 +79,7 @@
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
- "description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Parsers/SalesforceServiceCloud.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://aka.ms/sentinel-SalesforceServiceCloud-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"title": "",
@@ -114,21 +114,40 @@
]
},
{
- "title": "Option 1 - Azure Resource Manager (ARM) Template",
- "description": "Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
- },
- {
- "title": "Option 2 - Manual Deployment of Azure Functions",
- "description": "Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."
- },
- {
- "title": "",
- "description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SalesforceXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
- },
- {
- "title": "",
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSalesforceUser\n\t\tSalesforcePass\n\t\tSalesforceSecurityToken\n\t\tSalesforceConsumerKey\n\t\tSalesforceConsumerSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n3. Once all application settings have been entered, click **Save**."
-
- }
- ]
-}
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Functions",
+ "description": "Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Step 1 - Deploy a Function App",
+ "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+ },
+ {
+ "title": "Step 2 - Configure the Function App",
+ "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSalesforceUser\n\t\tSalesforcePass\n\t\tSalesforceSecurityToken\n\t\tSalesforceConsumerKey\n\t\tSalesforceConsumerSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n5. Once all application settings have been entered, click **Save**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
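Review bot: The `logAnalyticsUri` example in the Step 2 description reads `https://.ods.opinsights.azure.us`, which has no workspace-identifier in front of the host (presumably an angle-bracket placeholder stripped during editing); it should read along the lines of `https://<WorkspaceID>.ods.opinsights.azure.us` so the reader knows what to substitute. Step 2 also directs the operator to enter `SalesforcePass`, `SalesforceSecurityToken`, `SalesforceConsumerSecret` and `WorkspaceKey` as plain application settings, while the Key Vault guidance in the hunk at line 79 of this file is marked optional; a sentence in Step 2 pointing to Key Vault references for those four settings would make the two steps consistent. `ARM Tempate` in the Option 1 description is a typo for `ARM Template`.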
diff --git a/Solutions/Salesforce Service Cloud/Data/Solution_TSalesforceCloudtemplateSpec.json b/Solutions/Salesforce Service Cloud/Data/Solution_TSalesforceCloudtemplateSpec.json
index 156f95e1ca0..5ea02a1e7c2 100644
--- a/Solutions/Salesforce Service Cloud/Data/Solution_TSalesforceCloudtemplateSpec.json
+++ b/Solutions/Salesforce Service Cloud/Data/Solution_TSalesforceCloudtemplateSpec.json
@@ -2,7 +2,7 @@
"Name": "Salesforce Service Cloud",
"Author": "Microsoft - support@microsoft.com",
"Logo": "",
- "Description": "The [Salesforce Service Cloud](https://www.salesforce.com/in/products/service-cloud/overview/) solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview).",
+ "Description": "The [Salesforce Service Cloud](https://www.salesforce.com/in/products/service-cloud/overview/) solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"Analytic Rules": [
"Analytic Rules/Salesforce-BruteForce.yaml",
"Analytic Rules/Salesforce-PasswordSpray.yaml",
@@ -12,13 +12,13 @@
"Data Connectors/SalesforceServiceCloud_API_FunctionApp.json"
],
"Parsers": [
- "Parsers/SalesforceServiceCloud.txt"
+ "Parsers/SalesforceServiceCloud.yaml"
],
"Workbooks": [
"Workbooks/SalesforceServiceCloud.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Salesforce Service Cloud",
- "Version": "2.0.4",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Salesforce Service Cloud/Data/system_generated_metadata.json b/Solutions/Salesforce Service Cloud/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..0834e9ec209
--- /dev/null
+++ b/Solutions/Salesforce Service Cloud/Data/system_generated_metadata.json
@@ -0,0 +1,33 @@
+{
+ "Name": "Salesforce Service Cloud",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Salesforce Service Cloud](https://www.salesforce.com/in/products/service-cloud/overview/) solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview).",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Salesforce Service Cloud",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-salesforceservicecloud",
+ "providers": [
+ "Salesforce"
+ ],
+ "categories": {
+ "domains": [
+ "Cloud Provider"
+ ],
+ "verticals": []
+ },
+ "firstPublishDate": "2022-05-16",
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ },
+ "Data Connectors": "[\n \"Data Connectors/SalesforceServiceCloud_API_FunctionApp.json\"\n]",
+ "Parsers": "[\n \"SalesforceServiceCloud.yaml\"\n]",
+ "Workbooks": "[\n \"Workbooks/SalesforceServiceCloud.json\"\n]",
+ "Analytic Rules": "[\n \"Salesforce-BruteForce.yaml\",\n \"Salesforce-PasswordSpray.yaml\",\n \"Salesforce-SigninsMultipleCountries.yaml\"\n]"
+}
diff --git a/Solutions/Salesforce Service Cloud/Package/3.0.0.zip b/Solutions/Salesforce Service Cloud/Package/3.0.0.zip
new file mode 100644
index 00000000000..611ed9a2e28
Binary files /dev/null and b/Solutions/Salesforce Service Cloud/Package/3.0.0.zip differ
diff --git a/Solutions/Salesforce Service Cloud/Package/createUiDefinition.json b/Solutions/Salesforce Service Cloud/Package/createUiDefinition.json
index 66d3f3ad677..09c7fec5421 100644
--- a/Solutions/Salesforce Service Cloud/Package/createUiDefinition.json
+++ b/Solutions/Salesforce Service Cloud/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Salesforce Service Cloud](https://www.salesforce.com/in/products/service-cloud/overview/) solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Salesforce%20Service%20Cloud/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Salesforce Service Cloud](https://www.salesforce.com/in/products/service-cloud/overview/) solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This Solution installs the data connector for Salesforce Service Cloud. You can get Salesforce Service Cloud custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides the ability to review events in your org on an accelerated basis and get event log files in hourly increments for recent activity. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the SalesforceServiceCloud Kusto Function alias."
}
},
{
diff --git a/Solutions/Salesforce Service Cloud/Package/mainTemplate.json b/Solutions/Salesforce Service Cloud/Package/mainTemplate.json
index 7f281d5c0f2..b114a3242f1 100644
--- a/Solutions/Salesforce Service Cloud/Package/mainTemplate.json
+++ b/Solutions/Salesforce Service Cloud/Package/mainTemplate.json
@@ -42,140 +42,236 @@
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
- "analyticRuleVersion1": "1.0.1",
- "analyticRulecontentId1": "5a6ce089-e756-40fb-b022-c8e8864a973a",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "analyticRuleVersion2": "1.0.1",
- "analyticRulecontentId2": "64d16e62-1a17-4a35-9ea7-2b9fe6f07118",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
- "analyticRuleVersion3": "1.0.1",
- "analyticRulecontentId3": "3094e036-e5ae-4d6e-8626-b0f86ebc71f2",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]",
+ "_solutionName": "Salesforce Service Cloud",
+ "_solutionVersion": "3.0.0",
"uiConfigId1": "SalesforceServiceCloud",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "SalesforceServiceCloud",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
- "parserVersion1": "1.0.0",
- "parserContentId1": "SalesforceServiceCloud-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"parserName1": "SalesforceServiceCloud",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "SalesforceServiceCloud-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "SalesforceServiceCloudWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]"
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "analyticRuleVersion1": "1.0.1",
+ "analyticRulecontentId1": "5a6ce089-e756-40fb-b022-c8e8864a973a",
+ "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
+ "analyticRuleVersion2": "1.0.1",
+ "analyticRulecontentId2": "64d16e62-1a17-4a35-9ea7-2b9fe6f07118",
+ "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
+ "analyticRuleVersion3": "1.0.1",
+ "analyticRulecontentId3": "3094e036-e5ae-4d6e-8626-b0f86ebc71f2",
+ "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Salesforce Service Cloud Analytics Rule 1 with template",
- "displayName": "Salesforce Service Cloud Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Salesforce-BruteForce_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "Salesforce Service Cloud data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
"properties": {
- "description": "Identifies evidence of brute force activity against a user based on multiple authentication failures \nand at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.",
- "displayName": "Brute force attack against user credentials",
- "enabled": false,
- "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet Failures =\nSalesforceServiceCloud\n| where EventType == \"Login\" and LoginStatus != \"LOGIN_NO_ERROR\"\n| summarize\n FailureStartTime = min(TimeGenerated),\n FailureEndTime = max(TimeGenerated),\n IpAddresses = make_set (ClientIp, 100),\n FailureCount = count() by User, UserId, UserType;\n SalesforceServiceCloud\n | where EventType == \"Login\" and LoginStatus == \"LOGIN_NO_ERROR\"\n | summarize\n SuccessStartTime = min(TimeGenerated),\n SuccessEndTime = max(TimeGenerated),\n IpAddresses = make_set (ClientIp, 100),\n SuccessCount = count() by User, UserId, UserType\n | join kind=leftouter Failures on UserId\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n | where FailureEndTime < SuccessStartTime\n | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses\n",
- "queryFrequency": "PT20M",
- "queryPeriod": "PT20M",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "SalesforceServiceCloud"
- ],
- "connectorId": "SalesforceServiceCloud"
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1110"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Salesforce Service Cloud (using Azure Functions)",
+ "publisher": "Salesforce",
+ "descriptionMarkdown": "The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get [event log files](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/event_log_file_hourly_overview.htm) in hourly increments for recent activity.",
+ "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "SalesforceServiceCloud_CL",
+ "baseQuery": "SalesforceServiceCloud_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Last Salesforce Service Cloud EventLogFile Events",
+ "query": "SalesforceServiceCloud\n | sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SalesforceServiceCloud_CL",
+ "lastDataReceivedQuery": "SalesforceServiceCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SalesforceServiceCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
{
- "columnName": "User",
- "identifier": "FullName"
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
}
],
- "entityType": "Account"
- }
- ],
- "customDetails": {
- "EventStartTime": "FailureStartTime",
- "EventEndTime": "SuccessEndTime",
- "IPAddresses": "IpAddresses"
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ },
+ {
+ "name": "REST API Credentials/permissions",
+ "description": "**Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** is required for REST API. [See the documentation to learn more about API](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to the Salesforce Lightning Platform REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://aka.ms/sentinel-SalesforceServiceCloud-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
+ },
+ {
+ "description": "**STEP 1 - Configuration steps for the Salesforce Lightning Platform REST API**\n\n1. See the [link](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm) and follow the instructions for obtaining Salesforce API Authorization credentials. \n2. On the **Set Up Authorization** step choose **Session ID Authorization** method.\n3. You must provide your client id, client secret, username, and password with user security token."
+ },
+ {
+ "description": ">**NOTE:** Ingesting data from on an hourly interval may require additional licensing based on the edition of the Salesforce Service Cloud being used. Please refer to [Salesforce documentation](https://www.salesforce.com/editions-pricing/service-cloud/) and/or support for more details."
+ },
+ {
+ "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Salesforce Service Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Salesforce API Authorization credentials, readily available.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Functions",
+ "description": "Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Step 1 - Deploy a Function App",
+ "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+ },
+ {
+ "title": "Step 2 - Configure the Function App",
+ "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSalesforceUser\n\t\tSalesforcePass\n\t\tSalesforceSecurityToken\n\t\tSalesforceConsumerKey\n\t\tSalesforceConsumerSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n5. Once all application settings have been entered, click **Save**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
- "description": "Salesforce Service Cloud Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Salesforce Service Cloud",
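Review bot: In the new `connectorUiConfig.permissions.resourceProvider` entry for `Microsoft.OperationalInsights/workspaces`, `requiredPermissions` sets `"delete": true` while the accompanying `permissionsDisplayText` tells the installer only that "read and write permissions on the workspace are required", so the prompt understates the role that is actually being checked; either drop `"delete": true` if the connector never removes workspace resources, or change the text to `"permissionsDisplayText": "read, write and delete permissions on the workspace are required."` so what the user is told matches what is enforced. The example endpoint in the "Step 2 - Configure the Function App" description, `https://.ods.opinsights.azure.us`, has an empty host label — the workspace-ID placeholder appears to have been lost — and should read something like `https://<WORKSPACE_ID_PLACEHOLDER>.ods.opinsights.azure.us` so the override format is usable. Both of these strings recur verbatim in the second `dataConnectors` resource in the following hunk (the one starting at `@@ -194,199 +290,240 @@`) and need the same correction there. Note also that the Key Vault instruction is marked "(Optional Step)" even though the subsequent steps place the Workspace Primary Key and the Salesforce password, security token and consumer secret directly into Function App application settings; a sentence in that step recommending Key Vault references for those particular values would better match the sensitivity of what is being stored.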
@@ -194,199 +290,240 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Salesforce Service Cloud (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"properties": {
- "description": "Salesforce Service Cloud Analytics Rule 2 with template",
- "displayName": "Salesforce Service Cloud Analytics Rule template"
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Salesforce Service Cloud",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ }
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
- ],
+ "kind": "GenericUI",
"properties": {
- "description": "Salesforce-PasswordSpray_AnalyticalRules Analytics Rule with template version 2.0.4",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
+ "connectorUiConfig": {
+ "title": "Salesforce Service Cloud (using Azure Functions)",
+ "publisher": "Salesforce",
+ "descriptionMarkdown": "The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get [event log files](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/event_log_file_hourly_overview.htm) in hourly increments for recent activity.",
+ "graphQueries": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId2')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.",
- "displayName": "Potential Password Spray Attack",
- "enabled": false,
- "query": "let FailureThreshold = 15; \nSalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus != 'LOGIN_NO_ERROR'\n| where LoginStatus in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')\n| summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n",
- "queryFrequency": "PT5M",
- "queryPeriod": "PT5M",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "SalesforceServiceCloud"
- ],
- "connectorId": "SalesforceServiceCloud"
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1110"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "columnName": "ClientIp",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
- }
- ],
- "customDetails": {
- "Users": "Users"
+ "metricName": "Total data received",
+ "legend": "SalesforceServiceCloud_CL",
+ "baseQuery": "SalesforceServiceCloud_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SalesforceServiceCloud_CL",
+ "lastDataReceivedQuery": "SalesforceServiceCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SalesforceServiceCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Last Salesforce Service Cloud EventLogFile Events",
+ "query": "SalesforceServiceCloud\n | sort by TimeGenerated desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
}
}
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ },
+ {
+ "name": "REST API Credentials/permissions",
+ "description": "**Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** is required for REST API. [See the documentation to learn more about API](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to the Salesforce Lightning Platform REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
- "properties": {
- "description": "Salesforce Service Cloud Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Salesforce Service Cloud",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://aka.ms/sentinel-SalesforceServiceCloud-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
+ },
+ {
+ "description": "**STEP 1 - Configuration steps for the Salesforce Lightning Platform REST API**\n\n1. See the [link](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm) and follow the instructions for obtaining Salesforce API Authorization credentials. \n2. On the **Set Up Authorization** step choose **Session ID Authorization** method.\n3. You must provide your client id, client secret, username, and password with user security token."
+ },
+ {
+ "description": ">**NOTE:** Ingesting data from on an hourly interval may require additional licensing based on the edition of the Salesforce Service Cloud being used. Please refer to [Salesforce documentation](https://www.salesforce.com/editions-pricing/service-cloud/) and/or support for more details."
+ },
+ {
+ "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Salesforce Service Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Salesforce API Authorization credentials, readily available.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
},
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
}
- }
+ ]
+ },
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Functions",
+ "description": "Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Step 1 - Deploy a Function App",
+ "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+ },
+ {
+ "title": "Step 2 - Configure the Function App",
+ "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSalesforceUser\n\t\tSalesforcePass\n\t\tSalesforceSecurityToken\n\t\tSalesforceConsumerKey\n\t\tSalesforceConsumerSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n5. Once all application settings have been entered, click **Save**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
}
- ]
+ ],
+ "id": "[variables('_uiConfigId1')]",
+ "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
}
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Salesforce Service Cloud Analytics Rule 3 with template",
- "displayName": "Salesforce Service Cloud Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Salesforce-SigninsMultipleCountries_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "SalesforceServiceCloud Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId3')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "name": "[variables('_parserName1')]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query searches for successful user logins from different countries within 30min.",
- "displayName": "User Sign in from different countries",
- "enabled": false,
- "query": "let threshold = 2;\nlet Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\n[@\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\"];\nlet UsersLocation = SalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'\n| project TimeGenerated, ClientIp, UserId, User, UserType ;\nUsersLocation\n| extend Dummy=1\n| summarize count() by Hour=bin(TimeGenerated,30m), ClientIp,User, Dummy\n| partition by Hour(\n lookup (Countrydb|extend Dummy=1) on Dummy\n | where ipv4_is_match(ClientIp, Network)\n )\n| summarize NumOfCountries = dcount(country_name) by User, Hour\n| where NumOfCountries >= threshold\n",
- "queryFrequency": "PT30M",
- "queryPeriod": "PT30M",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "SalesforceServiceCloud"
- ],
- "connectorId": "SalesforceServiceCloud"
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1078"
- ],
- "entityMappings": [
+ "eTag": "*",
+ "displayName": "SalesforceServiceCloud",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "SalesforceServiceCloud",
+ "query": "SalesforceServiceCloud_CL \n| extend \n\t\tRequestSize=column_ifexists('request_size_s',''),\n\t\tExecTime=column_ifexists('exec_time_s',''),\n\t\tAction=column_ifexists('action_s',''),\n\t\tPlatformType=column_ifexists('platform_type_s',''),\n\t\tOsName=column_ifexists('os_name_s',''),\n\t\tOsVersion=column_ifexists('os_version_s',''),\n\t\tTimestamp=column_ifexists('timestamp_s',''),\n\t\tStatusCode=column_ifexists('status_code_s',''),\n\t\tEventType=column_ifexists('event_type_s',''),\n\t\tReferrerUri=column_ifexists('referrer_uri_s',''),\n\t\tUserAgent=column_ifexists('user_agent_s',''),\n\t\tBrowserType=column_ifexists('browser_type_s',''),\n\t\tTime=column_ifexists('time_s',''),\n\t\tResponseSize=column_ifexists('response_size_s',''),\n\t\tDeviceId=column_ifexists('device_id_s',''),\n\t\tDeviceModel=column_ifexists('device_model_s',''),\n\t\tSourceIp=column_ifexists('source_ip_s',''),\n\t\tClientIp=column_ifexists('client_ip_s',''),\n\t\tSuccess=column_ifexists('success_s',''),\n\t\tUri=column_ifexists('uri_s',''),\n\t\tUrl=column_ifexists('url_s',''),\n\t\tClientName=column_ifexists('client_name_s',''),\n\t\tUserType=column_ifexists('user_type_s',''),\n\t\tUserInitiatedLogout=column_ifexists('user_initiated_logout_s',''),\n\t\tUserIdDerived=column_ifexists('user_id_derived_s',''),\n\t\tUserId=column_ifexists('user_id_s',''),\n\t\tUserEmail=column_ifexists('user_email_s',''),\n\t\tUser=column_ifexists('user_name_s',''),\n\t\tUriIdDerived=column_ifexists('uri_id_derived_s',''),\n\t\tUiEventType=column_ifexists('ui_event_type_s',''),\n\t\tUiEventTimestamp=column_ifexists('ui_event_timestamp_s',''),\n\t\tUiEventSource=column_ifexists('ui_event_source_s',''),\n\t\tUiEventSequenceNum=column_ifexists('ui_event_sequence_num_s',''),\n\t\tUiEventId=column_ifexists('ui_event_id_s',''),\n\t\tTlsProtocol=column_ifexists('tls_protocol_s',''),\n\t\tTimestampDerived=column_ifexists('timestamp_derived_t',''),\n\t\tTargetUiElement=column_ifexists('target_ui_element
_s',''),\n\t\tSort=column_ifexists('sort_s',''),\n\t\tSessionType=column_ifexists('session_type_s',''),\n\t\tSessionLevel=column_ifexists('session_level_s',''),\n\t\tSessionKey=column_ifexists('session_key_s',''),\n\t\tSearchQuery=column_ifexists('search_query_s',''),\n\t\tSdkVersion=column_ifexists('sdk_version_s',''),\n\t\tSdkAppVersion=column_ifexists('sdk_app_version_s',''),\n\t\tSdkAppType=column_ifexists('sdk_app_type_s',''),\n\t\tRunTime=column_ifexists('run_time_s',''),\n\t\tRowsProcessed=column_ifexists('rows_processed_s',''),\n\t\tRowCount=column_ifexists('row_count_s',''),\n\t\tResolutionType=column_ifexists('resolution_type_s',''),\n\t\tRequestStatus=column_ifexists('request_status_s',''),\n\t\tRequestId=column_ifexists('request_id_s',''),\n\t\tReportIdDerived=column_ifexists('report_id_derived_s',''),\n\t\tReportId=column_ifexists('report_id_s',''),\n\t\tRenderingType=column_ifexists('rendering_type_s',''),\n\t\tRelatedList=column_ifexists('related_list_s',''),\n\t\tRecordType=column_ifexists('record_type_s',''),\n\t\tRecordId=column_ifexists('record_id_s',''),\n\t\tQuiddity=column_ifexists('quiddity_s',''),\n\t\tQueryId=column_ifexists('query_id_s',''),\n\t\tPrevpageUrl=column_ifexists('prevpage_url_s',''),\n\t\tPrevpageEntityType=column_ifexists('prevpage_entity_type_s',''),\n\t\tPrevpageEntityId=column_ifexists('prevpage_entity_id_s',''),\n\t\tPrevpageContext=column_ifexists('prevpage_context_s',''),\n\t\tPrevpageAppName=column_ifexists('prevpage_app_name_s',''),\n\t\tPrefixesSearched=column_ifexists('prefixes_searched_s',''),\n\t\tParentUiElement=column_ifexists('parent_ui_element_s',''),\n\t\tPageUrl=column_ifexists('page_url_s',''),\n\t\tPageStartTime=column_ifexists('page_start_time_s',''),\n\t\tPageEntityType=column_ifexists('page_entity_type_s',''),\n\t\tPageEntityId=column_ifexists('page_entity_id_s',''),\n\t\tPageContext=column_ifexists('page_context_s',''),\n\t\tPageAppName=column_ifexists('page_app_name_s',''),\n\t\tOrigin=column_ifexists('
origin_s',''),\n\t\tOrganizationId=column_ifexists('organization_id_s',''),\n\t\tNumResults=column_ifexists('num_results_s',''),\n\t\tNumberSoqlQueries=column_ifexists('number_soql_queries_s',''),\n\t\tNumberFields=column_ifexists('number_fields_s',''),\n\t\tNumberExceptionFilters=column_ifexists('number_exception_filters_s',''),\n\t\tNumberColumns=column_ifexists('number_columns_s',''),\n\t\tNumberBuckets=column_ifexists('number_buckets_s',''),\n\t\tMethodName=column_ifexists('method_name_s',''),\n\t\tMethod=column_ifexists('method_s',''),\n\t\tMediaType=column_ifexists('media_type_s',''),\n\t\tLoginStatus=column_ifexists('login_status_s',''),\n\t\tLoginKey=column_ifexists('login_key_s',''),\n\t\tHttpMethod=column_ifexists('http_method_s',''),\n\t\tGrandparentUiElement=column_ifexists('grandparent_ui_element_s',''),\n\t\tEntryPoint=column_ifexists('entry_point_s',''),\n\t\tEntityName=column_ifexists('entity_name_s',''),\n\t\tEntity=column_ifexists('entity_s',''),\n\t\tEffectivePageTime=column_ifexists('effective_page_time_s',''),\n\t\tDuration=column_ifexists('duration_s',''),\n\t\tDisplayType=column_ifexists('display_type_s',''),\n\t\tDeviceSessionId=column_ifexists('device_session_id_s',''),\n\t\tDevicePlatform=column_ifexists('device_platform_s',''),\n\t\tDbTotalTime=column_ifexists('db_total_time_s',''),\n\t\tDbCpuTime=column_ifexists('db_cpu_time_s',''),\n\t\tDbBlocks=column_ifexists('db_blocks_s',''),\n\t\tCpuTime=column_ifexists('cpu_time_s',''),\n\t\tConnectionType=column_ifexists('connection_type_s',''),\n\t\tComponentName=column_ifexists('component_name_s',''),\n\t\tClientVersion=column_ifexists('client_version_s',''),\n\t\tClientId=column_ifexists('client_id_s',''),\n\t\tCipherSuite=column_ifexists('cipher_suite_s',''),\n\t\tCalloutTime=column_ifexists('callout_time_s',''),\n\t\tBrowserVersion=column_ifexists('browser_version_s',''),\n\t\tBrowserName=column_ifexists('browser_name_s',''),\n\t\tAverageRowSize=column_ifexists('average_row_size_s',''),\n\t\t
AppType=column_ifexists('app_type_s',''),\n\t\tAppName=column_ifexists('app_name_s',''),\n\t\tApiVersion=column_ifexists('api_version_s',''),\n\t\tApiType=column_ifexists('api_type_s',''),\n ArticleVersionId=column_ifexists('article_version_id_s',''),\n\t\tArticleVersion=column_ifexists('article_version_s',''),\n\t\tArticleStatus=column_ifexists('article_status_s',''),\n\t\tArticleId=column_ifexists('article_id_s',''),\n AnalyticsMode=column_ifexists('analytics_mode_s',''),\n BatchId=column_ifexists('batch_id_s',''),\n ClickedRecordId=column_ifexists('clicked_record_id_s',''),\n\t\tClassName=column_ifexists('class_name_s',''),\n ComponentIdDerived=column_ifexists('component_id_derived_s',''),\n\t\tComponentId=column_ifexists('component_id_s',''),\n ControllerType=column_ifexists('controller_type_s',''),\n\t\tContext=column_ifexists('context_s',''),\n\t\tConsoleIdDerived=column_ifexists('console_id_derived_s',''),\n\t\tConsoleId=column_ifexists('console_id_s',''), \n ClientInfo=column_ifexists('client_info_s',''),\n DstBytes=column_ifexists('request_size_s',''),\n\t\tDstUser=column_ifexists('delegated_user_name_s',''),\n DstUserSid=column_ifexists('delegated_user_id_s',''),\n\t\tDstUserSidDerived=column_ifexists('delegated_user_id_derived_s',''),\n Data=column_ifexists('data_s',''),\n\t\tDashboardType=column_ifexists('dashboard_type_s',''),\n\t\tDashboardIdDerived=column_ifexists('dashboard_id_derived_s',''),\n\t\tDashboardId=column_ifexists('dashboard_id_s',''),\n\t\tDashboardComponentId=column_ifexists('dashboard_component_id_s',''),\n\t\tDvcAction=column_ifexists('action_s',''),\n\t\tDvcOS=column_ifexists('platform_type_s',''),\n\t\tDvcOSName=column_ifexists('os_name_s',''),\n\t\tDvcOSVersion=column_ifexists('os_version_s',''),\n DeliveryLocation=column_ifexists('delivery_location_s',''),\n\t\tDeliveryId=column_ifexists('delivery_id_s',''),\n DocumentIdDerived=column_ifexists('document_id_derived_s',''),\n\t\tDocumentId=column_ifexists('document_id_s',''),\n 
EntityType=column_ifexists('entity_type_s',''),\n EntityId=column_ifexists('entity_id_s',''),\n FileType=column_ifexists('file_type_s',''),\n\t\tFilePreviewType=column_ifexists('file_preview_type_s',''),\n\t\tExceptionType=column_ifexists('exception_type_s',''),\n\t\tExceptionMessage=column_ifexists('exception_message_s',''),\n\t\tEpt=column_ifexists('ept_s',''),\n EventCount=column_ifexists('number_of_records_s',''),\n\t\tEventEndTime=column_ifexists('timestamp_s',''),\n\t\tEventResult=column_ifexists('status_code_s',''),\n\t\tFileSize=column_ifexists('size_bytes_s',''),\n HttpReferrerOriginal=column_ifexists('referrer_uri_s',''),\n\t\tHttpUserAgentOriginal=column_ifexists('user_agent_s',''),\n\t\tHttpUserAgent=column_ifexists('browser_type_s',''),\n LogGroupId=column_ifexists('log_group_id_s',''),\n\t\tLimitUsagePercent=column_ifexists('limit_usage_percent_s',''),\n\t\tLicenseContext=column_ifexists('license_context_s',''),\n\t\tLastVersion=column_ifexists('last_version_s',''),\n\t\tLanguage=column_ifexists('language_s',''),\n\t\tJobId=column_ifexists('job_id_s',''),\n\t\tIsSuccess=column_ifexists('is_success_s',''),\n\t\tIsSecure=column_ifexists('is_secure_s',''),\n\t\tIsScheduled=column_ifexists('is_scheduled_s',''),\n\t\tIsNew=column_ifexists('is_new_s',''),\n\t\tIsMobile=column_ifexists('is_mobile_s',''),\n\t\tIsLongRunningRequest=column_ifexists('is_long_running_request_s',''),\n\t\tIsGuest=column_ifexists('is_guest_s',''),\n\t\tIsFirstRequest=column_ifexists('is_first_request_s',''),\n\t\tIsError=column_ifexists('is_error_s',''),\n\t\tIsApi=column_ifexists('is_api_s',''),\n\t\tIsAjaxRequest=column_ifexists('is_ajax_request_s',''),\n ManagedPackageNamespace=column_ifexists('managed_package_namespace_s',''),\n HttpHeaders=column_ifexists('http_headers_s',''),\n\t\tNetworkDuration=column_ifexists('time_s',''),\n Name=column_ifexists('name_s',''),\n NumberFailures=column_ifexists('number_failures_s',''),\n NumClicks=column_ifexists('num_clicks_s',''),\n 
OperationType=column_ifexists('operation_type_s',''),\n\t\tNumSessions=column_ifexists('num_sessions_s',''),\n PageName=column_ifexists('page_name_s',''),\n Query=column_ifexists('query_s',''),\n RequestType=column_ifexists('request_type_s',''),\n ReportDescription=column_ifexists('report_description_s',''),\n\t\tReopenCount=column_ifexists('reopen_count_s',''),\n RelatedEntityId=column_ifexists('related_entity_id_s',''),\n RecordIdDerived=column_ifexists('record_id_derived_s',''),\n ReadTime=column_ifexists('read_time_s',''),\n\t\tRank=column_ifexists('rank_s',''),\n\t\tSrcBytes=column_ifexists('response_size_s',''),\n\t\tSrcDvcId=column_ifexists('device_id_s',''),\n\t\tSrcDvcModelName=column_ifexists('device_model_s',''),\n\t\tSrcIpAddr=column_ifexists('source_ip_s',''),\n\t\tSrcNatIpAddr=column_ifexists('client_ip_s',''),\n SessionId=column_ifexists('session_id_s',''),\n SiteId=column_ifexists('site_id_s',''),\n\t\tSharingPermission=column_ifexists('sharing_permission_s',''),\n\t\tSharingOperation=column_ifexists('sharing_operation_s',''),\n\t\tSharedWithEntityId=column_ifexists('shared_with_entity_id_s',''),\n\t\tUrlOriginal=column_ifexists('url_s',''),\n\t\tWaveTimestamp=column_ifexists('wave_timestamp_s',''),\n\t\tWaveSessionId=column_ifexists('wave_session_id_g',''),\n\t\tViewStateSize=column_ifexists('view_state_size_s',''),\n\t\tVersionIdDerived=column_ifexists('version_id_derived_s',''),\n\t\tVersionId=column_ifexists('version_id_s',''),\n TriggerType=column_ifexists('trigger_type_s',''),\n\t\tTriggerName=column_ifexists('trigger_name_s',''),\n\t\tTriggerId=column_ifexists('trigger_id_s',''),\n\t\tTransactionType=column_ifexists('transaction_type_s',''),\n\t\tTotalTime=column_ifexists('total_time_s',''),\n TabId=column_ifexists('tab_id_s',''),\n\t\tStackTrace=column_ifexists('stack_trace_s','')\n| project-away *_s\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
{
- "fieldMappings": [
- {
- "columnName": "User",
- "identifier": "AadUserId"
- }
- ],
- "entityType": "Account"
+ "name": "description",
+ "value": ""
}
]
}
@@ -394,16 +531,18 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_parserName1')]"
+ ],
"properties": {
- "description": "Salesforce Service Cloud Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
"source": {
- "kind": "Solution",
"name": "Salesforce Service Cloud",
+ "kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -419,187 +558,114 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "SalesforceServiceCloud",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"properties": {
- "description": "Salesforce Service Cloud data connector with template",
- "displayName": "Salesforce Service Cloud template"
+ "eTag": "*",
+ "displayName": "SalesforceServiceCloud",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "SalesforceServiceCloud",
+ "query": "SalesforceServiceCloud_CL \n| extend \n\t\tRequestSize=column_ifexists('request_size_s',''),\n\t\tExecTime=column_ifexists('exec_time_s',''),\n\t\tAction=column_ifexists('action_s',''),\n\t\tPlatformType=column_ifexists('platform_type_s',''),\n\t\tOsName=column_ifexists('os_name_s',''),\n\t\tOsVersion=column_ifexists('os_version_s',''),\n\t\tTimestamp=column_ifexists('timestamp_s',''),\n\t\tStatusCode=column_ifexists('status_code_s',''),\n\t\tEventType=column_ifexists('event_type_s',''),\n\t\tReferrerUri=column_ifexists('referrer_uri_s',''),\n\t\tUserAgent=column_ifexists('user_agent_s',''),\n\t\tBrowserType=column_ifexists('browser_type_s',''),\n\t\tTime=column_ifexists('time_s',''),\n\t\tResponseSize=column_ifexists('response_size_s',''),\n\t\tDeviceId=column_ifexists('device_id_s',''),\n\t\tDeviceModel=column_ifexists('device_model_s',''),\n\t\tSourceIp=column_ifexists('source_ip_s',''),\n\t\tClientIp=column_ifexists('client_ip_s',''),\n\t\tSuccess=column_ifexists('success_s',''),\n\t\tUri=column_ifexists('uri_s',''),\n\t\tUrl=column_ifexists('url_s',''),\n\t\tClientName=column_ifexists('client_name_s',''),\n\t\tUserType=column_ifexists('user_type_s',''),\n\t\tUserInitiatedLogout=column_ifexists('user_initiated_logout_s',''),\n\t\tUserIdDerived=column_ifexists('user_id_derived_s',''),\n\t\tUserId=column_ifexists('user_id_s',''),\n\t\tUserEmail=column_ifexists('user_email_s',''),\n\t\tUser=column_ifexists('user_name_s',''),\n\t\tUriIdDerived=column_ifexists('uri_id_derived_s',''),\n\t\tUiEventType=column_ifexists('ui_event_type_s',''),\n\t\tUiEventTimestamp=column_ifexists('ui_event_timestamp_s',''),\n\t\tUiEventSource=column_ifexists('ui_event_source_s',''),\n\t\tUiEventSequenceNum=column_ifexists('ui_event_sequence_num_s',''),\n\t\tUiEventId=column_ifexists('ui_event_id_s',''),\n\t\tTlsProtocol=column_ifexists('tls_protocol_s',''),\n\t\tTimestampDerived=column_ifexists('timestamp_derived_t',''),\n\t\tTargetUiElement=column_ifexists('target_ui_element
_s',''),\n\t\tSort=column_ifexists('sort_s',''),\n\t\tSessionType=column_ifexists('session_type_s',''),\n\t\tSessionLevel=column_ifexists('session_level_s',''),\n\t\tSessionKey=column_ifexists('session_key_s',''),\n\t\tSearchQuery=column_ifexists('search_query_s',''),\n\t\tSdkVersion=column_ifexists('sdk_version_s',''),\n\t\tSdkAppVersion=column_ifexists('sdk_app_version_s',''),\n\t\tSdkAppType=column_ifexists('sdk_app_type_s',''),\n\t\tRunTime=column_ifexists('run_time_s',''),\n\t\tRowsProcessed=column_ifexists('rows_processed_s',''),\n\t\tRowCount=column_ifexists('row_count_s',''),\n\t\tResolutionType=column_ifexists('resolution_type_s',''),\n\t\tRequestStatus=column_ifexists('request_status_s',''),\n\t\tRequestId=column_ifexists('request_id_s',''),\n\t\tReportIdDerived=column_ifexists('report_id_derived_s',''),\n\t\tReportId=column_ifexists('report_id_s',''),\n\t\tRenderingType=column_ifexists('rendering_type_s',''),\n\t\tRelatedList=column_ifexists('related_list_s',''),\n\t\tRecordType=column_ifexists('record_type_s',''),\n\t\tRecordId=column_ifexists('record_id_s',''),\n\t\tQuiddity=column_ifexists('quiddity_s',''),\n\t\tQueryId=column_ifexists('query_id_s',''),\n\t\tPrevpageUrl=column_ifexists('prevpage_url_s',''),\n\t\tPrevpageEntityType=column_ifexists('prevpage_entity_type_s',''),\n\t\tPrevpageEntityId=column_ifexists('prevpage_entity_id_s',''),\n\t\tPrevpageContext=column_ifexists('prevpage_context_s',''),\n\t\tPrevpageAppName=column_ifexists('prevpage_app_name_s',''),\n\t\tPrefixesSearched=column_ifexists('prefixes_searched_s',''),\n\t\tParentUiElement=column_ifexists('parent_ui_element_s',''),\n\t\tPageUrl=column_ifexists('page_url_s',''),\n\t\tPageStartTime=column_ifexists('page_start_time_s',''),\n\t\tPageEntityType=column_ifexists('page_entity_type_s',''),\n\t\tPageEntityId=column_ifexists('page_entity_id_s',''),\n\t\tPageContext=column_ifexists('page_context_s',''),\n\t\tPageAppName=column_ifexists('page_app_name_s',''),\n\t\tOrigin=column_ifexists('
origin_s',''),\n\t\tOrganizationId=column_ifexists('organization_id_s',''),\n\t\tNumResults=column_ifexists('num_results_s',''),\n\t\tNumberSoqlQueries=column_ifexists('number_soql_queries_s',''),\n\t\tNumberFields=column_ifexists('number_fields_s',''),\n\t\tNumberExceptionFilters=column_ifexists('number_exception_filters_s',''),\n\t\tNumberColumns=column_ifexists('number_columns_s',''),\n\t\tNumberBuckets=column_ifexists('number_buckets_s',''),\n\t\tMethodName=column_ifexists('method_name_s',''),\n\t\tMethod=column_ifexists('method_s',''),\n\t\tMediaType=column_ifexists('media_type_s',''),\n\t\tLoginStatus=column_ifexists('login_status_s',''),\n\t\tLoginKey=column_ifexists('login_key_s',''),\n\t\tHttpMethod=column_ifexists('http_method_s',''),\n\t\tGrandparentUiElement=column_ifexists('grandparent_ui_element_s',''),\n\t\tEntryPoint=column_ifexists('entry_point_s',''),\n\t\tEntityName=column_ifexists('entity_name_s',''),\n\t\tEntity=column_ifexists('entity_s',''),\n\t\tEffectivePageTime=column_ifexists('effective_page_time_s',''),\n\t\tDuration=column_ifexists('duration_s',''),\n\t\tDisplayType=column_ifexists('display_type_s',''),\n\t\tDeviceSessionId=column_ifexists('device_session_id_s',''),\n\t\tDevicePlatform=column_ifexists('device_platform_s',''),\n\t\tDbTotalTime=column_ifexists('db_total_time_s',''),\n\t\tDbCpuTime=column_ifexists('db_cpu_time_s',''),\n\t\tDbBlocks=column_ifexists('db_blocks_s',''),\n\t\tCpuTime=column_ifexists('cpu_time_s',''),\n\t\tConnectionType=column_ifexists('connection_type_s',''),\n\t\tComponentName=column_ifexists('component_name_s',''),\n\t\tClientVersion=column_ifexists('client_version_s',''),\n\t\tClientId=column_ifexists('client_id_s',''),\n\t\tCipherSuite=column_ifexists('cipher_suite_s',''),\n\t\tCalloutTime=column_ifexists('callout_time_s',''),\n\t\tBrowserVersion=column_ifexists('browser_version_s',''),\n\t\tBrowserName=column_ifexists('browser_name_s',''),\n\t\tAverageRowSize=column_ifexists('average_row_size_s',''),\n\t\t
AppType=column_ifexists('app_type_s',''),\n\t\tAppName=column_ifexists('app_name_s',''),\n\t\tApiVersion=column_ifexists('api_version_s',''),\n\t\tApiType=column_ifexists('api_type_s',''),\n ArticleVersionId=column_ifexists('article_version_id_s',''),\n\t\tArticleVersion=column_ifexists('article_version_s',''),\n\t\tArticleStatus=column_ifexists('article_status_s',''),\n\t\tArticleId=column_ifexists('article_id_s',''),\n AnalyticsMode=column_ifexists('analytics_mode_s',''),\n BatchId=column_ifexists('batch_id_s',''),\n ClickedRecordId=column_ifexists('clicked_record_id_s',''),\n\t\tClassName=column_ifexists('class_name_s',''),\n ComponentIdDerived=column_ifexists('component_id_derived_s',''),\n\t\tComponentId=column_ifexists('component_id_s',''),\n ControllerType=column_ifexists('controller_type_s',''),\n\t\tContext=column_ifexists('context_s',''),\n\t\tConsoleIdDerived=column_ifexists('console_id_derived_s',''),\n\t\tConsoleId=column_ifexists('console_id_s',''), \n ClientInfo=column_ifexists('client_info_s',''),\n DstBytes=column_ifexists('request_size_s',''),\n\t\tDstUser=column_ifexists('delegated_user_name_s',''),\n DstUserSid=column_ifexists('delegated_user_id_s',''),\n\t\tDstUserSidDerived=column_ifexists('delegated_user_id_derived_s',''),\n Data=column_ifexists('data_s',''),\n\t\tDashboardType=column_ifexists('dashboard_type_s',''),\n\t\tDashboardIdDerived=column_ifexists('dashboard_id_derived_s',''),\n\t\tDashboardId=column_ifexists('dashboard_id_s',''),\n\t\tDashboardComponentId=column_ifexists('dashboard_component_id_s',''),\n\t\tDvcAction=column_ifexists('action_s',''),\n\t\tDvcOS=column_ifexists('platform_type_s',''),\n\t\tDvcOSName=column_ifexists('os_name_s',''),\n\t\tDvcOSVersion=column_ifexists('os_version_s',''),\n DeliveryLocation=column_ifexists('delivery_location_s',''),\n\t\tDeliveryId=column_ifexists('delivery_id_s',''),\n DocumentIdDerived=column_ifexists('document_id_derived_s',''),\n\t\tDocumentId=column_ifexists('document_id_s',''),\n 
EntityType=column_ifexists('entity_type_s',''),\n EntityId=column_ifexists('entity_id_s',''),\n FileType=column_ifexists('file_type_s',''),\n\t\tFilePreviewType=column_ifexists('file_preview_type_s',''),\n\t\tExceptionType=column_ifexists('exception_type_s',''),\n\t\tExceptionMessage=column_ifexists('exception_message_s',''),\n\t\tEpt=column_ifexists('ept_s',''),\n EventCount=column_ifexists('number_of_records_s',''),\n\t\tEventEndTime=column_ifexists('timestamp_s',''),\n\t\tEventResult=column_ifexists('status_code_s',''),\n\t\tFileSize=column_ifexists('size_bytes_s',''),\n HttpReferrerOriginal=column_ifexists('referrer_uri_s',''),\n\t\tHttpUserAgentOriginal=column_ifexists('user_agent_s',''),\n\t\tHttpUserAgent=column_ifexists('browser_type_s',''),\n LogGroupId=column_ifexists('log_group_id_s',''),\n\t\tLimitUsagePercent=column_ifexists('limit_usage_percent_s',''),\n\t\tLicenseContext=column_ifexists('license_context_s',''),\n\t\tLastVersion=column_ifexists('last_version_s',''),\n\t\tLanguage=column_ifexists('language_s',''),\n\t\tJobId=column_ifexists('job_id_s',''),\n\t\tIsSuccess=column_ifexists('is_success_s',''),\n\t\tIsSecure=column_ifexists('is_secure_s',''),\n\t\tIsScheduled=column_ifexists('is_scheduled_s',''),\n\t\tIsNew=column_ifexists('is_new_s',''),\n\t\tIsMobile=column_ifexists('is_mobile_s',''),\n\t\tIsLongRunningRequest=column_ifexists('is_long_running_request_s',''),\n\t\tIsGuest=column_ifexists('is_guest_s',''),\n\t\tIsFirstRequest=column_ifexists('is_first_request_s',''),\n\t\tIsError=column_ifexists('is_error_s',''),\n\t\tIsApi=column_ifexists('is_api_s',''),\n\t\tIsAjaxRequest=column_ifexists('is_ajax_request_s',''),\n ManagedPackageNamespace=column_ifexists('managed_package_namespace_s',''),\n HttpHeaders=column_ifexists('http_headers_s',''),\n\t\tNetworkDuration=column_ifexists('time_s',''),\n Name=column_ifexists('name_s',''),\n NumberFailures=column_ifexists('number_failures_s',''),\n NumClicks=column_ifexists('num_clicks_s',''),\n 
OperationType=column_ifexists('operation_type_s',''),\n\t\tNumSessions=column_ifexists('num_sessions_s',''),\n PageName=column_ifexists('page_name_s',''),\n Query=column_ifexists('query_s',''),\n RequestType=column_ifexists('request_type_s',''),\n ReportDescription=column_ifexists('report_description_s',''),\n\t\tReopenCount=column_ifexists('reopen_count_s',''),\n RelatedEntityId=column_ifexists('related_entity_id_s',''),\n RecordIdDerived=column_ifexists('record_id_derived_s',''),\n ReadTime=column_ifexists('read_time_s',''),\n\t\tRank=column_ifexists('rank_s',''),\n\t\tSrcBytes=column_ifexists('response_size_s',''),\n\t\tSrcDvcId=column_ifexists('device_id_s',''),\n\t\tSrcDvcModelName=column_ifexists('device_model_s',''),\n\t\tSrcIpAddr=column_ifexists('source_ip_s',''),\n\t\tSrcNatIpAddr=column_ifexists('client_ip_s',''),\n SessionId=column_ifexists('session_id_s',''),\n SiteId=column_ifexists('site_id_s',''),\n\t\tSharingPermission=column_ifexists('sharing_permission_s',''),\n\t\tSharingOperation=column_ifexists('sharing_operation_s',''),\n\t\tSharedWithEntityId=column_ifexists('shared_with_entity_id_s',''),\n\t\tUrlOriginal=column_ifexists('url_s',''),\n\t\tWaveTimestamp=column_ifexists('wave_timestamp_s',''),\n\t\tWaveSessionId=column_ifexists('wave_session_id_g',''),\n\t\tViewStateSize=column_ifexists('view_state_size_s',''),\n\t\tVersionIdDerived=column_ifexists('version_id_derived_s',''),\n\t\tVersionId=column_ifexists('version_id_s',''),\n TriggerType=column_ifexists('trigger_type_s',''),\n\t\tTriggerName=column_ifexists('trigger_name_s',''),\n\t\tTriggerId=column_ifexists('trigger_id_s',''),\n\t\tTransactionType=column_ifexists('transaction_type_s',''),\n\t\tTotalTime=column_ifexists('total_time_s',''),\n TabId=column_ifexists('tab_id_s',''),\n\t\tStackTrace=column_ifexists('stack_trace_s','')\n| project-away *_s\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[variables('_parserId1')]"
],
"properties": {
- "description": "Salesforce Service Cloud data connector with template version 2.0.4",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Salesforce Service Cloud",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SalesforceServiceCloudWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
+ "contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Sets the time name for analysis."
+ },
"properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "Salesforce Service Cloud (using Azure Function)",
- "publisher": "Salesforce",
- "descriptionMarkdown": "The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get [event log files](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/event_log_file_hourly_overview.htm) in hourly increments for recent activity.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SalesforceServiceCloud_CL",
- "baseQuery": "SalesforceServiceCloud_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Last Salesforce Service Cloud EventLogFile Events",
- "query": "SalesforceServiceCloud\n | sort by TimeGenerated desc"
- }
- ],
- "dataTypes": [
- {
- "name": "SalesforceServiceCloud_CL",
- "lastDataReceivedQuery": "SalesforceServiceCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SalesforceServiceCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions on the workspace are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- },
- {
- "name": "REST API Credentials/permissions",
- "description": "**Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** is required for REST API. [See the documentation to learn more about API](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm)."
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This connector uses Azure Functions to connect to the Salesforce Lightning Platform REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
- },
- {
- "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
- },
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Parsers/SalesforceServiceCloud.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "**STEP 1 - Configuration steps for the Salesforce Lightning Platform REST API**\n\n1. See the [link](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm) and follow the instructions for obtaining Salesforce API Authorization credentials. \n2. On the **Set Up Authorization** step choose **Session ID Authorization** method.\n3. You must provide your client id, client secret, username, and password with user security token."
- },
- {
- "description": ">**NOTE:** Ingesting data from on an hourly interval may require additional licensing based on the edition of the Salesforce Service Cloud being used. Please refer to [Salesforce documentation](https://www.salesforce.com/editions-pricing/service-cloud/) and/or support for more details."
- },
- {
- "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Salesforce Service Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Salesforce API Authorization credentials, readily available.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
- },
- "type": "CopyableLabel"
- }
- ]
- },
- {
- "description": "Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
- "title": "Option 1 - Azure Resource Manager (ARM) Template"
- },
- {
- "description": "Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code).",
- "title": "Option 2 - Manual Deployment of Azure Functions"
- },
- {
- "description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SalesforceXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
- },
- {
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSalesforceUser\n\t\tSalesforcePass\n\t\tSalesforceSecurityToken\n\t\tSalesforceConsumerKey\n\t\tSalesforceConsumerSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n3. Once all application settings have been entered, click **Save**."
- }
- ]
- }
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Salesforce Service Cloud Workbook\\n---\\n\\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Salesforce Service cloud audit data. Visualizations may not appear if no data is present.\\n\\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of salesforce service cloud data, queries may timeout with a large time range, if this is the case simply select a smaller time range.: \",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"412a09a0-64ae-4614-aec6-cbfc9273b82b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 32\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ae90d1dc-20da-4948-80da-127b210bf152\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User Logins\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"af58b4d9-a888-43ed-91a9-6e9f539a61d4\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"API 
Usage\",\"subTarget\":\"2\",\"style\":\"link\"}]},\"name\":\"links - 34\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"User login locations\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\\n[@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"];\\nlet UsersLocation = SalesforceServiceCloud\\n| where EventType == \\\"Login\\\"\\n| project TimeGenerated, SourceIp;\\nUsersLocation\\n| extend Dummy=1\\n| summarize count() by Hour=bin(TimeGenerated,24h), SourceIp,Dummy\\n| partition by Hour(\\n lookup (Countrydb|extend Dummy=1) on Dummy\\n | where ipv4_is_match(SourceIp, Network)\\n )\\n| summarize sum(count_) by country_name\",\"size\":3,\"title\":\"Heat Map- Geographical - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"RetTime\"},{\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"sum_count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"sum_count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"sum_count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| summarize AvgLogintime = avg(toint(RunTime)), MaxLoginTime = max(toint(RunTime)), TotalLoginRequests = count() by EventType\\r\\n| project-away EventType\",\"size\":1,\"title\":\"Overview - User login 
requests\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AvgLogintime\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":23,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"MaxLoginTime\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":23,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"TotalLoginRequests\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}}],\"rowLimit\":1},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| summarize count() by bin(TimeGenerated, 1h),User, ClientIp \\r\\n| top 10 by count_\",\"size\":0,\"title\":\"Top 10 users with maximun logins - {TimeRange:label}\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"RetUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"user_name_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"60\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"To leverage infomation about Malicious IP, Threat Indicator solution should be configured and ThreatIntelligenceIndicator table should have information 
of malicious IP.\",\"style\":\"info\"},\"customWidth\":\"10\",\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" let malicious_ips =\\r\\n ThreatIntelligenceIndicator\\r\\n | where isnotempty(NetworkIP)\\r\\n | summarize make_list(NetworkIP); \\r\\n SalesforceServiceCloud\\r\\n | where EventType == 'Login'\\r\\n | distinct User,ClientIp\\r\\n | where ClientIp in (malicious_ips)\\r\\n | project UserName = User, MaliciousIP = ClientIp\\r\\n\",\"size\":1,\"title\":\"Malicious IP- User Login\",\"noDataMessage\":\"No Malicious IP found\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserName\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"MaliciousIP\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}}]},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"30\",\"name\":\"query - 23\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'LoginAS'\\r\\n| project UserID = UserId,DerivedUSerID = UserIdDerived,EventType = EventType, IPAddress = ClientIp, LoginKey = LoginKey, OrgID = OrganizationId, RequestID = RequestId, SessionKey = SessionKey\\r\\n| limit 10\",\"size\":0,\"title\":\"User Activity- LoginAS(Top 10)\",\"noDataMessage\":\"No user impersonation found\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"RetIP\",\"exportDefaultValue\":\"all IP 
addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"60\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'LoginAs'\\r\\n| where isnotempty(User)\\r\\n| summarize count() by User,UserIdDerived,ClientIp\\r\\n| project UserName = User,DerivedUSerID = UserIdDerived,IPAddress = ClientIp, count_\",\"size\":1,\"title\":\"User Impersonation from different IP Addresses\",\"color\":\"blue\",\"noDataMessage\":\"No user impersonation found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserName\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"DerivedUSerID\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"IPAddress\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}}],\"labelSettings\":[{\"columnId\":\"UserName\",\"label\":\"User Name\"},{\"columnId\":\"DerivedUSerID\",\"label\":\"Impersonated ID\"},{\"columnId\":\"IPAddress\",\"label\":\"IP Address\"},{\"columnId\":\"count_\",\"label\":\"Total Login\"}]},\"chartSettings\":{\"xAxis\":\"IPAddress\",\"yAxis\":[\"count_\"],\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| where isnotempty(User)\\r\\n| project 
UserName= User,APIType= ApiType, Browser= BrowserType, CipherSuite =CipherSuite, IP =ClientIp, CPUTime=CpuTime, UserType = UserType\\r\\n| take 200\",\"size\":0,\"title\":\"User Successful Login Activity\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"60\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| where isnotempty(User)\\r\\n| where LoginStatus !has('LOGIN_NO_ERROR')\\r\\n| summarize count() by User, ClientIp\\r\\n| project UserName = User, IP = ClientIp, Count = count_\",\"size\":1,\"title\":\"User Unsuccessful Logins by IP\",\"noDataMessage\":\"No Unsucessful Login found\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserName\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"IP\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}}],\"labelSettings\":[{\"columnId\":\"UserName\",\"label\":\"User Name\"},{\"columnId\":\"IP\",\"label\":\"IP Address\"},{\"columnId\":\"Count\",\"label\":\"Count\"}]},\"chartSettings\":{\"xAxis\":\"UserName\",\"yAxis\":[\"Count\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"30\",\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Retrieval Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"API 
Usage\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| summarize count() by EventType\",\"size\":0,\"title\":\"Most fired events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":50,\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == \\\"ApiTotalUsage\\\"\\r\\n| summarize count() by IPAddress = ClientIp,Entity = EntityName\\r\\n| order by Entity\",\"size\":0,\"title\":\"Most accessed entities by IP Address\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"user_id_s\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"entity_name_s\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"client_ip_s\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"30%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == \\\"ApiTotalUsage\\\"\\r\\n| summarize count() by EntityName\",\"size\":0,\"title\":\"Most accessed Entities\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
6\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"APIUsage\"}],\"fromTemplateId\":\"sentinel-SalesforceServiceCloudWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
+ "description": "@{workbookKey=SalesforceServiceCloudWorkbook; logoFileName=salesforce_logo.svg; description=Sets the time name for analysis.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Salesforce Service Cloud; templateRelativePath=SalesforceServiceCloud.json; subtitle=; provider=Salesforce}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Salesforce Service Cloud",
@@ -614,247 +680,224 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "SalesforceServiceCloud",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "SalesforceServiceCloud_CL",
+ "kind": "DataConnector"
+ }
+ ]
}
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Salesforce Service Cloud",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
},
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- }
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "connectorUiConfig": {
- "title": "Salesforce Service Cloud (using Azure Function)",
- "publisher": "Salesforce",
- "descriptionMarkdown": "The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get [event log files](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/event_log_file_hourly_overview.htm) in hourly increments for recent activity.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SalesforceServiceCloud_CL",
- "baseQuery": "SalesforceServiceCloud_CL"
- }
- ],
- "dataTypes": [
- {
- "name": "SalesforceServiceCloud_CL",
- "lastDataReceivedQuery": "SalesforceServiceCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SalesforceServiceCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
+ "description": "Salesforce-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
{
- "description": "Last Salesforce Service Cloud EventLogFile Events",
- "query": "SalesforceServiceCloud\n | sort by TimeGenerated desc"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions on the workspace are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies evidence of brute force activity against a user based on multiple authentication failures \nand at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.",
+ "displayName": "Brute force attack against user credentials",
+ "enabled": false,
+ "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet Failures =\nSalesforceServiceCloud\n| where EventType == \"Login\" and LoginStatus != \"LOGIN_NO_ERROR\"\n| summarize\n FailureStartTime = min(TimeGenerated),\n FailureEndTime = max(TimeGenerated),\n IpAddresses = make_set (ClientIp, 100),\n FailureCount = count() by User, UserId, UserType;\n SalesforceServiceCloud\n | where EventType == \"Login\" and LoginStatus == \"LOGIN_NO_ERROR\"\n | summarize\n SuccessStartTime = min(TimeGenerated),\n SuccessEndTime = max(TimeGenerated),\n IpAddresses = make_set (ClientIp, 100),\n SuccessCount = count() by User, UserId, UserType\n | join kind=leftouter Failures on UserId\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n | where FailureEndTime < SuccessStartTime\n | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses\n",
+ "queryFrequency": "PT20M",
+ "queryPeriod": "PT20M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "SalesforceServiceCloud"
+ ],
+ "connectorId": "SalesforceServiceCloud"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": [
+ "T1110"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User"
+ }
+ ],
+ "entityType": "Account"
+ }
+ ],
+ "customDetails": {
+ "EventStartTime": "FailureStartTime",
+ "IPAddresses": "IpAddresses",
+ "EventEndTime": "SuccessEndTime"
}
}
- ],
- "customs": [
- {
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- },
- {
- "name": "REST API Credentials/permissions",
- "description": "**Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** is required for REST API. [See the documentation to learn more about API](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm)."
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This connector uses Azure Functions to connect to the Salesforce Lightning Platform REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
- },
- {
- "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
- },
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Parsers/SalesforceServiceCloud.txt). The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "**STEP 1 - Configuration steps for the Salesforce Lightning Platform REST API**\n\n1. See the [link](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm) and follow the instructions for obtaining Salesforce API Authorization credentials. \n2. On the **Set Up Authorization** step choose **Session ID Authorization** method.\n3. You must provide your client id, client secret, username, and password with user security token."
},
{
- "description": ">**NOTE:** Ingesting data from on an hourly interval may require additional licensing based on the edition of the Salesforce Service Cloud being used. Please refer to [Salesforce documentation](https://www.salesforce.com/editions-pricing/service-cloud/) and/or support for more details."
- },
- {
- "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Salesforce Service Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Salesforce API Authorization credentials, readily available.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "properties": {
+ "description": "Salesforce Service Cloud Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Salesforce Service Cloud",
+ "sourceId": "[variables('_solutionId')]"
},
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
- },
- "type": "CopyableLabel"
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
}
- ]
- },
- {
- "description": "Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
- "title": "Option 1 - Azure Resource Manager (ARM) Template"
- },
- {
- "description": "Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code).",
- "title": "Option 2 - Manual Deployment of Azure Functions"
- },
- {
- "description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SalesforceXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
- },
- {
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSalesforceUser\n\t\tSalesforcePass\n\t\tSalesforceSecurityToken\n\t\tSalesforceConsumerKey\n\t\tSalesforceConsumerSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n3. Once all application settings have been entered, click **Save**."
+ }
}
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('parserTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
- "properties": {
- "description": "SalesforceServiceCloud Data Parser with template",
- "displayName": "SalesforceServiceCloud Data Parser template"
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Brute force attack against user credentials",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SalesforceServiceCloud Data Parser with template version 2.0.4",
+ "description": "Salesforce-PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserVersion1')]",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "SalesforceServiceCloud",
- "category": "Samples",
- "functionAlias": "SalesforceServiceCloud",
- "query": "\nSalesforceServiceCloud_CL \r\n| extend \r\n\t\tRequestSize=column_ifexists('request_size_s',''),\r\n\t\tExecTime=column_ifexists('exec_time_s',''),\r\n\t\tAction=column_ifexists('action_s',''),\r\n\t\tPlatformType=column_ifexists('platform_type_s',''),\r\n\t\tOsName=column_ifexists('os_name_s',''),\r\n\t\tOsVersion=column_ifexists('os_version_s',''),\r\n\t\tTimestamp=column_ifexists('timestamp_s',''),\r\n\t\tStatusCode=column_ifexists('status_code_s',''),\r\n\t\tEventType=column_ifexists('event_type_s',''),\r\n\t\tReferrerUri=column_ifexists('referrer_uri_s',''),\r\n\t\tUserAgent=column_ifexists('user_agent_s',''),\r\n\t\tBrowserType=column_ifexists('browser_type_s',''),\r\n\t\tTime=column_ifexists('time_s',''),\r\n\t\tResponseSize=column_ifexists('response_size_s',''),\r\n\t\tDeviceId=column_ifexists('device_id_s',''),\r\n\t\tDeviceModel=column_ifexists('device_model_s',''),\r\n\t\tSourceIp=column_ifexists('source_ip_s',''),\r\n\t\tClientIp=column_ifexists('client_ip_s',''),\r\n\t\tSuccess=column_ifexists('success_s',''),\r\n\t\tUri=column_ifexists('uri_s',''),\r\n\t\tUrl=column_ifexists('url_s',''),\r\n\t\tClientName=column_ifexists('client_name_s',''),\r\n\t\tUserType=column_ifexists('user_type_s',''),\r\n\t\tUserInitiatedLogout=column_ifexists('user_initiated_logout_s',''),\r\n\t\tUserIdDerived=column_ifexists('user_id_derived_s',''),\r\n\t\tUserId=column_ifexists('user_id_s',''),\r\n\t\tUserEmail=column_ifexists('user_email_s',''),\r\n\t\tUser=column_ifexists('user_name_s',''),\r\n\t\tUriIdDerived=column_ifexists('uri_id_derived_s',''),\r\n\t\tUiEventType=column_ifexists('ui_event_type_s',''),\r\n\t\tUiEventTimestamp=column_ifexists('ui_event_timestamp_s',''),\r\n\t\tUiEventSource=column_ifexists('ui_event_source_s',''),\r\n\t\tUiEventSequenceNum=column_ifexists('ui_event_sequence_num_s',''),\r\n\t\tUiEventId=column_ifexists('ui_event_id_s',''),\r\n\t\tTlsProtocol=column_ifexists('tls_protocol_s',''),\r\n\t\tTimestampDerived=column_ifexists('times
tamp_derived_t',''),\r\n\t\tTargetUiElement=column_ifexists('target_ui_element_s',''),\r\n\t\tSort=column_ifexists('sort_s',''),\r\n\t\tSessionType=column_ifexists('session_type_s',''),\r\n\t\tSessionLevel=column_ifexists('session_level_s',''),\r\n\t\tSessionKey=column_ifexists('session_key_s',''),\r\n\t\tSearchQuery=column_ifexists('search_query_s',''),\r\n\t\tSdkVersion=column_ifexists('sdk_version_s',''),\r\n\t\tSdkAppVersion=column_ifexists('sdk_app_version_s',''),\r\n\t\tSdkAppType=column_ifexists('sdk_app_type_s',''),\r\n\t\tRunTime=column_ifexists('run_time_s',''),\r\n\t\tRowsProcessed=column_ifexists('rows_processed_s',''),\r\n\t\tRowCount=column_ifexists('row_count_s',''),\r\n\t\tResolutionType=column_ifexists('resolution_type_s',''),\r\n\t\tRequestStatus=column_ifexists('request_status_s',''),\r\n\t\tRequestId=column_ifexists('request_id_s',''),\r\n\t\tReportIdDerived=column_ifexists('report_id_derived_s',''),\r\n\t\tReportId=column_ifexists('report_id_s',''),\r\n\t\tRenderingType=column_ifexists('rendering_type_s',''),\r\n\t\tRelatedList=column_ifexists('related_list_s',''),\r\n\t\tRecordType=column_ifexists('record_type_s',''),\r\n\t\tRecordId=column_ifexists('record_id_s',''),\r\n\t\tQuiddity=column_ifexists('quiddity_s',''),\r\n\t\tQueryId=column_ifexists('query_id_s',''),\r\n\t\tPrevpageUrl=column_ifexists('prevpage_url_s',''),\r\n\t\tPrevpageEntityType=column_ifexists('prevpage_entity_type_s',''),\r\n\t\tPrevpageEntityId=column_ifexists('prevpage_entity_id_s',''),\r\n\t\tPrevpageContext=column_ifexists('prevpage_context_s',''),\r\n\t\tPrevpageAppName=column_ifexists('prevpage_app_name_s',''),\r\n\t\tPrefixesSearched=column_ifexists('prefixes_searched_s',''),\r\n\t\tParentUiElement=column_ifexists('parent_ui_element_s',''),\r\n\t\tPageUrl=column_ifexists('page_url_s',''),\r\n\t\tPageStartTime=column_ifexists('page_start_time_s',''),\r\n\t\tPageEntityType=column_ifexists('page_entity_type_s',''),\r\n\t\tPageEntityId=column_ifexists('page_entity_id_s','
'),\r\n\t\tPageContext=column_ifexists('page_context_s',''),\r\n\t\tPageAppName=column_ifexists('page_app_name_s',''),\r\n\t\tOrigin=column_ifexists('origin_s',''),\r\n\t\tOrganizationId=column_ifexists('organization_id_s',''),\r\n\t\tNumResults=column_ifexists('num_results_s',''),\r\n\t\tNumberSoqlQueries=column_ifexists('number_soql_queries_s',''),\r\n\t\tNumberFields=column_ifexists('number_fields_s',''),\r\n\t\tNumberExceptionFilters=column_ifexists('number_exception_filters_s',''),\r\n\t\tNumberColumns=column_ifexists('number_columns_s',''),\r\n\t\tNumberBuckets=column_ifexists('number_buckets_s',''),\r\n\t\tMethodName=column_ifexists('method_name_s',''),\r\n\t\tMethod=column_ifexists('method_s',''),\r\n\t\tMediaType=column_ifexists('media_type_s',''),\r\n\t\tLoginStatus=column_ifexists('login_status_s',''),\r\n\t\tLoginKey=column_ifexists('login_key_s',''),\r\n\t\tHttpMethod=column_ifexists('http_method_s',''),\r\n\t\tGrandparentUiElement=column_ifexists('grandparent_ui_element_s',''),\r\n\t\tEntryPoint=column_ifexists('entry_point_s',''),\r\n\t\tEntityName=column_ifexists('entity_name_s',''),\r\n\t\tEntity=column_ifexists('entity_s',''),\r\n\t\tEffectivePageTime=column_ifexists('effective_page_time_s',''),\r\n\t\tDuration=column_ifexists('duration_s',''),\r\n\t\tDisplayType=column_ifexists('display_type_s',''),\r\n\t\tDeviceSessionId=column_ifexists('device_session_id_s',''),\r\n\t\tDevicePlatform=column_ifexists('device_platform_s',''),\r\n\t\tDbTotalTime=column_ifexists('db_total_time_s',''),\r\n\t\tDbCpuTime=column_ifexists('db_cpu_time_s',''),\r\n\t\tDbBlocks=column_ifexists('db_blocks_s',''),\r\n\t\tCpuTime=column_ifexists('cpu_time_s',''),\r\n\t\tConnectionType=column_ifexists('connection_type_s',''),\r\n\t\tComponentName=column_ifexists('component_name_s',''),\r\n\t\tClientVersion=column_ifexists('client_version_s',''),\r\n\t\tClientId=column_ifexists('client_id_s',''),\r\n\t\tCipherSuite=column_ifexists('cipher_suite_s',''),\r\n\t\tCalloutTime=column_
ifexists('callout_time_s',''),\r\n\t\tBrowserVersion=column_ifexists('browser_version_s',''),\r\n\t\tBrowserName=column_ifexists('browser_name_s',''),\r\n\t\tAverageRowSize=column_ifexists('average_row_size_s',''),\r\n\t\tAppType=column_ifexists('app_type_s',''),\r\n\t\tAppName=column_ifexists('app_name_s',''),\r\n\t\tApiVersion=column_ifexists('api_version_s',''),\r\n\t\tApiType=column_ifexists('api_type_s',''),\r\n ArticleVersionId=column_ifexists('article_version_id_s',''),\r\n\t\tArticleVersion=column_ifexists('article_version_s',''),\r\n\t\tArticleStatus=column_ifexists('article_status_s',''),\r\n\t\tArticleId=column_ifexists('article_id_s',''),\r\n AnalyticsMode=column_ifexists('analytics_mode_s',''),\r\n BatchId=column_ifexists('batch_id_s',''),\r\n ClickedRecordId=column_ifexists('clicked_record_id_s',''),\r\n\t\tClassName=column_ifexists('class_name_s',''),\r\n ComponentIdDerived=column_ifexists('component_id_derived_s',''),\r\n\t\tComponentId=column_ifexists('component_id_s',''),\r\n ControllerType=column_ifexists('controller_type_s',''),\r\n\t\tContext=column_ifexists('context_s',''),\r\n\t\tConsoleIdDerived=column_ifexists('console_id_derived_s',''),\r\n\t\tConsoleId=column_ifexists('console_id_s',''), \r\n ClientInfo=column_ifexists('client_info_s',''),\r\n DstBytes=column_ifexists('request_size_s',''),\r\n\t\tDstUser=column_ifexists('delegated_user_name_s',''),\r\n DstUserSid=column_ifexists('delegated_user_id_s',''),\r\n\t\tDstUserSidDerived=column_ifexists('delegated_user_id_derived_s',''),\r\n 
Data=column_ifexists('data_s',''),\r\n\t\tDashboardType=column_ifexists('dashboard_type_s',''),\r\n\t\tDashboardIdDerived=column_ifexists('dashboard_id_derived_s',''),\r\n\t\tDashboardId=column_ifexists('dashboard_id_s',''),\r\n\t\tDashboardComponentId=column_ifexists('dashboard_component_id_s',''),\r\n\t\tDvcAction=column_ifexists('action_s',''),\r\n\t\tDvcOS=column_ifexists('platform_type_s',''),\r\n\t\tDvcOSName=column_ifexists('os_name_s',''),\r\n\t\tDvcOSVersion=column_ifexists('os_version_s',''),\r\n DeliveryLocation=column_ifexists('delivery_location_s',''),\r\n\t\tDeliveryId=column_ifexists('delivery_id_s',''),\r\n DocumentIdDerived=column_ifexists('document_id_derived_s',''),\r\n\t\tDocumentId=column_ifexists('document_id_s',''),\r\n EntityType=column_ifexists('entity_type_s',''),\r\n EntityId=column_ifexists('entity_id_s',''),\r\n FileType=column_ifexists('file_type_s',''),\r\n\t\tFilePreviewType=column_ifexists('file_preview_type_s',''),\r\n\t\tExceptionType=column_ifexists('exception_type_s',''),\r\n\t\tExceptionMessage=column_ifexists('exception_message_s',''),\r\n\t\tEpt=column_ifexists('ept_s',''),\r\n EventCount=column_ifexists('number_of_records_s',''),\r\n\t\tEventEndTime=column_ifexists('timestamp_s',''),\r\n\t\tEventResult=column_ifexists('status_code_s',''),\r\n\t\tFileSize=column_ifexists('size_bytes_s',''),\r\n HttpReferrerOriginal=column_ifexists('referrer_uri_s',''),\r\n\t\tHttpUserAgentOriginal=column_ifexists('user_agent_s',''),\r\n\t\tHttpUserAgent=column_ifexists('browser_type_s',''),\r\n 
LogGroupId=column_ifexists('log_group_id_s',''),\r\n\t\tLimitUsagePercent=column_ifexists('limit_usage_percent_s',''),\r\n\t\tLicenseContext=column_ifexists('license_context_s',''),\r\n\t\tLastVersion=column_ifexists('last_version_s',''),\r\n\t\tLanguage=column_ifexists('language_s',''),\r\n\t\tJobId=column_ifexists('job_id_s',''),\r\n\t\tIsSuccess=column_ifexists('is_success_s',''),\r\n\t\tIsSecure=column_ifexists('is_secure_s',''),\r\n\t\tIsScheduled=column_ifexists('is_scheduled_s',''),\r\n\t\tIsNew=column_ifexists('is_new_s',''),\r\n\t\tIsMobile=column_ifexists('is_mobile_s',''),\r\n\t\tIsLongRunningRequest=column_ifexists('is_long_running_request_s',''),\r\n\t\tIsGuest=column_ifexists('is_guest_s',''),\r\n\t\tIsFirstRequest=column_ifexists('is_first_request_s',''),\r\n\t\tIsError=column_ifexists('is_error_s',''),\r\n\t\tIsApi=column_ifexists('is_api_s',''),\r\n\t\tIsAjaxRequest=column_ifexists('is_ajax_request_s',''),\r\n ManagedPackageNamespace=column_ifexists('managed_package_namespace_s',''),\r\n HttpHeaders=column_ifexists('http_headers_s',''),\r\n\t\tNetworkDuration=column_ifexists('time_s',''),\r\n Name=column_ifexists('name_s',''),\r\n NumberFailures=column_ifexists('number_failures_s',''),\r\n NumClicks=column_ifexists('num_clicks_s',''),\r\n OperationType=column_ifexists('operation_type_s',''),\r\n\t\tNumSessions=column_ifexists('num_sessions_s',''),\r\n PageName=column_ifexists('page_name_s',''),\r\n Query=column_ifexists('query_s',''),\r\n RequestType=column_ifexists('request_type_s',''),\r\n ReportDescription=column_ifexists('report_description_s',''),\r\n\t\tReopenCount=column_ifexists('reopen_count_s',''),\r\n RelatedEntityId=column_ifexists('related_entity_id_s',''),\r\n RecordIdDerived=column_ifexists('record_id_derived_s',''),\r\n 
ReadTime=column_ifexists('read_time_s',''),\r\n\t\tRank=column_ifexists('rank_s',''),\r\n\t\tSrcBytes=column_ifexists('response_size_s',''),\r\n\t\tSrcDvcId=column_ifexists('device_id_s',''),\r\n\t\tSrcDvcModelName=column_ifexists('device_model_s',''),\r\n\t\tSrcIpAddr=column_ifexists('source_ip_s',''),\r\n\t\tSrcNatIpAddr=column_ifexists('client_ip_s',''),\r\n SessionId=column_ifexists('session_id_s',''),\r\n SiteId=column_ifexists('site_id_s',''),\r\n\t\tSharingPermission=column_ifexists('sharing_permission_s',''),\r\n\t\tSharingOperation=column_ifexists('sharing_operation_s',''),\r\n\t\tSharedWithEntityId=column_ifexists('shared_with_entity_id_s',''),\r\n\t\tUrlOriginal=column_ifexists('url_s',''),\r\n\t\tWaveTimestamp=column_ifexists('wave_timestamp_s',''),\r\n\t\tWaveSessionId=column_ifexists('wave_session_id_g',''),\r\n\t\tViewStateSize=column_ifexists('view_state_size_s',''),\r\n\t\tVersionIdDerived=column_ifexists('version_id_derived_s',''),\r\n\t\tVersionId=column_ifexists('version_id_s',''),\r\n TriggerType=column_ifexists('trigger_type_s',''),\r\n\t\tTriggerName=column_ifexists('trigger_name_s',''),\r\n\t\tTriggerId=column_ifexists('trigger_id_s',''),\r\n\t\tTransactionType=column_ifexists('transaction_type_s',''),\r\n\t\tTotalTime=column_ifexists('total_time_s',''),\r\n TabId=column_ifexists('tab_id_s',''),\r\n\t\tStackTrace=column_ifexists('stack_trace_s','')\r\n| project-away *_s",
- "version": 1,
- "tags": [
+ "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.",
+ "displayName": "Potential Password Spray Attack",
+ "enabled": false,
+ "query": "let FailureThreshold = 15; \nSalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus != 'LOGIN_NO_ERROR'\n| where LoginStatus in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')\n| summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "SalesforceServiceCloud"
+ "dataTypes": [
+ "SalesforceServiceCloud"
+ ],
+ "connectorId": "SalesforceServiceCloud"
}
- ]
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": [
+ "T1110"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "ClientIp"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ],
+ "customDetails": {
+ "Users": "Users"
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
- "dependsOn": [
- "[variables('_parserName1')]"
- ],
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
- "kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "description": "Salesforce Service Cloud Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
"source": {
- "name": "Salesforce Service Cloud",
"kind": "Solution",
+ "name": "Salesforce Service Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -870,114 +913,92 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
- "name": "[variables('_parserName1')]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "SalesforceServiceCloud",
- "category": "Samples",
- "functionAlias": "SalesforceServiceCloud",
- "query": "\nSalesforceServiceCloud_CL \r\n| extend \r\n\t\tRequestSize=column_ifexists('request_size_s',''),\r\n\t\tExecTime=column_ifexists('exec_time_s',''),\r\n\t\tAction=column_ifexists('action_s',''),\r\n\t\tPlatformType=column_ifexists('platform_type_s',''),\r\n\t\tOsName=column_ifexists('os_name_s',''),\r\n\t\tOsVersion=column_ifexists('os_version_s',''),\r\n\t\tTimestamp=column_ifexists('timestamp_s',''),\r\n\t\tStatusCode=column_ifexists('status_code_s',''),\r\n\t\tEventType=column_ifexists('event_type_s',''),\r\n\t\tReferrerUri=column_ifexists('referrer_uri_s',''),\r\n\t\tUserAgent=column_ifexists('user_agent_s',''),\r\n\t\tBrowserType=column_ifexists('browser_type_s',''),\r\n\t\tTime=column_ifexists('time_s',''),\r\n\t\tResponseSize=column_ifexists('response_size_s',''),\r\n\t\tDeviceId=column_ifexists('device_id_s',''),\r\n\t\tDeviceModel=column_ifexists('device_model_s',''),\r\n\t\tSourceIp=column_ifexists('source_ip_s',''),\r\n\t\tClientIp=column_ifexists('client_ip_s',''),\r\n\t\tSuccess=column_ifexists('success_s',''),\r\n\t\tUri=column_ifexists('uri_s',''),\r\n\t\tUrl=column_ifexists('url_s',''),\r\n\t\tClientName=column_ifexists('client_name_s',''),\r\n\t\tUserType=column_ifexists('user_type_s',''),\r\n\t\tUserInitiatedLogout=column_ifexists('user_initiated_logout_s',''),\r\n\t\tUserIdDerived=column_ifexists('user_id_derived_s',''),\r\n\t\tUserId=column_ifexists('user_id_s',''),\r\n\t\tUserEmail=column_ifexists('user_email_s',''),\r\n\t\tUser=column_ifexists('user_name_s',''),\r\n\t\tUriIdDerived=column_ifexists('uri_id_derived_s',''),\r\n\t\tUiEventType=column_ifexists('ui_event_type_s',''),\r\n\t\tUiEventTimestamp=column_ifexists('ui_event_timestamp_s',''),\r\n\t\tUiEventSource=column_ifexists('ui_event_source_s',''),\r\n\t\tUiEventSequenceNum=column_ifexists('ui_event_sequence_num_s',''),\r\n\t\tUiEventId=column_ifexists('ui_event_id_s',''),\r\n\t\tTlsProtocol=column_ifexists('tls_protocol_s',''),\r\n\t\tTimestampDerived=column_ifexists('times
tamp_derived_t',''),\r\n\t\tTargetUiElement=column_ifexists('target_ui_element_s',''),\r\n\t\tSort=column_ifexists('sort_s',''),\r\n\t\tSessionType=column_ifexists('session_type_s',''),\r\n\t\tSessionLevel=column_ifexists('session_level_s',''),\r\n\t\tSessionKey=column_ifexists('session_key_s',''),\r\n\t\tSearchQuery=column_ifexists('search_query_s',''),\r\n\t\tSdkVersion=column_ifexists('sdk_version_s',''),\r\n\t\tSdkAppVersion=column_ifexists('sdk_app_version_s',''),\r\n\t\tSdkAppType=column_ifexists('sdk_app_type_s',''),\r\n\t\tRunTime=column_ifexists('run_time_s',''),\r\n\t\tRowsProcessed=column_ifexists('rows_processed_s',''),\r\n\t\tRowCount=column_ifexists('row_count_s',''),\r\n\t\tResolutionType=column_ifexists('resolution_type_s',''),\r\n\t\tRequestStatus=column_ifexists('request_status_s',''),\r\n\t\tRequestId=column_ifexists('request_id_s',''),\r\n\t\tReportIdDerived=column_ifexists('report_id_derived_s',''),\r\n\t\tReportId=column_ifexists('report_id_s',''),\r\n\t\tRenderingType=column_ifexists('rendering_type_s',''),\r\n\t\tRelatedList=column_ifexists('related_list_s',''),\r\n\t\tRecordType=column_ifexists('record_type_s',''),\r\n\t\tRecordId=column_ifexists('record_id_s',''),\r\n\t\tQuiddity=column_ifexists('quiddity_s',''),\r\n\t\tQueryId=column_ifexists('query_id_s',''),\r\n\t\tPrevpageUrl=column_ifexists('prevpage_url_s',''),\r\n\t\tPrevpageEntityType=column_ifexists('prevpage_entity_type_s',''),\r\n\t\tPrevpageEntityId=column_ifexists('prevpage_entity_id_s',''),\r\n\t\tPrevpageContext=column_ifexists('prevpage_context_s',''),\r\n\t\tPrevpageAppName=column_ifexists('prevpage_app_name_s',''),\r\n\t\tPrefixesSearched=column_ifexists('prefixes_searched_s',''),\r\n\t\tParentUiElement=column_ifexists('parent_ui_element_s',''),\r\n\t\tPageUrl=column_ifexists('page_url_s',''),\r\n\t\tPageStartTime=column_ifexists('page_start_time_s',''),\r\n\t\tPageEntityType=column_ifexists('page_entity_type_s',''),\r\n\t\tPageEntityId=column_ifexists('page_entity_id_s','
'),\r\n\t\tPageContext=column_ifexists('page_context_s',''),\r\n\t\tPageAppName=column_ifexists('page_app_name_s',''),\r\n\t\tOrigin=column_ifexists('origin_s',''),\r\n\t\tOrganizationId=column_ifexists('organization_id_s',''),\r\n\t\tNumResults=column_ifexists('num_results_s',''),\r\n\t\tNumberSoqlQueries=column_ifexists('number_soql_queries_s',''),\r\n\t\tNumberFields=column_ifexists('number_fields_s',''),\r\n\t\tNumberExceptionFilters=column_ifexists('number_exception_filters_s',''),\r\n\t\tNumberColumns=column_ifexists('number_columns_s',''),\r\n\t\tNumberBuckets=column_ifexists('number_buckets_s',''),\r\n\t\tMethodName=column_ifexists('method_name_s',''),\r\n\t\tMethod=column_ifexists('method_s',''),\r\n\t\tMediaType=column_ifexists('media_type_s',''),\r\n\t\tLoginStatus=column_ifexists('login_status_s',''),\r\n\t\tLoginKey=column_ifexists('login_key_s',''),\r\n\t\tHttpMethod=column_ifexists('http_method_s',''),\r\n\t\tGrandparentUiElement=column_ifexists('grandparent_ui_element_s',''),\r\n\t\tEntryPoint=column_ifexists('entry_point_s',''),\r\n\t\tEntityName=column_ifexists('entity_name_s',''),\r\n\t\tEntity=column_ifexists('entity_s',''),\r\n\t\tEffectivePageTime=column_ifexists('effective_page_time_s',''),\r\n\t\tDuration=column_ifexists('duration_s',''),\r\n\t\tDisplayType=column_ifexists('display_type_s',''),\r\n\t\tDeviceSessionId=column_ifexists('device_session_id_s',''),\r\n\t\tDevicePlatform=column_ifexists('device_platform_s',''),\r\n\t\tDbTotalTime=column_ifexists('db_total_time_s',''),\r\n\t\tDbCpuTime=column_ifexists('db_cpu_time_s',''),\r\n\t\tDbBlocks=column_ifexists('db_blocks_s',''),\r\n\t\tCpuTime=column_ifexists('cpu_time_s',''),\r\n\t\tConnectionType=column_ifexists('connection_type_s',''),\r\n\t\tComponentName=column_ifexists('component_name_s',''),\r\n\t\tClientVersion=column_ifexists('client_version_s',''),\r\n\t\tClientId=column_ifexists('client_id_s',''),\r\n\t\tCipherSuite=column_ifexists('cipher_suite_s',''),\r\n\t\tCalloutTime=column_
ifexists('callout_time_s',''),\r\n\t\tBrowserVersion=column_ifexists('browser_version_s',''),\r\n\t\tBrowserName=column_ifexists('browser_name_s',''),\r\n\t\tAverageRowSize=column_ifexists('average_row_size_s',''),\r\n\t\tAppType=column_ifexists('app_type_s',''),\r\n\t\tAppName=column_ifexists('app_name_s',''),\r\n\t\tApiVersion=column_ifexists('api_version_s',''),\r\n\t\tApiType=column_ifexists('api_type_s',''),\r\n ArticleVersionId=column_ifexists('article_version_id_s',''),\r\n\t\tArticleVersion=column_ifexists('article_version_s',''),\r\n\t\tArticleStatus=column_ifexists('article_status_s',''),\r\n\t\tArticleId=column_ifexists('article_id_s',''),\r\n AnalyticsMode=column_ifexists('analytics_mode_s',''),\r\n BatchId=column_ifexists('batch_id_s',''),\r\n ClickedRecordId=column_ifexists('clicked_record_id_s',''),\r\n\t\tClassName=column_ifexists('class_name_s',''),\r\n ComponentIdDerived=column_ifexists('component_id_derived_s',''),\r\n\t\tComponentId=column_ifexists('component_id_s',''),\r\n ControllerType=column_ifexists('controller_type_s',''),\r\n\t\tContext=column_ifexists('context_s',''),\r\n\t\tConsoleIdDerived=column_ifexists('console_id_derived_s',''),\r\n\t\tConsoleId=column_ifexists('console_id_s',''), \r\n ClientInfo=column_ifexists('client_info_s',''),\r\n DstBytes=column_ifexists('request_size_s',''),\r\n\t\tDstUser=column_ifexists('delegated_user_name_s',''),\r\n DstUserSid=column_ifexists('delegated_user_id_s',''),\r\n\t\tDstUserSidDerived=column_ifexists('delegated_user_id_derived_s',''),\r\n 
Data=column_ifexists('data_s',''),\r\n\t\tDashboardType=column_ifexists('dashboard_type_s',''),\r\n\t\tDashboardIdDerived=column_ifexists('dashboard_id_derived_s',''),\r\n\t\tDashboardId=column_ifexists('dashboard_id_s',''),\r\n\t\tDashboardComponentId=column_ifexists('dashboard_component_id_s',''),\r\n\t\tDvcAction=column_ifexists('action_s',''),\r\n\t\tDvcOS=column_ifexists('platform_type_s',''),\r\n\t\tDvcOSName=column_ifexists('os_name_s',''),\r\n\t\tDvcOSVersion=column_ifexists('os_version_s',''),\r\n DeliveryLocation=column_ifexists('delivery_location_s',''),\r\n\t\tDeliveryId=column_ifexists('delivery_id_s',''),\r\n DocumentIdDerived=column_ifexists('document_id_derived_s',''),\r\n\t\tDocumentId=column_ifexists('document_id_s',''),\r\n EntityType=column_ifexists('entity_type_s',''),\r\n EntityId=column_ifexists('entity_id_s',''),\r\n FileType=column_ifexists('file_type_s',''),\r\n\t\tFilePreviewType=column_ifexists('file_preview_type_s',''),\r\n\t\tExceptionType=column_ifexists('exception_type_s',''),\r\n\t\tExceptionMessage=column_ifexists('exception_message_s',''),\r\n\t\tEpt=column_ifexists('ept_s',''),\r\n EventCount=column_ifexists('number_of_records_s',''),\r\n\t\tEventEndTime=column_ifexists('timestamp_s',''),\r\n\t\tEventResult=column_ifexists('status_code_s',''),\r\n\t\tFileSize=column_ifexists('size_bytes_s',''),\r\n HttpReferrerOriginal=column_ifexists('referrer_uri_s',''),\r\n\t\tHttpUserAgentOriginal=column_ifexists('user_agent_s',''),\r\n\t\tHttpUserAgent=column_ifexists('browser_type_s',''),\r\n 
LogGroupId=column_ifexists('log_group_id_s',''),\r\n\t\tLimitUsagePercent=column_ifexists('limit_usage_percent_s',''),\r\n\t\tLicenseContext=column_ifexists('license_context_s',''),\r\n\t\tLastVersion=column_ifexists('last_version_s',''),\r\n\t\tLanguage=column_ifexists('language_s',''),\r\n\t\tJobId=column_ifexists('job_id_s',''),\r\n\t\tIsSuccess=column_ifexists('is_success_s',''),\r\n\t\tIsSecure=column_ifexists('is_secure_s',''),\r\n\t\tIsScheduled=column_ifexists('is_scheduled_s',''),\r\n\t\tIsNew=column_ifexists('is_new_s',''),\r\n\t\tIsMobile=column_ifexists('is_mobile_s',''),\r\n\t\tIsLongRunningRequest=column_ifexists('is_long_running_request_s',''),\r\n\t\tIsGuest=column_ifexists('is_guest_s',''),\r\n\t\tIsFirstRequest=column_ifexists('is_first_request_s',''),\r\n\t\tIsError=column_ifexists('is_error_s',''),\r\n\t\tIsApi=column_ifexists('is_api_s',''),\r\n\t\tIsAjaxRequest=column_ifexists('is_ajax_request_s',''),\r\n ManagedPackageNamespace=column_ifexists('managed_package_namespace_s',''),\r\n HttpHeaders=column_ifexists('http_headers_s',''),\r\n\t\tNetworkDuration=column_ifexists('time_s',''),\r\n Name=column_ifexists('name_s',''),\r\n NumberFailures=column_ifexists('number_failures_s',''),\r\n NumClicks=column_ifexists('num_clicks_s',''),\r\n OperationType=column_ifexists('operation_type_s',''),\r\n\t\tNumSessions=column_ifexists('num_sessions_s',''),\r\n PageName=column_ifexists('page_name_s',''),\r\n Query=column_ifexists('query_s',''),\r\n RequestType=column_ifexists('request_type_s',''),\r\n ReportDescription=column_ifexists('report_description_s',''),\r\n\t\tReopenCount=column_ifexists('reopen_count_s',''),\r\n RelatedEntityId=column_ifexists('related_entity_id_s',''),\r\n RecordIdDerived=column_ifexists('record_id_derived_s',''),\r\n 
ReadTime=column_ifexists('read_time_s',''),\r\n\t\tRank=column_ifexists('rank_s',''),\r\n\t\tSrcBytes=column_ifexists('response_size_s',''),\r\n\t\tSrcDvcId=column_ifexists('device_id_s',''),\r\n\t\tSrcDvcModelName=column_ifexists('device_model_s',''),\r\n\t\tSrcIpAddr=column_ifexists('source_ip_s',''),\r\n\t\tSrcNatIpAddr=column_ifexists('client_ip_s',''),\r\n SessionId=column_ifexists('session_id_s',''),\r\n SiteId=column_ifexists('site_id_s',''),\r\n\t\tSharingPermission=column_ifexists('sharing_permission_s',''),\r\n\t\tSharingOperation=column_ifexists('sharing_operation_s',''),\r\n\t\tSharedWithEntityId=column_ifexists('shared_with_entity_id_s',''),\r\n\t\tUrlOriginal=column_ifexists('url_s',''),\r\n\t\tWaveTimestamp=column_ifexists('wave_timestamp_s',''),\r\n\t\tWaveSessionId=column_ifexists('wave_session_id_g',''),\r\n\t\tViewStateSize=column_ifexists('view_state_size_s',''),\r\n\t\tVersionIdDerived=column_ifexists('version_id_derived_s',''),\r\n\t\tVersionId=column_ifexists('version_id_s',''),\r\n TriggerType=column_ifexists('trigger_type_s',''),\r\n\t\tTriggerName=column_ifexists('trigger_name_s',''),\r\n\t\tTriggerId=column_ifexists('trigger_id_s',''),\r\n\t\tTransactionType=column_ifexists('transaction_type_s',''),\r\n\t\tTotalTime=column_ifexists('total_time_s',''),\r\n TabId=column_ifexists('tab_id_s',''),\r\n\t\tStackTrace=column_ifexists('stack_trace_s','')\r\n| project-away *_s",
- "version": 1
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
- "dependsOn": [
- "[variables('_parserId1')]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
- "kind": "Parser",
- "version": "[variables('parserVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Salesforce Service Cloud",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
},
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('workbookTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "Salesforce Service Cloud Workbook with template",
- "displayName": "Salesforce Service Cloud workbook template"
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Potential Password Spray Attack",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SalesforceServiceCloudWorkbook with template version 2.0.4",
+ "description": "Salesforce-SigninsMultipleCountries_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion1')]",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId1')]",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
- "kind": "shared",
- "apiVersion": "2021-08-01",
- "metadata": {
- "description": "Sets the time name for analysis."
- },
"properties": {
- "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Salesforce Service Cloud Workbook\\n---\\n\\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Salesforce Service cloud audit data. Visualizations may not appear if no data is present.\\n\\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of salesforce service cloud data, queries may timeout with a large time range, if this is the case simply select a smaller time range.: \",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"412a09a0-64ae-4614-aec6-cbfc9273b82b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 32\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ae90d1dc-20da-4948-80da-127b210bf152\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User Logins\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"af58b4d9-a888-43ed-91a9-6e9f539a61d4\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"API 
Usage\",\"subTarget\":\"2\",\"style\":\"link\"}]},\"name\":\"links - 34\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"User login locations\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\\n[@\\\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\\\"];\\nlet UsersLocation = SalesforceServiceCloud\\n| where EventType == \\\"Login\\\"\\n| project TimeGenerated, SourceIp;\\nUsersLocation\\n| extend Dummy=1\\n| summarize count() by Hour=bin(TimeGenerated,24h), SourceIp,Dummy\\n| partition by Hour(\\n lookup (Countrydb|extend Dummy=1) on Dummy\\n | where ipv4_is_match(SourceIp, Network)\\n )\\n| summarize sum(count_) by country_name\",\"size\":3,\"title\":\"Heat Map- Geographical - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"RetTime\"},{\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"country_name\",\"sizeSettings\":\"sum_count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"sum_count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"sum_count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"70\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| summarize AvgLogintime = avg(toint(RunTime)), MaxLoginTime = max(toint(RunTime)), TotalLoginRequests = count() by EventType\\r\\n| project-away EventType\",\"size\":1,\"title\":\"Overview - User login 
requests\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AvgLogintime\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":23,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"MaxLoginTime\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":23,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"TotalLoginRequests\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}}],\"rowLimit\":1},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| summarize count() by bin(TimeGenerated, 1h),User, ClientIp \\r\\n| top 10 by count_\",\"size\":0,\"title\":\"Top 10 users with maximun logins - {TimeRange:label}\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"RetUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"user_name_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false},\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"60\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"To leverage infomation about Malicious IP, Threat Indicator solution should be configured and ThreatIntelligenceIndicator table should have information 
of malicious IP.\",\"style\":\"info\"},\"customWidth\":\"10\",\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" let malicious_ips =\\r\\n ThreatIntelligenceIndicator\\r\\n | where isnotempty(NetworkIP)\\r\\n | summarize make_list(NetworkIP); \\r\\n SalesforceServiceCloud\\r\\n | where EventType == 'Login'\\r\\n | distinct User,ClientIp\\r\\n | where ClientIp in (malicious_ips)\\r\\n | project UserName = User, MaliciousIP = ClientIp\\r\\n\",\"size\":1,\"title\":\"Malicious IP- User Login\",\"noDataMessage\":\"No Malicious IP found\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserName\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"MaliciousIP\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}}]},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"30\",\"name\":\"query - 23\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'LoginAS'\\r\\n| project UserID = UserId,DerivedUSerID = UserIdDerived,EventType = EventType, IPAddress = ClientIp, LoginKey = LoginKey, OrgID = OrganizationId, RequestID = RequestId, SessionKey = SessionKey\\r\\n| limit 10\",\"size\":0,\"title\":\"User Activity- LoginAS(Top 10)\",\"noDataMessage\":\"No user impersonation found\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"RetIP\",\"exportDefaultValue\":\"all IP 
addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"60\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'LoginAs'\\r\\n| where isnotempty(User)\\r\\n| summarize count() by User,UserIdDerived,ClientIp\\r\\n| project UserName = User,DerivedUSerID = UserIdDerived,IPAddress = ClientIp, count_\",\"size\":1,\"title\":\"User Impersonation from different IP Addresses\",\"color\":\"blue\",\"noDataMessage\":\"No user impersonation found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserName\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"DerivedUSerID\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"IPAddress\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}}],\"labelSettings\":[{\"columnId\":\"UserName\",\"label\":\"User Name\"},{\"columnId\":\"DerivedUSerID\",\"label\":\"Impersonated ID\"},{\"columnId\":\"IPAddress\",\"label\":\"IP Address\"},{\"columnId\":\"count_\",\"label\":\"Total Login\"}]},\"chartSettings\":{\"xAxis\":\"IPAddress\",\"yAxis\":[\"count_\"],\"showLegend\":true}},\"customWidth\":\"40\",\"name\":\"query - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| where isnotempty(User)\\r\\n| project 
UserName= User,APIType= ApiType, Browser= BrowserType, CipherSuite =CipherSuite, IP =ClientIp, CPUTime=CpuTime, UserType = UserType\\r\\n| take 200\",\"size\":0,\"title\":\"User Successful Login Activity\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"60\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == 'Login'\\r\\n| where isnotempty(User)\\r\\n| where LoginStatus !has('LOGIN_NO_ERROR')\\r\\n| summarize count() by User, ClientIp\\r\\n| project UserName = User, IP = ClientIp, Count = count_\",\"size\":1,\"title\":\"User Unsuccessful Logins by IP\",\"noDataMessage\":\"No Unsucessful Login found\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserName\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"IP\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}}],\"labelSettings\":[{\"columnId\":\"UserName\",\"label\":\"User Name\"},{\"columnId\":\"IP\",\"label\":\"IP Address\"},{\"columnId\":\"Count\",\"label\":\"Count\"}]},\"chartSettings\":{\"xAxis\":\"UserName\",\"yAxis\":[\"Count\"],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"30\",\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Retrieval Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"API 
Usage\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| summarize count() by EventType\",\"size\":0,\"title\":\"Most fired events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":50,\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == \\\"ApiTotalUsage\\\"\\r\\n| summarize count() by IPAddress = ClientIp,Entity = EntityName\\r\\n| order by Entity\",\"size\":0,\"title\":\"Most accessed entities by IP Address\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"user_id_s\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"entity_name_s\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"client_ip_s\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"categorical\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"30%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalesforceServiceCloud\\r\\n| where EventType == \\\"ApiTotalUsage\\\"\\r\\n| summarize count() by EntityName\",\"size\":0,\"title\":\"Most accessed Entities\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
6\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"APIUsage\"}],\"fromTemplateId\":\"sentinel-SalesforceServiceCloudWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
- "version": "1.0",
- "sourceId": "[variables('workspaceResourceId')]",
- "category": "sentinel"
+ "description": "This query searches for successful user logins from different countries within 30min.",
+ "displayName": "User Sign in from different countries",
+ "enabled": false,
+ "query": "let threshold = 2;\nlet Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\n[@\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\"];\nlet UsersLocation = SalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'\n| project TimeGenerated, ClientIp, UserId, User, UserType ;\nUsersLocation\n| extend Dummy=1\n| summarize count() by Hour=bin(TimeGenerated,30m), ClientIp,User, Dummy\n| partition by Hour(\n lookup (Countrydb|extend Dummy=1) on Dummy\n | where ipv4_is_match(ClientIp, Network)\n )\n| summarize NumOfCountries = dcount(country_name) by User, Hour\n| where NumOfCountries >= threshold\n",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "SalesforceServiceCloud"
+ ],
+ "connectorId": "SalesforceServiceCloud"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "AadUserId",
+ "columnName": "User"
+ }
+ ],
+ "entityType": "Account"
+ }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
"properties": {
- "description": "@{workbookKey=SalesforceServiceCloudWorkbook; logoFileName=salesforce_logo.svg; description=Sets the time name for analysis.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Salesforce Service Cloud; templateRelativePath=SalesforceServiceCloud.json; subtitle=; provider=Salesforce}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
+ "description": "Salesforce Service Cloud Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
"source": {
"kind": "Solution",
"name": "Salesforce Service Cloud",
@@ -992,34 +1013,39 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "SalesforceServiceCloud",
- "kind": "DataType"
- },
- {
- "contentId": "SalesforceServiceCloud_CL",
- "kind": "DataConnector"
- }
- ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "User Sign in from different countries",
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.4",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Salesforce Service Cloud",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The Salesforce Service Cloud solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel.
\n
Underlying Microsoft Technologies used:
\n
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
Trend Micro Apex One via AMA - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
Trend Micro Apex One via Legacy Agent - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -2843,6 +3152,11 @@
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ },
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md
new file mode 100644
index 00000000000..19df1aa026c
--- /dev/null
+++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data Connector** | |
+
+
diff --git a/Solutions/Web Session Essentials/Package/3.0.0.zip b/Solutions/Web Session Essentials/Package/3.0.0.zip
index a8d71c1bd1b..2aaa27683fc 100644
Binary files a/Solutions/Web Session Essentials/Package/3.0.0.zip and b/Solutions/Web Session Essentials/Package/3.0.0.zip differ
diff --git a/Solutions/Web Session Essentials/Package/mainTemplate.json b/Solutions/Web Session Essentials/Package/mainTemplate.json
index 0d44d401348..946250ccf3a 100644
--- a/Solutions/Web Session Essentials/Package/mainTemplate.json
+++ b/Solutions/Web Session Essentials/Package/mainTemplate.json
@@ -988,7 +988,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Web Session Essentials\\n---\\n\\nThe 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network.\\n\\nThis workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.\\n\\nThe \\\"SummarizeWebSessionData\\\" Playbook installed along with the solution helps in summarizing the logs and improving the performance of the Workbook and data searches. This Workbook leverages the default as well as custom web session summarized data tables for visualising the data. Although enabling the summarization playbook is optional, we highly recommend enabling it for better user experience in environments with high EPS (events per second) data ingestion. 
Please note that summarization would require the playbook to run on a scheduled basis to utilise this workbook's capabilities.\\n\\nSummarized web session data can found in following custom tables:\\n- WebSession_Summarized_SrcInfo_CL\\n- WebSession_Summarized_SrcIP_CL\\n- WebSession_Summarized_DstIP_CL\\n- WebSession_Summarized_ThreatInfo_CL\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"10f90ed9-b14c-4bd3-8618-fe92d29d0055\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a28728e5-2c6b-4f0f-9b2e-906fe24c52a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"c8af6801-1cdf-47f6-b959-a7774b2f5faf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select required Log Analytics Workspace\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"b875f4b5-5a7c-4cf1-baf9-7b860f737cb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print 
LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c318ae1b-984d-4f08-a0a1-46f0a8e62252\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeDstIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_DstIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n 
);\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"041050ed-6db3-42ae-96cd-100abebd7492\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeThreatInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7c67ea90-b8cb-44e0-b7e0-24d7b55e2680\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcIpAddr\",\"label\":\"Source IP\",\"type\":2,\"description\":\"search single or multiple Source IPs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct 
SrcIpAddr\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"a8533e73-c384-4490-94d7-a86b0298add0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcUsername\",\"label\":\"User name\",\"type\":2,\"description\":\"search single or multiple usernames\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcUsername)\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | distinct SrcUsername=SrcUsername_s\\r\\n )\\r\\n | distinct SrcUsername\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"161946b4-aa92-4bc3-8ae1-8b4ee67389ea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcHostname\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | 
distinct SrcHostname\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Source Host\"},{\"id\":\"e67b1965-4b24-45bd-9e07-64892a11ed5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DstHostname\",\"type\":2,\"description\":\"search single or multiple URLs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend SiteName = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | distinct SiteName\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | distinct SiteName = DestDomain_s\\r\\n )\\r\\n | distinct SiteName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Dest Site\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"c3e512f5-3e3f-41f3-b645-121f7bd6a557\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web servers\",\"subTarget\":\"webservers\",\"preText\":\"Web 
servers\",\"style\":\"link\"},{\"id\":\"6d785be8-da74-4cae-977f-576d5d3fa070\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web Proxies and Security Gateways\",\"subTarget\":\"webproxies\",\"style\":\"link\"},{\"id\":\"9f095674-3da6-4a46-aae9-6820b2b4baee\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Top Queries\",\"subTarget\":\"topQueries\",\"style\":\"link\"},{\"id\":\"e4f43157-d64d-41d2-8f9d-e39a30b0c1ce\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"View Threat Events\",\"subTarget\":\"threatevents\",\"style\":\"link\"}]},\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where 
isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, 
SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where 
EventType =~ 'WebServerSession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest Sites\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n 
)\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nlet ServerErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (500 .. 599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (500 .. 
599)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Server Errors\\\", orderNum = 8;\\r\\nlet ClientErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (400 .. 
499)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Client Errors\\\", orderNum = 9;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or 
(SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"Events by products over time - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | project\\r\\n EventResultDetails= EventResultDetails_s,\\r\\n EventTime = EventTime_t,\\r\\n EventCount = EventCount_d,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by error type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventResultDetails\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Count by errors type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top internal users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top internal users by request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top 
external users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top external clients by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(EventSeverity)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize RequestCount=tolong(count()) by EventSeverity\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or 
(DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"25\",\"name\":\"Top web hosts with most request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":3,\"showAnalytics\":true,\"title\":\"Urls with most failed requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"Urls with most failed requests\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n| where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\nand ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\nand ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\nand ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) 
by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in success\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in success\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User 
Agent requests resulted in errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| where EventType_s =~ 'WebServerSession'\\r\\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ 
({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n ) on DstHostname\\r\\n | project WebServer=DstHostname, DataReceived=DataReceived, Trend\\r\\n | order by DataReceived desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Web servers with highest download\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Web servers with highest download\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let common_file_ext_list = dynamic([\\\".txt\\\", \\\".xlsx\\\", \\\".doc\\\", \\\".docx\\\", \\\".csv\\\", \\\".pdf\\\", \\\".png\\\", \\\".jpg\\\", \\\".jpeg\\\"]); // Add list of common files as per your environment\\r\\n_Im_WebSession (starttime={TimeRange:start}, eventresult='Success')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where HttpRequestMethod in~ (\\\"POST\\\", \\\"PUT\\\") \\r\\n| project\\r\\n Url,\\r\\n SrcIpAddr,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname,\\r\\n TimeGenerated\\r\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), '/')[-1])\\r\\n| extend FileWithdualextension = extract(@'([\\\\w-]+\\\\.\\\\w+\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\r\\n| 
extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\\r\\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\\r\\n| summarize\\r\\n EventCount=count(),\\r\\n EventStartTime=min(TimeGenerated),\\r\\n EventEndTime=max(TimeGenerated)\\r\\n by\\r\\n SrcIpAddr,\\r\\n Url,\\r\\n FileWithdualextension,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname\",\"size\":1,\"title\":\"Possible malicious double extension file upload\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webservers\"},\"name\":\"Web servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend 
SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union 
isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where 
EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = 
\\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest HostNames\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where 
('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n )\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unique Connections\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Product Count\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserNames\",\"representation\":\"AvatarDefault\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Source HostNames\",\"representation\":\"resource\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Source IPs\",\"representation\":\"Publish\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserAgents\",\"representation\":\"Important\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique 
Hosts\",\"representation\":\"Book\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, 
{TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by products over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventResult)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | 
summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventResult = EventResult_s\\r\\n | where isnotempty(EventResult)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by result over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventResult\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"red\"},{\"seriesName\":\"Success\",\"color\":\"green\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by result over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n SrcBytes = SrcBytes_d,\\r\\n DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Errors by type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"Errors by type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventType)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize 
EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\\r\\n | where isnotempty(EventType)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by type\",\"color\":\"lightBlue\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"20\",\"name\":\"Events by type\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes) or isnotnull(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\\r\\n | extend DataSentinGB = toint(replace_string(DataSentinGB,\\\" GB\\\",\\\"\\\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\\\" GB\\\",\\\"\\\"))\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Sent and Received data in GB over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"Sent and Received data in GB over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n 
_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n| where isnotempty(DestDomain_s)\\r\\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n)\\r\\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Distinct requested applications over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"40\",\"name\":\"Distinct requested applications over 
time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'HTTPsession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Urls with most failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Urls with most failed requests count\"}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webproxies\"},\"name\":\"Group - Web Proxies and Security Gateways\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend DestDomain = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ 
({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n TimeGenerated=EventTime_t,\\r\\n DestDomain=DestDomain_s,\\r\\n EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\\r\\nlet UserData = WebData\\r\\n | summarize RequestCount=sum(RequestCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\\r\\n on User\\r\\n | order by RequestCount desc, User asc;\\r\\nWebData\\r\\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\\r\\n) on User, DestDomain\\r\\n| order by 
RequestCount desc, User asc\\r\\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\\r\\n| union (UserData\\r\\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\\r\\n)\\r\\n| order by RequestCount desc, Name asc\\r\\n| take 25\",\"size\":1,\"title\":\"Top sites of the top users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"50\",\"name\":\"Top sites of the top users\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, 
SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Users with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":\"[]\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top Users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top Users with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top client error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top client error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top server error 
types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top server error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Success'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ 
({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Failure'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by failed requests 
count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataSent = sum(DataSent) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataSentinMB=DataSent/1048576, Trend\\r\\n | order by DataSentinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SentData\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest upload (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataReceivedinMB=DataReceived/1048576, Trend\\r\\n | order by DataReceivedinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest download (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest download 
(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(SrcBytes)\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcBytes= SrcBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotnull(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataSent = sum(DataSent) by 
Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataSentinMB=DataSent / 1048576, Trend\\r\\n| order by DataSentinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest upload (MB) (no summarization)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | 
project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n DstBytes= DstBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataReceived = sum(DataReceived) by Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\\r\\n| order by DataReceivedinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest download(MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest download(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion 
isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true 
\\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by failed requests 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Failure\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | where isnotempty(UrlCategory) and EventResult =~ \\\"Failure\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Success\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | 
where isnotempty(UrlCategory) and EventResult =~ \\\"Success\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Success'\\r\\n | summarize 
EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP User Agents by successful request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by successful request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Failure'\\r\\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, 
bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP User Agents by failed request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by failed request count\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"topQueries\"},\"name\":\"Group - Top Queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nlet distinctThreats = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\\r\\n | extend ThreatName = ThreatName_s\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n )\\r\\n | summarize Result=tostring(dcount(ThreatName))\\r\\n | extend Query = \\\"Distinct ThreatNames\\\", orderNum = 1;\\r\\nlet distinctThreatCategory = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatCategory = ThreatCategory_s\\r\\n )\\r\\n | 
summarize Result=tostring(dcount(ThreatCategory))\\r\\n | extend Query = \\\"Distinct Threat Categories\\\", orderNum = 2;\\r\\nlet maxRiskLevel = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatRiskLevel_d > 60\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\\r\\n )\\r\\n | summarize Max_RiskLevel=max(ThreatRiskLevel)\\r\\n | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\\r\\n | extend Query = \\\"Maximum RiskLevel\\\", orderNum = 3;\\r\\nlet maxThreatConfidence = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n 
WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(ThreatOriginalConfidence_d) > 0\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n )\\r\\n | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\\r\\n | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\\r\\n | extend Query = \\\"Maximum ThreatConfidence\\\", orderNum = 4;\\r\\nlet MaxEventSeverity = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventSeverity\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventSeverity_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct 
EventSeverity=EventSeverity_s\\r\\n )\\r\\n | distinct EventSeverity\\r\\n | summarize EventSeverity=make_set(EventSeverity, 5)\\r\\n | extend Result=case(\\r\\n EventSeverity has 'High',\\r\\n 'High',\\r\\n EventSeverity has 'Medium',\\r\\n 'Medium',\\r\\n EventSeverity has 'Low',\\r\\n 'Low',\\r\\n EventSeverity has 'Informational',\\r\\n 'Informational',\\r\\n EventSeverity\\r\\n )\\r\\n | extend Query = \\\"Max Event Severity\\\", orderNum = 5;\\r\\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Query\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"!=\",\"thresholdValue\":\"0\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n| order by EventCount\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Events by threat name\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where 
ThreatCategory !in~ (exludeString)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatCategory !in~ (exludeString)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n\\t | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Severity over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatRiskLevel > 60\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Risk Level over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatOriginalConfidence_d > 0\\r\\n | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"title\":\"Events by Confidence over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllPublicIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n\\t\\t| project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where not(ipv4_is_private(DstIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = DstIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n )\\r\\n | distinct PublicIPAddress;\\r\\n ThreatIntelligenceIndicator\\r\\n | where NetworkIP in~ (AllPublicIPs)\",\"size\":1,\"title\":\"Source or Destination IPs matching with Threat Intelligence 
indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(DestHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\n ThreatIntelligenceIndicator\\r\\n | where Url 
has_any(AllDstWebsites)\",\"size\":1,\"title\":\"Requested URL matching with Threat Intelligence Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Requested URL with Threat Intelligence Indicators\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| project SrcIpAddr\\r\\n\\t\\t| distinct SrcIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr;\\r\\nlet AllDstIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where isnotempty(DstIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ 
({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DstIpAddr_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n )\\r\\n | distinct DstIpAddr;\\r\\nlet AllIPs =\\r\\nunion AllSrcIPs, AllDstIPs;\\r\\n SecurityAlert\\r\\n | where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'ip'\\r\\n | extend IPEntity = tostring(Parsed_Entities.Address)\\r\\n | project-away Parsed_Entities\\r\\n | where IPEntity in~ (AllIPs)\\r\\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source or Destination IPs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) 
or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DestHostname = DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'url'\\r\\n | extend UrlEntity = tostring(Parsed_Entities.Url)\\r\\n | project-away Parsed_Entities\\r\\n| where UrlEntity has_any (AllDstWebsites)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Request URLs matching with Entities in Security Alert 
table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcHostnames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'host'\\r\\n | extend HostEntity = tostring(Parsed_Entities.HostName)\\r\\n | project-away Parsed_Entities\\r\\n| where HostEntity in~ (AllSrcHostnames)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, 
Description, ProviderName, HostEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source HostNames matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"threatevents\"},\"name\":\"Threat Events\"}],\"fallbackResourceIds\":[],\"fromTemplateId\":\"sentinel-WebSessionDomainSolution\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Web Session Essentials\\n---\\n\\nThe 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network.\\n\\nThis workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.\\n\\nThe \\\"SummarizeWebSessionData\\\" Playbook installed along with the solution helps in summarizing the logs and improving the performance of the Workbook and data searches. This Workbook leverages the default as well as custom web session summarized data tables for visualising the data. Although enabling the summarization playbook is optional, we highly recommend enabling it for better user experience in environments with high EPS (events per second) data ingestion. 
Please note that summarization would require the playbook to run on a scheduled basis to utilise this workbook's capabilities.\\n\\nSummarized web session data can found in following custom tables:\\n- WebSession_Summarized_SrcInfo_CL\\n- WebSession_Summarized_SrcIP_CL\\n- WebSession_Summarized_DstIP_CL\\n- WebSession_Summarized_ThreatInfo_CL\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"10f90ed9-b14c-4bd3-8618-fe92d29d0055\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"a28728e5-2c6b-4f0f-9b2e-906fe24c52a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"c8af6801-1cdf-47f6-b959-a7774b2f5faf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"description\":\"Select required Log Analytics Workspace\",\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project 
id\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"b875f4b5-5a7c-4cf1-baf9-7b860f737cb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"ab5ebbc3-a282-4ee4-9cc0-7cfebaa7e06a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print 
LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b8fc59a5-83c9-4ec1-9dfa-f71fa4e1ad15\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeSrcIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_SrcIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c318ae1b-984d-4f08-a0a1-46f0a8e62252\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeDstIP\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_DstIP_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n 
);\\r\\n print LastIngestionTime\",\"crossComponentResources\":[\"{Workspace}\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"041050ed-6db3-42ae-96cd-100abebd7492\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastIngestionTimeThreatInfo\",\"type\":1,\"description\":\"Get last ingestion time in WebSession_Summarized_ThreatInfo_CL custom table\",\"isRequired\":true,\"query\":\"let LastIngestionTime = toscalar (\\r\\n union isfuzzy=true \\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | summarize max_TimeGenerated=max(EventTime_t)\\r\\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\\r\\n ),\\r\\n (\\r\\n print({TimeRange:start})\\r\\n | extend max_TimeGenerated = print_0\\r\\n | project max_TimeGenerated\\r\\n )\\r\\n | summarize maxTimeGenerated = max(max_TimeGenerated) \\r\\n );\\r\\n print LastIngestionTime\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7c67ea90-b8cb-44e0-b7e0-24d7b55e2680\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcIpAddr\",\"label\":\"Source IP\",\"type\":2,\"description\":\"search single or multiple Source IPs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct 
SrcIpAddr\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"a8533e73-c384-4490-94d7-a86b0298add0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcUsername\",\"label\":\"User name\",\"type\":2,\"description\":\"search single or multiple usernames\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcUsername)\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | distinct SrcUsername=SrcUsername_s\\r\\n )\\r\\n | distinct SrcUsername\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"]},{\"id\":\"161946b4-aa92-4bc3-8ae1-8b4ee67389ea\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SrcHostname\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | 
distinct SrcHostname\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Source Host\"},{\"id\":\"e67b1965-4b24-45bd-9e07-64892a11ed5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DstHostname\",\"type\":2,\"description\":\"search single or multiple URLs\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend SiteName = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | distinct SiteName\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | distinct SiteName = DestDomain_s\\r\\n )\\r\\n | distinct SiteName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"label\":\"Dest Site\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"c3e512f5-3e3f-41f3-b645-121f7bd6a557\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web servers\",\"subTarget\":\"webservers\",\"preText\":\"Web 
servers\",\"style\":\"link\"},{\"id\":\"6d785be8-da74-4cae-977f-576d5d3fa070\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Web Proxies and Security Gateways\",\"subTarget\":\"webproxies\",\"style\":\"link\"},{\"id\":\"9f095674-3da6-4a46-aae9-6820b2b4baee\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Top Queries\",\"subTarget\":\"topQueries\",\"style\":\"link\"},{\"id\":\"e4f43157-d64d-41d2-8f9d-e39a30b0c1ce\",\"cellValue\":\"tabVisibility\",\"linkTarget\":\"parameter\",\"linkLabel\":\"View Threat Events\",\"subTarget\":\"threatevents\",\"style\":\"link\"}]},\"name\":\"links - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where 
isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, 
SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = \\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where 
EventType =~ 'WebServerSession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest Sites\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n 
)\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nlet ServerErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (500 .. 599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (500 .. 
599)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Server Errors\\\", orderNum = 8;\\r\\nlet ClientErrorsCount = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(EventResultDetails_s) between (400 .. 
499)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventResultDetails=EventResultDetails_s, EventTime = EventTime_t, EventCount = EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize Count = sum(EventCount)\\r\\n | extend Metric = \\\"Total Client Errors\\\", orderNum = 9;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents, ServerErrorsCount, ClientErrorsCount | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or 
(SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"Events by products over time - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | project\\r\\n EventResultDetails= EventResultDetails_s,\\r\\n EventTime = EventTime_t,\\r\\n EventCount = EventCount_d,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s\\r\\n | where isnotempty(EventResultDetails) and EventResultDetails !~ 'NA'\\r\\n | where toint(EventResultDetails) between (400 .. 
599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventResultDetails, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by error type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventResultDetails\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Count by errors type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr)\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and ipv4_is_private(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top internal users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top internal users by request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true\\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend User = coalesce(SrcUsername_s, SrcIpAddr_s)\\r\\n | where isnotempty(User) and not(ipv4_is_private(SrcIpAddr_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, EventTime=EventTime_t, EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize RequestCount = sum(RequestCount) by User\\r\\n| order by RequestCount desc\\r\\n| take 10\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top 
external users by request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"Top external clients by request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(EventSeverity)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize RequestCount=tolong(count()) by EventSeverity\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or 
(DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"25\",\"name\":\"Top web hosts with most request 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":3,\"showAnalytics\":true,\"title\":\"Urls with most failed requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"Urls with most failed requests\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by DstHostname, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'WebServerSession'\\r\\n | extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n | project EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s\\r\\n | where isnotempty(DstHostname) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by DstHostname, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n) on DstHostname\\r\\n| project WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top web hosts with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top web hosts with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n_Im_WebSession(starttime={TimeRange:start}, endtime=now())\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n| extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n| where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\nand ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\nand ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\nand ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User, DstHostname\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DstHostname\\r\\n) on User, DstHostname\\r\\n| project User, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top users with most server errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) 
by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User Agent requests resulted in success\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in success\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime={TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent, DstHostname\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent, DstHostname\\r\\n )\\r\\n on HttpUserAgent, DstHostname\\r\\n| project HttpUserAgent, WebServer=DstHostname, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Rare User 
Agent requests resulted in errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Rare User Agent requests resulted in errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where EventType =~ 'WebServerSession'\\r\\n | extend DstHostname = coalesce(DstHostname, DstIpAddr)\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| where EventType_s =~ 'WebServerSession'\\r\\n| extend DstHostname_s = coalesce(DstHostname_s, DstIpAddr_s)\\r\\n| project EventCount=EventCount_d, EventTime=EventTime_t, DstHostname=DstHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | where isnotempty(DstHostname) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ 
({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by DstHostname, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by DstHostname\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by DstHostname\\r\\n ) on DstHostname\\r\\n | project WebServer=DstHostname, DataReceived=DataReceived, Trend\\r\\n | order by DataReceived desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Web servers with highest download\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Web servers with highest download\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let common_file_ext_list = dynamic([\\\".txt\\\", \\\".xlsx\\\", \\\".doc\\\", \\\".docx\\\", \\\".csv\\\", \\\".pdf\\\", \\\".png\\\", \\\".jpg\\\", \\\".jpeg\\\"]); // Add list of common files as per your environment\\r\\n_Im_WebSession (starttime={TimeRange:start}, eventresult='Success')\\r\\n| where EventType =~ 'WebServerSession'\\r\\n| where HttpRequestMethod in~ (\\\"POST\\\", \\\"PUT\\\") \\r\\n| project\\r\\n Url,\\r\\n SrcIpAddr,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname,\\r\\n TimeGenerated\\r\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), '/')[-1])\\r\\n| extend FileWithdualextension = extract(@'([\\\\w-]+\\\\.\\\\w+\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\r\\n| 
extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\\r\\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\\r\\n| summarize\\r\\n EventCount=count(),\\r\\n EventStartTime=min(TimeGenerated),\\r\\n EventEndTime=max(TimeGenerated)\\r\\n by\\r\\n SrcIpAddr,\\r\\n Url,\\r\\n FileWithdualextension,\\r\\n SrcUsername,\\r\\n SrcHostname,\\r\\n DstIpAddr,\\r\\n DstPortNumber,\\r\\n DstHostname\",\"size\":1,\"title\":\"Possible malicious double extension file upload\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webservers\"},\"name\":\"Web servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let uniqueConnection = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr) and isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n\\t\\t| where isnotempty(SrcIpAddr_s) and isnotempty(DestDomain_s)\\r\\n | extend 
SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize count() by SrcIpAddr, DestHostname\\r\\n )\\r\\n | summarize count() by SrcIpAddr, DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Connections\\\", orderNum = 1;\\r\\nlet products = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(EventProduct)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventProduct=EventProduct_s\\r\\n )\\r\\n | distinct EventProduct\\r\\n | count\\r\\n | extend Metric = \\\"Product Count\\\", orderNum = 2;\\r\\nlet UserNames = \\r\\n union 
isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(SrcUsername)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcUsername_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcUsername\\r\\n )\\r\\n | distinct SrcUsername\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserNames\\\", orderNum = 3;\\r\\nlet Srchosts = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where 
EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname\\r\\n | count\\r\\n | extend Metric = \\\"Source HostNames\\\", orderNum = 4;\\r\\nlet ClientIPs = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr\\r\\n | count\\r\\n | extend Metric = 
\\\"Unique Source IPs\\\", orderNum = 5;\\r\\nlet DestHostName = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname\\r\\n | count\\r\\n | extend Metric = \\\"Unique Dest HostNames\\\", orderNum = 6;\\r\\nlet TotalUserAgents = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent)\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotempty(HttpUserAgent_s)\\r\\n | where 
('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}))\\r\\n | distinct HttpUserAgent=HttpUserAgent_s\\r\\n )\\r\\n | distinct HttpUserAgent\\r\\n | count\\r\\n | extend Metric = \\\"Unique UserAgents\\\", orderNum = 7;\\r\\nunion uniqueConnection, products, UserNames, Srchosts, ClientIPs, DestHostName, TotalUserAgents | where Count != 0\\r\\n| order by orderNum asc\",\"size\":4,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Metric\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Unique Connections\",\"representation\":\"Connect\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Product Count\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserNames\",\"representation\":\"AvatarDefault\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Source HostNames\",\"representation\":\"resource\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique Source IPs\",\"representation\":\"Publish\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique UserAgents\",\"representation\":\"Important\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Unique 
Hosts\",\"representation\":\"Book\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventProduct)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by EventProduct, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventProduct = EventProduct_s\\r\\n | where isnotempty(EventProduct)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventProduct, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventProduct, bin(TimeGenerated, 
{TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by products over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventProduct\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"EventCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by products over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventResult)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | 
summarize EventCount=tolong(count()) by EventResult, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventResult = EventResult_s\\r\\n | where isnotempty(EventResult)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResult, bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventResult, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Events by result over 
time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventResult\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"red\"},{\"seriesName\":\"Success\",\"color\":\"green\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"EventCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"EventCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"EventCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"Events by result over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(count()) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n SrcBytes = SrcBytes_d,\\r\\n DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | where toint(EventResultDetails_s) > 399 // Take events resulted in errors\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by EventResultDetails=EventResultDetails_s, TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Errors by type over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"Errors by type over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotempty(EventType)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize 
EventCount=tolong(count()) by EventType, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | extend EventType=EventType_s, EventCount=EventCount_d, EventTime=EventTime_t\\r\\n | where isnotempty(EventType)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by EventType, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by EventType, bin(TimeGenerated, {TimeRange:grain})\",\"size\":1,\"showAnalytics\":true,\"title\":\"Events by type\",\"color\":\"lightBlue\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"20\",\"name\":\"Events by type\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes) or isnotnull(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n | where isnotnull(SrcBytes_d) or isnotnull(DstBytes_d)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)), DataReceived=tolong(sum(DstBytes)) by bin(TimeGenerated=EventTime_t,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent), DataReceived=tolong(sum(DataReceived)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n | project DataSentinGB = format_bytes(DataSent,0,'GB'), DataReceivedinGB=format_bytes(DataReceived,0,'GB'), TimeGenerated\\r\\n | extend DataSentinGB = toint(replace_string(DataSentinGB,\\\" GB\\\",\\\"\\\")), DataReceivedinGB = toint(replace_string(DataReceivedinGB,\\\" GB\\\",\\\"\\\"))\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Sent and Received data in GB over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"customWidth\":\"40\",\"name\":\"Sent and Received data in GB over time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n 
_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where EventType =~ 'HTTPsession'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DestHostnameSet = make_set(DestHostname, 1000000) by bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where EventType_s =~ 'HTTPsession'\\r\\n| where isnotempty(DestDomain_s)\\r\\n| extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, SrcBytes = SrcBytes_d, DstBytes = DstBytes_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize DestHostnameSet = make_set(DestHostname, 1000000) by TimeGenerated=bin(EventTime_t, {TimeRange:grain})\\r\\n)\\r\\n| summarize TotalSites = array_length(make_set(DestHostnameSet, 1000000)) by bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":1,\"aggregation\":3,\"showAnalytics\":true,\"title\":\"Distinct requested applications over time\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"40\",\"name\":\"Distinct requested applications over 
time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_Im_WebSession(starttime={TimeRange:start}, eventresult='Failure')\\r\\n| where EventType =~ 'HTTPsession'\\r\\n| where isnotempty(Url)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=count() by Url\\r\\n| order by EventCount desc \\r\\n| take 25\",\"size\":0,\"showAnalytics\":true,\"title\":\"Urls with most failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Url\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"Urls with most failed requests count\"}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"webproxies\"},\"name\":\"Group - Web Proxies and Security Gateways\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend DestDomain = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ 
({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(count()) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n TimeGenerated=EventTime_t,\\r\\n DestDomain=DestDomain_s,\\r\\n EventCount=EventCount_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestDomain in~ ({DstHostname})))\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DestDomain)\\r\\n | summarize RequestCount=tolong(sum(EventCount)) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize RequestCount = sum(RequestCount) by User, DestDomain, bin(TimeGenerated, {TimeRange:grain});\\r\\nlet UserData = WebData\\r\\n | summarize RequestCount=sum(RequestCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User)\\r\\n on User\\r\\n | order by RequestCount desc, User asc;\\r\\nWebData\\r\\n| summarize RequestCount=sum(RequestCount) by User, DestDomain\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(RequestCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User, DestDomain\\r\\n) on User, DestDomain\\r\\n| order by 
RequestCount desc, User asc\\r\\n| project Id=DestDomain, Name=DestDomain, RequestCount, Trend, ParentId=User, Type='DestDomain'\\r\\n| union (UserData\\r\\n| project Id=User, Name=User, RequestCount, Trend, ParentId = 'root', Type='User'\\r\\n)\\r\\n| order by RequestCount desc, Name asc\\r\\n| take 25\",\"size\":1,\"title\":\"Top sites of the top users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"50\",\"name\":\"Top sites of the top users\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend EventCount=EventCount_d, SrcIpAddr=SrcIpAddr_s, EventTime=EventTime_t, 
SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, SrcHostname=SrcHostname_s\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"title\":\"Top Users with most request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":\"[]\"},\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top Users with most client errors\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most client errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n| extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by User, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by User, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by User\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n) on User\\r\\n| project User, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top Users with most server 
errors\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top Users with most server errors\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 499)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (400 .. 
499)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top client error types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top client error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 
599)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(count()) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s\\r\\n| extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and toint(EventResultDetails) between (500 .. 599)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n| summarize EventCount=tolong(sum(EventCount)) by EventResultDetails=toint(EventResultDetails), bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by EventResultDetails\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by EventResultDetails\\r\\n) on EventResultDetails\\r\\n| project EventResultDetails, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top server error 
types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top server error types\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Success')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Success'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ 
({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Webdata = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now(), eventresult='Failure')\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),DstDomain\\r\\n , isnotempty(Url),tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\"\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount = count() by Website, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d, EventResult_s\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),DestHostname\\r\\n ,\\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and EventResult_s =~ 'Failure'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by Website, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebdata\\r\\n| summarize EventCount = sum(EventCount) by Website\\r\\n| join kind = inner (\\r\\nWebdata | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n) \\r\\non Website\\r\\n| project Website, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top websites by failed requests 
count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"RequestCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top websites by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, SrcBytes= SrcBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ 
({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataSent = sum(DataSent) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataSentinMB=DataSent/1048576, Trend\\r\\n | order by DataSentinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SentData\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest upload (MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ 
({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated,{TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project SrcIpAddr=SrcIpAddr_s, EventResultDetails=EventResultDetails_s, EventCount=EventCount_d, EventTime=EventTime_t, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s, DestHostname=DestDomain_s, DstBytes= DstBytes_d\\r\\n | extend User = coalesce(SrcUsername, SrcIpAddr)\\r\\n | where isnotempty(User) and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by User, bin(TimeGenerated=EventTime,{TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by User, bin(TimeGenerated, {TimeRange:grain});\\r\\n WebData\\r\\n | summarize DataReceived = sum(DataReceived) by User\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by User\\r\\n ) on User\\r\\n | project User, DataReceivedinMB=DataReceived/1048576, Trend\\r\\n | order by DataReceivedinMB desc\\r\\n | take 25\",\"size\":1,\"title\":\"Users with highest download (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Users with highest download 
(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(SrcBytes)\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n SrcBytes= SrcBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotnull(SrcBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize DataSent=tolong(sum(SrcBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataSent = sum(DataSent) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataSent = sum(DataSent) by 
Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataSent) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataSentinMB=DataSent / 1048576, Trend\\r\\n| order by DataSentinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest upload (MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSentinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest upload (MB) (no summarization)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | project DstDomain, Url, TimeGenerated, DstBytes, SrcIpAddr, SrcUsername, SrcHostname\\r\\n | extend Website = case(\\r\\n isnotempty(DstDomain),\\r\\n DstDomain\\r\\n ,\\r\\n isnotempty(Url),\\r\\n tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | 
project\\r\\n SrcIpAddr=SrcIpAddr_s,\\r\\n EventResultDetails=EventResultDetails_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n SrcUsername=SrcUsername_s,\\r\\n SrcHostname=SrcHostname_s,\\r\\n DestHostname=DestDomain_s,\\r\\n DstBytes= DstBytes_d\\r\\n | extend Website = case(\\r\\n isnotempty(DestHostname),\\r\\n DestHostname\\r\\n ,\\r\\n \\\"NA\\\"\\r\\n )\\r\\n | where Website != \\\"NA\\\" and isnotempty(DstBytes)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (Website in~ ({DstHostname})))\\r\\n | summarize DataReceived=tolong(sum(DstBytes)) by Website, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize DataReceived = sum(DataReceived) by Website, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize DataReceived = sum(DataReceived) by Website\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(DataReceived) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by Website\\r\\n )\\r\\n on Website\\r\\n| project Website, DataReceivedinMB=DataReceived / 1048576, Trend\\r\\n| order by DataReceivedinMB desc\\r\\n| take 25\",\"size\":1,\"title\":\"Websites with highest download(MB)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataReceivedinMB\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Websites with highest download(MB)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
WebData = \\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion 
isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpRequestMethod=HttpRequestMethod_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpRequestMethod) and HttpRequestMethod != \\\"NA\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpRequestMethod, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpRequestMethod\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpRequestMethod\\r\\n) on HttpRequestMethod\\r\\n| project HttpRequestMethod, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP request methods by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP request methods by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\nunion isfuzzy=true 
\\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Success'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = 
\\r\\nunion isfuzzy=true \\r\\n(\\r\\n_Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\"\\r\\n| summarize EventCount=tolong(count()) by HttpContentType, bin(TimeGenerated, {TimeRange:grain})\\r\\n),\\r\\n(\\r\\nWebSession_Summarized_SrcInfo_CL\\r\\n| where EventTime_t >= {TimeRange:start}\\r\\n| project HttpContentType=HttpContentType_s, EventCount=EventCount_d, EventTime=EventTime_t, EventResult=EventResult_s\\r\\n| where isnotempty(HttpContentType) and HttpContentType != \\\"None\\\" and EventResult =~ 'Failure'\\r\\n| summarize EventCount=tolong(sum(EventCount)) by HttpContentType, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n)\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpContentType\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpContentType\\r\\n) on HttpContentType\\r\\n| project HttpContentType, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP content types by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP content types by failed requests 
count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n _Im_WebSession(starttime = {TimeRange:start}, endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpReferrer)\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(count()) by HttpReferrer, bin(TimeGenerated,{TimeRange:grain})\\r\\n ;\\r\\n WebData\\r\\n | summarize EventCount = sum(EventCount) by HttpReferrer\\r\\n | join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpReferrer\\r\\n ) on HttpReferrer\\r\\n | project HttpReferrer, EventCount, Trend\\r\\n | order by EventCount desc\\r\\n | take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP referrers by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP referrers by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Failure\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= 
{TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | where isnotempty(UrlCategory) and EventResult =~ \\\"Failure\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by failed requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by failed requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult=\\\"Success\\\")\\r\\n | project UrlCategory, TimeGenerated\\r\\n | where isnotempty(UrlCategory)\\r\\n | summarize EventCount=tolong(count()) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project UrlCategory=UrlCategory_s, TimeGenerated=EventTime_t, EventCount=EventCount_d, EventResult = EventResult_s\\r\\n | 
where isnotempty(UrlCategory) and EventResult =~ \\\"Success\\\"\\r\\n | summarize EventCount=tolong(sum(EventCount)) by UrlCategory, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by UrlCategory, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by UrlCategory\\r\\n| join kind=inner (WebData\\r\\n| make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by UrlCategory\\r\\n) on UrlCategory\\r\\n| project UrlCategory, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top URL Categories by successful requests count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top URL Categories by successful requests count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Success')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Success'\\r\\n | summarize 
EventCount=tolong(sum(EventCount)) by HttpUserAgent, bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"title\":\"Top HTTP User Agents by successful request count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by successful request count\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let WebData = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcInfo}'), endtime=now(), eventresult='Failure')\\r\\n | where isnotempty(HttpUserAgent) and HttpUserAgent != 'Unknown'\\r\\n | summarize EventCount=tolong(count()) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project\\r\\n HttpUserAgent=HttpUserAgent_s,\\r\\n EventCount=EventCount_d,\\r\\n EventTime=EventTime_t,\\r\\n EventResult=EventResult_s\\r\\n | where isnotempty(HttpUserAgent)\\r\\n and HttpUserAgent != 'Unknown'\\r\\n and EventResult =~ 'Failure'\\r\\n | summarize EventCount=tolong(sum(EventCount)) by HttpUserAgent, 
bin(TimeGenerated=EventTime, {TimeRange:grain})\\r\\n )\\r\\n | summarize EventCount = sum(EventCount) by HttpUserAgent, bin(TimeGenerated, {TimeRange:grain});\\r\\nWebData\\r\\n| summarize EventCount = sum(EventCount) by HttpUserAgent\\r\\n| join kind=inner (WebData\\r\\n | make-series Trend = sum(EventCount) on TimeGenerated from {TimeRange:start} to now() step {TimeRange:grain} by HttpUserAgent\\r\\n )\\r\\n on HttpUserAgent\\r\\n| project HttpUserAgent, EventCount, Trend\\r\\n| order by EventCount desc\\r\\n| take 25\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top HTTP User Agents by failed request count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"Top HTTP User Agents by failed request count\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"topQueries\"},\"name\":\"Group - Top Queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nlet distinctThreats = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName !in~ (exludeString) and isnotempty(ThreatName))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ 
({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatName_s !in~ (exludeString) and isnotempty(ThreatName_s))\\r\\n | extend ThreatName = ThreatName_s\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n )\\r\\n | summarize Result=tostring(dcount(ThreatName))\\r\\n | extend Query = \\\"Distinct ThreatNames\\\", orderNum = 1;\\r\\nlet distinctThreatCategory = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatCategory !in~ (exludeString) and isnotempty(ThreatCategory))\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where (ThreatCategory_s !in~ (exludeString) and isnotempty(ThreatCategory_s))\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatCategory = ThreatCategory_s\\r\\n )\\r\\n | 
summarize Result=tostring(dcount(ThreatCategory))\\r\\n | extend Query = \\\"Distinct Threat Categories\\\", orderNum = 2;\\r\\nlet maxRiskLevel = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatRiskLevel_d > 60\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatRiskLevel = toint(ThreatRiskLevel_d)\\r\\n )\\r\\n | summarize Max_RiskLevel=max(ThreatRiskLevel)\\r\\n | extend Result=tostring(iff(isempty(Max_RiskLevel), 0, Max_RiskLevel))\\r\\n | extend Query = \\\"Maximum RiskLevel\\\", orderNum = 3;\\r\\nlet maxThreatConfidence = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence=toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n ),\\r\\n ( \\r\\n 
WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where toint(ThreatOriginalConfidence_d) > 0\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, ThreatOriginalConfidence=ThreatOriginalConfidence_d\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n )\\r\\n | summarize Max_ThreatOriginalConfidence=max(ThreatOriginalConfidence)\\r\\n | extend Result=tostring(iff(isempty(Max_ThreatOriginalConfidence), 0, Max_ThreatOriginalConfidence))\\r\\n | extend Query = \\\"Maximum ThreatConfidence\\\", orderNum = 4;\\r\\nlet MaxEventSeverity = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct EventSeverity\\r\\n ),\\r\\n ( \\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(EventSeverity_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct 
EventSeverity=EventSeverity_s\\r\\n )\\r\\n | distinct EventSeverity\\r\\n | summarize EventSeverity=make_set(EventSeverity, 5)\\r\\n | extend Result=case(\\r\\n EventSeverity has 'High',\\r\\n 'High',\\r\\n EventSeverity has 'Medium',\\r\\n 'Medium',\\r\\n EventSeverity has 'Low',\\r\\n 'Low',\\r\\n EventSeverity has 'Informational',\\r\\n 'Informational',\\r\\n EventSeverity\\r\\n )\\r\\n | extend Query = \\\"Max Event Severity\\\", orderNum = 5;\\r\\nunion distinctThreatCategory, distinctThreats, maxRiskLevel, maxThreatConfidence, MaxEventSeverity\\r\\n| order by orderNum asc\",\"size\":4,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Query\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"0\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"!=\",\"thresholdValue\":\"0\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult, bin(TimeGenerated, {TimeRange:grain})\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatName=ThreatName_s, EventCount=EventCount_d, TimeGenerated=EventTime_t, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where (ThreatName != 'None' and isnotempty(ThreatName))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatName, bin(TimeGenerated, {TimeRange:grain})\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatName, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n| order by EventCount\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat name\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Events by threat name\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exludeString = dynamic ( [ \\\"/\\\", \\\"None\\\",\\\"\\\" ]);\\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where 
ThreatCategory !in~ (exludeString)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=count() by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatCategory=ThreatCategory_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatCategory !in~ (exludeString)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount)) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n| summarize EventCount = sum(EventCount) by ThreatCategory, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by threat category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project EventSeverity=EventSeverity_s, EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n\\t | where isnotempty(EventSeverity) and EventSeverity != 'Informational'\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by EventSeverity, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Severity over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | where ThreatRiskLevel > 60\\r\\n | extend DestHostname = 
tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project ThreatRiskLevel=toint(ThreatRiskLevel_d), EventCount=EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ThreatRiskLevel > 60\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t | summarize EventCount=tolong(sum(EventCount)) by ThreatRiskLevel, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by tostring(ThreatRiskLevel), ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"aggregation\":3,\"title\":\"Events by Risk Level over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeThreatInfo}'), endtime=now())\\r\\n | extend ThreatOriginalConfidence = toint(ThreatOriginalConfidence)\\r\\n | where ThreatOriginalConfidence > 0\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| summarize EventCount=tolong(count()) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_ThreatInfo_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where ThreatOriginalConfidence_d > 0\\r\\n | project ThreatOriginalConfidence=toint(ThreatOriginalConfidence_d), EventTime_t, EventCount_d, ThreatField=ThreatField_s, SrcIpAddr=SrcIpAddr_s, SrcUsername=SrcUsername_s, DestHostname=DestDomain_s, EventResult=EventResult_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | summarize EventCount=tolong(sum(EventCount_d)) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\\r\\n )\\r\\n | summarize EventCount=sum(EventCount) by ThreatOriginalConfidence, ThreatField, SrcIpAddr, SrcUsername, DestHostname, EventResult\",\"size\":1,\"title\":\"Events by Confidence over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllPublicIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | extend 
DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n\\t\\t| project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | project SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where not(ipv4_is_private(SrcIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = SrcIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where not(ipv4_is_private(DstIpAddr))\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | extend PublicIPAddress = DstIpAddr\\r\\n | where PublicIPAddress != ''\\r\\n | project PublicIPAddress\\r\\n\\t\\t| distinct PublicIPAddress\\r\\n )\\r\\n | distinct PublicIPAddress;\\r\\n ThreatIntelligenceIndicator\\r\\n | where NetworkIP in~ (AllPublicIPs)\",\"size\":1,\"title\":\"Source or Destination IPs matching with Threat Intelligence 
indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where isnotempty(DestHostname)\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\n ThreatIntelligenceIndicator\\r\\n | where Url 
has_any(AllDstWebsites)\",\"size\":1,\"title\":\"Requested URL matching with Threat Intelligence Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\"},\"customWidth\":\"50\",\"name\":\"Requested URL with Threat Intelligence Indicators\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| project SrcIpAddr\\r\\n\\t\\t| distinct SrcIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcIpAddr_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct SrcIpAddr=SrcIpAddr_s\\r\\n )\\r\\n | distinct SrcIpAddr;\\r\\nlet AllDstIPs = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeDstIP}'), endtime=now())\\r\\n | where isnotempty(DstIpAddr)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ 
({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DstIpAddr_s)\\r\\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n\\t\\t| distinct DstIpAddr\\r\\n )\\r\\n | distinct DstIpAddr;\\r\\nlet AllIPs =\\r\\nunion AllSrcIPs, AllDstIPs;\\r\\n SecurityAlert\\r\\n | where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'ip'\\r\\n | extend IPEntity = tostring(Parsed_Entities.Address)\\r\\n | project-away Parsed_Entities\\r\\n | where IPEntity in~ (AllIPs)\\r\\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source or Destination IPs matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDstWebsites = \\r\\nunion isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(Url)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) 
or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_DstIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(DestDomain_s)\\r\\n | extend DestHostname = DestDomain_s\\r\\n | where ('*' in~ ({SrcIpAddr}))\\r\\n and ('*' in~ ({SrcUsername}))\\r\\n and ('*' in~ ({SrcHostname}))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct DestHostname\\r\\n )\\r\\n | distinct DestHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'url'\\r\\n | extend UrlEntity = tostring(Parsed_Entities.Url)\\r\\n | project-away Parsed_Entities\\r\\n| where UrlEntity has_any (AllDstWebsites)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Request URLs matching with Entities in Security Alert 
table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllSrcHostnames = \\r\\n union isfuzzy=true \\r\\n (\\r\\n _Im_WebSession(starttime=todatetime('{LastIngestionTimeSrcIP}'), endtime=now())\\r\\n | where isnotempty(SrcHostname)\\r\\n | extend DestHostname = tostring(parse_url(Url)[\\\"Host\\\"])\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname\\r\\n ),\\r\\n (\\r\\n WebSession_Summarized_SrcIP_CL\\r\\n | where EventTime_t >= {TimeRange:start}\\r\\n | where isnotempty(SrcHostname_s)\\r\\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\\r\\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\\r\\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\\r\\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\\r\\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\\r\\n | distinct SrcHostname=SrcHostname_s\\r\\n )\\r\\n | distinct SrcHostname;\\r\\nSecurityAlert\\r\\n| where TimeGenerated > {TimeRange:start}\\r\\n | extend Parsed_Entities = parse_json(Entities)\\r\\n | mv-expand Parsed_Entities\\r\\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\\r\\n | where Parsed_EntityType =~ 'host'\\r\\n | extend HostEntity = tostring(Parsed_Entities.HostName)\\r\\n | project-away Parsed_Entities\\r\\n| where HostEntity in~ (AllSrcHostnames)\\r\\n| project TimeGenerated, AlertSeverity, AlertName, 
Description, ProviderName, HostEntity, Status, Tactics, Techniques\",\"size\":1,\"title\":\"Source HostNames matching with Entities in Security Alert table\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tabVisibility\",\"comparison\":\"isEqualTo\",\"value\":\"threatevents\"},\"name\":\"Threat Events\"}],\"fromTemplateId\":\"sentinel-WebSessionDomainSolution\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
diff --git a/Solutions/iboss/Data Connectors/iboss_cef.json b/Solutions/iboss/Data Connectors/iboss_cef.json
index 94dfc8a5765..a6fd6f3884b 100644
--- a/Solutions/iboss/Data Connectors/iboss_cef.json
+++ b/Solutions/iboss/Data Connectors/iboss_cef.json
@@ -1,6 +1,6 @@
{
"id": "iboss",
- "title": "iboss",
+ "title": "[Deprecated] iboss via Legacy Agent",
"publisher": "iboss",
"descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
"graphQueries": [
@@ -92,7 +92,7 @@
},
{
"title": "2. Forward Common Event Format (CEF) logs",
- "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection"
+ "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Microsoft Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection"
},
{
"title": "3. Validate connection",
diff --git a/Solutions/iboss/Data Connectors/template_ibossAMA.json b/Solutions/iboss/Data Connectors/template_ibossAMA.json
new file mode 100644
index 00000000000..8c5b7e0da70
--- /dev/null
+++ b/Solutions/iboss/Data Connectors/template_ibossAMA.json
@@ -0,0 +1,131 @@
+{
+ "id": "ibossAma",
+ "title": "[Recommended] iboss via AMA",
+ "publisher": "iboss",
+ "descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ibossUrlEvent",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Logs Received from the past week",
+ "query": "ibossUrlEvent | where TimeGenerated > ago(7d)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ibossUrlEvent",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "",
+
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs",
+ "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+
+
+ },
+
+ {
+ "title": "2. Secure your machine ",
+ "description": "Make sure to configure the machine's security according to your organization's security policy (Only applicable if a dedicated proxy Linux machine has been configured).\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+ ],
+ "metadata": {
+ "id": "f8c448b1-3df4-444d-aded-63e4ad2aec08",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "author": {
+ "name": "iboss"
+ },
+ "support": {
+ "tier": "Type of support for content item: microsoft | developer | community",
+ "name": "iboss",
+ "link": "https://www.iboss.com/"
+ }
+ }
+}
\ No newline at end of file
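Review bot: Step B (the "Forward Common Event Format (CEF) logs" description) and the `Microsoft.OperationalInsights/workspaces/sharedKeys` permission entry are carried over from the legacy connector and tell the operator to hand the workspace ID and Primary Key to the iboss console, even though Step A collects through a DCR on the Linux collector and nothing visible in this template consumes the shared key. That both over-privileges the installer (the shared-key `action` permission, on top of workspace `delete`) and pushes a long-lived workspace secret into a third-party console; I would drop the `sharedKeys` entry and rewrite Step B along the lines of `Set your Threat Console to forward Syslog messages in CEF format to the Linux machine running the Azure Monitor Agent (Syslog service type); the workspace ID and Primary Key are not required for this connector.` Two smaller things in Step C: `python -version` is not a valid flag and should read `python --version` (or `python3 --version`), and the validation command fetches `Sentinel_AMA_troubleshoot.py` from the unpinned `master` branch and runs it under `sudo` with no integrity check, so pinning the URL to a commit and/or publishing a checksum would be worth it. The `metadata.support.tier` value is still the schema placeholder text (`Type of support for content item: microsoft | developer | community`) and should be set to a real tier before publishing.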
diff --git a/Solutions/iboss/Data/Solution_iboss.json b/Solutions/iboss/Data/Solution_iboss.json
index 26bb9448434..c558a43f60b 100644
--- a/Solutions/iboss/Data/Solution_iboss.json
+++ b/Solutions/iboss/Data/Solution_iboss.json
@@ -2,19 +2,20 @@
"Name": "iboss",
"Author": "iboss",
"Logo": "",
- "Description": "The iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
+ "Description": "The iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\r\n1. **Iboss via AMA** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Iboss via Legacy Agent** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Iboss via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
- "Data Connectors/iboss_cef.json"
+ "Data Connectors/iboss_cef.json",
+ "Data Connectors/template_ibossAMA.json"
],
"Parsers": [
- "Parsers/ibossUrlEvent.txt"
+ "Parsers/ibossUrlEvent.yaml"
],
"Workbooks": [
"Workbooks/ibossMalwareAndC2.json",
"Workbooks/ibossWebUsage.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\iboss",
- "Version": "2.0.2",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/iboss/Data/system_generated_metadata.json b/Solutions/iboss/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..568c759ad83
--- /dev/null
+++ b/Solutions/iboss/Data/system_generated_metadata.json
@@ -0,0 +1,31 @@
+{
+ "Name": "iboss",
+ "Author": "iboss",
+ "Logo": "",
+ "Description": "The iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\r\n1. **Iboss via AMA** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Iboss via Legacy Agent** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Iboss via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\iboss",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false,
+ "publisherId": "iboss",
+ "offerId": "iboss-sentinel-connector",
+ "providers": [
+ "iboss"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ },
+ "firstPublishDate": "2022-02-15",
+ "support": {
+ "name": "iboss",
+ "email": "support@iboss.com",
+ "tier": "Partner",
+ "link": "https://www.iboss.com/contact-us/"
+ },
+ "Data Connectors": "[\n \"Data Connectors/iboss_cef.json\",\n \"Data Connectors/template_ibossAMA.json\"\n]",
+ "Parsers": "[\n \"ibossUrlEvent.yaml\"\n]",
+ "Workbooks": "[\n \"Workbooks/ibossMalwareAndC2.json\",\n \"Workbooks/ibossWebUsage.json\"\n]"
+}
diff --git a/Solutions/iboss/Package/3.0.0.zip b/Solutions/iboss/Package/3.0.0.zip
new file mode 100644
index 00000000000..292ad8562a3
Binary files /dev/null and b/Solutions/iboss/Package/3.0.0.zip differ
diff --git a/Solutions/iboss/Package/createUiDefinition.json b/Solutions/iboss/Package/createUiDefinition.json
index 8fbae192fd7..cddec712c27 100644
--- a/Solutions/iboss/Package/createUiDefinition.json
+++ b/Solutions/iboss/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/iboss/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\r\n1. **Iboss via AMA** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Iboss via Legacy Agent** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Iboss via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -80,6 +80,7 @@
}
}
}
+
]
},
{
@@ -145,4 +146,4 @@
"workspace": "[basics('workspace')]"
}
}
-}
\ No newline at end of file
+}
diff --git a/Solutions/iboss/Package/mainTemplate.json b/Solutions/iboss/Package/mainTemplate.json
index 325d102c5e9..73f409c5bf3 100644
--- a/Solutions/iboss/Package/mainTemplate.json
+++ b/Solutions/iboss/Package/mainTemplate.json
@@ -48,63 +48,61 @@
"variables": {
"solutionId": "iboss.iboss-sentinel-connector",
"_solutionId": "[variables('solutionId')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_solutionName": "iboss",
+ "_solutionVersion": "3.0.0",
"uiConfigId1": "iboss",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "iboss",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
- "parserVersion1": "1.0.0",
- "parserContentId1": "ibossUrlEvent-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "ibossAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "ibossAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserName1": "ibossUrlEvent",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "ibossUrlEvent-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "ibossMalwareAndC2Workbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"workbookVersion2": "1.0.0",
"workbookContentId2": "ibossWebUsageWorkbook",
"workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
- "workbookTemplateSpecName2": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2')))]",
- "_workbookContentId2": "[variables('workbookContentId2')]"
+ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
+ "_workbookContentId2": "[variables('workbookContentId2')]",
+ "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "iboss data connector with template",
- "displayName": "iboss template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "iboss data connector with template version 2.0.2",
+ "description": "iboss data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -120,7 +118,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "iboss",
+ "title": "[Deprecated] iboss via Legacy Agent",
"publisher": "iboss",
"descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
"graphQueries": [
@@ -211,7 +209,7 @@
"title": "1. Configure a dedicated proxy Linux machine"
},
{
- "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection",
+ "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Microsoft Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection",
"title": "2. Forward Common Event Format (CEF) logs"
},
{
@@ -241,7 +239,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -265,12 +263,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] iboss via Legacy Agent",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -305,7 +314,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "iboss",
+ "title": "[Deprecated] iboss via Legacy Agent",
"publisher": "iboss",
"descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
"graphQueries": [
@@ -396,7 +405,7 @@
"title": "1. Configure a dedicated proxy Linux machine"
},
{
- "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection",
+ "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Microsoft Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection",
"title": "2. Forward Common Event Format (CEF) logs"
},
{
@@ -413,33 +422,351 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('parserTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "iboss data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] iboss via AMA",
+ "publisher": "iboss",
+ "descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ibossUrlEvent",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Logs Received from the past week",
+ "query": "ibossUrlEvent | where TimeGenerated > ago(7d)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ibossUrlEvent",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs",
+ "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Microsoft Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection"
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy (Only applicable if a dedicated proxy Linux machine has been configured).\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "metadata": {
+ "id": "f8c448b1-3df4-444d-aded-63e4ad2aec08",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "author": {
+ "name": "iboss"
+ },
+ "support": {
+ "tier": "Type of support for content item: microsoft | developer | community",
+ "name": "iboss",
+ "link": "https://www.iboss.com/"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "iboss",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "iboss"
+ },
+ "support": {
+ "name": "iboss",
+ "email": "support@iboss.com",
+ "tier": "Partner",
+ "link": "https://www.iboss.com/contact-us/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] iboss via AMA",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId2')]"
+ ],
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"properties": {
- "description": "ibossUrlEvent Data Parser with template",
- "displayName": "ibossUrlEvent Data Parser template"
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "iboss",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "iboss"
+ },
+ "support": {
+ "name": "iboss",
+ "email": "support@iboss.com",
+ "tier": "Partner",
+ "link": "https://www.iboss.com/contact-us/"
+ }
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "[Recommended] iboss via AMA",
+ "publisher": "iboss",
+ "descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ibossUrlEvent",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ibossUrlEvent",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'iboss'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Logs Received from the past week",
+ "query": "ibossUrlEvent | where TimeGenerated > ago(7d)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs",
+ "description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Microsoft Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection"
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy (Only applicable if a dedicated proxy Linux machine has been configured).\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ibossUrlEvent Data Parser with template version 2.0.2",
+ "description": "ibossUrlEvent Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
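Review bot: Step B of the new AMA connector (both copies of the "Step B. Forward Common Event Format (CEF) logs" `description`) still tells users to copy the workspace Primary Key into the iboss console, and the `permissions.resourceProvider` block still requires the `Microsoft.OperationalInsights/workspaces/sharedKeys` action, both carried over verbatim from the legacy connector. On the AMA/DCR collection path the Threat Console only needs to send Syslog to the CEF collector, so the long-lived workspace shared key is being handed to a third-party console for no reason; I would drop the sharedKeys entry and reword the step to `Toggle to Syslog as a Service Type and point it at the machine running the CEF via AMA collector` (the "Microsoft Sentinel" service type looks like the legacy direct-ingestion path, please confirm with iboss). The Step C validation command downloads `Sentinel_AMA_troubleshoot.py` from the `master` branch and runs it under sudo with no pinned revision or checksum, so pinning to a commit SHA or checking a published hash before `sudo python` would remove an unnecessary supply-chain exposure on the collector host. Separately, the nested `metadata.support.tier` value `"Type of support for content item: microsoft | developer | community"` is template placeholder text; the outer metadata says `"Partner"`, so set it to `"Partner"` here too.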
@@ -448,20 +775,21 @@
"resources": [
{
"name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ibossUrlEvent",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "ibossUrlEvent",
- "query": "\nCommonSecurityLog\r\n| where DeviceVendor == \"iboss\" and FlexString2 == \"URL\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\r\n| project-rename EventVendor=DeviceVendor\r\n , EventProduct=DeviceProduct\r\n , EventProductVersion=DeviceVersion\r\n , EventResult=DeviceEventClassID\r\n , EventResultDetails=FlexNumber1\r\n , DvcAction=DeviceAction\r\n , RuleName=FlexString1\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , SrcUsername=SourceUserName\r\n , SrcBytes=SentBytes\r\n , DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstBytes=ReceivedBytes\r\n , Domain=DestinationHostName\r\n , Url=RequestURL\r\n , UrlCategory=DeviceCustomString2\r\n , HttpRequestMethod=RequestMethod\r\n , HttpUserAgent=RequestClientApplication\r\n , FileSHA256=DeviceCustomString3\r\n , ThreatName=DeviceCustomString1\r\n , MalwareDetected=DeviceCustomNumber1\r\n , CNCDetected=DeviceCustomNumber2\r\n| extend NetworkBytes=SrcBytes+DstBytes\r\n , EventTime=todatetime(DeviceCustomDate1)\r\n| project-away DeviceCustom*\r\n , FlexNumber*\r\n , FlexString*\r\n",
- "version": 1,
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"iboss\" and FlexString2 == \"URL\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\n| project-rename EventVendor=DeviceVendor\n , EventProduct=DeviceProduct\n , EventProductVersion=DeviceVersion\n , EventResult=DeviceEventClassID\n , EventResultDetails=FlexNumber1\n , DvcAction=DeviceAction\n , RuleName=FlexString1\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , SrcUsername=SourceUserName\n , SrcBytes=SentBytes\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstBytes=ReceivedBytes\n , Domain=DestinationHostName\n , Url=RequestURL\n , UrlCategory=DeviceCustomString2\n , HttpRequestMethod=RequestMethod\n , HttpUserAgent=RequestClientApplication\n , FileSHA256=DeviceCustomString3\n , ThreatName=DeviceCustomString1\n , MalwareDetected=DeviceCustomNumber1\n , CNCDetected=DeviceCustomNumber2\n| extend NetworkBytes=SrcBytes+DstBytes\n , EventTime=todatetime(DeviceCustomDate1)\n| project-away DeviceCustom*\n , FlexNumber*\n , FlexString*\n",
+ "functionParameters": "",
+ "version": 2,
"tags": [
{
"name": "description",
- "value": "ibossUrlEvent"
+ "value": ""
}
]
}
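Review bot: The parser's description tag at the end of this hunk is changed from `"ibossUrlEvent"` to `""`, which strips the only descriptive text the saved search carried; keep `"value": "ibossUrlEvent"` or a short sentence such as `"Normalizes iboss CEF URL events from CommonSecurityLog"`. The re-emitted query also filters with the case-sensitive `DeviceVendor == "iboss"` while the connector queries added in this same change use `DeviceVendor =~ 'iboss'`; if iboss ever emits a differently cased vendor string the connector would report connected while the parser and workbook return nothing, so `=~` here would keep the three in step. The savedSearches resource this hunk edits begins before the hunk.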
@@ -471,7 +799,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
- "[variables('_parserName1')]"
+ "[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
@@ -495,21 +823,39 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "ibossUrlEvent",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
+ "apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ibossUrlEvent",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "ibossUrlEvent",
- "query": "\nCommonSecurityLog\r\n| where DeviceVendor == \"iboss\" and FlexString2 == \"URL\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\r\n| project-rename EventVendor=DeviceVendor\r\n , EventProduct=DeviceProduct\r\n , EventProductVersion=DeviceVersion\r\n , EventResult=DeviceEventClassID\r\n , EventResultDetails=FlexNumber1\r\n , DvcAction=DeviceAction\r\n , RuleName=FlexString1\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , SrcUsername=SourceUserName\r\n , SrcBytes=SentBytes\r\n , DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstBytes=ReceivedBytes\r\n , Domain=DestinationHostName\r\n , Url=RequestURL\r\n , UrlCategory=DeviceCustomString2\r\n , HttpRequestMethod=RequestMethod\r\n , HttpUserAgent=RequestClientApplication\r\n , FileSHA256=DeviceCustomString3\r\n , ThreatName=DeviceCustomString1\r\n , MalwareDetected=DeviceCustomNumber1\r\n , CNCDetected=DeviceCustomNumber2\r\n| extend NetworkBytes=SrcBytes+DstBytes\r\n , EventTime=todatetime(DeviceCustomDate1)\r\n| project-away DeviceCustom*\r\n , FlexNumber*\r\n , FlexString*\r\n",
- "version": 1
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"iboss\" and FlexString2 == \"URL\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\n| project-rename EventVendor=DeviceVendor\n , EventProduct=DeviceProduct\n , EventProductVersion=DeviceVersion\n , EventResult=DeviceEventClassID\n , EventResultDetails=FlexNumber1\n , DvcAction=DeviceAction\n , RuleName=FlexString1\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , SrcUsername=SourceUserName\n , SrcBytes=SentBytes\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstBytes=ReceivedBytes\n , Domain=DestinationHostName\n , Url=RequestURL\n , UrlCategory=DeviceCustomString2\n , HttpRequestMethod=RequestMethod\n , HttpUserAgent=RequestClientApplication\n , FileSHA256=DeviceCustomString3\n , ThreatName=DeviceCustomString1\n , MalwareDetected=DeviceCustomNumber1\n , CNCDetected=DeviceCustomNumber2\n| extend NetworkBytes=SrcBytes+DstBytes\n , EventTime=todatetime(DeviceCustomDate1)\n| project-away DeviceCustom*\n , FlexNumber*\n , FlexString*\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
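Review bot: This outer copy of the `ibossUrlEvent` savedSearch again ships an empty description tag (`"value": ""`) where the previous version had `"ibossUrlEvent"`; both copies should carry the same non-empty description. Because the query text here has to stay byte-identical to the copy inside the contentTemplate mainTemplate earlier in this change, a description that says so, e.g. `"Normalizes iboss CEF URL events; keep in sync with the contentTemplate copy"`, would help the next maintainer. The enclosing resource's `type` line precedes this hunk.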
@@ -542,33 +888,15 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "iboss Workbook with template",
- "displayName": "iboss workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ibossMalwareAndC2Workbook Workbook with template version 2.0.2",
+ "description": "ibossMalwareAndC2Workbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
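Review bot: The new `description` at the `+` line hard-codes "template version 3.0.0" while every other version field in this resource is templated (`contentVersion` from `variables('workbookVersion1')`, `packageVersion` from `variables('_solutionVersion')`), so the next bump will leave the description stale unless someone remembers to edit it by hand; `"description": "[concat('ibossMalwareAndC2Workbook Workbook with template version ', variables('_solutionVersion'))]"` keeps it in step with the package version. The same literal appears in the second workbook's description in the `@@ -615,41 +943,43 @@` hunk and in the contentPackages `version` in the `@@ -696,21 +1026,48 @@` hunk. This resource's `properties` block continues past the end of the hunk.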
@@ -586,7 +914,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## iboss Malware and C2 Detections\\n\\n**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-iboss-parser) to create the Kusto function alias **ibossUrlEvent**.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7cf056ef-64cd-41a5-85e0-90c0ec529434\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range_picker\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"label\":\"Time Range Picker\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where EventResult == 'Blocked' and MalwareDetected == 1\\r\\n| where isnotempty(ThreatName)\\r\\n| summarize count() by ThreatName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Top Malware Detection Families\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - malware variants\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where MalwareDetected == 1 or CNCDetected == 1\\r\\n| extend EventType = case(MalwareDetected == 1, \\\"Malware\\\", CNCDetected == 1, \\\"C2\\\", \\\"NA\\\")\\r\\n| make-series Detections = count() default = 0 on EventTime from 
{time_range_picker:start} to {time_range_picker:end} step {time_range_picker:grain} by EventType\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware & C2 Traffic\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"query - malware and c2 detections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where MalwareDetected == 1\\r\\n| project EventTime\\r\\n , SrcUsername\\r\\n , SrcIpAddr\\r\\n , SrcPortNumber\\r\\n , DstIpAddr\\r\\n , DstPortNumber\\r\\n , FileName\\r\\n , FileSHA256\\r\\n , ThreatName\\r\\n| order by EventTime desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detections\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - malware detections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where CNCDetected == 1\\r\\n| project EventTime\\r\\n , SrcUsername\\r\\n , SrcIpAddr\\r\\n , SrcPortNumber\\r\\n , DstIpAddr\\r\\n , DstPortNumber\\r\\n , Url\\r\\n| order by EventTime desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"C2 Detections\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - c2 detections\"}],\"fromTemplateId\":\"sentinel-ibossMalwareAndC2Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## iboss Malware and C2 Detections\\n\\n**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-iboss-parser) to create the Kusto function alias **ibossUrlEvent**.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7cf056ef-64cd-41a5-85e0-90c0ec529434\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range_picker\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"label\":\"Time Range Picker\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where EventResult == 'Blocked' and MalwareDetected == 1\\r\\n| where isnotempty(ThreatName)\\r\\n| summarize count() by ThreatName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Top Malware Detection Families\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - malware variants\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where MalwareDetected == 1 or CNCDetected == 1\\r\\n| extend EventType = case(MalwareDetected == 1, \\\"Malware\\\", CNCDetected == 1, \\\"C2\\\", \\\"NA\\\")\\r\\n| make-series Detections = count() default = 0 on EventTime from 
{time_range_picker:start} to {time_range_picker:end} step {time_range_picker:grain} by EventType\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware & C2 Traffic\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"query - malware and c2 detections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where MalwareDetected == 1\\r\\n| project EventTime\\r\\n , SrcUsername\\r\\n , SrcIpAddr\\r\\n , SrcPortNumber\\r\\n , DstIpAddr\\r\\n , DstPortNumber\\r\\n , FileName\\r\\n , FileSHA256\\r\\n , ThreatName\\r\\n| order by EventTime desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detections\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - malware detections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where CNCDetected == 1\\r\\n| project EventTime\\r\\n , SrcUsername\\r\\n , SrcIpAddr\\r\\n , SrcPortNumber\\r\\n , DstIpAddr\\r\\n , DstPortNumber\\r\\n , Url\\r\\n| order by EventTime desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"C2 Detections\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - c2 detections\"}],\"fromTemplateId\":\"sentinel-ibossMalwareAndC2Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -615,41 +943,43 @@
"email": "support@iboss.com",
"tier": "Partner",
"link": "https://www.iboss.com/contact-us/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "ibossAma",
+ "kind": "DataConnector"
+ }
+ ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "iboss Workbook with template",
- "displayName": "iboss workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName2'),'/',variables('workbookVersion2'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ibossWebUsageWorkbook Workbook with template version 2.0.2",
+ "description": "ibossWebUsageWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
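Review bot: The added `dependencies` block for the first workbook declares a single AND criterion on the `ibossAma` DataConnector, but the workbook's own serializedData states that every query runs against the Kusto function alias `ibossUrlEvent`, which is the solution's Parser and is not listed here; a user who installs the workbook with only the connector will get queries that fail to resolve the function. Add a Parser criterion alongside the connector, `{ "contentId": "<PARSER_CONTENT_ID>", "kind": "Parser" }` (the parser's contentId is not visible in this chunk), and since the package description in the later hunk still offers a legacy-agent connector, consider whether the connector criterion should be an OR over both connectors rather than a hard dependency on the AMA one only. The second workbook's `dependencies` block in the `@@ -696,21 +1026,48 @@` hunk has the same shape and the same gap.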
@@ -667,7 +997,7 @@
},
"properties": {
"displayName": "[parameters('workbook2-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## iboss Web Usage\\r\\n\\r\\n**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-iboss-parser) to create the Kusto function alias **ibossUrlEvent**.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7cf056ef-64cd-41a5-85e0-90c0ec529434\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range_picker\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"label\":\"Time Range Picker\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where isnotempty(UrlCategory) and UrlCategory != \\\"-\\\"\\r\\n| extend UrlCategory = split(UrlCategory, \\\", \\\")\\r\\n| mv-expand UrlCategory\\r\\n| summarize count() by tostring(UrlCategory)\",\"size\":3,\"showAnalytics\":true,\"title\":\"URL Categories\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UrlCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - categories 
query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| sort by EventTime\\r\\n| summarize sum(DstBytes), sum(SrcBytes) by bin(EventTime,{time_range_picker:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Bandwidth ({time_range_picker:grain} interval)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"sum_DstBytes\",\"label\":\"Received Bytes\"},{\"seriesName\":\"sum_SrcBytes\",\"label\":\"Sent Bytes\"}],\"showDataPoints\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"query - bandwidth\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where isnotempty(Domain)\\r\\n| summarize count() by Domain\\r\\n| sort by count_ desc\\r\\n| project Domain = Domain, count = count_\\r\\n| limit 20\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top 20 Domains\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Domain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"rowLimit\":20,\"sortCriteriaField\":\"count\",\"size\":\"auto\"}},\"name\":\"query - top 20 domains\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker} and DvcAction == \\\"Blocked\\\"\\r\\n| make-series Trend = count() default = 0 on EventTime step 
{time_range_picker:grain} by Domain\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | where DvcAction == \\\"Blocked\\\"\\r\\n | summarize Requests = count() by Domain\\r\\n ) on Domain\\r\\n| project Domain, Requests, Trend\\r\\n| order by Requests desc\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Blocked Domains\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Requests\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"compositeBarSettings\":{\"labelText\":\"\"}},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"DeviceCustomDate1\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}}]}},\"customWidth\":\"50\",\"name\":\"query - top blocked domains\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker} and DvcAction == \\\"Blocked\\\"\\r\\n| make-series Trend = count() default = 0 on EventTime step {time_range_picker:grain} by SrcUsername\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | where DvcAction == \\\"Blocked\\\"\\r\\n | summarize Requests = count() by SrcUsername\\r\\n ) on SrcUsername\\r\\n| extend User = SrcUsername\\r\\n| project User, Requests, Trend\\r\\n| order by Requests desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Blocked 
Users\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Requests\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}}]}},\"customWidth\":\"50\",\"name\":\"query - top blocked users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| summarize sum(DstBytes), sum(SrcBytes), sum(NetworkBytes) by SrcUsername\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | make-series Trend = sum(NetworkBytes) default = 0 on EventTime step {time_range_picker:grain} by SrcUsername\\r\\n ) on SrcUsername\\r\\n| order by sum_NetworkBytes desc\\r\\n| project Username=SrcUsername\\r\\n, Received=sum_DstBytes\\r\\n, Sent=sum_SrcBytes\\r\\n, Total=sum_NetworkBytes\\r\\n, Trend\",\"size\":0,\"showAnalytics\":true,\"title\":\"Bandwidth By User\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Received\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Sent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - bandwidth by 
user\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| make-series Trend = count() default = 0 on EventTime step {time_range_picker:grain} by SrcUsername\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | summarize Requests = count() by SrcUsername\\r\\n ) on SrcUsername\\r\\n| extend User = SrcUsername\\r\\n| project User, Requests, Trend\\r\\n| order by Requests desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Connections by User\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Requests\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - connections by user\"}],\"fromTemplateId\":\"sentinel-ibossWebUsageWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## iboss Web Usage\\r\\n\\r\\n**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-iboss-parser) to create the Kusto function alias **ibossUrlEvent**.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7cf056ef-64cd-41a5-85e0-90c0ec529434\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range_picker\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"label\":\"Time Range Picker\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where isnotempty(UrlCategory) and UrlCategory != \\\"-\\\"\\r\\n| extend UrlCategory = split(UrlCategory, \\\", \\\")\\r\\n| mv-expand UrlCategory\\r\\n| summarize count() by tostring(UrlCategory)\",\"size\":3,\"showAnalytics\":true,\"title\":\"URL Categories\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UrlCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - categories 
query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| sort by EventTime\\r\\n| summarize sum(DstBytes), sum(SrcBytes) by bin(EventTime,{time_range_picker:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Bandwidth ({time_range_picker:grain} interval)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"sum_DstBytes\",\"label\":\"Received Bytes\"},{\"seriesName\":\"sum_SrcBytes\",\"label\":\"Sent Bytes\"}],\"showDataPoints\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"query - bandwidth\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| where isnotempty(Domain)\\r\\n| summarize count() by Domain\\r\\n| sort by count_ desc\\r\\n| project Domain = Domain, count = count_\\r\\n| limit 20\",\"size\":1,\"showAnalytics\":true,\"title\":\"Top 20 Domains\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Domain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"rowLimit\":20,\"sortCriteriaField\":\"count\",\"size\":\"auto\"}},\"name\":\"query - top 20 domains\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker} and DvcAction == \\\"Blocked\\\"\\r\\n| make-series Trend = count() default = 0 on EventTime step 
{time_range_picker:grain} by Domain\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | where DvcAction == \\\"Blocked\\\"\\r\\n | summarize Requests = count() by Domain\\r\\n ) on Domain\\r\\n| project Domain, Requests, Trend\\r\\n| order by Requests desc\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Blocked Domains\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Requests\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"compositeBarSettings\":{\"labelText\":\"\"}},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"DeviceCustomDate1\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}}]}},\"customWidth\":\"50\",\"name\":\"query - top blocked domains\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker} and DvcAction == \\\"Blocked\\\"\\r\\n| make-series Trend = count() default = 0 on EventTime step {time_range_picker:grain} by SrcUsername\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | where DvcAction == \\\"Blocked\\\"\\r\\n | summarize Requests = count() by SrcUsername\\r\\n ) on SrcUsername\\r\\n| extend User = SrcUsername\\r\\n| project User, Requests, Trend\\r\\n| order by Requests desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Blocked 
Users\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Requests\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\"}}]}},\"customWidth\":\"50\",\"name\":\"query - top blocked users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| summarize sum(DstBytes), sum(SrcBytes), sum(NetworkBytes) by SrcUsername\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | make-series Trend = sum(NetworkBytes) default = 0 on EventTime step {time_range_picker:grain} by SrcUsername\\r\\n ) on SrcUsername\\r\\n| order by sum_NetworkBytes desc\\r\\n| project Username=SrcUsername\\r\\n, Received=sum_DstBytes\\r\\n, Sent=sum_SrcBytes\\r\\n, Total=sum_NetworkBytes\\r\\n, Trend\",\"size\":0,\"showAnalytics\":true,\"title\":\"Bandwidth By User\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Received\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Sent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - bandwidth by 
user\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ibossUrlEvent\\r\\n| where EventTime {time_range_picker}\\r\\n| make-series Trend = count() default = 0 on EventTime step {time_range_picker:grain} by SrcUsername\\r\\n| join kind = inner (ibossUrlEvent\\r\\n | where EventTime {time_range_picker}\\r\\n | summarize Requests = count() by SrcUsername\\r\\n ) on SrcUsername\\r\\n| extend User = SrcUsername\\r\\n| project User, Requests, Trend\\r\\n| order by Requests desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Connections by User\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Requests\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - connections by user\"}],\"fromTemplateId\":\"sentinel-ibossWebUsageWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -696,21 +1026,48 @@
"email": "support@iboss.com",
"tier": "Partner",
"link": "https://www.iboss.com/contact-us/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "ibossAma",
+ "kind": "DataConnector"
+ }
+ ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId2')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook2-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId2')]",
+ "id": "[variables('_workbookcontentProductId2')]",
+ "version": "[variables('workbookVersion2')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.2",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "iboss",
+ "publisherDisplayName": "iboss",
+ "descriptionHtml": "
Note:There may be known issues pertaining to this Solution, please refer to them before installing.
\n
The iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.
\n\n
Iboss via AMA - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n
\n
Iboss via Legacy Agent - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n
\n\n
NOTE: Microsoft recommends installation of Iboss via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.