diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
index af2a642b0a5..e276982e5c8 100644
--- a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
+++ b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
@@ -42,22 +42,19 @@ relevantTechniques:
 query: |
 _ASim_ProcessEvent
 | where EventType == 'ProcessCreated'
- | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
+ | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
 | where strlen(CommandLineArgs) > 0
- | mv-apply CommandLineArgs on
- (
- where CommandLineArgs contains "base64"
- )
+ | where CommandLineArgs contains "base64"
 | project
- TimeGenerated,
- DvcHostname,
- DvcIpAddr,
- DvcDomain,
- TargetUsername,
- TargetUsernameType,
- TargetProcessName,
- TargetProcessId,
- CommandLine
+ TimeGenerated,
+ DvcHostname,
+ DvcIpAddr,
+ DvcDomain,
+ TargetUsername,
+ TargetUsernameType,
+ TargetProcessName,
+ TargetProcessId,
+ CommandLine
 | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
 | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
 | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
@@ -94,5 +91,5 @@ eventGroupingSettings:
 alertDetailsOverride:
 alertDisplayNameFormat: "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
 alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
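Review bot: The nine `project` column lines in this hunk change only in indentation, which turns a small logic fix into a nineteen-line hunk and carries through to the packaged query as `project\nTimeGenerated,`; I would keep the original column indent so the diff holds only the `strcat_array` and `where` lines. On the logic itself, `strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")` rejoins every token after the first, so the net effect of the split is to exclude the first space-separated token (presumably the executable path) from the `contains "base64"` test; an executable path that itself contains a space would leave its tail in `CommandLineArgs`, which reads as an accepted limitation rather than a regression. A one-line comment would make that intent explicit, e.g. `// drop the first token so an image path is not what matches "base64"`. The file also still ends without a trailing newline (`\ No newline at end of file`), which is easy to fix while touching it.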
diff --git a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
index 9b2ae8d2858..c60bdcd7f72 100644
--- a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
+++ b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
@@ -28,7 +28,7 @@
 ],
 "WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Malware Protection Essentials/Package/3.0.1.zip b/Solutions/Malware Protection Essentials/Package/3.0.1.zip
new file mode 100644
index 00000000000..f6e72dbf7e2
Binary files /dev/null and b/Solutions/Malware Protection Essentials/Package/3.0.1.zip differ
diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json
index 99a590341ff..ce74f166913 100644
--- a/Solutions/Malware Protection Essentials/Package/mainTemplate.json
+++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json
@@ -49,7 +49,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Malware Protection Essentials",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-malwareprotection",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
@@ -67,11 +67,11 @@ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7edde3d4-9859-4a00-b93c-b19ddda55320','-', '1.0.0')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.0", + "analyticRuleVersion3": "1.0.1", "_analyticRulecontentId3": "fdbcc0eb-44fb-467e-a51d-a91df0780a81", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fdbcc0eb-44fb-467e-a51d-a91df0780a81')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fdbcc0eb-44fb-467e-a51d-a91df0780a81')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.0')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.1')))]" }, "analyticRuleObject4": { "analyticRuleVersion4": "1.0.0", @@ -145,7 +145,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -155,7 +155,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -173,46 +173,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -228,16 +228,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
@@ -245,16 +245,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -262,12 +262,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -275,12 +275,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -288,16 +288,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -363,7 +363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -373,7 +373,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -391,46 +391,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ 
@@ -444,16 +444,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -461,16 +461,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -478,12 +478,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -491,12 +491,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -504,16 +504,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -579,7 +579,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -589,14 +589,14 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { "description": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.", "displayName": "Process Creation with Suspicious CommandLine Arguments", "enabled": false, - "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\n| where strlen(CommandLineArgs) > 0\n| mv-apply CommandLineArgs on \n (\n where CommandLineArgs contains \"base64\"\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n", + "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, \" \"), 1, -1), \" \")\n| where strlen(CommandLineArgs) > 0\n| where CommandLineArgs contains \"base64\"\n| project\nTimeGenerated,\nDvcHostname,\nDvcIpAddr,\nDvcDomain,\nTargetUsername,\nTargetUsernameType,\nTargetProcessName,\nTargetProcessId,\nCommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', 
tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '')\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -607,46 +607,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -661,16 +661,16 @@ { "fieldMappings": [ { - "columnName": "DvcHostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DvcHostname" }, { - "columnName": "DvcDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DvcDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
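Review bot: The packaged query on the new side of the `-589,14` hunk has lost the element indexers that the YAML source keeps: it reads `tostring(split(TargetUsername, '\\\\'))` where the rule file has `tostring(split(TargetUsername, '\\\\')[1])`, and the same happens for the `[0]` index and for both `'@'` splits. With the indexer gone, `Username`, `NTDomain` and `UPNSuffix` become the string form of the whole split array, so the Account entity's `Name` and `NTDomain` mappings later in this file would carry that serialized array rather than the user name, and the alert would not correlate to an account. Since the YAML hunk for the same rule keeps the indexers, this looks like a packaging artifact rather than an intended change; I would regenerate the template, or restore the four `extend` lines so they match the YAML byte-for-byte, before merging. The `properties` object this query sits in continues outside the hunk.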
@@ -678,8 +678,8 @@ { "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } ], "entityType": "IP" @@ -687,16 +687,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -704,12 +704,12 @@ { "fieldMappings": [ { - "columnName": "TargetProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "TargetProcessId" }, { - "columnName": "CommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "CommandLine" } ], "entityType": "Process" @@ -775,7 +775,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -785,7 +785,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -803,46 +803,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -855,16 +855,16 @@ { "fieldMappings": [ { - "columnName": "DvcHostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DvcHostname" }, { - "columnName": "DvcDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DvcDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -872,8 +872,8 @@ { "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } ], "entityType": "IP" 
@@ -881,16 +881,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -898,12 +898,12 @@ { "fieldMappings": [ { - "columnName": "TargetProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "TargetProcessId" }, { - "columnName": "CommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "CommandLine" } ], "entityType": "Process" @@ -969,7 +969,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -979,7 +979,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -997,46 +997,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1049,16 +1049,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -1066,16 +1066,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" 
@@ -1083,12 +1083,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -1096,12 +1096,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -1109,16 +1109,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" @@ -1184,7 +1184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -1194,7 +1194,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1212,46 +1212,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1264,16 +1264,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
@@ -1281,16 +1281,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -1298,12 +1298,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -1311,12 +1311,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -1324,16 +1324,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -1399,7 +1399,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.0", + "description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1484,7 +1484,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.0", + "description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1569,7 +1569,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.0", + "description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1654,7 +1654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.0", + "description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1739,7 +1739,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.0", + "description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1824,7 +1824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -1927,7 +1927,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.0", + "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2011,12 +2011,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Malware Protection Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nMalware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.
\nPrerequisite :-
\nInstall one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nRecommendation :-
\nIt is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.
\nWorkbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nMalware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.
\nPrerequisite :-
\nInstall one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nRecommendation :-
\nIt is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.
\nWorkbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2104,7 +2104,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Ransomware File Extensions')]", - "version": "3.0.0" + "version": "3.0.1" }, { "kind": "Workbook",