diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
index 01dd4303aa8..cd592e460e2 100644
--- a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
+++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
@@ -73,7 +73,7 @@
 "Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml",
 "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml"
- ],
+ ],
 "Playbooks": [
 "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
 "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
@@ -88,7 +88,7 @@
 "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.7",
+ "Version": "3.0.9",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.9.zip b/Solutions/Microsoft Entra ID/Package/3.0.9.zip
index 5a84903cbc8..849ce762cf1 100644
Binary files a/Solutions/Microsoft Entra ID/Package/3.0.9.zip and b/Solutions/Microsoft Entra ID/Package/3.0.9.zip differ
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 18e406625f4..63066eb9d19 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -74,378 +74,440 @@ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "analyticRuleVersion1": "1.0.3", - "analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.2", - "analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.1", - 
"analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.1", - "analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.4", - "analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "2.0.1", - "analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.0.9", - "analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.3", - "analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - 
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.5", - "analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "2.0.1", - "analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", - "analyticRuleVersion11": "2.0.1", - "analyticRulecontentId11": 
"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", - "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", - "analyticRuleVersion12": "2.0.0", - "analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", - "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]", - "analyticRuleVersion13": "1.0.4", - "analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", - "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]", - "_analyticRulecontentProductId13": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]", - "analyticRuleVersion14": "1.0.5", - "analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628", - "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]", - "analyticRuleVersion15": "1.0.2", - "analyticRulecontentId15": "707494a5-8e44-486b-90f8-155d1797a8eb", - "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]", - "analyticRuleVersion16": "1.0.2", - "analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", - "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]", 
- "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]", - "analyticRuleVersion17": "1.0.2", - "analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", - "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]", - "analyticRuleVersion18": "1.0.1", - "analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", - "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]", - "analyticRuleVersion19": "1.0.1", - "analyticRulecontentId19": 
"276d5190-38de-4eb2-9933-b3b72f4a5737", - "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]", - "analyticRuleVersion20": "1.0.1", - "analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", - "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]", - "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]", - "analyticRuleVersion21": "1.0.1", - "analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", - "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]", - "_analyticRulecontentProductId21": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]", - "analyticRuleVersion22": "1.0.2", - "analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", - "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]", - "analyticRuleVersion23": "1.0.3", - "analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6", - "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]", - "analyticRuleVersion24": "1.0.3", - "analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", - "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]", 
- "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]", - "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]", - "analyticRuleVersion25": "1.0.0", - "analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", - "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]", - "analyticRuleVersion26": "1.0.5", - "analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", - "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]", - "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]", - "analyticRuleVersion27": "1.1.4", - "analyticRulecontentId27": 
"2cfc3c6e-f424-4b88-9cc9-c89f482d016a", - "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]", - "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]", - "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]", - "analyticRuleVersion28": "1.0.5", - "analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", - "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]", - "analyticRuleVersion29": "1.0.3", - "analyticRulecontentId29": "2560515c-07d1-434e-87fb-ebe3af267760", - "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]", - "_analyticRulecontentProductId29": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]", - "analyticRuleVersion30": "1.1.1", - "analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", - "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]", - "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]", - "analyticRuleVersion31": "1.0.1", - "analyticRulecontentId31": "39198934-62a0-4781-8416-a81265c03fd6", - "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]", - "analyticRuleVersion32": "2.0.1", - "analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", - "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]", 
- "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]", - "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]", - "analyticRuleVersion33": "1.0.2", - "analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", - "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]", - "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]", - "analyticRuleVersion34": "1.0.1", - "analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", - "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]", - "analyticRuleVersion35": "1.0.0", - "analyticRulecontentId35": 
"4f42b94f-b210-42d1-a023-7fa1c51d969f", - "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]", - "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]", - "analyticRuleVersion36": "1.1.1", - "analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", - "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]", - "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]", - "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]", - "analyticRuleVersion37": "1.0.1", - "analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51", - "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]", - "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]", - "_analyticRulecontentProductId37": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]", - "analyticRuleVersion38": "1.0.2", - "analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", - "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]", - "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]", - "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]", - "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]", - "analyticRuleVersion39": "1.0.4", - "analyticRulecontentId39": "b6988c32-4f3b-4a45-8313-b46b33061a74", - "_analyticRulecontentId39": "[variables('analyticRulecontentId39')]", - "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId39'))]", - "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId39'))))]", - "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId39'),'-', variables('analyticRuleVersion39'))))]", - "analyticRuleVersion40": "1.0.2", - "analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", - "_analyticRulecontentId40": "[variables('analyticRulecontentId40')]", - "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId40'))]", 
- "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId40'))))]", - "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId40'),'-', variables('analyticRuleVersion40'))))]", - "analyticRuleVersion41": "1.0.2", - "analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8", - "_analyticRulecontentId41": "[variables('analyticRulecontentId41')]", - "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId41'))]", - "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId41'))))]", - "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId41'),'-', variables('analyticRuleVersion41'))))]", - "analyticRuleVersion42": "1.0.1", - "analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e", - "_analyticRulecontentId42": "[variables('analyticRulecontentId42')]", - "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId42'))]", - "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId42'))))]", - "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId42'),'-', variables('analyticRuleVersion42'))))]", - "analyticRuleVersion43": "1.0.4", - "analyticRulecontentId43": 
"70fc7201-f28e-4ba7-b9ea-c04b96701f13", - "_analyticRulecontentId43": "[variables('analyticRulecontentId43')]", - "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId43'))]", - "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId43'))))]", - "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId43'),'-', variables('analyticRuleVersion43'))))]", - "analyticRuleVersion44": "1.0.7", - "analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c", - "_analyticRulecontentId44": "[variables('analyticRulecontentId44')]", - "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId44'))]", - "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId44'))))]", - "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId44'),'-', variables('analyticRuleVersion44'))))]", - "analyticRuleVersion45": "1.0.4", - "analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b", - "_analyticRulecontentId45": "[variables('analyticRulecontentId45')]", - "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId45'))]", - "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId45'))))]", - "_analyticRulecontentProductId45": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId45'),'-', variables('analyticRuleVersion45'))))]", - "analyticRuleVersion46": "1.0.4", - "analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c", - "_analyticRulecontentId46": "[variables('analyticRulecontentId46')]", - "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId46'))]", - "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId46'))))]", - "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId46'),'-', variables('analyticRuleVersion46'))))]", - "analyticRuleVersion47": "1.1.4", - "analyticRulecontentId47": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", - "_analyticRulecontentId47": "[variables('analyticRulecontentId47')]", - "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId47'))]", - "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId47'))))]", - "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId47'),'-', variables('analyticRuleVersion47'))))]", - "analyticRuleVersion48": "1.0.3", - "analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", - "_analyticRulecontentId48": "[variables('analyticRulecontentId48')]", - "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId48'))]", 
- "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId48'))))]", - "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId48'),'-', variables('analyticRuleVersion48'))))]", - "analyticRuleVersion49": "1.0.2", - "analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", - "_analyticRulecontentId49": "[variables('analyticRulecontentId49')]", - "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId49'))]", - "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId49'))))]", - "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId49'),'-', variables('analyticRuleVersion49'))))]", - "analyticRuleVersion50": "2.1.3", - "analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", - "_analyticRulecontentId50": "[variables('analyticRulecontentId50')]", - "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId50'))]", - "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId50'))))]", - "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId50'),'-', variables('analyticRuleVersion50'))))]", - "analyticRuleVersion51": "2.1.3", - "analyticRulecontentId51": 
"28b42356-45af-40a6-a0b4-a554cdfd5d8a", - "_analyticRulecontentId51": "[variables('analyticRulecontentId51')]", - "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId51'))]", - "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId51'))))]", - "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId51'),'-', variables('analyticRuleVersion51'))))]", - "analyticRuleVersion52": "1.0.6", - "analyticRulecontentId52": "48607a29-a26a-4abf-8078-a06dbdd174a4", - "_analyticRulecontentId52": "[variables('analyticRulecontentId52')]", - "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId52'))]", - "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId52'))))]", - "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId52'),'-', variables('analyticRuleVersion52'))))]", - "analyticRuleVersion53": "2.1.7", - "analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", - "_analyticRulecontentId53": "[variables('analyticRulecontentId53')]", - "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId53'))]", - "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId53'))))]", - "_analyticRulecontentProductId53": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId53'),'-', variables('analyticRuleVersion53'))))]", - "analyticRuleVersion54": "1.0.2", - "analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", - "_analyticRulecontentId54": "[variables('analyticRulecontentId54')]", - "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId54'))]", - "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId54'))))]", - "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId54'),'-', variables('analyticRuleVersion54'))))]", - "analyticRuleVersion55": "1.0.1", - "analyticRulecontentId55": "3533f74c-9207-4047-96e2-0eb9383be587", - "_analyticRulecontentId55": "[variables('analyticRulecontentId55')]", - "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId55'))]", - "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId55'))))]", - "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId55'),'-', variables('analyticRuleVersion55'))))]", - "analyticRuleVersion56": "1.0.2", - "analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", - "_analyticRulecontentId56": "[variables('analyticRulecontentId56')]", - "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId56'))]", 
- "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId56'))))]", - "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId56'),'-', variables('analyticRuleVersion56'))))]", - "analyticRuleVersion57": "1.0.0", - "analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", - "_analyticRulecontentId57": "[variables('analyticRulecontentId57')]", - "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]", - "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]", - "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]", - "analyticRuleVersion58": "1.0.8", - "analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a", - "_analyticRulecontentId58": "[variables('analyticRulecontentId58')]", - "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]", - "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId58'))))]", - "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId58'),'-', variables('analyticRuleVersion58'))))]", - "analyticRuleVersion59": "2.0.3", - "analyticRulecontentId59": 
"3a9d5ede-2b9d-43a2-acc4-d272321ff77c", - "_analyticRulecontentId59": "[variables('analyticRulecontentId59')]", - "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId59'))]", - "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId59'))))]", - "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId59'),'-', variables('analyticRuleVersion59'))))]", - "analyticRuleVersion60": "1.0.5", - "analyticRulecontentId60": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", - "_analyticRulecontentId60": "[variables('analyticRulecontentId60')]", - "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId60'))]", - "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId60'))))]", - "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId60'),'-', variables('analyticRuleVersion60'))))]", - "analyticRuleVersion61": "1.0.0", - "analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", - "_analyticRulecontentId61": "[variables('analyticRulecontentId61')]", - "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId61'))]", - "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId61'))))]", - "_analyticRulecontentProductId61": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId61'),'-', variables('analyticRuleVersion61'))))]", - "analyticRuleVersion62": "1.0.9", - "analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", - "_analyticRulecontentId62": "[variables('analyticRulecontentId62')]", - "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId62'))]", - "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId62'))))]", - "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId62'),'-', variables('analyticRuleVersion62'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.3", + "_analyticRulecontentId1": "bb616d82-108f-47d3-9dec-9652ea0d3bf6", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bb616d82-108f-47d3-9dec-9652ea0d3bf6')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bb616d82-108f-47d3-9dec-9652ea0d3bf6')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bb616d82-108f-47d3-9dec-9652ea0d3bf6','-', '1.0.3')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.2", + "_analyticRulecontentId2": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6d63efa6-7c25-4bd4-a486-aa6bf50fde8a')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6d63efa6-7c25-4bd4-a486-aa6bf50fde8a','-', '1.0.2')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.1", + "_analyticRulecontentId3": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95dc4ae3-e0f2-48bd-b996-cdd22b90f9af')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95dc4ae3-e0f2-48bd-b996-cdd22b90f9af','-', '1.0.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.1", + "_analyticRulecontentId4": "5533fe80-905e-49d5-889a-df27d2c3976d", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5533fe80-905e-49d5-889a-df27d2c3976d')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5533fe80-905e-49d5-889a-df27d2c3976d')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5533fe80-905e-49d5-889a-df27d2c3976d','-', '1.0.1')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.4", + "_analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f80d951a-eddc-4171-b9d0-d616bb83efdc')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f80d951a-eddc-4171-b9d0-d616bb83efdc')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f80d951a-eddc-4171-b9d0-d616bb83efdc','-', '1.0.4')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "2.0.1", + "_analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7cb8f77d-c52f-4e46-b82f-3cf2e106224a')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7cb8f77d-c52f-4e46-b82f-3cf2e106224a')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7cb8f77d-c52f-4e46-b82f-3cf2e106224a','-', '2.0.1')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.9", + "_analyticRulecontentId7": "694c91ee-d606-4ba9-928e-405a2dd0ff0f", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '694c91ee-d606-4ba9-928e-405a2dd0ff0f')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694c91ee-d606-4ba9-928e-405a2dd0ff0f')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694c91ee-d606-4ba9-928e-405a2dd0ff0f','-', '1.0.9')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.3", + "_analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'50574fac-f8d1-4395-81c7-78a463ff0c52')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50574fac-f8d1-4395-81c7-78a463ff0c52')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50574fac-f8d1-4395-81c7-78a463ff0c52','-', '1.0.3')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.5", + "_analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1ff56009-db01-4615-8211-d4fda21da02d')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1ff56009-db01-4615-8211-d4fda21da02d')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1ff56009-db01-4615-8211-d4fda21da02d','-', '1.0.5')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "2.0.1", + "_analyticRulecontentId10": "87210ca1-49a4-4a7d-bb4a-4988752f978c", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87210ca1-49a4-4a7d-bb4a-4988752f978c')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87210ca1-49a4-4a7d-bb4a-4988752f978c')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87210ca1-49a4-4a7d-bb4a-4988752f978c','-', '2.0.1')))]" + }, + "analyticRuleObject11": { + "analyticRuleVersion11": "2.0.1", + "_analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06", + "analyticRuleId11": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.1')))]" + }, + "analyticRuleObject12": { + "analyticRuleVersion12": "2.0.0", + "_analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.0')))]" + }, + "analyticRuleObject13": { + "analyticRuleVersion13": "1.0.4", + "_analyticRulecontentId13": "218f60de-c269-457a-b882-9966632b9dc6", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '218f60de-c269-457a-b882-9966632b9dc6')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('218f60de-c269-457a-b882-9966632b9dc6')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','218f60de-c269-457a-b882-9966632b9dc6','-', '1.0.4')))]" + }, + "analyticRuleObject14": { + "analyticRuleVersion14": "1.0.5", + "_analyticRulecontentId14": 
"3af9285d-bb98-4a35-ad29-5ea39ba0c628", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3af9285d-bb98-4a35-ad29-5ea39ba0c628')]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3af9285d-bb98-4a35-ad29-5ea39ba0c628')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3af9285d-bb98-4a35-ad29-5ea39ba0c628','-', '1.0.5')))]" + }, + "analyticRuleObject15": { + "analyticRuleVersion15": "1.0.2", + "_analyticRulecontentId15": "707494a5-8e44-486b-90f8-155d1797a8eb", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '707494a5-8e44-486b-90f8-155d1797a8eb')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('707494a5-8e44-486b-90f8-155d1797a8eb')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','707494a5-8e44-486b-90f8-155d1797a8eb','-', '1.0.2')))]" + }, + "analyticRuleObject16": { + "analyticRuleVersion16": "1.0.2", + "_analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '757e6a79-6d23-4ae6-9845-4dac170656b5')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('757e6a79-6d23-4ae6-9845-4dac170656b5')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','757e6a79-6d23-4ae6-9845-4dac170656b5','-', '1.0.2')))]" + }, + "analyticRuleObject17": { + 
"analyticRuleVersion17": "1.0.2", + "_analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb8a9c1c-f532-4630-817c-1ecd8a60ed80')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb8a9c1c-f532-4630-817c-1ecd8a60ed80')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb8a9c1c-f532-4630-817c-1ecd8a60ed80','-', '1.0.2')))]" + }, + "analyticRuleObject18": { + "analyticRuleVersion18": "1.0.1", + "_analyticRulecontentId18": "c895c5b9-0fc6-40ce-9830-e8818862f2d5", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c895c5b9-0fc6-40ce-9830-e8818862f2d5')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c895c5b9-0fc6-40ce-9830-e8818862f2d5')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c895c5b9-0fc6-40ce-9830-e8818862f2d5','-', '1.0.1')))]" + }, + "analyticRuleObject19": { + "analyticRuleVersion19": "1.0.1", + "_analyticRulecontentId19": "276d5190-38de-4eb2-9933-b3b72f4a5737", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '276d5190-38de-4eb2-9933-b3b72f4a5737')]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('276d5190-38de-4eb2-9933-b3b72f4a5737')))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','276d5190-38de-4eb2-9933-b3b72f4a5737','-', 
'1.0.1')))]" + }, + "analyticRuleObject20": { + "analyticRuleVersion20": "1.0.1", + "_analyticRulecontentId20": "229f71ba-d83b-42a5-b83b-11a641049ed1", + "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '229f71ba-d83b-42a5-b83b-11a641049ed1')]", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('229f71ba-d83b-42a5-b83b-11a641049ed1')))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','229f71ba-d83b-42a5-b83b-11a641049ed1','-', '1.0.1')))]" + }, + "analyticRuleObject21": { + "analyticRuleVersion21": "1.0.1", + "_analyticRulecontentId21": "0101e08d-99cd-4a97-a9e0-27649c4369ad", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0101e08d-99cd-4a97-a9e0-27649c4369ad')]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0101e08d-99cd-4a97-a9e0-27649c4369ad')))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0101e08d-99cd-4a97-a9e0-27649c4369ad','-', '1.0.1')))]" + }, + "analyticRuleObject22": { + "analyticRuleVersion22": "1.0.2", + "_analyticRulecontentId22": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]", + "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75ea5c39-93e5-489b-b1e1-68fa6c9d2d04','-', '1.0.2')))]" + }, + "analyticRuleObject23": { + "analyticRuleVersion23": "1.0.3", + "_analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bfb1c90f-8006-4325-98be-c7fffbc254d6')]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfb1c90f-8006-4325-98be-c7fffbc254d6')))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfb1c90f-8006-4325-98be-c7fffbc254d6','-', '1.0.3')))]" + }, + "analyticRuleObject24": { + "analyticRuleVersion24": "1.0.3", + "_analyticRulecontentId24": "a22740ec-fc1e-4c91-8de6-c29c6450ad00", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a22740ec-fc1e-4c91-8de6-c29c6450ad00')]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a22740ec-fc1e-4c91-8de6-c29c6450ad00')))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a22740ec-fc1e-4c91-8de6-c29c6450ad00','-', '1.0.3')))]" + }, + "analyticRuleObject25": { + "analyticRuleVersion25": "1.0.0", + "_analyticRulecontentId25": "54e22fed-0ec6-4fb2-8312-2a3809a93f63", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54e22fed-0ec6-4fb2-8312-2a3809a93f63')]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54e22fed-0ec6-4fb2-8312-2a3809a93f63')))]", + "_analyticRulecontentProductId25": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54e22fed-0ec6-4fb2-8312-2a3809a93f63','-', '1.0.0')))]" + }, + "analyticRuleObject26": { + "analyticRuleVersion26": "1.0.5", + "_analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '223db5c1-1bf8-47d8-8806-bed401b356a4')]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('223db5c1-1bf8-47d8-8806-bed401b356a4')))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','223db5c1-1bf8-47d8-8806-bed401b356a4','-', '1.0.5')))]" + }, + "analyticRuleObject27": { + "analyticRuleVersion27": "1.1.4", + "_analyticRulecontentId27": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2cfc3c6e-f424-4b88-9cc9-c89f482d016a')]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2cfc3c6e-f424-4b88-9cc9-c89f482d016a')))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2cfc3c6e-f424-4b88-9cc9-c89f482d016a','-', '1.1.4')))]" + }, + "analyticRuleObject28": { + "analyticRuleVersion28": "1.0.5", + "_analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53", + "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]", + "analyticRuleTemplateSpecName28": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ab1f7b2-61b8-442f-bc81-96afe7ad8c53','-', '1.0.5')))]" + }, + "analyticRuleObject29": { + "analyticRuleVersion29": "1.0.3", + "_analyticRulecontentId29": "2560515c-07d1-434e-87fb-ebe3af267760", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2560515c-07d1-434e-87fb-ebe3af267760')]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2560515c-07d1-434e-87fb-ebe3af267760')))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2560515c-07d1-434e-87fb-ebe3af267760','-', '1.0.3')))]" + }, + "analyticRuleObject30": { + "analyticRuleVersion30": "1.1.1", + "_analyticRulecontentId30": "f948a32f-226c-4116-bddd-d95e91d97eb9", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f948a32f-226c-4116-bddd-d95e91d97eb9')]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f948a32f-226c-4116-bddd-d95e91d97eb9')))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f948a32f-226c-4116-bddd-d95e91d97eb9','-', '1.1.1')))]" + }, + "analyticRuleObject31": { + "analyticRuleVersion31": "1.0.1", + "_analyticRulecontentId31": "39198934-62a0-4781-8416-a81265c03fd6", + "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'39198934-62a0-4781-8416-a81265c03fd6')]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39198934-62a0-4781-8416-a81265c03fd6')))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39198934-62a0-4781-8416-a81265c03fd6','-', '1.0.1')))]" + }, + "analyticRuleObject32": { + "analyticRuleVersion32": "2.0.1", + "_analyticRulecontentId32": "d99cf5c3-d660-436c-895b-8a8f8448da23", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd99cf5c3-d660-436c-895b-8a8f8448da23')]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d99cf5c3-d660-436c-895b-8a8f8448da23')))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d99cf5c3-d660-436c-895b-8a8f8448da23','-', '2.0.1')))]" + }, + "analyticRuleObject33": { + "analyticRuleVersion33": "1.0.2", + "_analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b')))]", + "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b','-', '1.0.2')))]" + }, + "analyticRuleObject34": { + "analyticRuleVersion34": "1.0.1", + "_analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f", + "analyticRuleId34": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cda5928c-2c1e-4575-9dfa-07568bc27a4f')]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cda5928c-2c1e-4575-9dfa-07568bc27a4f')))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cda5928c-2c1e-4575-9dfa-07568bc27a4f','-', '1.0.1')))]" + }, + "analyticRuleObject35": { + "analyticRuleVersion35": "1.0.0", + "_analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4f42b94f-b210-42d1-a023-7fa1c51d969f')]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4f42b94f-b210-42d1-a023-7fa1c51d969f')))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4f42b94f-b210-42d1-a023-7fa1c51d969f','-', '1.0.0')))]" + }, + "analyticRuleObject36": { + "analyticRuleVersion36": "1.1.1", + "_analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '79566f41-df67-4e10-a703-c38a6213afd8')]", + "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('79566f41-df67-4e10-a703-c38a6213afd8')))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','79566f41-df67-4e10-a703-c38a6213afd8','-', '1.1.1')))]" + }, + "analyticRuleObject37": { + "analyticRuleVersion37": "1.0.1", + "_analyticRulecontentId37": 
"8540c842-5bbc-4a24-9fb2-a836c0e55a51", + "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8540c842-5bbc-4a24-9fb2-a836c0e55a51')]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8540c842-5bbc-4a24-9fb2-a836c0e55a51')))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8540c842-5bbc-4a24-9fb2-a836c0e55a51','-', '1.0.1')))]" + }, + "analyticRuleObject38": { + "analyticRuleVersion38": "1.0.2", + "_analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903", + "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '29e99017-e28d-47be-8b9a-c8c711f8a903')]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('29e99017-e28d-47be-8b9a-c8c711f8a903')))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','29e99017-e28d-47be-8b9a-c8c711f8a903','-', '1.0.2')))]" + }, + "analyticRuleObject39": { + "analyticRuleVersion39": "1.0.4", + "_analyticRulecontentId39": "b6988c32-4f3b-4a45-8313-b46b33061a74", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6988c32-4f3b-4a45-8313-b46b33061a74')]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6988c32-4f3b-4a45-8313-b46b33061a74')))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6988c32-4f3b-4a45-8313-b46b33061a74','-', '1.0.4')))]" + }, + "analyticRuleObject40": { + 
"analyticRuleVersion40": "1.0.2", + "_analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298", + "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e42e889a-caaf-4dbb-aec6-371b37d64298')]", + "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e42e889a-caaf-4dbb-aec6-371b37d64298')))]", + "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e42e889a-caaf-4dbb-aec6-371b37d64298','-', '1.0.2')))]" + }, + "analyticRuleObject41": { + "analyticRuleVersion41": "1.0.2", + "_analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8", + "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5db427b2-f406-4274-b413-e9fcb29412f8')]", + "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5db427b2-f406-4274-b413-e9fcb29412f8')))]", + "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5db427b2-f406-4274-b413-e9fcb29412f8','-', '1.0.2')))]" + }, + "analyticRuleObject42": { + "analyticRuleVersion42": "1.0.1", + "_analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e", + "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14f6da04-2f96-44ee-9210-9ccc1be6401e')]", + "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14f6da04-2f96-44ee-9210-9ccc1be6401e')))]", + "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14f6da04-2f96-44ee-9210-9ccc1be6401e','-', 
'1.0.1')))]" + }, + "analyticRuleObject43": { + "analyticRuleVersion43": "1.0.4", + "_analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13", + "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '70fc7201-f28e-4ba7-b9ea-c04b96701f13')]", + "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('70fc7201-f28e-4ba7-b9ea-c04b96701f13')))]", + "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','70fc7201-f28e-4ba7-b9ea-c04b96701f13','-', '1.0.4')))]" + }, + "analyticRuleObject44": { + "analyticRuleVersion44": "1.0.7", + "_analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c", + "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7d7e20f8-3384-4b71-811c-f5e950e8306c')]", + "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7d7e20f8-3384-4b71-811c-f5e950e8306c')))]", + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7d7e20f8-3384-4b71-811c-f5e950e8306c','-', '1.0.7')))]" + }, + "analyticRuleObject45": { + "analyticRuleVersion45": "1.0.4", + "_analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b", + "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34c5aff9-a8c2-4601-9654-c7e46342d03b')]", + "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34c5aff9-a8c2-4601-9654-c7e46342d03b')))]", + "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34c5aff9-a8c2-4601-9654-c7e46342d03b','-', '1.0.4')))]" + }, + "analyticRuleObject46": { + "analyticRuleVersion46": "1.0.4", + "_analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c", + "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '269435e3-1db8-4423-9dfc-9bf59997da1c')]", + "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('269435e3-1db8-4423-9dfc-9bf59997da1c')))]", + "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','269435e3-1db8-4423-9dfc-9bf59997da1c','-', '1.0.4')))]" + }, + "analyticRuleObject47": { + "analyticRuleVersion47": "1.1.4", + "_analyticRulecontentId47": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee", + "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')]", + "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('83ba3057-9ea3-4759-bf6a-933f2e5bc7ee')))]", + "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','83ba3057-9ea3-4759-bf6a-933f2e5bc7ee','-', '1.1.4')))]" + }, + "analyticRuleObject48": { + "analyticRuleVersion48": "1.0.3", + "_analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba", + "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')]", + "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba')))]", + "_analyticRulecontentProductId48": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba','-', '1.0.3')))]" + }, + "analyticRuleObject49": { + "analyticRuleVersion49": "1.0.2", + "_analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", + "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3980830-dd9d-40a5-911f-76b44dfdce16')]", + "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3980830-dd9d-40a5-911f-76b44dfdce16')))]", + "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3980830-dd9d-40a5-911f-76b44dfdce16','-', '1.0.2')))]" + }, + "analyticRuleObject50": { + "analyticRuleVersion50": "2.1.3", + "_analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", + "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '500c103a-0319-4d56-8e99-3cec8d860757')]", + "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500c103a-0319-4d56-8e99-3cec8d860757')))]", + "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500c103a-0319-4d56-8e99-3cec8d860757','-', '2.1.3')))]" + }, + "analyticRuleObject51": { + "analyticRuleVersion51": "2.1.3", + "_analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", + "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28b42356-45af-40a6-a0b4-a554cdfd5d8a')]", + "analyticRuleTemplateSpecName51": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28b42356-45af-40a6-a0b4-a554cdfd5d8a')))]", + "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28b42356-45af-40a6-a0b4-a554cdfd5d8a','-', '2.1.3')))]" + }, + "analyticRuleObject52": { + "analyticRuleVersion52": "1.0.6", + "_analyticRulecontentId52": "48607a29-a26a-4abf-8078-a06dbdd174a4", + "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48607a29-a26a-4abf-8078-a06dbdd174a4')]", + "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48607a29-a26a-4abf-8078-a06dbdd174a4')))]", + "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48607a29-a26a-4abf-8078-a06dbdd174a4','-', '1.0.6')))]" + }, + "analyticRuleObject53": { + "analyticRuleVersion53": "2.1.7", + "_analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", + "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '02ef8d7e-fc3a-4d86-a457-650fa571d8d2')]", + "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('02ef8d7e-fc3a-4d86-a457-650fa571d8d2')))]", + "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','02ef8d7e-fc3a-4d86-a457-650fa571d8d2','-', '2.1.7')))]" + }, + "analyticRuleObject54": { + "analyticRuleVersion54": "1.0.2", + "_analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", + "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'3a3c6835-0086-40ca-b033-a93bf26d878f')]", + "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a3c6835-0086-40ca-b033-a93bf26d878f')))]", + "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a3c6835-0086-40ca-b033-a93bf26d878f','-', '1.0.2')))]" + }, + "analyticRuleObject55": { + "analyticRuleVersion55": "1.0.1", + "_analyticRulecontentId55": "3533f74c-9207-4047-96e2-0eb9383be587", + "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3533f74c-9207-4047-96e2-0eb9383be587')]", + "analyticRuleTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3533f74c-9207-4047-96e2-0eb9383be587')))]", + "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3533f74c-9207-4047-96e2-0eb9383be587','-', '1.0.1')))]" + }, + "analyticRuleObject56": { + "analyticRuleVersion56": "1.0.2", + "_analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", + "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6852d9da-8015-4b95-8ecf-d9572ee0395d')]", + "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6852d9da-8015-4b95-8ecf-d9572ee0395d')))]", + "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6852d9da-8015-4b95-8ecf-d9572ee0395d','-', '1.0.2')))]" + }, + "analyticRuleObject57": { + "analyticRuleVersion57": "1.0.0", + "_analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", + "analyticRuleId57": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aec77100-25c5-4254-a20a-8027ed92c46c')]", + "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aec77100-25c5-4254-a20a-8027ed92c46c')))]", + "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aec77100-25c5-4254-a20a-8027ed92c46c','-', '1.0.0')))]" + }, + "analyticRuleObject58": { + "analyticRuleVersion58": "1.0.8", + "_analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a", + "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acc4c247-aaf7-494b-b5da-17f18863878a')]", + "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acc4c247-aaf7-494b-b5da-17f18863878a')))]", + "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acc4c247-aaf7-494b-b5da-17f18863878a','-', '1.0.8')))]" + }, + "analyticRuleObject59": { + "analyticRuleVersion59": "2.0.3", + "_analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", + "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3a9d5ede-2b9d-43a2-acc4-d272321ff77c')]", + "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3a9d5ede-2b9d-43a2-acc4-d272321ff77c')))]", + "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3a9d5ede-2b9d-43a2-acc4-d272321ff77c','-', '2.0.3')))]" + }, + "analyticRuleObject60": { + "analyticRuleVersion60": "1.0.5", + "_analyticRulecontentId60": 
"4d94d4a9-dc96-410a-8dea-4d4d4584188b", + "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d94d4a9-dc96-410a-8dea-4d4d4584188b')]", + "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d94d4a9-dc96-410a-8dea-4d4d4584188b')))]", + "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d94d4a9-dc96-410a-8dea-4d4d4584188b','-', '1.0.5')))]" + }, + "analyticRuleObject61": { + "analyticRuleVersion61": "1.0.0", + "_analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", + "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '746ddb63-f51b-4563-b449-a8b13cf302ec')]", + "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('746ddb63-f51b-4563-b449-a8b13cf302ec')))]", + "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','746ddb63-f51b-4563-b449-a8b13cf302ec','-', '1.0.0')))]" + }, + "analyticRuleObject62": { + "analyticRuleVersion62": "1.0.9", + "_analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", + "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '050b9b3d-53d0-4364-a3da-1b678b8211ec')]", + "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('050b9b3d-53d0-4364-a3da-1b678b8211ec')))]", + "_analyticRulecontentProductId62": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','050b9b3d-53d0-4364-a3da-1b678b8211ec','-', '1.0.9')))]" + }, "Block-AADUser-alert-trigger": 
"Block-AADUser-alert-trigger", "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]", "playbookVersion1": "1.1", @@ -1096,7 +1158,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -1105,13 +1167,13 @@ "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1130,10 +1192,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1144,7 +1206,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1154,16 +1215,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "DeletedByIPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -1171,13 +1233,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1202,18 +1264,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", "displayName": "Account Created and Deleted in Short Timeframe", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1222,13 +1284,13 @@ "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1247,10 +1309,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1261,7 +1323,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1271,16 +1332,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedUserIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -1288,13 +1350,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1319,18 +1381,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "Account created or deleted by non-approved user", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1339,13 +1401,13 @@ "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1364,10 +1426,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1375,7 +1437,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1385,16 +1446,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -1402,13 +1464,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1433,18 +1495,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "Modified domain federation trust settings", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1453,13 +1515,13 @@ "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1478,10 +1540,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "ADFSSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1492,13 +1554,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -1506,13 +1568,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1537,18 +1599,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against ADFSSignInLogs", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1557,13 +1619,13 @@ "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1582,10 +1644,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1598,16 +1660,15 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AppDisplayName" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1617,7 +1678,8 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
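Review bot: In the `@@ -1598,16 +1660,15 @@` hunk the first `entityMappings` entry still types `AppDisplayName` as an `Account` entity (`"identifier": "Name", "columnName": "AppDisplayName"`), so an application's display name will surface in incidents as if it were a user account. A display name is free text chosen by whoever registers the application and is not unique, which makes entity correlation and triage on it unreliable. If the column does hold an application name (inferred from the column name; the rule query is outside the hunk), mapping it as `"entityType": "CloudApplication"` with `"identifier": "Name"` would describe it correctly. The same mapping appears in the `@@ -2118,16 +2179,17 @@` hunk of the Role Management Permission Grant rule further down.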
@@ -1625,13 +1687,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1656,18 +1718,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", "displayName": "Admin promotion after Role Management Application Permission Grant", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1676,13 +1738,13 @@ "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1701,16 +1763,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1721,7 +1783,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1735,7 +1796,8 @@ "identifier": "AadUserId", "columnName": "UserId" } - ] + ], + "entityType": "Account" } ], "eventGroupingSettings": { 
@@ -1745,21 +1807,21 @@ "Application": "AppDisplayName" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}", - "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n" + "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n", + "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Microsoft Entra 
ID", @@ -1784,18 +1846,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", "displayName": "Anomalous sign-in location by user account and authenticating application", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1804,13 +1866,13 @@ "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1829,16 +1891,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -1849,7 +1911,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1859,10 +1920,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1872,16 +1933,17 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IP" } - ] + ], + "entityType": "IP" } ] } 
@@ -1889,13 +1951,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -1920,18 +1982,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", "displayName": "Authentication Methods Changed for Privileged Account", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1940,13 +2002,13 @@ "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1965,16 +2027,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1985,7 +2047,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -1999,16 +2060,17 @@ "identifier": "AadUserId", "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -2016,13 +2078,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2047,18 +2109,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", "displayName": "Microsoft Entra ID PowerShell accessing non-Entra ID resources", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2067,13 +2129,13 @@ "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2092,10 +2154,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2108,7 +2170,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2118,16 +2179,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AppDisplayName" } - ] + ], + "entityType": "Account" } ] } 
@@ -2135,13 +2197,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2166,18 +2228,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", "displayName": "Microsoft Entra ID Role Management Permission Grant", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2186,13 +2248,13 @@ "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2211,10 +2273,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2225,7 +2287,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -2239,34 +2300,35 @@ "identifier": "AadUserId", "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ], "alertDetailsOverride": { - "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}", - "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n" + "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n", + "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2291,18 +2353,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", "displayName": "Azure Portal sign in from another Azure Tenant", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName11')]", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2311,13 +2373,13 @@ "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", + "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId11')]", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2336,16 +2398,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2356,7 +2418,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2366,7 +2427,8 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -2374,13 +2436,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2405,18 +2467,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId11')]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "contentKind": "AnalyticsRule", "displayName": "Brute Force Attack against GitHub Account", - "contentProductId": "[variables('_analyticRulecontentProductId11')]", - "id": "[variables('_analyticRulecontentProductId11')]", - "version": "[variables('analyticRuleVersion11')]" + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName12')]", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2425,13 +2487,13 @@ "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion12')]", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId12')]", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2450,10 +2512,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2464,7 +2526,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2474,16 +2535,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddressFirst" } - ] + ], + "entityType": "IP" } ] } 
@@ -2491,13 +2553,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 12", - "parentId": "[variables('analyticRuleId12')]", - "contentId": "[variables('_analyticRulecontentId12')]", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion12')]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2522,18 +2584,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId12')]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", "displayName": "Brute force attack against a Cloud PC", - "contentProductId": "[variables('_analyticRulecontentProductId12')]", - "id": "[variables('_analyticRulecontentProductId12')]", - "version": "[variables('analyticRuleVersion12')]" + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName13')]", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2542,13 +2604,13 @@ "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion13')]", + "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId13')]", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2567,10 +2629,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2581,7 +2643,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2591,10 +2652,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -2604,25 +2665,26 @@ "identifier": "UPNSuffix", "columnName": "InitiatedByUserUPNSuffix" } - ] + ], + "entityType": "Account" } ], "customDetails": { - "TargetUser": "Target", - "InitiatedByUser": "InitiatedByUser" + "InitiatedByUser": "InitiatedByUser", + "TargetUser": "Target" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 13", - "parentId": "[variables('analyticRuleId13')]", - "contentId": "[variables('_analyticRulecontentId13')]", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion13')]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2647,18 +2709,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId13')]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "contentKind": "AnalyticsRule", "displayName": "Bulk Changes to Privileged Account Permissions", - "contentProductId": "[variables('_analyticRulecontentProductId13')]", - "id": "[variables('_analyticRulecontentProductId13')]", - "version": "[variables('analyticRuleVersion13')]" + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName14')]", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2667,13 +2729,13 @@ "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion14')]", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId14')]", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2692,16 +2754,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2714,7 +2776,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2724,16 +2785,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddresses" } - ] + ], + "entityType": "IP" } ] } 
@@ -2741,13 +2803,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 14", - "parentId": "[variables('analyticRuleId14')]", - "contentId": "[variables('_analyticRulecontentId14')]", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion14')]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2772,18 +2834,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId14')]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "contentKind": "AnalyticsRule", "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", - "contentProductId": "[variables('_analyticRulecontentProductId14')]", - "id": "[variables('_analyticRulecontentProductId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName15')]", + "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2792,13 +2854,13 @@ "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion15')]", + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId15')]", + "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2817,10 +2879,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2828,7 +2890,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2838,16 +2899,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "Consent_InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -2855,13 +2917,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 15", - "parentId": "[variables('analyticRuleId15')]", - "contentId": "[variables('_analyticRulecontentId15')]", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion15')]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -2886,18 +2948,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId15')]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "contentKind": "AnalyticsRule", "displayName": "Credential added after admin consented to Application", - "contentProductId": "[variables('_analyticRulecontentProductId15')]", - "id": "[variables('_analyticRulecontentProductId15')]", - "version": "[variables('analyticRuleVersion15')]" + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName16')]", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2906,13 +2968,13 @@ "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion16')]", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId16')]", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2931,10 +2993,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2949,7 +3011,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -2959,16 +3020,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -2976,13 +3038,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 16", - "parentId": "[variables('analyticRuleId16')]", - "contentId": "[variables('_analyticRulecontentId16')]", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion16')]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3007,18 +3069,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId16')]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Added", - "contentProductId": "[variables('_analyticRulecontentProductId16')]", - "id": "[variables('_analyticRulecontentProductId16')]", - "version": "[variables('analyticRuleVersion16')]" + "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName17')]", + "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3027,13 +3089,13 @@ "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion17')]", + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId17')]", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3052,10 +3114,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3070,7 +3132,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3080,16 +3141,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3097,13 +3159,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 17", - "parentId": "[variables('analyticRuleId17')]", - "contentId": "[variables('_analyticRulecontentId17')]", + "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion17')]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3128,18 +3190,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId17')]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Deleted", - "contentProductId": "[variables('_analyticRulecontentProductId17')]", - "id": "[variables('_analyticRulecontentProductId17')]", - "version": "[variables('analyticRuleVersion17')]" + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName18')]", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3148,13 +3210,13 @@ "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion18')]", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId18')]", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3173,10 +3235,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3191,7 +3253,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3201,16 +3262,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3218,13 +3280,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 18", - "parentId": "[variables('analyticRuleId18')]", - "contentId": "[variables('_analyticRulecontentId18')]", + "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion18')]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3249,18 +3311,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId18')]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId18')]", - "id": "[variables('_analyticRulecontentProductId18')]", - "version": "[variables('analyticRuleVersion18')]" + "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName19')]", + "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3269,13 +3331,13 @@ "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion19')]", + "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId19')]", + "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3294,10 +3356,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3312,7 +3374,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3322,16 +3383,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3339,13 +3401,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 19", - "parentId": "[variables('analyticRuleId19')]", - "contentId": "[variables('_analyticRulecontentId19')]", + "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion19')]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3370,18 +3432,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId19')]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId19')]", - "id": "[variables('_analyticRulecontentProductId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName20')]", + "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3390,13 +3452,13 @@ "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion20')]", + "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId20')]", + "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3415,10 +3477,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3433,7 +3495,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3443,16 +3504,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3460,13 +3522,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 20", - "parentId": "[variables('analyticRuleId20')]", - "contentId": "[variables('_analyticRulecontentId20')]", + "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion20')]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3491,18 +3553,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId20')]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId20')]", - "id": "[variables('_analyticRulecontentProductId20')]", - "version": "[variables('analyticRuleVersion20')]" + "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName21')]", + "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3511,13 +3573,13 @@ "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion21')]", + "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId21')]", + "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3536,10 +3598,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3554,7 +3616,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3564,16 +3625,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3581,13 +3643,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 21", - "parentId": "[variables('analyticRuleId21')]", - "contentId": "[variables('_analyticRulecontentId21')]", + "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion21')]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3612,18 +3674,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId21')]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", "contentKind": "AnalyticsRule", "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed", - "contentProductId": "[variables('_analyticRulecontentProductId21')]", - "id": "[variables('_analyticRulecontentProductId21')]", - "version": "[variables('analyticRuleVersion21')]" + "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName22')]", + "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3632,13 +3694,13 @@ "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion22')]", + "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId22')]", + "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3657,16 +3719,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3677,7 +3739,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3687,16 +3748,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3704,13 +3766,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 22", - "parentId": "[variables('analyticRuleId22')]", - "contentId": "[variables('_analyticRulecontentId22')]", + "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion22')]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3735,18 +3797,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId22')]", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", "contentKind": "AnalyticsRule", "displayName": "Attempts to sign in to disabled accounts", - "contentProductId": "[variables('_analyticRulecontentProductId22')]", - "id": "[variables('_analyticRulecontentProductId22')]", - "version": "[variables('analyticRuleVersion22')]" + "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName23')]", + "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3755,13 +3817,13 @@ "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion23')]", + "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId23')]", + "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3780,16 +3842,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3800,7 +3862,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3810,16 +3871,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -3827,13 +3889,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 23", - "parentId": "[variables('analyticRuleId23')]", - "contentId": "[variables('_analyticRulecontentId23')]", + "parentId": "[variables('analyticRuleObject23').analyticRuleId23]", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion23')]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -3858,18 +3920,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId23')]", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", "contentKind": "AnalyticsRule", "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", - "contentProductId": "[variables('_analyticRulecontentProductId23')]", - "id": "[variables('_analyticRulecontentProductId23')]", - "version": "[variables('analyticRuleVersion23')]" + "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName24')]", + "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -3878,13 +3940,13 @@ "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion24')]", + "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId24')]", + "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3903,22 +3965,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceInfo" - ], - "connectorId": "MicrosoftThreatProtection" + ] } ], "tactics": [ @@ -3929,7 +3991,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -3939,34 +4000,35 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceID", "columnName": "ResourceID" } - ] + ], + "entityType": "AzureResource" }, { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "ClientAppUsed" } - ] + ], + "entityType": "URL" } ] } 
@@ -3974,13 +4036,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 24", - "parentId": "[variables('analyticRuleId24')]", - "contentId": "[variables('_analyticRulecontentId24')]", + "parentId": "[variables('analyticRuleObject24').analyticRuleId24]", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion24')]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4005,18 +4067,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId24')]", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", "contentKind": "AnalyticsRule", "displayName": "Explicit MFA Deny", - "contentProductId": "[variables('_analyticRulecontentProductId24')]", - "id": "[variables('_analyticRulecontentProductId24')]", - "version": "[variables('analyticRuleVersion24')]" + "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName25')]", + "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4025,13 +4087,13 @@ "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion25')]", + "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId25')]", + "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4050,10 +4112,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4064,7 +4126,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4074,16 +4135,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" } ], "customDetails": { 
@@ -4092,21 +4154,21 @@ "OAuthAppId": "AppId" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}", - "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n" + "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. 
The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", + "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 25", - "parentId": "[variables('analyticRuleId25')]", - "contentId": "[variables('_analyticRulecontentId25')]", + "parentId": "[variables('analyticRuleObject25').analyticRuleId25]", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion25')]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4131,18 +4193,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId25')]", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "contentKind": "AnalyticsRule", "displayName": "full_access_as_app Granted To Application", - "contentProductId": "[variables('_analyticRulecontentProductId25')]", - "id": "[variables('_analyticRulecontentProductId25')]", - "version": "[variables('analyticRuleVersion25')]" + "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName26')]", + "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4151,13 +4213,13 @@ "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion26')]", + "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId26')]", + "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4176,16 +4238,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4196,7 +4258,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4206,16 +4267,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -4223,13 +4285,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 26", - "parentId": "[variables('analyticRuleId26')]", - "contentId": "[variables('_analyticRulecontentId26')]", + "parentId": "[variables('analyticRuleObject26').analyticRuleId26]", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion26')]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4254,18 +4316,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId26')]", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "contentKind": "AnalyticsRule", "displayName": "Failed login attempts to Azure Portal", - "contentProductId": "[variables('_analyticRulecontentProductId26')]", - "id": "[variables('_analyticRulecontentProductId26')]", - "version": "[variables('analyticRuleVersion26')]" + "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName27')]", + "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4274,13 +4336,13 @@ "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion27')]", + "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId27')]", + "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4299,10 +4361,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4313,7 +4375,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4323,25 +4384,26 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "targetDisplayName" } - ] + ], + "entityType": "CloudApplication" } ] } 
@@ -4349,13 +4411,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 27", - "parentId": "[variables('analyticRuleId27')]", - "contentId": "[variables('_analyticRulecontentId27')]", + "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion27')]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4380,18 +4442,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId27')]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "contentKind": "AnalyticsRule", "displayName": "First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('_analyticRulecontentProductId27')]", - "id": "[variables('_analyticRulecontentProductId27')]", - "version": "[variables('analyticRuleVersion27')]" + "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName28')]", + "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4400,13 +4462,13 @@ "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion28')]", + "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId28')]", + "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4425,10 +4487,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4443,16 +4505,15 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "InvitedUser" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4462,19 +4523,19 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" }, { - "entityType": "SecurityGroup", "fieldMappings": [ { "identifier": "DistinguishedName", @@ -4484,7 +4545,8 @@ "identifier": "ObjectGuid", "columnName": "AADGroupId" } - ] + ], + "entityType": "SecurityGroup" } ] } 
@@ -4492,13 +4554,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 28", - "parentId": "[variables('analyticRuleId28')]", - "contentId": "[variables('_analyticRulecontentId28')]", + "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion28')]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4523,18 +4585,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId28')]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "contentKind": "AnalyticsRule", "displayName": "Guest accounts added in Entra ID Groups other than the ones specified", - "contentProductId": "[variables('_analyticRulecontentProductId28')]", - "id": "[variables('_analyticRulecontentProductId28')]", - "version": "[variables('analyticRuleVersion28')]" + "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName29')]", + "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4543,13 +4605,13 @@ "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion29')]", + "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId29')]", + "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4568,10 +4630,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4582,7 +4644,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4592,16 +4653,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "UserIPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -4609,13 +4671,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 29", - "parentId": "[variables('analyticRuleId29')]", - "contentId": "[variables('_analyticRulecontentId29')]", + "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion29')]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4640,18 +4702,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId29')]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "contentKind": "AnalyticsRule", "displayName": "Mail.Read Permissions Granted to Application", - "contentProductId": "[variables('_analyticRulecontentProductId29')]", - "id": "[variables('_analyticRulecontentProductId29')]", - "version": "[variables('analyticRuleVersion29')]" + "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName30')]", + "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4660,13 +4722,13 @@ "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion30')]", + "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId30')]", + "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4685,10 +4747,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4701,7 +4763,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4711,25 +4772,26 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "AppDisplayName" } - ] + ], + "entityType": "CloudApplication" } ] } 
@@ -4737,13 +4799,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 30", - "parentId": "[variables('analyticRuleId30')]", - "contentId": "[variables('_analyticRulecontentId30')]", + "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion30')]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4768,18 +4830,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId30')]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent similar to O365 Attack Toolkit", - "contentProductId": "[variables('_analyticRulecontentProductId30')]", - "id": "[variables('_analyticRulecontentProductId30')]", - "version": "[variables('analyticRuleVersion30')]" + "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName31')]", + "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4788,13 +4850,13 @@ "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion31')]", + "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId31')]", + "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4813,10 +4875,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4829,7 +4891,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4839,16 +4900,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -4856,13 +4918,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 31", - "parentId": "[variables('analyticRuleId31')]", - "contentId": "[variables('_analyticRulecontentId31')]", + "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion31')]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -4887,18 +4949,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId31')]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent similar to PwnAuth", - "contentProductId": "[variables('_analyticRulecontentProductId31')]", - "id": "[variables('_analyticRulecontentProductId31')]", - "version": "[variables('analyticRuleVersion31')]" + "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName32')]", + "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -4907,13 +4969,13 @@ "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion32')]", + "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId32')]", + "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -4932,22 +4994,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -4958,7 +5020,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -4972,16 +5033,17 @@ "identifier": "AadUserId", "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -4989,13 +5051,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 32", - "parentId": "[variables('analyticRuleId32')]", - "contentId": "[variables('_analyticRulecontentId32')]", + "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion32')]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5020,18 +5082,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId32')]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "contentKind": "AnalyticsRule", "displayName": "MFA Rejected by User", - "contentProductId": "[variables('_analyticRulecontentProductId32')]", - "id": "[variables('_analyticRulecontentProductId32')]", - "version": "[variables('analyticRuleVersion32')]" + "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName33')]", + "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5040,13 +5102,13 @@ "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion33')]", + "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId33')]", + "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5065,10 +5127,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5079,7 +5141,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5089,16 +5150,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -5106,13 +5168,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 33", - "parentId": "[variables('analyticRuleId33')]", - "contentId": "[variables('_analyticRulecontentId33')]", + "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion33')]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5137,18 +5199,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId33')]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "contentKind": "AnalyticsRule", "displayName": "MFA Spamming followed by Successful login", - "contentProductId": "[variables('_analyticRulecontentProductId33')]", - "id": "[variables('_analyticRulecontentProductId33')]", - "version": "[variables('analyticRuleVersion33')]" + "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName34')]", + "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5157,13 +5219,13 @@ "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion34')]", + "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId34')]", + "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5182,10 +5244,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5196,7 +5258,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5206,7 +5267,8 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -5214,13 +5276,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 34", - "parentId": "[variables('analyticRuleId34')]", - "contentId": "[variables('_analyticRulecontentId34')]", + "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion34')]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5245,18 +5307,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId34')]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "contentKind": "AnalyticsRule", "displayName": "Multiple admin membership removals from newly created admin.", - "contentProductId": "[variables('_analyticRulecontentProductId34')]", - "id": "[variables('_analyticRulecontentProductId34')]", - "version": "[variables('analyticRuleVersion34')]" + "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName35')]", + "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5265,13 +5327,13 @@ "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion35')]", + "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId35')]", + "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5290,10 +5352,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5304,7 +5366,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -5318,46 +5379,47 @@ "identifier": "AadUserId", "columnName": "InitiatingSPID" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "DomainAdded" } - ] + ], + "entityType": "DNS" } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}", - "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose." + "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. 
Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.", + "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 35", - "parentId": "[variables('analyticRuleId35')]", - "contentId": "[variables('_analyticRulecontentId35')]", + "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion35')]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5382,18 +5444,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId35')]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "contentKind": "AnalyticsRule", "displayName": "New onmicrosoft domain added to tenant", - "contentProductId": "[variables('_analyticRulecontentProductId35')]", - "id": "[variables('_analyticRulecontentProductId35')]", - "version": "[variables('analyticRuleVersion35')]" + "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName36')]", + "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5402,13 +5464,13 @@ "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion36')]", + "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId36')]", + "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5427,10 +5489,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5441,7 +5503,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5451,16 +5512,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -5468,13 +5530,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 36", - "parentId": "[variables('analyticRuleId36')]", - "contentId": "[variables('_analyticRulecontentId36')]", + "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion36')]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5499,18 +5561,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId36')]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "contentKind": "AnalyticsRule", "displayName": "New access credential added to Application or Service Principal", - "contentProductId": "[variables('_analyticRulecontentProductId36')]", - "id": "[variables('_analyticRulecontentProductId36')]", - "version": "[variables('analyticRuleVersion36')]" + "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName37')]", + "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5519,13 +5581,13 @@ "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion37')]", + "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId37')]", + "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -5540,10 +5602,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5551,7 +5613,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5561,16 +5622,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -5578,13 +5640,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 37", - "parentId": "[variables('analyticRuleId37')]", - "contentId": "[variables('_analyticRulecontentId37')]", + "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion37')]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5609,18 +5671,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId37')]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "contentKind": "AnalyticsRule", "displayName": "NRT Modified domain federation trust settings", - "contentProductId": "[variables('_analyticRulecontentProductId37')]", - "id": "[variables('_analyticRulecontentProductId37')]", - "version": "[variables('analyticRuleVersion37')]" + "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName38')]", + "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5629,13 +5691,13 @@ "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion38')]", + "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId38')]", + "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -5650,10 +5712,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5664,7 +5726,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5674,16 +5735,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IP" } - ] + ], + "entityType": "IP" } ] } 
@@ -5691,13 +5753,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 38", - "parentId": "[variables('analyticRuleId38')]", - "contentId": "[variables('_analyticRulecontentId38')]", + "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion38')]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5722,18 +5784,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId38')]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "contentKind": "AnalyticsRule", "displayName": "NRT Authentication Methods Changed for VIP Users", - "contentProductId": "[variables('_analyticRulecontentProductId38')]", - "id": "[variables('_analyticRulecontentProductId38')]", - "version": "[variables('analyticRuleVersion38')]" + "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName39')]", + "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5742,13 +5804,13 @@ "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion39')]", + "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId39')]", + "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -5763,10 +5825,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5777,7 +5839,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5787,16 +5848,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -5804,13 +5866,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 39", - "parentId": "[variables('analyticRuleId39')]", - "contentId": "[variables('_analyticRulecontentId39')]", + "parentId": "[variables('analyticRuleObject39').analyticRuleId39]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion39')]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5835,18 +5897,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId39')]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "contentKind": "AnalyticsRule", "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", - "contentProductId": "[variables('_analyticRulecontentProductId39')]", - "id": "[variables('_analyticRulecontentProductId39')]", - "version": "[variables('analyticRuleVersion39')]" + "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName40')]", + "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5855,13 +5917,13 @@ "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion40')]", + "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId40')]", + "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -5876,10 +5938,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5890,7 +5952,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5900,16 +5961,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -5917,13 +5979,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 40", - "parentId": "[variables('analyticRuleId40')]", - "contentId": "[variables('_analyticRulecontentId40')]", + "parentId": "[variables('analyticRuleObject40').analyticRuleId40]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion40')]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -5948,18 +6010,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId40')]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "contentKind": "AnalyticsRule", "displayName": "NRT New access credential added to Application or Service Principal", - "contentProductId": "[variables('_analyticRulecontentProductId40')]", - "id": "[variables('_analyticRulecontentProductId40')]", - "version": "[variables('analyticRuleVersion40')]" + "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName41')]", + "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -5968,13 +6030,13 @@ "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion41')]", + "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId41')]", + "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -5989,10 +6051,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6003,7 +6065,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6013,10 +6074,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6026,16 +6087,17 @@ "identifier": "UPNSuffix", "columnName": "UserUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6043,13 +6105,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 41", - "parentId": "[variables('analyticRuleId41')]", - "contentId": "[variables('_analyticRulecontentId41')]", + "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion41')]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6074,18 +6136,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId41')]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "contentKind": "AnalyticsRule", "displayName": "NRT PIM Elevation Request Rejected", - "contentProductId": "[variables('_analyticRulecontentProductId41')]", - "id": "[variables('_analyticRulecontentProductId41')]", - "version": "[variables('analyticRuleVersion41')]" + "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName42')]", + "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6094,13 +6156,13 @@ "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion42')]", + "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId42')]", + "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -6115,10 +6177,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6129,7 +6191,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6139,16 +6200,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6156,13 +6218,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 42", - "parentId": "[variables('analyticRuleId42')]", - "contentId": "[variables('_analyticRulecontentId42')]", + "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion42')]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6187,18 +6249,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId42')]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "contentKind": "AnalyticsRule", "displayName": "NRT Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('_analyticRulecontentProductId42')]", - "id": "[variables('_analyticRulecontentProductId42')]", - "version": "[variables('analyticRuleVersion42')]" + "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName43')]", + "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6207,13 +6269,13 @@ "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion43')]", + "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId43')]", + "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "apiVersion": "2022-04-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", @@ -6228,10 +6290,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6244,7 +6306,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6254,10 +6315,10 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6267,7 +6328,8 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -6275,13 +6337,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 43", - "parentId": "[variables('analyticRuleId43')]", - "contentId": "[variables('_analyticRulecontentId43')]", + "parentId": "[variables('analyticRuleObject43').analyticRuleId43]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion43')]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6306,18 +6368,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId43')]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "contentKind": "AnalyticsRule", "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", - "contentProductId": "[variables('_analyticRulecontentProductId43')]", - "id": "[variables('_analyticRulecontentProductId43')]", - "version": "[variables('analyticRuleVersion43')]" + "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName44')]", + "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6326,13 +6388,13 @@ "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion44')]", + "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId44')]", + "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6351,10 +6413,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6365,7 +6427,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6375,10 +6436,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6388,16 +6449,17 @@ "identifier": "UPNSuffix", "columnName": "UserUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6405,13 +6467,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 44", - "parentId": "[variables('analyticRuleId44')]", - "contentId": "[variables('_analyticRulecontentId44')]", + "parentId": "[variables('analyticRuleObject44').analyticRuleId44]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion44')]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6436,18 +6498,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId44')]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "contentKind": "AnalyticsRule", "displayName": "PIM Elevation Request Rejected", - "contentProductId": "[variables('_analyticRulecontentProductId44')]", - "id": "[variables('_analyticRulecontentProductId44')]", - "version": "[variables('analyticRuleVersion44')]" + "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName45')]", + "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6456,13 +6518,13 @@ "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion45')]", + "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId45')]", + "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6481,22 +6543,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -6507,7 +6569,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6517,16 +6578,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6534,13 +6596,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 45", - "parentId": "[variables('analyticRuleId45')]", - "contentId": "[variables('_analyticRulecontentId45')]", + "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion45')]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6565,18 +6627,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId45')]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "contentKind": "AnalyticsRule", "displayName": "Privileged Accounts - Sign in Failure Spikes", - "contentProductId": "[variables('_analyticRulecontentProductId45')]", - "id": "[variables('_analyticRulecontentProductId45')]", - "version": "[variables('analyticRuleVersion45')]" + "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName46')]", + "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6585,13 +6647,13 @@ "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion46')]", + "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId46')]", + "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6610,10 +6672,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6624,7 +6686,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6634,16 +6695,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6651,13 +6713,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 46", - "parentId": "[variables('analyticRuleId46')]", - "contentId": "[variables('_analyticRulecontentId46')]", + "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion46')]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6682,18 +6744,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId46')]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "contentKind": "AnalyticsRule", "displayName": "Privileged Role Assigned Outside PIM", - "contentProductId": "[variables('_analyticRulecontentProductId46')]", - "id": "[variables('_analyticRulecontentProductId46')]", - "version": "[variables('analyticRuleVersion46')]" + "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName47')]", + "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6702,13 +6764,13 @@ "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion47')]", + "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId47')]", + "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6727,10 +6789,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6743,7 +6805,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6753,25 +6814,26 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "TargetResourceName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6779,13 +6841,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 47", - "parentId": "[variables('analyticRuleId47')]", - "contentId": "[variables('_analyticRulecontentId47')]", + "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion47')]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6810,18 +6872,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId47')]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "contentKind": "AnalyticsRule", "displayName": "Rare application consent", - "contentProductId": "[variables('_analyticRulecontentProductId47')]", - "id": "[variables('_analyticRulecontentProductId47')]", - "version": "[variables('analyticRuleVersion47')]" + "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName48')]", + "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6830,13 +6892,13 @@ "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion48')]", + "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId48')]", + "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6855,10 +6917,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6869,7 +6931,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -6879,16 +6940,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6896,13 +6958,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 48", - "parentId": "[variables('analyticRuleId48')]", - "contentId": "[variables('_analyticRulecontentId48')]", + "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion48')]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -6927,18 +6989,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId48')]", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", - "contentProductId": "[variables('_analyticRulecontentProductId48')]", - "id": "[variables('_analyticRulecontentProductId48')]", - "version": "[variables('analyticRuleVersion48')]" + "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName49')]", + "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -6947,13 +7009,13 @@ "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion49')]", + "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId49')]", + "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6972,16 +7034,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -6992,7 +7054,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7002,7 +7063,8 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -7010,13 +7072,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 49", - "parentId": "[variables('analyticRuleId49')]", - "contentId": "[variables('_analyticRulecontentId49')]", + "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion49')]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7041,18 +7103,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId49')]", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", "contentKind": "AnalyticsRule", "displayName": "GitHub Signin Burst from Multiple Locations", - "contentProductId": "[variables('_analyticRulecontentProductId49')]", - "id": "[variables('_analyticRulecontentProductId49')]", - "version": "[variables('analyticRuleVersion49')]" + "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName50')]", + "name": "[variables('analyticRuleObject50').analyticRuleTemplateSpecName50]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7061,13 +7123,13 @@ "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion50')]", + "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId50')]", + "name": "[variables('analyticRuleObject50')._analyticRulecontentId50]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7086,22 +7148,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -7114,13 +7176,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -7128,13 +7190,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject50').analyticRuleId50,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 50", - "parentId": "[variables('analyticRuleId50')]", - "contentId": "[variables('_analyticRulecontentId50')]", + "parentId": "[variables('analyticRuleObject50').analyticRuleId50]", + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion50')]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7159,18 +7221,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId50')]", + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", "contentKind": "AnalyticsRule", "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", - "contentProductId": "[variables('_analyticRulecontentProductId50')]", - "id": "[variables('_analyticRulecontentProductId50')]", - "version": "[variables('analyticRuleVersion50')]" + "contentProductId": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", + "id": "[variables('analyticRuleObject50')._analyticRulecontentProductId50]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName51')]", + "name": "[variables('analyticRuleObject51').analyticRuleTemplateSpecName51]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7179,13 +7241,13 @@ "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion51')]", + "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId51')]", + "name": "[variables('analyticRuleObject51')._analyticRulecontentId51]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7204,16 +7266,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7224,7 +7286,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7238,16 +7299,17 @@ "identifier": "AadUserId", "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -7255,13 +7317,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject51').analyticRuleId51,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 51", - "parentId": "[variables('analyticRuleId51')]", - "contentId": "[variables('_analyticRulecontentId51')]", + "parentId": "[variables('analyticRuleObject51').analyticRuleId51]", + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion51')]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7286,18 +7348,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId51')]", + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", "contentKind": "AnalyticsRule", "displayName": "Brute force attack against Azure Portal", - "contentProductId": "[variables('_analyticRulecontentProductId51')]", - "id": "[variables('_analyticRulecontentProductId51')]", - "version": "[variables('analyticRuleVersion51')]" + "contentProductId": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", + "id": "[variables('analyticRuleObject51')._analyticRulecontentProductId51]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName52')]", + "name": "[variables('analyticRuleObject52').analyticRuleTemplateSpecName52]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7306,13 +7368,13 @@ "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion52')]", + "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId52')]", + "name": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7331,16 +7393,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7351,13 +7413,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -7365,13 +7427,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject52').analyticRuleId52,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 52", - "parentId": "[variables('analyticRuleId52')]", - "contentId": "[variables('_analyticRulecontentId52')]", + "parentId": "[variables('analyticRuleObject52').analyticRuleId52]", + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion52')]", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7396,18 +7458,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId52')]", + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "contentKind": "AnalyticsRule", "displayName": "Password spray attack against Microsoft Entra ID application", - "contentProductId": "[variables('_analyticRulecontentProductId52')]", - "id": "[variables('_analyticRulecontentProductId52')]", - "version": "[variables('analyticRuleVersion52')]" + "contentProductId": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", + "id": "[variables('analyticRuleObject52')._analyticRulecontentProductId52]", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName53')]", + "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7416,13 +7478,13 @@ "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion53')]", + "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId53')]", + "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7441,28 +7503,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -7475,7 +7537,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7485,25 +7546,26 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SuccessIPAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "FailedIPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -7511,13 +7573,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 53", - "parentId": "[variables('analyticRuleId53')]", - "contentId": "[variables('_analyticRulecontentId53')]", + "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion53')]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7542,18 +7604,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId53')]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", "contentKind": "AnalyticsRule", "displayName": "Successful logon from IP and failure from a different IP", - "contentProductId": "[variables('_analyticRulecontentProductId53')]", - "id": "[variables('_analyticRulecontentProductId53')]", - "version": "[variables('analyticRuleVersion53')]" + "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName54')]", + "name": "[variables('analyticRuleObject54').analyticRuleTemplateSpecName54]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7562,13 +7624,13 @@ "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion54')]", + "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId54')]", + "name": "[variables('analyticRuleObject54')._analyticRulecontentId54]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7587,10 +7649,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -7601,58 +7663,58 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "NewDeviceName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "OldDeviceName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "AzureID", "columnName": "DeviceId" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", "columnName": "InitiatedByUser" } - ] + ], + "entityType": "Account" } ], "alertDetailsOverride": { - "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed", - "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n" + "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n", + "alertDisplayNameFormat": "Suspicious AAD Joined Device Update 
{{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject54').analyticRuleId54,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 54", - "parentId": "[variables('analyticRuleId54')]", - "contentId": "[variables('_analyticRulecontentId54')]", + "parentId": "[variables('analyticRuleObject54').analyticRuleId54]", + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion54')]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
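Review bot: The `alertDisplayNameFormat` moved in this hunk still titles the alert `Suspicious AAD Joined Device Update …`, while the content package entry for the same rule is named `Suspicious Entra ID Joined Device Update`. The `alertDescriptionFormat` beside it reads "an Microsoft Entra ID joined device" (should be "a"), and the hunk at -8027 carries a similar slip in rule 57's description, "This query looks uses Microsoft Sentinel's UEBA features". Analysts see these strings on every alert, so I would align the title to `Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed` and correct both descriptions. Check first whether any automation rule or saved search matches on the current alert title. This file looks like packaged output, so the edit presumably belongs in the rule's YAML source rather than here.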
@@ -7677,18 +7739,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId54')]", + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Entra ID Joined Device Update", - "contentProductId": "[variables('_analyticRulecontentProductId54')]", - "id": "[variables('_analyticRulecontentProductId54')]", - "version": "[variables('analyticRuleVersion54')]" + "contentProductId": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", + "id": "[variables('analyticRuleObject54')._analyticRulecontentProductId54]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName55')]", + "name": "[variables('analyticRuleObject55').analyticRuleTemplateSpecName55]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7697,13 +7759,13 @@ "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion55')]", + "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId55')]", + "name": "[variables('analyticRuleObject55')._analyticRulecontentId55]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7722,10 +7784,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7736,7 +7798,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -7746,16 +7807,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -7763,13 +7825,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject55').analyticRuleId55,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 55", - "parentId": "[variables('analyticRuleId55')]", - "contentId": "[variables('_analyticRulecontentId55')]", + "parentId": "[variables('analyticRuleObject55').analyticRuleId55]", + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion55')]", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7794,18 +7856,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId55')]", + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent for offline access", - "contentProductId": "[variables('_analyticRulecontentProductId55')]", - "id": "[variables('_analyticRulecontentProductId55')]", - "version": "[variables('analyticRuleVersion55')]" + "contentProductId": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", + "id": "[variables('analyticRuleObject55')._analyticRulecontentProductId55]", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName56')]", + "name": "[variables('analyticRuleObject56').analyticRuleTemplateSpecName56]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7814,13 +7876,13 @@ "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion56')]", + "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId56')]", + "name": "[variables('analyticRuleObject56')._analyticRulecontentId56]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7839,11 +7901,11 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs", "AADServicePrincipalSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -7857,40 +7919,40 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "userPrincipalName_creator" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "userPrincipalName_deleter" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ipAddress_creator" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ipAddress_deleter" } - ] + ], + "entityType": "IP" } ] } 
@@ -7898,13 +7960,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject56').analyticRuleId56,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 56", - "parentId": "[variables('analyticRuleId56')]", - "contentId": "[variables('_analyticRulecontentId56')]", + "parentId": "[variables('analyticRuleObject56').analyticRuleId56]", + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion56')]", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -7929,18 +7991,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId56')]", + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Service Principal creation activity", - "contentProductId": "[variables('_analyticRulecontentProductId56')]", - "id": "[variables('_analyticRulecontentProductId56')]", - "version": "[variables('analyticRuleVersion56')]" + "contentProductId": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", + "id": "[variables('analyticRuleObject56')._analyticRulecontentProductId56]", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName57')]", + "name": "[variables('analyticRuleObject57').analyticRuleTemplateSpecName57]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -7949,13 +8011,13 @@ "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion57')]", + "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId57')]", + "name": "[variables('analyticRuleObject57')._analyticRulecontentId57]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7974,16 +8036,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -7996,7 +8058,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", @@ -8010,10 +8071,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatorSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", 
@@ -8027,46 +8088,47 @@ "identifier": "UPNSuffix", "columnName": "TargetSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "FromIP" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SourceIPAddress" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}", - "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n" + "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n", + "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject57').analyticRuleId57,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 57", - "parentId": "[variables('analyticRuleId57')]", - "contentId": "[variables('_analyticRulecontentId57')]", + "parentId": 
"[variables('analyticRuleObject57').analyticRuleId57]", + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion57')]", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", @@ -8091,18 +8153,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId57')]", + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Sign In Followed by MFA Modification", - "contentProductId": "[variables('_analyticRulecontentProductId57')]", - "id": "[variables('_analyticRulecontentProductId57')]", - "version": "[variables('analyticRuleVersion57')]" + "contentProductId": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", + "id": "[variables('analyticRuleObject57')._analyticRulecontentProductId57]", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName58')]", + "name": "[variables('analyticRuleObject58').analyticRuleTemplateSpecName58]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8111,13 +8173,13 @@ "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion58')]", + "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId58')]", + "name": "[variables('analyticRuleObject58')._analyticRulecontentId58]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8136,16 +8198,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8160,7 +8222,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8170,10 +8231,10 @@ "identifier": "UPNSuffix", "columnName": "InvitedUserUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8183,16 +8244,17 @@ "identifier": "UPNSuffix", "columnName": "InitiatedByUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -8200,13 +8262,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject58').analyticRuleId58,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 58", - "parentId": "[variables('analyticRuleId58')]", - "contentId": "[variables('_analyticRulecontentId58')]", + "parentId": "[variables('analyticRuleObject58').analyticRuleId58]", + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion58')]", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8231,18 +8293,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId58')]", + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", "contentKind": "AnalyticsRule", "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", - "contentProductId": "[variables('_analyticRulecontentProductId58')]", - "id": "[variables('_analyticRulecontentProductId58')]", - "version": "[variables('analyticRuleVersion58')]" + "contentProductId": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", + "id": "[variables('analyticRuleObject58')._analyticRulecontentProductId58]", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName59')]", + "name": "[variables('analyticRuleObject59').analyticRuleTemplateSpecName59]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8251,13 +8313,13 @@ "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion59')]", + "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId59')]", + "name": "[variables('analyticRuleObject59')._analyticRulecontentId59]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8276,28 +8338,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "BehaviorAnalytics" - ], - "connectorId": "BehaviorAnalytics" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -8308,7 +8370,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8318,16 +8379,17 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -8335,13 +8397,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject59').analyticRuleId59,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 59", - "parentId": "[variables('analyticRuleId59')]", - "contentId": "[variables('_analyticRulecontentId59')]", + "parentId": "[variables('analyticRuleObject59').analyticRuleId59]", + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion59')]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8366,18 +8428,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId59')]", + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", "contentKind": "AnalyticsRule", "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "contentProductId": "[variables('_analyticRulecontentProductId59')]", - "id": "[variables('_analyticRulecontentProductId59')]", - "version": "[variables('analyticRuleVersion59')]" + "contentProductId": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", + "id": "[variables('analyticRuleObject59')._analyticRulecontentProductId59]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName60')]", + "name": "[variables('analyticRuleObject60').analyticRuleTemplateSpecName60]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8386,13 +8448,13 @@ "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion60')]", + "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId60')]", + "name": "[variables('analyticRuleObject60')._analyticRulecontentId60]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8411,10 +8473,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8427,7 +8489,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8437,10 +8498,10 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8450,7 +8511,8 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -8458,13 +8520,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId60'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject60').analyticRuleId60,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 60", - "parentId": "[variables('analyticRuleId60')]", - "contentId": "[variables('_analyticRulecontentId60')]", + "parentId": "[variables('analyticRuleObject60').analyticRuleId60]", + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion60')]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8489,18 +8551,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId60')]", + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", "contentKind": "AnalyticsRule", "displayName": "User added to Microsoft Entra ID Privileged Groups", - "contentProductId": "[variables('_analyticRulecontentProductId60')]", - "id": "[variables('_analyticRulecontentProductId60')]", - "version": "[variables('analyticRuleVersion60')]" + "contentProductId": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", + "id": "[variables('analyticRuleObject60')._analyticRulecontentProductId60]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName61')]", + "name": "[variables('analyticRuleObject61').analyticRuleTemplateSpecName61]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8509,13 +8571,13 @@ "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion61')]", + "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId61')]", + "name": "[variables('analyticRuleObject61')._analyticRulecontentId61]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8534,10 +8596,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8548,7 +8610,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8558,10 +8619,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8571,7 +8632,8 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -8579,13 +8641,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId61'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject61').analyticRuleId61,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 61", - "parentId": "[variables('analyticRuleId61')]", - "contentId": "[variables('_analyticRulecontentId61')]", + "parentId": "[variables('analyticRuleObject61').analyticRuleId61]", + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion61')]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", 
@@ -8610,18 +8672,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId61')]", + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", "contentKind": "AnalyticsRule", "displayName": "User Assigned New Privileged Role", - "contentProductId": "[variables('_analyticRulecontentProductId61')]", - "id": "[variables('_analyticRulecontentProductId61')]", - "version": "[variables('analyticRuleVersion61')]" + "contentProductId": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", + "id": "[variables('analyticRuleObject61')._analyticRulecontentProductId61]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName62')]", + "name": "[variables('analyticRuleObject62').analyticRuleTemplateSpecName62]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -8630,13 +8692,13 @@ "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion62')]", + "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId62')]", + "name": "[variables('analyticRuleObject62')._analyticRulecontentId62]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -8655,10 +8717,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -8669,7 +8731,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8679,10 +8740,10 @@ "identifier": "UPNSuffix", "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -8692,7 +8753,8 @@ "identifier": "UPNSuffix", "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -8700,13 +8762,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId62'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject62').analyticRuleId62,'/'))))]", "properties": { "description": "Microsoft Entra ID Analytics Rule 62", - "parentId": "[variables('analyticRuleId62')]", - "contentId": "[variables('_analyticRulecontentId62')]", + "parentId": "[variables('analyticRuleObject62').analyticRuleId62]", + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion62')]", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]", "source": { "kind": "Solution", "name": "Microsoft Entra ID", @@ -8731,12 +8793,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId62')]", + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", "contentKind": "AnalyticsRule", "displayName": "New User Assigned to Privileged Role", - "contentProductId": "[variables('_analyticRulecontentProductId62')]", - "id": "[variables('_analyticRulecontentProductId62')]", - "version": "[variables('analyticRuleVersion62')]" + "contentProductId": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", + "id": "[variables('analyticRuleObject62')._analyticRulecontentProductId62]", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" } }, { @@ -9285,7 +9347,6 @@ }, "triggers": { "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" 
@@ -9296,7 +9357,8 @@ } }, "path": "/incident-creation" - } + }, + "type": "ApiConnectionWebhook" } }, "actions": { @@ -12660,17 +12722,17 @@ } }, "triggers": { - "Microsoft_Sentinel_alert": { + "Microsoft_Sentinel_incident": { "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, - "path": "/subscribe" + "path": "/incident-creation" }, "type": "ApiConnectionWebhook" } 
@@ -13031,313 +13093,313 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId11')]", - "version": "[variables('analyticRuleVersion11')]" + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId12')]", - "version": "[variables('analyticRuleVersion12')]" + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId13')]", - "version": "[variables('analyticRuleVersion13')]" + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentId": 
"[variables('analyticRuleObject14')._analyticRulecontentId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId15')]", - "version": "[variables('analyticRuleVersion15')]" + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId16')]", - "version": "[variables('analyticRuleVersion16')]" + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId17')]", - "version": "[variables('analyticRuleVersion17')]" + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId18')]", - "version": "[variables('analyticRuleVersion18')]" + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId20')]", - "version": "[variables('analyticRuleVersion20')]" + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId21')]", - "version": 
"[variables('analyticRuleVersion21')]" + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId22')]", - "version": "[variables('analyticRuleVersion22')]" + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId23')]", - "version": "[variables('analyticRuleVersion23')]" + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId24')]", - "version": "[variables('analyticRuleVersion24')]" + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId25')]", - "version": "[variables('analyticRuleVersion25')]" + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId26')]", - "version": "[variables('analyticRuleVersion26')]" + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId27')]", - "version": "[variables('analyticRuleVersion27')]" + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRulecontentId28')]", - "version": "[variables('analyticRuleVersion28')]" + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId29')]", - "version": "[variables('analyticRuleVersion29')]" + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId30')]", - "version": "[variables('analyticRuleVersion30')]" + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId31')]", - "version": "[variables('analyticRuleVersion31')]" + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId32')]", - "version": "[variables('analyticRuleVersion32')]" + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId33')]", - "version": "[variables('analyticRuleVersion33')]" + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId34')]", - "version": "[variables('analyticRuleVersion34')]" + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" }, { 
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId35')]", - "version": "[variables('analyticRuleVersion35')]" + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId36')]", - "version": "[variables('analyticRuleVersion36')]" + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId37')]", - "version": "[variables('analyticRuleVersion37')]" + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId38')]", - "version": "[variables('analyticRuleVersion38')]" + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId39')]", - "version": "[variables('analyticRuleVersion39')]" + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId40')]", - "version": "[variables('analyticRuleVersion40')]" + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId41')]", - "version": "[variables('analyticRuleVersion41')]" + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "version": 
"[variables('analyticRuleObject41').analyticRuleVersion41]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId42')]", - "version": "[variables('analyticRuleVersion42')]" + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId43')]", - "version": "[variables('analyticRuleVersion43')]" + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId44')]", - "version": "[variables('analyticRuleVersion44')]" + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId45')]", - "version": "[variables('analyticRuleVersion45')]" + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId46')]", - "version": "[variables('analyticRuleVersion46')]" + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId47')]", - "version": "[variables('analyticRuleVersion47')]" + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId48')]", - "version": "[variables('analyticRuleVersion48')]" + "contentId": 
"[variables('analyticRuleObject48')._analyticRulecontentId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId49')]", - "version": "[variables('analyticRuleVersion49')]" + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId50')]", - "version": "[variables('analyticRuleVersion50')]" + "contentId": "[variables('analyticRuleObject50')._analyticRulecontentId50]", + "version": "[variables('analyticRuleObject50').analyticRuleVersion50]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId51')]", - "version": "[variables('analyticRuleVersion51')]" + "contentId": "[variables('analyticRuleObject51')._analyticRulecontentId51]", + "version": "[variables('analyticRuleObject51').analyticRuleVersion51]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId52')]", - "version": "[variables('analyticRuleVersion52')]" + "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", + "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId53')]", - "version": "[variables('analyticRuleVersion53')]" + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId54')]", - "version": "[variables('analyticRuleVersion54')]" + "contentId": "[variables('analyticRuleObject54')._analyticRulecontentId54]", + "version": "[variables('analyticRuleObject54').analyticRuleVersion54]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId55')]", - "version": 
"[variables('analyticRuleVersion55')]" + "contentId": "[variables('analyticRuleObject55')._analyticRulecontentId55]", + "version": "[variables('analyticRuleObject55').analyticRuleVersion55]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId56')]", - "version": "[variables('analyticRuleVersion56')]" + "contentId": "[variables('analyticRuleObject56')._analyticRulecontentId56]", + "version": "[variables('analyticRuleObject56').analyticRuleVersion56]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId57')]", - "version": "[variables('analyticRuleVersion57')]" + "contentId": "[variables('analyticRuleObject57')._analyticRulecontentId57]", + "version": "[variables('analyticRuleObject57').analyticRuleVersion57]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId58')]", - "version": "[variables('analyticRuleVersion58')]" + "contentId": "[variables('analyticRuleObject58')._analyticRulecontentId58]", + "version": "[variables('analyticRuleObject58').analyticRuleVersion58]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId59')]", - "version": "[variables('analyticRuleVersion59')]" + "contentId": "[variables('analyticRuleObject59')._analyticRulecontentId59]", + "version": "[variables('analyticRuleObject59').analyticRuleVersion59]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId60')]", - "version": "[variables('analyticRuleVersion60')]" + "contentId": "[variables('analyticRuleObject60')._analyticRulecontentId60]", + "version": "[variables('analyticRuleObject60').analyticRuleVersion60]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId61')]", - "version": "[variables('analyticRuleVersion61')]" + "contentId": "[variables('analyticRuleObject61')._analyticRulecontentId61]", + "version": "[variables('analyticRuleObject61').analyticRuleVersion61]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRulecontentId62')]", - "version": "[variables('analyticRuleVersion62')]" + "contentId": "[variables('analyticRuleObject62')._analyticRulecontentId62]", + "version": "[variables('analyticRuleObject62').analyticRuleVersion62]" }, { "kind": "Playbook", diff --git a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json index 6c0a3d4c17d..76e88b1c1f6 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json @@ -4,11 +4,21 @@ "metadata": { "title": "Block Entra ID user - Incident", "description": "For each account entity included in the incident, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", - "prerequisites": [ "None" ], - "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ], + "prerequisites": [ + "None" + ], + "postDeployment": [ + "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", + "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." + ], "lastUpdateTime": "2022-07-11T00:00:00.000Z", - "entities": [ "Account" ], - "tags": [ "Remediation" ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], "support": { "tier": "community" }, 
@@ -19,7 +29,9 @@ { "version": "1.0.0", "title": "Added manager notification action", - "notes": [ "Initial version" ] + "notes": [ + "Initial version" + ] } ] }, @@ -107,7 +119,6 @@ }, "triggers": { "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" @@ -118,7 +129,8 @@ } }, "path": "/incident-creation" - } + }, + "type": "ApiConnectionWebhook" } }, "actions": { diff --git a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json index 01e90ec6546..90c31d1e79b 100644 --- a/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json +++ b/Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json @@ -6,8 +6,12 @@ "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", "lastUpdateTime": "2021-07-14T00:00:00.000Z", - "entities": [ "Account" ], - "tags": [ "Remediation" ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], "support": { "tier": "community" }, @@ -219,17 +223,17 @@ } }, "triggers": { - "Microsoft_Sentinel_alert": { + "Microsoft_Sentinel_incident": { "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, - "path": "/subscribe" + "path": "/incident-creation" }, "type": "ApiConnectionWebhook" } @@ -264,4 +268,4 @@ } } ] -} +} \ No newline at end of file
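Review bot: In the Revoke-AADSignInSessions incident-trigger hunk (`@@ -219,17 +223,17 @@`), the trigger now resolves its connection through `@parameters('$connections')['microsoftsentinel']['connectionId']`, but nothing visible renames the matching key in the workflow's `$connections` parameter value or the connection resource it points to. If that value is still keyed `azuresentinel`, the lookup will not resolve and this response playbook will not run when an incident is created, so please confirm the `$connections` block carries a `microsoftsentinel` entry. Moving the path from `/subscribe` to `/incident-creation` also changes the trigger payload from the alert schema to the incident schema, so any action that reads alert-only fields from the trigger body needs the incident equivalents. The actions and the parameters block sit outside the hunk, so neither can be checked from here. The same trigger change appears in the packaged `mainTemplate.json` at `@@ -12660,17 +12722,17 @@` and should be verified the same way.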