From d105d1dc35a71d0477106afa5807c1a01689dc3b Mon Sep 17 00:00:00 2001
From: doc352 <doc352@gmail.com>
Date: Wed, 9 Aug 2023 19:21:22 -0400
Subject: [PATCH 1/3] Support sovereign clouds and other minor changes

Calculates StorageSuffix, LogAnalyticsUri, and LoginEndpoint from the environment function and collects the O365 Management Activities API uri as a parameter.
---
 .../O365APItoAS-Template/TimerTrigger/run.ps1 | 29 +++++++++++++++----
 DataConnectors/O365 Data/azuredeploy.json     | 18 +++++++++---
 .../O365 Data/azuredeploy.parameters.json     |  3 --
 3 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1 b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1
index 744592f9e15..4aa63e17a8f 100644
--- a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1	
+++ b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1	
@@ -104,14 +104,23 @@ function Write-OMSLogfile {
                 -method $method `
                 -contentType $ContentType `
                 -resource $resource
-            $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
+
+		    # Compatible with previous version
+		    if ([string]::IsNullOrEmpty($LAURI)){
+		    	$LAURI = "https://" + $CustomerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
+		    }
+		    else
+		    {
+		    	$LAURI = $LAURI + $resource + "?api-version=2016-04-01"
+		    }
+		
             $headers = @{
                 "Authorization" = $signature;
                 "Log-Type" = $type;
                 "x-ms-date" = $rfc1123date
                 "time-generated-field" = $dateTime
             }
-            $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $ContentType -Headers $headers -Body $body -UseBasicParsing
+            $response = Invoke-WebRequest -Uri $LAURI -Method $method -ContentType $ContentType -Headers $headers -Body $body -UseBasicParsing
             Write-Verbose -message ('Post Function Return Code ' + $response.statuscode)
             return $response.statuscode
         }
@@ -150,9 +159,9 @@ function Get-AuthToken{
             [string]$TenantGUID
         )
     # Create app of type Web app / API in Azure AD, generate a Client Secret, and update the client id and client secret here
-    $loginURL = "https://login.microsoftonline.com/"
+    $loginURL = "$env:loginEndpoint"
     # Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
-    $resource = "https://manage.office.com"
+    $resource = "https://$env:managementApi"
     # auth
     $body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
     $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
@@ -176,7 +185,7 @@ function Get-O365Data{
     $contentTypes = $env:contentTypes.split(",")
     #Loop for each content Type like Audit.General
     foreach($contentType in $contentTypes){
-        $listAvailableContentUri = "https://manage.office.com/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
+        $listAvailableContentUri = "https://$env:managementApi/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
         do {
             #List Available Content
             $contentResult = Invoke-RestMethod -Method GET -Headers $headerParams -Uri $listAvailableContentUri
@@ -232,6 +241,16 @@ if ($Timer.IsPastDue) {
     Write-Host "PowerShell timer is running late!"
 }
 
+$LAURI = $env:LAURI
+if (-Not [string]::IsNullOrEmpty($LAURI)){
+	if($LAURI.Trim() -notmatch 'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$')
+	{
+		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Log Analytics Uri." -ErrorAction Stop
+		Exit
+	}
+}
+
+
 #add last run time to blob file to ensure no missed packages
 $endTime = $currentUTCtime | Get-Date -Format yyyy-MM-ddTHH:mm:ss
 $azstoragestring = $Env:WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
diff --git a/DataConnectors/O365 Data/azuredeploy.json b/DataConnectors/O365 Data/azuredeploy.json
index caf1a107fe7..ce67e54cd5b 100644
--- a/DataConnectors/O365 Data/azuredeploy.json	
+++ b/DataConnectors/O365 Data/azuredeploy.json	
@@ -37,12 +37,19 @@
         "workspaceKey": {
             "type": "string",
             "defaultValue": "<workspaceKey>"
+        },
+        "office365Environment": {
+            "type": "string",
+            "defaultValue": "manage.office.com",
+            "allowedValues": ["manage.office.com", "manage-gcc.office.com", "manage.office365.us", "manage.protection.apps.mil"]
         }
     },
     "variables": {
             "Name": "O365Data",
             "FunctionName": "[concat(variables('Name'), 'fn', uniqueString(resourceGroup().id, subscription().id))]",
             "StorageAccountName": "[tolower(concat(variables('Name'), 'sa', uniqueString(resourceGroup().id, subscription().id)))]",
+            "StorageSuffix": "[environment().suffixes.storage]",
+            "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceId')), '.ods.opinsights'))]",
             "KeyVaultName": "[concat(variables('Name'), 'kv', uniqueString(resourceGroup().id, subscription().id))]"
     },
     "resources": [
@@ -231,8 +238,8 @@
                         "FUNCTIONS_WORKER_RUNTIME": "powershell",
                         "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
                         "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
-                        "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
-                        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
+                        "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+                        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('StorageAccountName'),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageAccountName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
                         "WEBSITE_CONTENTSHARE": "[variables('StorageAccountName')]",
                         "clientID": "[parameters('clientID')]",
                         "clientSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), 'clientSecret')).SecretUriWithVersion, ')')]",
@@ -244,8 +251,11 @@
                         "recordTypes": "[parameters('recordTypes')]",
                         "workspaceID": "[parameters('workspaceID')]",
                         "workspaceKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), 'workspaceKey')).SecretUriWithVersion, ')')]",
-                        "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-O365APItoAS-functionapp",
-                        "customLogName": "O365"
+                        "WEBSITE_RUN_FROM_PACKAGE": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/O365%20Data/O365APItoAS-Template.zip",
+                        "LAURI": "[variables('LogAnaltyicsUri')]",
+                        "customLogName": "O365",
+                        "managementApi": "[parameters('office365Environment')]",
+                        "loginEndpoint": "[environment().authentication.loginEndpoint]"
                     }
                 }
             ]
diff --git a/DataConnectors/O365 Data/azuredeploy.parameters.json b/DataConnectors/O365 Data/azuredeploy.parameters.json
index f187eaa8600..22b4f3c2cf1 100644
--- a/DataConnectors/O365 Data/azuredeploy.parameters.json	
+++ b/DataConnectors/O365 Data/azuredeploy.parameters.json	
@@ -2,9 +2,6 @@
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
-    "FunctionName": {
-      "value": "O365Data"
-    },
     "clientID": {
       "value": "<AADclientId>"
     },

From 4087ccb882dcc13c6cf3b6ff49d080ddd0593b6c Mon Sep 17 00:00:00 2001
From: doc352 <doc352@gmail.com>
Date: Wed, 9 Aug 2023 19:24:41 -0400
Subject: [PATCH 2/3] Updated the zip

---
 .../O365 Data/O365APItoAS-Template.zip        | Bin 10053 -> 11206 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/DataConnectors/O365 Data/O365APItoAS-Template.zip b/DataConnectors/O365 Data/O365APItoAS-Template.zip
index 1f2844daf6b03e0cc5bf796dad309f8d6e654a87..a6cfacd13d51d7cf60240a37faa168421d88837e 100644
GIT binary patch
delta 6343
zcmaKwWmHss*T!e)Mp8nWp#_xg5|I!F1PP_2M!HL2NTq8?ky3^R326Zdk(6#kQd(L{
z;2rSxX5GB-?6vkf=fidFbN$agGar7Rm0L7<z>3Hy#DKH<;g6{~WDx$A6>)#ow1`&W
z;pdYA%RAagJ-V%KVr6S-=xD+fMJ>*HCRX7e8NY`RDI=QZTCwe8(?7Ejihqj=ad+ix
zPG<)r8)Fl$zp*gRV;!fi>penPED+6cofTHca5HLK_dHr6R!w~=LdXmR09dXy7z2CG
z)r6}bGTafWYDBYLtA2o#c&=uR%hiS=R8@#(zE-`9lyt7H$t+RRL#S*JO?|C81KI9e
z?UWmZH-yL>i2Og^e<>@<3h-Q>*dR78ff%ZUXu4~Mv!H35s|jJQwlN6R*)f@}RY#!}
zAYSv?ei4#?iym=z<-*jTTbbCa+dnrmGqJz4wV^<elL^9?f@rSm{IDVr1<V@V<~$)n
z^lx3ih)r~wbM=Ru#AP5R0H8?@0Ei=eSLTClqLaYDOvI%RF|aYuZ6mTTWh)Wy_yh?6
zV86~*YDq8xgwBOvYHECDRF=PiSRl`zpT(6=`OjOhce3WRb-2^@WW{B?oaFS)8`vo@
z){||iGh;PlN!Vp9vsEE~D9(wadX#h_gBVjWn^hVlDWW`c>bW-~<vZ|BTyJmcl@_DV
z5wvk#+_qsg(y+P{lvu)Rx}+4z{mz&iOUkHG&Av&xvZE0-kx8`rSE`tXOTjnq+mIoz
zUpu4y$<xo;c$RLvzG05pk6+e^EFKLtjX%t(^hmlRUt8MWhMB5c?0=|e2XKI%Vh0lT
zQQ~8A(?=5-<aqt+<F0~n5YFB1F8q8qbP);-hDyA<1AAr6Ij?rhS(t}u;b0(Q|1E=T
zOBUCj2(2pJ4U8jU6^1s~!_}qO1KDLXhSXFsknORX-03d!DOqwDb5l^AMjl3<+>i8x
z4%^o~VuY`vqq)P{3I-EeYv6AFbEt-dR>amNkv6VWxJ<{}(}H9vVLLE^)t8yv5fe~<
z`EYN;#2F<V3n4RK;_8VK#@<`gsIpbkpZRr5g)8_bJzuxoh$1t^c^)E0zXeg2mO8A8
zyj67nrJO=m+pSNOFq)-g>0+(EK;2>tZMr9O8amRLKxt*xPkNZlQVeal;|3Z&F^YL8
z%psytmWcz|SgDbkLW<8+inJ-(Mf-=KdiHd+MLor7FJd=Qg-ldiQ0t=^f2h`_<>2s<
zg2Tb2+`bi!`Xdck%DlVwy_gcfROLo9P{?xft9Ew+6+#O66u0T<!~m+juP?Iv3~ZId
z0UV1}hq6E_%!pQ!?if@b78Z!ya+y9IF`#*;NfpCyKQ=iRj1!Z)^6k?mF6|SjA5cg1
zDJN^|Mmp5jS@NzcHZeol)&un$ccaKTr&TQAz+76J?9{!$G;-t-<RA<8iiI>yfZJ61
zh;oh}x}04MnAK;o{SjTMXd@`Rjdyqks7n7sROJ~X;ift_&^W^sifsn~!Re+nH$>T~
zECng_QHZd`a*a4+c^{Rq<&QxJN7$3enj1BBc(EZ<?#SZEYCanhN?-5qYtHot{Mrpp
zynR#}lGc9egnB@Z%J&F9ZFeIy2;l#tl{J&1ao-e&jG1=(%@=V_1);fv6Y+)}!T>UR
zTg&^<E>@g+RIaa(dvvdxAIJ4-b8|=kMmhAm@v8Z0_pxVbq)<^?@B(8iw2=~g{6<B}
z!4OIAek={^$HpEB=aT`qI_O5Sm&jKhTZOTu?j}dH_ebP7FUv4hg}AK}HeyJ_%}pqO
z*SZLclMB*4+qm=8fDG*HyUXHBnL7$F>h?AVRP&nyG=0>F#x$_UKo8Aa`#%O3lsdIh
zvWX4AJ%}3n>k~hE57TzILP>if2)&SnK(tL6v^hGIbdBUzLoE?os9Lx!G{2W>;t#*o
z8m14|Mp%sKK70VT)B)a(LJ#3b?VxDQlNXKGG7{X`8BeZ{Dft*eY9|fPk<nS(o6jp|
z6Ka3K=V2+9;e@q9BCS<}Oy|<T+#mx8Q7Z6^U#*E5P$H(JTJlW)1l6-@-tzf?{}_Tz
z5;Do|H;^N)KC{5C9`CCH_31hG8g~6{Bws(mQq%=+diSO8#FW7*IiBuz{QCI3N*KEz
z#Z0n!O!Ui#Jg-1K6!k)RgCF|6P-v<6+i2QHPxwUL0Y*v>UQzVpHI3uGd+6(fX=+8G
zMLe!8LY|ysUYISSQ~*^gZc*N?eOOUplCBf#NQ$NF!QIHX_iOd{m$u4bnyJ;<hJ!Ti
zs0Pye3CU^-Mn0RETd*{>&9_Uq9j?_Zgs~~R!A!s7=8&H8tDEzNmDGSTNuC5P^?Yxd
zK}No-FK7~yX&WUS<!c-(%!<b3)*;`h#v%6JoB!p6Fly`EOCSZb9UkfbmVVk=OUYL#
zcS15L127aF=<cD!Be2n+ZYcGf-l7`>H*;rI)-{>wlR}aR0ORCJVuNOGxnfhKD|qCD
zh;rY_Ph?XAV`o|R@hSrp%Y>8)diz+}6Ta4~5{M2?^i>R{Pk(8U82SV>X9;Vkc(4Wf
zISW=uIu1ChW5I+<7GXH#asFr!26v8_SG)laRPMT0&bLsgu>tCPU8Yr1v$S}VdmNb-
zY~P0jZ=nh=QkxR#%9I7ckT%DT1+xr8%ZNti-c^8ixdt23l+r#!s4|hfLXYALP0;-)
zC9-he5LIpEi_6))$)btC-QJ3d{m|m-j_y`9b)@VI-A9Jnk}G+y<KuJr4u3xYbZH9a
zYY>#`zC!`1zKc}SABIX!@$E0<fqQJ~dqMVjyw1r0*QV|G?~OYIwYy){OXy%C*}6AR
zP<-0vlE2HHE|hXS{kr~pwqFlwKj9~D!Fn)^6%}AmCZ(Ei&kae@(8}6$_W+6eeM<S$
z?Sap52uK8apsNnKwUJv#BJM<=&PG3))x%h1x}=!8w~jACGa(S<BKx#bI5e+WDc~tw
z8?WjVSFYs6y$V6jEMlUf=3f&-K+_Z}yxrh0`{)GK%OJD`-9EC^hrajM3T7=Jlq10)
ztxtYr$@(ZNNoCWdGlJ#FM~V~P!Ld@By$uc9Hy6X8+=Uv(KgwxrOO3nowe_<U1SN~o
z9@o_s_`MIj`z^L|+rf!LPtO?lW=+ROXGkK~n}izcw7$Z(%Q|04;O4@GNd}KQ3dcxa
zo42v8R9M><8z?)v|JrFI@~D#OAuue?GB-meyv^g@Bxt#4y%X0N?$0<`;xsuu4G!I6
z6zV_=fx<sptflO5etos}%S>cH$jdjdR1BAd`e>d_vUA6c!=ui)$R(u<zM<iQTtgKL
z4rVyT65I}z)Eyb~Tv>z8uF>#v)W10LW2&U-tsj11<R$vj9T#dcc`&}9ktE=5?Fh-P
zG@Cv+emy<4l(HP2?M~^HPpLj9z}N2c?R9bG3Ut$y7hW_9FLwD1A<TO|M3Cq3(_+lW
zDGp4W=78Hz>GiO-!qMHjd}~s+B_EV7T<ATxVk4bt1~V}f#;>KcXE<5W#lQk4%NC(G
zs1>uR6nN<qKLHE|vH1R|!s{}>InEoBKd|9MiHz)idu{|$XKD<}tWm9%$m-=g^jl7l
zf*v~)?Cb@~w~#GQQ|rqFE!J#LP<eG&Z&JDSH03@a)3;x<E8vgGP8$daeZA)H=+YY3
zkL(q7x7jga$}_Ka@U3%1DH=83{0qCM<)~7_Z!y<!N{$#LLT4Wr*I2B^&QU#IHP}LZ
z?#GxbXL!Ok7h0Jy8_LyC4ItK-i@z6?RSoqioC{}U<H=Uf8#5Z|%(gENc3C?_oj3wU
z>#@eU+>5_Knz|lOBtZT?LzCdyGhzEonx7cprRsc@gA`c)MDzT^Arsa$wE~ySH0<)>
zMEFOmPw~#$+B=RFkTI~=t1yXNXUoD_AqAm;`%7knb&=AV#Xj6MrEUNMW<KuIbth;@
zFq(X$WX|BP*81=4eKF~sXgs3j2PI=XY{II%xR1!2@Z#VR@VY81VwPna&X;oYfY}z2
zYGlRYkoU^K8}gCd1D<kJy$vZtmM7`9Wo|+K_n!EZ!LpYH^;?|3kS|qm3>^bKnFq9x
zYHY@7P;Zs)%=|{_z|9`F!5j3GqTqrGDVj84VJ@nvmnCE5zNMsOs+_WGxM|;f*U8cT
z6;+&QfD)XEd<mE(FhGvn7_(ddgyN=C1R;bVb4p;5y%xld(s<iHF(;aKh_Gl$VIKX1
zK}9;r31GQpBR(Jq;$frhh;8~k$&lkGX-`@Ahk|O7snIwt&7%YQhEy4Ifwl=KlhgdX
z@c0uV7dDm^7K&~W!s9YES*rabYcBx~ryrVH1F?@v)tLEe!oJ1Db!aliQjKM}lHDh`
zmxjNrTVqIEoDP@%J=#CmYX56yJf7@P1$vx2*sW+q9Z6xDAFLv&mgAg4b5kBGnm23(
zg@(-t<SN)@I_w-lu=80*icftKI>#}@WmPF?=$$wDu$6GogGb|SLttr{R4B`yUFrc+
zc~;5bhz0SSp#Jhtrj+u;;$_=t##M@=usg8GU)+m~?s%as4Fw8D=+D#xYMwyWm}nj7
zN}|ZbjPkPb);4kXeVr&ng_3XhVZdCH*%fBPTeIlf6U@<q!>3O*<-!Zup##IS9$0TX
z?XUyx0I`np^T@c?Lf&JyIw|gWT1oboE!x>Tbgtm~6|k!(GzX&kASb;YM`}xwDpEV8
zl;fK=sdcKjvvVZ+K1AKGQKvWrj=ox>SeP>uVj)Y?o)p@fgzNmNgSuC25=DVpf=%7V
z#-K#m>f?uH`;<)&{^8}+erTXsu@$pTOf5GCB(RNtFmy;;`i^@SAqK{X=zSSv7*3Tz
z1}UYf!3-{}8H?DGy1h^bt22=z$H-d_3JN=JVRG9TbHj%7EoOZcP0O5eQ*sBt7<tLG
z1aj3;nt8gWt$b9A*%G7<+UzoxqA((XK0EBL#J0%4JHke#Cz2aI1YLQ%W{JO8(LJv5
zN;M#);7w=T(E}pZK|J7Ou2r<Q+HR)cvqn6vd8v7C^KWId3dL@V$A_Af)J9pR<I(gG
z*VhwKtsbNqcZzW#t~t0kOyMN7Wtw-tRCj1^Z$IPA7pV@&Hw$nYhGK-c9*4U&TP*yt
zOK4s>MT&P7yOHE-1%S@je01l|wumsV7_3P)V#y->v?S<XUG41eJ<Lg+-q_LCY;kCd
zuXG!~qfiD#Gd9mA@Q`79pI(u7&bePye#kIC&7h;1Pli8U4S%YBuoXF!m4u+sp#NU7
z>Ru5X#z6<qWvgGbW8#>|>yoL`M~QF0QCMY_o!FB4HSbQX+AC;d_2TC@l^DRl8q*=!
zp7`Ck@6|tU-EHnJel2qcFF>^YIgG<CGf7V=l8K^J-g<$z07GNdmTXEUb!^I36tgMJ
zB7u;gi`6SJBvm(ul%b^ax37xb(~RVOG6B!9JN58UV`ZWO%a^>Rq7PMNGmbTyR*Tw)
zgbxd=do4c_#Lv+|(a{pN2McJ7Ez^aQpZem`vGF-Q_Z+QS{V=IJspr0a+Eds3$WL)$
zWUB8C<%h|D$*h#UZbh2=Ycr#LL{3O)gK9LALR1`~HDZqfU+`PvadQO8?38gE+O3Ij
ze#-t%`&vzf(v$vx&<#iYuGTj5UJFZ6g5j;a2(lh?3a)+7eQ0CWVU2WUdd{af>Gn3?
zoQNX2AG&^)krS3t;id)Ci;A0eWSe^I`B5U3ANwD1h5OCUHhrD}(*|u2c?Egz@N)YM
z03I){O${28;fU{a-)}G=-Z^oz6L%F8CI55`>G{&_#oTaUyMxBUGW<KR7(F8RMJm(l
z6wlCt6ZHy-P8VpRQwoNEoUf<JT}Fr14ISY)m2u4~sbs5$8&VXIdjIZV<8mHg1P9Ba
zS<U;N%pXm79kOCi4AW8}KPlmTYbG6Tr7^()R133O3=wX|@%Zr*G`TookA5?FB{7MH
z7V}voZO!xJnpL7uSC0h;qjuf2k5gRdYgDRe@@-h!x7UCU$bU0tA|+Zk@0j>L7@Vhw
zqBC>ASV=${$j`f$(7&BszCX>j&Ij>K1E2En6sk6<RE(RE@DB=3@6C|CrBE^I-O^iK
zub{yJ6?w>4;>d1v05kFIcfIuBo;J(k{gICAj+AN=y`J}up9rtfSLiRW>EtWN?zMX)
zgLgC8o9A@0x9_%Cf~8U&Yo4o*u8#H>u!5IQ7u7N+IF#z?8#WwmwFD$2XZ8QWvj2~5
zu7_n93=9HS5x+D30tC>WT@ZC8?0`LFxCy-q0G>Jic+IZ!a+*DNd~RlKV{Zah1R@aw
zF3{td`EQ-!!9T@~xGW<2auD!2iM*hNe`j6I3(sc#3C4f`KbL2nk3!HxhVw&RMu!*P
zPuF?>#;`PWvNnQnnmgE7U!3kwqRWW!VrmrvL;aHo@4uWCc8`(nd`Fjw<AwPJf)ieS
zoL7w0=f}CsA1}NTDA#x)HV%$g9^x{cyqGn5)hv`VSPVO1{PVF~W|bG_HMDDj*xK8;
zJ~wf=GRtL{c`?oc{qi{Uf50`&4n&C{w^y;vGdloq_O;1iT(<w?{tx53yx+^L^K9Cm
zFV643^RO;BIs$z%o$vQd{I|}q=bt(Y!-v3|SMPTd{U!{b3G3W{8HAqs|2*9DfB4U^
zDDAobG7-J-j}cz?{Aeb6fvfQ7g?AkB+rB#c&_B;T)Bdfqf2u!4i?~>TuJe*H)8G*T
P2mwc^06-Z+1pxdXK~hEa

delta 5252
zcmZvgby!qUx5kIgp+gC!%MlnFBqgLfL_!$4hZJP+0Mgyv-61I5l2Q@^B1nU%w1f)Y
z8NA=;bG`2Ktmo{r*8A?Y&pzj`-+)2C`YlZr3``0TY6N21YQHm!Dd0rTQ9*!=cz#I=
zR9-`9eo+qjtd0zPR6awW3isM^nY(YQgUmP}gBlr$%WTw%PG~0Awsicqt_Eb19SsB`
zM-`9JCa()*UmA;^A``91phOkEpr>CKI8!PN0c4^D8DywJ4Mrvf!Bb(KwvrdxrpSZ~
zGVo9ZH%!-Shi64R(L3b&VHm%++(3x+8SQuX9*IRMq*N6dgeVIGj^6L?iQe!eWCGQl
z6jjK<ss7*Bc^Ag&X@yMXAcF=~dW9Q)?Lp4}JFa(Jhew&{hlhV%Y%EXTMMLh&;O6h6
zYpBB$z`L%@%ZJD}BX@U&4gygj7ia*J&!YjJmd|x`ZPreo5raU5P!I_90d(!0tlV_n
z>}+hT+<4qPow?!e&@tLYx5a^POZ-=%;9|Vta*(py7dGXEpc0PAdO24)4rhDc53F@8
zqyZ1H2^3SDE`28!2<kvG3WaP=ha?2PqG$Kg==q`y43$gF>4FZ8Niuj}6x^@#2ZEq2
zc%1F59!e#oXSGYE8XHCqa|EdnJ1M`Tli_iA%bL<I#3xQZs(F7SB{k?+RAsqb?{H6z
ztYoxBBsc5u0uq(hMur1Fiv>U&j2(w@Af^O2bdJs3jx>cQb~^+|A?$N7dB0Pe)qQpd
z?lkiY#pz^`U5_pE)}fM`iPUUBmj&@1(S<>=iHTOvZuq5?F*a8+{Zp5sp4rCnG&^Qa
z*Vi&&X_%)l^3YO5t5!QQPvS)$EPl%F^{Jw?j)E;+oKYWCX<z>-UJn6T2?ukl(*2qN
zPw})9o=^)HZ>aX2+Fn|!J_$G3LP9W`DvNc2R%xVWTvqBLZv=(HyqO|Eoou^K^Yw#1
z{LC;xyHPG92-oNfY5WDjeXLJ5Oq*s7mfjGb3`n;(#!<$S(jBThTcHh;4|Kz*TqzUc
z<UsK{*w#GZDglK_4vouV7*Gu`c^0IB18ks$RRPEINe|Xq34`C77EnoQG%zkA8uJ-l
z9VhE#+0M^}_t<daHRl3%4YRbZ2o!PD-1!4dR=LN_?bIP&d~fq}K^p99$LR7GV=~tC
zxerK>b#g>JDDC@Wd{aA)1B9Dd2F)NlE%wa9*%T>5QS91*Ac`9T?8$p`ARjZBy{p_R
zNp5=OR0Nu~;YYCeM^GIlzjXNYYy=wk_IDc&9L(pnptq?R5AuM(IHim{e4wTnI}g1>
zxB4v1ObOSTn4xB2DaWb<y&Hol+-n5lTX*9DJ}bGci6LZ)<yfm9E!{do9Hjg@&_>H&
z8gVO96O^W#-xVz4pTviMddEA3f=Gxiy0$$WDp3OCRxxC<OMYeFSZ^Q#jSDu45U`l^
z|AvjgE<;}fG63VKgU9h|sUveLFrgiuns&ac#Dq<D!ucrH(9#@XHgt%9tSXugThu*^
zI#+Z79`BU`?Fi=3A3rdsBQ>BKD+@uFDNvDT1g2TMxiSKHgm()GT=F<CZl2>X#e_X0
zTJozNBAjHo5IZD$ic$6Wh!f83v7(rE!faOyKdH^$7Xw0n;C!rDa!v8qd7%!-tcyCH
zk&6(v<`2<@r6`D7w-nO6$NsgG9Xo-oA9e##q(X?Ht)3Sv-prT@COM_cd)n<#2wUOP
z<dSaF&NrEAj1m5(Z<bZ9Vp=~VV;Vt^Un#ZQ?mxkx<h@oO%lQ+$!V<v97M!HCge$XM
zWhg2&k^(RYiU0>oO%t=r9SZp;%Ma+i=E${WGGWqM8~#%z42DieM`RP)RZxhx{gdr|
zth+9kRwVVhbBxueKVS|Jm6$b?TeoS6?XsVDas<7+$KXbdAQQ)QgeJA_C-~7Ow1-<3
zGIvbeoUhD!C_!@CL*vM3@z$3!j%y}V8_|sI$qJmG7~n4LKY2MQMRn2;jhSgICjJca
z#YL!B-{<C(Tm47wD_yVR>JX9b5oM*mqV&SvNt!O-%2|Oq)8~xzg2Rs^7WV`p5+EpB
z5wq1aRqrCW)H5)E;E^yG5;0bt9W-Vom^w$_s?VupQQGb@_0>tMY>WM_e10UcLfXc%
zu`$q@6Xkn}wk%0+Oq9V&qiP<sz-bL3xsl5tg_oji4C%xpzr}MbSM1zjN!rDl?w<xu
zrir}Va1OTX*M)JNoYkFo`;VsTFBC8s_iGk0JRDY!3gGP6WWl$9NZ5dAWt}O}E#0C)
zSXQ!OWgJ?~D#t4D2Pw21i8rENf|yb@3;`I9WHVQk*6z^z2AT3q^(ce6_<1-<_XI_R
z%uU;TIb)D>55h9MRyQ7p2|Ih339F@Ugbiz*(6QW&JxT15p_P2uQEe`chELN$wU~pq
z#Ch=mU0#T`z9BThG1!kz+wMhI-Pv&h2=^G;Q~|qHgwY>W?iESk6Kzx-YUEYL2w-6x
z2!H4PIlT>~QnP{NloEIw$jjFU5VeLb$jxdx!HT63UQ*mQz;#~e=?IUM7gttXHz@D~
zq^f(91~uw|Pc$Cz=EK_NfG3E|oNt~igO4t~E8?kDLZ<N7KGAP%((Nx&{OqIme`AJ@
z06aW4vk{*I?K)puRFkED#b@Cq0etX#PV_EuK<eF6kF|SD5rxVd`ix(=KnEdx+dM1Z
z!<NLT`4-}a>1S$Go&<*6EP3L5`!aWey!FwCmeTExtBppSRC~sjxhW?1Uan9C&4nRm
z1ux%R({}`(5RZY;EANU8zNCbfpYJ9_PrcJWlI3uba77Lskk8^(8J<sVUjjc0CveWx
z)<(meYN*!ucug2n&8Z&j0fX_Xv9{EM{mDPkQ|4nN#JWct#_~;%K)+-NOwP!hwoRsP
zJXUR2u$ns(OaeE;NU08_6}Am})~z?2p|0YK0as+Sn)P0`Tes=xBxPNK+^fa;n@nOI
zk_8j3^)!m%{sV!=ExRx65r9w9r<(q3AbDbK{agVaP`&lOP`<Mc=DZ{`Y!W{EXq2^t
zOZ=V5<a@qHi|9HPRYhH`eJ#C0^6c=ZjbMI1P14#pYB}LloZih!lGYCwOq4ZQvMa^~
z6ekB8#Ac-9(Ysr%lR+Ku(=OLj;tC;yps%;3Y7;-~ER4^_nfKYA{Qxr7S2$wmxQE;*
zugdNvmE!n}Og$Pibfn1=jl6jh0fAdHMxy(S&AVQV`vu=48NzqtdcVcnxjHxM(^rz(
zO72x7{Xu(6^HGYx*AwCLS!g;Nb=LD5v~a9npN;Xb-}0X1`wxm$s;U*An{0h+a9lqQ
zb1z@Za74>|RGENhFa`p6Y4m^22K8nn7W><VzP<{)n0rV%;z~{-Wnc=#?x=>ik}bQ^
z?%tW}v}qc=JAK>eq&r!^<?4w}4Vhgf_!~X1XY%(kFF}DvW|5z7bw$Vuz-U%|D?9WG
zN@U8QG5E(F3>?<>-42pHFNxB(dW&TyM~n&wOwpDL2I$xxlL%=7Otgs0+QuwWjRld_
zJ8|4MBC6sD@+N!V)Tha}$cGbF@@Wh&kg21Oq=DB>3Z-K2Ny!Xw47tTD;1_&Yedg+#
zc!2NC%Eb0Gt2lI+3avO^-mlZ6O3~$kpN%&4TC&Q^<z4%sMbje6lUF^RNpDInq&)~q
z!JnRp2wJ>Ys;8fT0V5G<!MVwyTvM$_yGBhy1jK7<RbxN9gzbk*3AAukt0$<gj%6YP
z2?e>rR_hZZzXhmB4wyrur$O(#c%MN|#`vi<?gO5J;@m{G!pmCgDk02p(fbcn0zDW%
z-aGn1B@oo=9#S!3$$CFL0rxFae6iIleATwC$|YXSv6oNDj{r!(yIDf&o|wM#-J{VO
z(8i-fw7|jn!8a2mU|E5OnXd~r6ygL0Ston2ZT24zxuy;6lROcr8G;QNA0=#Ie>n{?
zwDE5)NPG2pG^>s^x+mCJGBdcdLW)r0Va(@9K6aQn8dx>!nRI{`ZNx9)Za>hk5CO92
zeQ=0#%x7Oe2qDng!kQ__+Uh(^G<Kf!W?5w7G&OG9(^**5RIEe!QeiDS;jJf2RG)gp
zo>4^s(FebKOAbjDBylC>BW2d*w)S4MZFl8U@5m^NHY#;0`rSsK!fBavwpCCq;zR?!
zTS`nCi~AnZ$$mK%(TRo<pB8B&hC6Ua2!^1WoO|o&Dnvj+zYOJytR1AE%mME3W)B)9
zS;?xKK2ixGoGA&vWy3hHw;vJ`PiOh5Kx;8<mMt$D)Fk}iG~-U*tcp=|hXPT|adHO5
zTIwA?{bxJOTHetOZ49c61Teyg8G4cEP@`f-yr3#FueQDS(f(UmmTHH3EjWhm9t(EM
z{&#NF_Jje``8V$Op49MLKz70$xqh-FxeLC1y93k>?YtN8lNc|N9!B@2BgE6(U^n3`
zNM1M>Yif2jM?7}O{6w=}&*#})*>R?iwMq8YQszVV#o8;8Bm0$VPmK2(o*w1YdqP3Z
zxi)$UTq&9=UNt_ven#u~_Ah5rH1p?`?t3-J5S^z1wI;FD0Y!t~+}|zI#?916$HF8`
zSj01VD1M}lZY!CwHPG5kV4>5&cB3f^#FP}}*v&ByLECj4w$cd<RD?6IKCo(=Km?)8
z@>bz$6>GF;Ji8t)eBPy~{^PtHvE)6Myh-e<jctrFUT><nTe?ivLW)mGpLw&&u-!{L
ze&!Mgm@}ntBKRNXDX8>k?`UzKT1I<f8kP6iJa{*&%%eQMWpsAx+ji8Zz6W!-EgD&)
zjibE4(_Q13(Wtzse)SSNRH-<4swt<{X0QZy{PxH9YVaEfnPaB%Tid*lHs;Q&;OH0O
zP9Y(&jyAk5RX4SL@4C)Nq>S?%x8*(Yh-}QD0CsbvhN%uOFus!JW-ksdut@%*_6ncC
za3aqIhn(LtA{N>m(cXOd^OZaPtS+XPSc#^-LCN9ym$f;?d5D}bf1<CMz0X50`U2PF
z`c|5<dsA-=l!{cHg~toZ#s}PROO&fbU$i7V1zlC&zh$P%8PEGXC)}`fFF#+UFN~sU
z<R?%t{;3Ym;~QFFgqf;5Y0S@WI&C4HY=9w@_|ZUbEK<}}sfXmrx9U5!x%xQ%o`qs^
zVO@^)MEz+ICn6SVFV@0o0)hhtw9?ev+RR+T%i4SJdL(CXNW^1qC)YU@LrJd!S7VJ2
zsa4%p!Z^r<2NMAwEp<eM#AAz57ehY7Iz<4Q$uP<iX<<of4$Mx1-w}b)FIH)rlFbf2
z`@JsRZL&S+g#~20j}G%CNqxZD?!+FJr4XLwsHkA7<GCP?2y<r&R^D529iPZ%I8fJ!
zO?kr{z_7#q^J(-!5;kZC)H{^f^JaLG7P0d<s=a6E^X2ib8=Oy^w)=<e<X~=udOPrD
zb%#<qPUxI8n^219R8oyXydjEw@1f_#_a=m17RP+bjLRoJ%e!=rG$Pm<i^(#Y&xiw<
z0|hjnO`2_M`P!hDq{?bKwDD+_d>;g1M;aT+=IK+MM(dWBSM;=}D~I=HxgS=QJm9(c
zEq`PwUsc|_Ut+7t^|hTpxe|XQ_jgjD-5kTa>=i48g}~z>`4lmBTWfH-SbNXK`I1<9
zV#SchB;&Z_n<XjTh|gT;+=rP|BBc8F2XLO8P#bg=AX;PE1|Hp3ocX01CFt0E=yg$*
zsV1u4+`-^q5jq%PD>`v{wn!|*8izn@#+5%vwMx6OW>(DC#HCj48BmDha+*nF(Ns<;
z$fE<4zI*sOM`a;u>pkbXX<IE{=q@*hHCnPiFBn8{B-~MqV6-|t8GiRLx8j#*!O&g2
z=q{$^0|Z=`QYvkr3+?}slmEg2<m8%z<ghXW|3WG#AsUDQbwdtrYfonjI~!*gH!DpQ
zG<1q<6!4p@{LNfY^4~^nl+nh{<KMnNL<Wf!P+LKb-^Nbl3<+qMnNS=18_xWZDIkGG
zq6qu#YuVqZ=8udE$utsU*cq>7e}kJpvN@D&i~SbxFO2g?7J}qAwl3}--1hD+&VQf9
z-;n2zjQ|q_g1fm`+c{dHh{@l^^gj#;xQ0M~ocP$+PH#Ia_kZ>z`->9&ak?X&ZdR_I
zc5YTqR?Z&o$i|lcuk+s|2?Rzi@cT0e;UG_Bh?DL5;84r{XQ05+??HmRO`~Ke%p}G|
zcrE=KGohrvSH#A>mU43c{r-RRr#}{TB>77G#KmO!FBtVlCWhp8|3XuL8vQ1RD93-s
ie||d9^>4n*glv?<dXoYRd2ApM3F<<AwA;+6r~d)^r-ADL


From cff6e8c6634e907a73c8465b7cab27c5756f392c Mon Sep 17 00:00:00 2001
From: doc352 <doc352@gmail.com>
Date: Mon, 21 Aug 2023 17:14:52 -0400
Subject: [PATCH 3/3] minor fixes

removed locale from doc link, fixed WEBSITE_RUN_FROM_PACKAGE to point back to the original aka.ms short link.
---
 .../O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1         | 2 +-
 DataConnectors/O365 Data/azuredeploy.json                       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1 b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1
index 4aa63e17a8f..ea02a010837 100644
--- a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1	
+++ b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1	
@@ -14,7 +14,7 @@ function Write-OMSLogfile {
     Given a  value pair hash table, this function will write the data to an OMS Log Analytics workspace.
     Certain variables, such as Customer ID and Shared Key are specific to the OMS workspace data is being written to.
     This function will not write to multiple OMS workspaces.  Build-signature and post-analytics function from Microsoft documentation
-    at https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-collector-api
+    at https://docs.microsoft.com/azure/log-analytics/log-analytics-data-collector-api
     .PARAMETER DateTime
     date and time for the log.  DateTime value
     .PARAMETER Type
diff --git a/DataConnectors/O365 Data/azuredeploy.json b/DataConnectors/O365 Data/azuredeploy.json
index ce67e54cd5b..29a54dd027e 100644
--- a/DataConnectors/O365 Data/azuredeploy.json	
+++ b/DataConnectors/O365 Data/azuredeploy.json	
@@ -251,7 +251,7 @@
                         "recordTypes": "[parameters('recordTypes')]",
                         "workspaceID": "[parameters('workspaceID')]",
                         "workspaceKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), 'workspaceKey')).SecretUriWithVersion, ')')]",
-                        "WEBSITE_RUN_FROM_PACKAGE": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/O365%20Data/O365APItoAS-Template.zip",
+                        "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-O365APItoAS-functionapp",
                         "LAURI": "[variables('LogAnaltyicsUri')]",
                         "customLogName": "O365",
                         "managementApi": "[parameters('office365Environment')]",