From 9627f4e3dcce2f301a73ff9cfb4063d2524184a1 Mon Sep 17 00:00:00 2001
From: Github Bot
Date: Mon, 4 Sep 2023 12:01:48 +0000
Subject: [PATCH] [skip ci] Github Bot Added package to Pull Request!
---
 .../Data/system_generated_metadata.json | 33 +
 Solutions/PingFederate/Package/3.0.0.zip | Bin 0 -> 17884 bytes
 .../Package/createUiDefinition.json | 49 +-
 .../PingFederate/Package/mainTemplate.json | 3887 +++++++++--------
 4 files changed, 2173 insertions(+), 1796 deletions(-)
 create mode 100644 Solutions/PingFederate/Data/system_generated_metadata.json
 create mode 100644 Solutions/PingFederate/Package/3.0.0.zip
diff --git a/Solutions/PingFederate/Data/system_generated_metadata.json b/Solutions/PingFederate/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..997c7455ae4
--- /dev/null
+++ b/Solutions/PingFederate/Data/system_generated_metadata.json
@@ -0,0 +1,33 @@
+{
+ "Name": "PingFederate",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\PingFederate",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false,
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-pingfederate",
+ "providers": [
+ "Ping Identity"
+ ],
+ "categories": {
+ "domains": [
+ "Identity"
+ ]
+ },
+ "firstPublishDate": "2022-06-01",
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "Data Connectors": "[\n \"Data Connectors/Connector_CEF_PingFederate.json\",\n \"Data Connectors/template_CEF_PingFederateAMA.json\"\n]",
+ "Parsers": "[\n \"PingFederateEvent.yaml\"\n]",
+ "Workbooks": "[\n \"Workbooks/PingFederate.json\"\n]",
+ "Analytic Rules": "[\n \"PingFederateAbnormalPasswordResetsAttempts.yaml\",\n \"PingFederateAuthFromNewSource.yaml\",\n \"PingFederateForbiddenCountry.yaml\",\n \"PingFederateMultiplePasswordResetsForUser.yaml\",\n \"PingFederateNewUserSSO.yaml\",\n \"PingFederateOauthOld.yaml\",\n \"PingFederatePasswordRstReqUnexpectedSource.yaml\",\n \"PingFederateSamlOld.yaml\",\n \"PingFederateUnexpectedAuthUrl.yaml\",\n \"PingFederateUnexpectedUserCountry.yaml\",\n \"PingFederateUnusualMailDomain.yaml\"\n]",
+ "Hunting Queries": "[\n \"PingFederateAuthUrls.yaml\",\n \"PingFederateFailedAuthentications.yaml\",\n \"PingFederateNewUsers.yaml\",\n \"PingFederatePasswordResetRequests.yaml\",\n \"PingFederateRareSources.yaml\",\n \"PingFederateSAMLSubjects.yaml\",\n \"PingFederateTopSources.yaml\",\n \"PingFederateUnusualCountry.yaml\",\n \"PingFederateUnusualSources.yaml\",\n \"PingFederateUsersPaswordsReset.yaml\"\n]"
+}
diff --git a/Solutions/PingFederate/Package/3.0.0.zip b/Solutions/PingFederate/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..9cf759ab7f7ca31f173eddebfb68ccf834e2f84b GIT binary patch literal 17884 zcmY(KQ;;Z2)2_$H8r!yQ+qP}nwr$U>v2EL4W82o5{eM^Isv94xv)}HOr&qUnz0^$U7h0sk;C8RaxG492=;WAJ7Q~<*Z1+x6^!Lj7z9JGPXds35 zIn7JTlB01KFqew~5ZiMi1?=MP+Ja&YTWMtIR3AF}EsAFTblQA)+{5hLz!Ug)$X|dB zQDyU$Y0gk(Cq1-KL9M=~T6gOOk)QEFhWQCU-`p&b`3kmU(?l4gX=G}%Ic9U@%AgOw z8xTy7Az{2K5TIwdVsU%LEx!HvR~G1WAej%kih`dttgd*4A#b9TYrKj2CZlZ-_K*yZ zcSrASLM7aE$nZONzHb;jvgkN6(x1;k4`sp0?N`^CsARGYthtjNW-TWBD=Txb@@VR=FkjVI)6_0^y^+8$Mt{u zbt$1cgCUuz!L5${NihJp9kVmah#>(15&x+mKeZ)ki`Gfke0`C{;gvcDV2Ph<1Nw!! z;>_+H`hYlvV|cpI-cdY|B_KOa^=JEE0mL72gUims+Ma?sDff6=kbrqXUM3l)i0PBIjzWt!AO1NuHozc{FshK&t7Aa< zN=EfuqomeQm=E#+e+8>UZ(`E~eu3#z0jAiKWQL%YQb-5{MG1Cb6ou}D)3YqfE5Ioi zn}HjlcYzNN0tI;t(k0M8*mt@@tJOt<3>J|!#eC;P$x9t>r9ASgz2O2n6;LBD$_-JT z^{7734wV)-<__reu9b3ijV%YlY{+xFdjPMX4OP^g(t_iU$=KuNkOgs?ZuvR^LBmV( zBa^;sGV+hg!D0MM7>2`{98nSQ1Qeql!sx?!*lX;Nnhjj*$4*8_uT{33<>;+XG@xMsKmnHJmf`ob$=&w!U;-^g>lGWxmLN)h_Kkd5ZFJ7G71!AO zfxMqpf2_-^VF7kge`G{JZodPE-H*ChJ@UPr`m z{51s}EW#?1CXIo?v_>BqoeXoOD|Wevtd@DmN)F|!vQ+9a&VmP(I=rh{z=Zc*Y>cQz zQYKDY%j*=A9wJ+mI6$p6?6=5qa>oNKNH8N7&z|3qzqZ#Oru`krY>L|G7@K&o$|b)i zFlE4oNg{GaKru`qwx^ZKDyFUPDHz(=oQ;!+00kYX1T4bd zGB7?n!m6Zb(_dJh(Ii!B<;JaCyNKh=+ame=g=5%J(LW??=(_ZNwrl|z6tABVp#z5s z&fFBm^+$D2z^&8&ebY7>&tl5U!t}-4u8!>#Hun*%a})onP^@#(hpjtjQ&(N~NtY6% zH+ZU)U44!KiM<0Au--p30y#iRRjx`2|8coi>&_cs5;Waaru~m_eys^H6g_!9zaJJ% zlR|tVhEAu5`Yjd8uIWWf{D=*Bf6FG!)fMAzE7vv&+)bjhb{O|hfW9I$)oDvY7=4lC zN8e5k?f8Zz!D;}Yjjg)*NdyCHv(lxtACKEJuN@DUosAnLT%(-J__If)*LFkV(u=Om z;1b^Ct}wgPa3Clnxw@4sR|o-|7M@b7|08!#0C7CS7x&`|P&s05lu>9P*kv*n)rbpl z#-#S&f=a=qC&4ShmWOp^qOpZ(d#IovP#8Z2AHfk?Fx3NK*-&WX+nF}{$p;;vSjGfx z@~i+)d$Eit9swmM5|`|IfHB@#i5<)axgbV0XU&pe9hBabAw62{wPvl6 znq^2DG4K_e4HFJXbJE2OkS;SW6pX|@6=s%kT*L##Dz|j>Ge@MZ??*$Eib3meXsA;yo`Gb*O8X~A3bgSovynaq* 
zZ^HQ=dK(v~Wi0fcK9y%KQ9TLbc%;FT8Ozlf#&Y?usb_r?Dq~42_$rzWD`ej4(-v@qi*n@j;NKmp7Wn_R#v+y{iCcZrO|NgR@Sz}ngZMwnIQicB>SKm~<( zQnrKT%vD2)IWNXREXW;aX>27PIt`9eZfhjyF%{>ffQ{hK1{-cI*V&l%udA=z_Rp=C z@7f6>oz-!gjHPHM)aZ=1RyuUoOlDf-Xx!Sen72&HrrOH&-60^6AxwY+X*$h&{=in^ zR``CmsjNC-1x`crG=q4_uYQ0-w%C?%Ay`-2?}*m5OJk9(IVSKVMU{gLGC&)RZblw z?t0dym^2mDqnS+PzPL;XD&Si0?^m$Gm-Z42JWR$EF4icw_+cQOd0K-(>TS{uIk&2L$lA(e<9sP}`GgX-?;lk0D1WKB0Co37++2vhGn7S(9Bo z8w9^9Gvp+zSuKWVyHZ5Zqlzqat!S_>z23~>+{+O54TNoEG(JAgRfx0$UfS=a)qFLbE=iZbe7yz09hxp}B<+)pVMr45 zXwu9a`@?duIvVr#R6fO7L7?p}LHNw!dQ|nu*cwk!#V+RAr2#P1Y&zFkH`sxHTg(8F zjorm#ZEME&mUL-t71C^XSr+5*^o8A&0^Ij;FoEpb0*yHSR<3E^rlWJOP^qE3z{jn< zhu48E&sIgNwi8ucFYR@!n^)V5P2OYJ{Y^_@73QAOJz@k+Y-rl_yl+bHzn(&27W@Ikpd zsOm*$Vw#Sk_Kj~V2!?o?6oF<>ZkzH3y`ZuLr8c0-M`)cF2*qg~YGaitFmnr`G$DNJ|Id?Y|>?ny6{Rir%)AO zsxHJVN2Z2Rgau2-x`I{hSXBoTE;&?8$07&ILN-Eanl1u&p365X9n1erG`A`PGpa9o zsak;IZBA9I!HiK<81^X9Ft1UjGP_O(i`XtL@SKsE+yVo$iMbS6g3U#s@ek-A{7n@c;lCjNYs%fcd{Q%4V ze+@$rm+JjKI{-k!1`q(kZ^K|?U}39lVq|I=s_RgT-zy#deES<8&Rok)0v-Pdu-RMmAI4o`4?OzIbFk|?rEj0x|`3& z=I0Jakn3l3+3rq#(<8#wmdEbAhnv$-4sLWqxU=7g`wp(zZx-9TeADPB$E%n%6S!nv z6?2*hSdQi+pty7BprXX%^;WNj=WTKZkV3DO47ckYl&i)aa`_Ga5 zgsXffC&vd=thE4euK2SARo-Q6SWEz!sK2e&IuGhn>qzd$Jkksln@`x}qqQl_+u2=% zNmw_ix~zj`V7L}clOH0Drp&8o;GNG?^LKHvJXzOQcwj2tF)7KoV7XN2gy4{(36IiAx={oJAl zV7Po6@y`74zB0yB)l9V)iPRmkdjO8}8@jjTUPB4{MPZ7@VEYiHBchP|P)Ygm#R+hr zF`?pUs*-kG;R*9EufT5HUS4`pojJGF9P)xsDHm7uf;#3vG{x(`XL0qsgT>_^-Xivk`g?eOqoMWiWi2kP`psAFf;hv zc>`FCxX7f>PgLTQcy%-IGs^e#K|Z;NiF1AqYaf}6W+QyJV9|#5Mky@NikGUG#vGh3 z+Qs&uT;1U1z3;;4^q=tZ)hW=_^EgUh{-7q9qfn5pkSXj`i0{S9&G#Kfi`P-;N!QED zFGfd+3+%wT#yNJhc*!SgF*uvN=(95TWf_o?Jx{p!>CHjnjZe$_?ZPM3T4!^$Ff0l& zzg0gq*|E<@zgqH~GK+V*!MnoxqM88zEuoU9}ymAI2YU%*MO4W(2aS08=`jAJA`N~*59kW>y+X;il* zF2kyiTaKq>W8$KFp>Y+M$JR0mZv@O(1lngSo<#x1n|o2e*p?y$3{^Gu#A?Gv2SHbH z=o21SwG7=tXgcLs%aRH?b{fs*8s}wkdQ=9nNH_J@w+`gceJ$(U#* z<35O37bulI4;X!o*R)v=GD*>J*x zR)uUKg}PgKZOlItt{EfS8xqrE$gI_|U<>;(A&*rNIe!ry+E(_wWJ-j0 
zib0Z>Ckf%~a>lPV3FJd!DhiuliQ=z2>aET&=dl6|KN7-kmjcWwwPM?}tWaCMD{EBV zlvz0~_ff%PPRT8eNp6`3&bOKlSYUaC)9vu{-w;xn z2lFfo`yi@f347zeNd@v$gLu6D#h`(Hy#B?|0zBRN#c0Kz>-@#|6+@;J)3V6I-*o!| zVPzO#44$(nwa_&Tr<;q}-iUqz+_M&W&Py==B^B;bS0n#r1^KiaivOmXZ_ew;f13)# zvln~Lq9MTmz1p|4z`Ub?@`{u-8L&^sqQ&dVK`C4f)eH$Pr7@O%DiU%A5lPc$-LZ0o>#1@AUS><`pQUnz_qFo+Qui_)av%F8b-$q`xD-xKOJt*- zO9~1Zv(xT?0I$$OS1?$5IW9_twXliuIIQ!!W!z@iYJdllSqUdNNi};#&F^w&n^{RJ zoK)KZ3ybxG1?5pYv!REtV?3ryZU`Ua{RqWa!0HkHo2Ly)za`7SXrcTEr`2)!+rmgvW+9Q_KqFR4GkLJhQhyZE_@MseOGoK>S(U`a4xci?Vmulew8tg zd4@9MKsrlVFf$(bw80)L2q{{4GOX534wWo({nRS3C0m4^oi)$MM&b3Gr>x+XaAom9{IYMrLZSoY zZW-bL_biD%0li&X$eScLkYykD6+%4t11BzEWeCSCfj{`ZV7l8xfA(*sKlQAfTTSG1 zfs~YNF(miQE2I27hw(bkpSP$5bNaRT2BX!~=#TWz|-MSOQ8VRK2XC*~Y{is#DEo zjzUg@VFut!Nig-04TuW#psSHyJA{@GHnrFT;6Yz|09~h<{-6!${$DbCv8OB=RBPk7 zXtv~?!7YVs*g}g&08R$E51{(wNP<0bsrm%%CeVM$MEWn8 z+<^Zjlj#4FiI@DF%oX%=VOut29Xq&W*U7%fmHAL%3ygD|?n*bTnEwO={GVVTzk-4P zCm7%V2?qF|V0iy081S!PukPgva3?)j{BCo2EXpeLFoiim0)NeYgp`_Gi;67Y_36=D z9s+V*fd3F9;UOHg15zJH|4y!Wa}r$u7ukpfU4ZscVV5odRd3lLC!pN{j^&&DXXiYt z$F*k57xr+|^eY=un*Hu4ualRnPJB*H^lv!NhY(kGr0r_wwYUnSoeZ!gr$cy^Q=#2B z5(l{S%zAa>{DEfmOL3F)T`r^@F^Vs9r~OyJ%`{~vd;s0ayT-yO1?(aEXkr_ttf+74q-t?SJjr&%nO#OpXqG*h)<$i{m~`9 zJd-4d6@F}%Dv!J`ck_S7@pDtbUR}qcg3@uhXByT6attsG&R|%2NPrgeITZzNucC{1 zb9b;)IKBC2*5(=4G_HXpQ8O^&Fm=0SaWwZYnGe%-H)r&E+lG%Mx?ii^`YPKyJ9vrV zX{CC!Iep`Og3XAZ_1@YAxbTju3KzD0|QU!fUDe<;#}sSbe|}7D$b@2o+ur)Ea5d68N1n57MvSzX$teWx$~% z_^s;4E8CtUfl97kL(>JE{?YZTcazmRAY+j?~_Ghkm%*YY?-UFMV@W zvetk22kD zZWQU1oL{Vx!Mwl6@AzHIea>nRf9tJ3?+s<1SY+@CZUp0)1l@FRtY7qj&Kxn41#Y3# zsaJF(rhC;AJ&+*;A={~{nQOY~Q%5$RBVGh%b0S(=Ac@bFtJLedQjcz4yit2f;(1IB zx{irer*QTT1v`^`PHxs`n%XQ@*k1pya(rhKBRPmv!&zA=wCC3#3A%Q%bC__+DrueH zpVvZlK@d-fG5ZcG%+DO6WzF7GeJY5-fukcA7cWg-m$~c*L?r~%`7yWy4kl_^^o9BF zGzoKk=rD>9NRPJCSrHRDbXc)#nyI`yCf{^$bO&~S+QA9oo%}grZ+BEQz5ukxBcMh( z9O5M&#mEpAvjJpg8}r#Nb%f%>WYP5SJzwD%wdY!(k0?l}bp!^bh+MZ~gcRL&aH-)Q zw;w}z9{QA&u^t9kQ2!c!oDY{>ZRTVtv4+x*4iTPRhrEYiM!ok0I(2rYjbLbaxf8W` 
z-Cp;*y@R8yG&7=3NFY{WK@CDsTY<4g6!$DR7hO8qsQsi`+wA94({IH7W=yz8gmE+5Y zEbsbW`D=oliG$g5O_xD<#?;VhP`hx+3Eo3T zF$6S3#$cIYGN<4;SpMm7jBwA~(|A4gr8|P)PO3Jpl95nG2ZI7oIOz8*=rJ0%_|Cq5 z{t5Tj47qg?PCiE*@99t(__7+f8oUA_9jpYvwjUw!a#sE-QMZRP&XCR~S=m01zhKa%UIUE1babo7ZSo`6B!jgCmFi6bE zyRw8hfqSK#dD7$gLJKe_H1Bic-+Lqsc|xKg7#F789&_`55Ohqz1pZ`6;f0k53^)Ci zZH%FnoB3*9`qTyW=qHMSS}6#YgS}6PStuE8k0`Dj-O;=42MyomWF==O=Sb@>baaVbH`pGg{)f z7^i>sWw`)7O^Uzh+!>ejYBf{%PlTHMeGdo`=i$a*xTOp{HN$H{M(!tHO4;n^!@`2eTVG% zF<@@`=G6S;81YQ~FwE}w_y|!DpO(+3;K**>x(vP;mFPLGz`@%?DnT^R$E#T>KvN4b1NqclyJJ?M;0!pA2XW{+m2m%vF_s<>Mp zHDh*8Sc^Y3>p>2(VwdlMKQibR9}A{&b_om<_?>$#Zp?#s(=13d;ilCi|0CK5mUr!^ za5^^GGu3i==y@O&2S1ExwU8FPNT9M1_|*|*6TjLhSB74$jHdnP$WjgExtr2U*RXd| zMyt*($67=MC zbZfi&L+V5`|+9j^i+L#kTrLm1cB^X2UQ!P{H*RHD5v5uI_XgirBN&hzl1%z z*nG$SrRi98kJH0sq&(g41sc1xpL_H^0p(-t@IK}n)B5@<@Z!>00H>=@dbO?SSJkapvgIos`nA{i&Bw?Mew zDbiCUa>A!|Nu+s*H6il&*^|F{1U$i^Mvl1}^6DvxHyiVKM}4wM=nO}Gwy3z0SJHH2 zN|85>?U%OvYR-$aBVCXtg#w@E*@Kcnkv%xtus_o^-;)geQc%V2zM$qf=}i*#f>491 zX!t|k=!X2k5A_^a^2W`JrziIPG?19s8^}#}FsQBoRoz@`D1s-#;Gs_QIkOTXPvNoA zZn3wejIk{f>Spw$41ZI~dva_07v?5($O=C;6ExUu5}yLId(LYQiS#e>7)H&JLnG4SdyowKkR62k9gMo< z(*F*HLJUT0uWEByo%L}1Jmt2yXRf?1wf`ATa)$eUr4&$qfMELA-(OR^<9$KV1$!Cc zRK#PN+`X00D$M~t&WZ<#Ni;5*FwqayE1bYF>-7IifTNxv>XjE6B?4`V>+Rb}C#Rp3 zRL>Hevg;tsAVc!8I*oOYe}$m!_M6O4bjo@=bI?}c&uH5OX@{`pc_qu4@`#f*eU7K* zz!I6)kqj!*ep!GeGbua}a!xciyvwX!g48sDDq6+sLv^o^_lvrX-$5HijxeT<;5WS{ zSKe)3J+%Ha@*d=Bw*99gMrvmG*+xV`m#kZDt!VKu5?wPh0O5&Ce!QOG4Gc|%*cDpL zkgdBToS8@vGy|8W4m3#Wi#lBlxH(8aO<>8A@bltqybOXs^dA+=T2w#o90s6e+^IfJ zep27KW8jSiq*s$v52Wb(n}z9~k7wpNsFBZcLPt(Gd#smH%ya}tZj8c%{8b1UlRRF^ z+!Azo;TTPKd%Y7@OKbhh5R!c3Tu*Q7`!(kL8b)J?K306d& zpkIEx1zuqv62UFsZA!)5V(M-@yshwa&?V!sr*mq=W`@q1vqF^6aedwZx^GI_*Nznz zgNoiY*44}K+4kb>HsnrY(fd+Wnc8|OdrEa*nKi}Ui=lfta(D~1ro}i)(87CrDh>mk zD#}g@yF77?0h4--9!An%F%J|{pDD+z(m$1@>>IRi6v<-W0L$Uf7i#k9rSitdJ+qTK zwEnvql8xU8qE4Db@%VYX$838UBf!cg+$-u5+ky9!ZvI(~5>r zL}lAoa_rRfowKKL;Mt^jDZVg4wG-Qk=OLWxsSve(T>r-*|uD~#7 
zz*4l@2;@lOmem^MORPLN2alIV)3?t-BuQ_UxXyC~JvT-$i~|tA^S@FCNsXMuH&X&1 z(JPtGm*>9@##7@X7DIcc_QSYsdn|YD;YD%p-Ia)TiM#6FlAk4OnGJYH6eL}Q!CBZ^ zyDp6+gzQHX=~?1wU3R5Dl<>>e>;#AHlfU2V-mPEcjq!PwpnL)K_NzWj%#M9alR-s# zrBLg}Pl+j1N$b7ImiF}34UM;aN2>Gm>(wix#rm@Hu)-{KK$AkwCe;QZP0|b4OJ++y zuaEkqQ@h98E_gjFAc>#+q*^>!i+d9c)XayGr5<;fm7O*D4jAdp#&+|%bgL)HG8kl% zcZ@Fz3&h`xS?9$gsfWQJbGtHcZGLRl%;a{zf7g1cslEI(`q{q%8M{6J;DmXOWa-N} zye!%T>6n^&l&vjFPs$`?C9Tyy!|8oCd-vBP9ol=3UG|HQ@I|GwyTtt?fZMm9;)Vkp z^}{8ke&Wm?UUFh&$q4)YHO8LZ|nKBeLMBw@N_0R5n)StbIur5JE_L=0I^cmrx zQ|j!wgIee~Z}V~qo0LH2x7uYyk@B}%Es{v{qh8xI^1_^-4yD3y+3yS62*QrL)h-q1 zVWRW_nSJgW+RH;dIYkaTo-0vdaR@k3peKTwZb&#zK}-LS>fouyrmv3JG+-4&@~T@$ zd?h5u8f^OE7~d}Z6Hfe{1_-^Aia?7^zn;oam#Ng^P;yp7L{*7GG!;9jhAFc8xSA7P z1mp|Hzz@JTR{uP?opZWl49a;l=w8B6B4|q)PZ7s_ObYyQ00}U0M*k1(M8HHCcUoh9 z2FO0PZx2zw^S{FN3A1e1L@o~(hRY$627tn%o;EJ})zR;YfFOn>%IpbRY)aidrL@e` z7wL!hHQ!EMmA#=epv4UZHhxLhpp!0iugiF5$lv$Y|Db^&cnX39Tn$M21T{xFPG+^> z-=r@Gdj5=GU#75w0$df&y7)q*AkiY_3Lb(!s|$n2X+xB)%!O|Y&Q*c0Iz!VbqcGl_ zgry_Z$cI)7abcMSf1=!js~+F z4ph>`$L|98+6)-sHQu6elckrouj`bc(djmHN(v;gex@!g&k#MPW118v;fAXf2a}82SX+6>m#x;ML4e&Sg{D~HhAg( zh5&q8cw!#)BDP|C{)75O)E$oK=YG(a`|-+SQwCi)h9`7hE|qo3Hq=9OXEwzETxqM- zBBZy&jxHz5a)JfyaIMU$*!YF2iBp3xlc>Hsl&E6T!9-|d!I+8DLL?I=Gybq?Te7-X z?epWd$zXn9ZX7JO0PI@yrnY!%Yr(K3>!`D6YG$ISG(9Mde_j#i9-fVLuePRRo$l-s z)e~ZT|z`;yvotW&J|}sm?|G0-sp6QXSy2$ zHloecW^7a3u$!lIu{W>Y)N`N_{4lPVuEm`pEcZIG$)#D*9R%g=_xy&z`3X}EyKYT= z3GV3;GGWBTE&lH(w}gPim_X72b+Jr9EFu>FYw4$98j{c%w3uo9ioOXAMO6AZx$s&) z)0u?Qv#|d|At`Y3LV+*%2Wl0+6JD4I)^?YYIMQqGx(Q0|!yQq~(6coLEbiP671yKv zj3TySvjLO$RUCu7_qzft{aKx@Im7IOF~8Vkp0HqatMG} z;VE5gj1-7|2S^)8hkOCp9V+(~Da#DT&FyA41kvYHB!}RvKunz`ZGk8`n4->`#AOu|M8u*cJ_A2=^f0I9X$l4&h7RA3cD^B? zzA^Z^_5+^05PwE}p(W|o)y)&}|9%&ExjpbiPF4pV%-txUTYo0!!tY1G(fGLB0o>x? 
z`C=myJRMO^;WeUG3Tw zM(il;0go{qYw*JZVRX_BdH8fs_p7EoD&1eu4L*%0u+i17+tU%erhIUxv;8bJ1 z0+qE@+Foesn=OGDrP@(MyNdJV&Q5?F?gCfJ#JuPq8$|1Uso?dm8&1&I5;X&c4HYQ) z^UGUX?I2!@>SY;5FqS5L?{$LwY!>sTAh*)SX?o&wRxxaYVJa37<(5~u`A}VxB05j- zj1%1@GtN#u4rX_Z075J?&ff9_VIxKO%S9mOS-eeUkyZSUl_9KSuRwphYt(>OD-1^4_$jBjV{6C$VF>NbFi>%uOw6w%j?$r)D(m2mA)l&(q`kVpbGe z+U*S=Z*P0szv%}hsPuJUW@a)k3f!7y^c%6|IwzP%PD`z5cJ7rkE7yZdSe8LZ547G6 zau}NDRAFZDt4trx^6|wSjR7Z4Cyom3A5S8Qd!#BdTg*D(aBxt7vn4V>i-@%8JgCH8 zifqAI20Poj2L@Bko za_M2rEv|S^lx*sSHHt#A8k~#Q&!^F{fG2MRjx|WvU;%;Oo}+0k2WKFss14efp;fW? z8MSy?<*RlS%P0-n)22-u6>8{3>$+D|;ZcL}pWm2T=FHVI@iVS-n&y7*w1)&J;jNGGj2@VXwNOO7oHxS{F0#Uk+zu zA2TnGL|$5W^S{Zk+h$cVS&x(C=KD*%DE1w=W&9TgU&b0mmGLVY z+Z9qsl#e>{W`3PxVeKkWvsk_1RlVZh0_DBI4(apP;f9OzBh*o%fdpDB!SnC;-F%+= zy-U;0HL4D;KVQg1)0h4IgKOUeJNrN*qS*U7 zgOTktliOo!ATONZst-D(cih-5UzPz{X)jh8lBf_Es_}EkwPu*=RocU+?e%pPGK=n0 zu?0`6%YH)h?#76A7}?tS3n^K;cMa4sHNZh=JnA1>^S3)msCyHb<@I)BUbPADzm*W7;ucp$efZx*Yyz+oY8(C9s$*3MfFJv_3~lQ zErel^NPAOGk}+^O97q&av|71(6a z(ixu?;Y-ZgWVWqoq_nM3%F8-9_g}tpP+*YSJr-7xu$6UmO3cy%{xxIU)+9f%;8CR6 zdWa~}=5!ZId&w4St0g)@lN|9T^6VFxSTm8VZUITs{>sd`r7ua_h0Wy@;h(pL`z2a9 z+>?umzk*v3M@$X$R-A7ZG_4#~Yee#gt(hNjR%|h)3r4CJXOg<(cT1}o#jMdh3~{Gp ztLW;VnO+Oc7%Yy&ad!vfcNspFRe|1(-yCf|C^;}3LhWz1GtXGkacZ0E}wy&3ng zqN7uP+~Kk6TF|hQ6LisbCh*%=%vxMm$cN(gfKMp3v6~9DaVszMxQbUL6MUgzYM)@_ z-$d$SV*(QBcCcSF2eomo3me(PM`?fKyMA`4B~N@^3S>qgBawrcyHIFnQ zy3ClHzb=2a7hdHgjsnj zpLd?6R4h8XL^0WRDir-l#MB{Y@hpg`rg59Rv;zdsJR|bUu%!pr+@N{bfBoug?_#t7 zytql0$ZY4#lUB@f9!~}_X@HTCx5W^k&|yU4OUzFOIdUQ<|EMG+_ozpaL`>FBY2~CK zpfrU9DJiFvke3WpL`=5gmw!$Zl0QaIewdFvdsZ#RS^Ry3Hk=4^!4Y4z$!{>+_Y+@_ z<>6RmL5}sK{)zuBT(nCtr1<(G;=BJybQ}rR! 
zZ2#>3_pk^@hBsX3uOm#{l<{HAJbgNNJ#8JF>v_Lk^NHSGFlp0Qnv?RD!Mxq|p1yG= z%ANtY;?O<>1A~P;^6f>^!*>%V2 z;B)Sn@^ljWmcqZpW>g$nSok8C``M9x|}j^?2m#L~`u` z(Cj+74m+lpEa7xI@I0)ztSe%_EnE78tS(-=^dbb(4yupfM&ObVJSCxHkoMM=6M*8J zyKHPas&9jYymr$j-KA>|@@@aUZWO=N6EW)#MgC8NT=mTRV$0Ig+Y7Gw2lhA&S9joa zX$fOVLM6lu63JxYQesAu1d0gh(!iR~acfq0FC`Ajq*`*d6T09d>VPTa6_R!7aZ^cF zC)l;AM<^YjoD8F|nNbtd4c&yPsl!^zwOo{(^;9&|bl&ei{)spx z=Ei$xfveV!sRI3&7)+|%GB^OTf{O+X^ExW8od$zRR=0_f^QPZhb*8T2Xit?X+LyWt zP5vqbL-NdS2kT>sblqj?smEBv5NjI8kW;3WHc$NVj)AzVXtAr*8IEHYw=}!{?@R&N zyIE3kh`}e?3eSR=;JOJCPQKLUA_Rj3bZ4xBM_q%GHg58O*^?vJBWs`d0h?J;!Kg0)tFU-OKjB)6=l+X(DN5oA9_Wx_Y-n`hbj3 z_gf)CMhL*%cAVJd67R^2q!E_ExLStixs=%R3d4(Qm%uyCsyP?-VRPa?k^ zsOzjBPxtrZ@%}W)=SSSE9WAZfpweyBIz8EXB%wl81q09TVO&4V??gnFZ^P*sNtA}ID z1I@K{5rO9ZeRpwt$)dW8Y3@Qd_wn`f`u1B7Up04fEnI_jb~b9bvI)={4#v#PB#i7^ z-qD=vG782zA>X*+$ zCe%R%dlrJZfHr!wqcassJhOSe0h6$`Riw?{SPh`?Y#Bt!c0X=ePRY-6&k!#EY_KUu9dH3-A7e zjN~CZ=p>7|3BlY+dv?BnulHJb1Y7KE)hJ~Hcxlfy;G+Z1aFd=c9;XpC+I%{Ua4FTb zpr9L9ysjQooPkUP`uL7I${2J2}Ep{6%AVM45gz7pPgCHUHkzyK6pjxFD%|;-gi;L=GME9-a6~hw~?Q(0wvqm9^`(!Z^3ZO9N;ZO2{VmlJ>ykRg~Y=%8aZu&~JeCdm{_^8gMwOlcA zmHeUz{)f`iT~2DTDYdD)@oc5P37=}Xsip*X(s;ATQ*ORf_KRXOJKkf*S{%@;4xHz$ zx~pAO0H=fLuz-nM+;;((J7rE_p$zHtDT0eW9(cFJs z-}+v!NAP0bdZ*yrzCIEtpY_lFq3B=v1zO;7x;i0&G9O_7Z`*Vw3hTI=zP`Ei+30eq zBk!JDmA?O--kg{3+j6~w$KuAt6wykv7e|(LH!ZYr2yWS;n)3%_Rre4 z8z@}3@x$iAF}Ar*b}_M4ykXau-MX-)V(?!o-{^48-s=2SUZ9f+MV{YsZ_#S4}n z=IVP?9e&O^a!&5ecXzRU7uP7qhiE=o>FTL)Hps#3;337w$L|@fs7w(!*&!I|`EBCN zrxUZb8eE#qZ+a=(Bi)@z?B%xCJN5rg+^Fkv#BfV+v(np@x~e9-3L zuH^?-Z?p~6cp_ppG2q=t-k-%QCJJO3EV{sQy6MW2!fN&WdrHzR8oMeA9^SQk`GDX3 z0#C-7iMguJ|BLi!Pl(*2ce^mz$-~ycaZ&ME#osw^QjM#AYJ2q6Vl7THt$e$7wXIZMMxWSv3w zo=41_uQp9oJA3wGNzpdFjd?;QigPzaXlu?6PM`gh|Je_=oqclBLhifm_cT7WkQS;s zs^9MPZHCjdf2&!Pt4-LfC9K^aE|59;^oroY+y6tQ1t0a@yJ>FbTP)_`^8MYjEcUyz z+se7mz9?O`|M2|nGuE8>@c#PKlE8)Yw2fMiTJBhuvX3(|$12QB@^KjZbr&52Uhmm0 zAG?02C9qyz-*qxP;Z>;VM>%1yh%JYgSRZDwl07%~G5>PSd-n|)FE0x_vzNU>!Ghm$ 
zUTW2m4%0`H{!X7ey&JiEI$Q)BMJH|qE^XMY`qgFbcJ-{c^ETwJ@e*HV;=VUBq4K#L zFe9zK^rqV0e{UQ6&gXem8@}#NdAA655^PZg6yprpSrSC}C1LdNDa{3x!FWl;FcOCqC zbj^j{gHl)I;pj6@g%39532Xn-?*u^E_q<>;eP`t>FMb55+b5-;<_+cO@Z-G&fS5Yikbxn z>JH_F1bcLy+xoZf$iGL{Q9VA#zn;5!@Qr3M%eUJ7yFBk-nfsx``shtV@ur6CzE}UH zPQU(LR21QKSS{~F5a~eDKYNo$BwP?;ouG*cRXSZZqe>*e#oXxYyKX)IO|CbN& wW@Hj!#(jnga91P}z;U7qx*_QMDiJ0a@?hCz8Q{&z22#QVge^eY$rZ!{0Kd(^b literal 0 HcmV?d00001 diff --git a/Solutions/PingFederate/Package/createUiDefinition.json b/Solutions/PingFederate/Package/createUiDefinition.json index f59bdc1f961..f823643596e 100644 --- a/Solutions/PingFederate/Package/createUiDefinition.json +++ b/Solutions/PingFederate/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the data connector that ingest PingFederate events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for PingFederate. You can get PingFederate CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the PingFederateEvent Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
 },
 {
@@ -79,6 +79,13 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
 }
 }
+ },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for PingFederate. You can get PingFederate CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
 }
 ]
 },
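Review bot: The new `dataconnectors-parser-text` in the `@@ -60,14 +60,14 @@` hunk drops the `PingFederateEvent` function alias that the old sentence named, so the installer is no longer told how to query the parsed data. The replacement "Microsoft Sentinel normalized format" claim is also not backed by anything in this patch: the metadata lists a single `PingFederateEvent.yaml` parser and the hunting-query texts in this same file still call it the `PingFederateEvent` parser or table, so I would hedge that wording unless the parser really emits a Sentinel-normalized schema. Suggest keeping the alias, e.g. `"text": "The Solution installs a parser that transforms the ingested data. The transformed logs can be accessed using the PingFederateEvent Kusto Function alias."`.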
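Review bot: `dataconnectors2-text`, added in the `@@ -79,6 +79,13 @@` hunk, is a verbatim copy of `dataconnectors1-text`, so the installer sees two identical blurbs and cannot tell which connector is which or why both exist. The metadata in this patch lists a legacy `Connector_CEF_PingFederate.json` and a `template_CEF_PingFederateAMA.json`, and the hunting-query texts further down call the second one `PingFederateAma`, so the second block should name it and say it is the AMA variant. Something like `"text": "This Solution installs the PingFederateAma data connector for PingFederate (the Azure Monitor Agent based variant). You can get PingFederate CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."` would distinguish them; since this is generator output, the template that emits the text block is the right place to fix it.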
@@ -95,7 +102,7 @@
 "name": "workbooks-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The workbook installed with the PingFederate help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
 }
 },
 {
@@ -107,6 +114,20 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
 }
 }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "PingFederate",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Sets the time name for analysis"
+ }
+ }
+ ]
 }
 ]
 },
@@ -323,7 +344,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for authentication URLs used. It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for authentication URLs used. This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -337,7 +358,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for failed authentication events It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for failed authentication events This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
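Review bot: The `workbook1-text` block added in the `@@ -107,6 +114,20 @@` hunk reads `Sets the time name for analysis`, which describes a time-range parameter rather than the workbook, so the installer gets no idea what the PingFederate workbook actually shows. It looks like the generator picked up a parameter description instead of the workbook's own description field; that is worth fixing at the source rather than by hand-editing the package. A one-line summary of what the workbook visualises, in the style of the other text blocks in this file, would do, e.g. `"text": "This workbook provides an overview of PingFederate events ingested into Microsoft Sentinel."`.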
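Review bot: The replaced `huntingquery1-text` in the `@@ -323,7 +344,7 @@` hunk now reads `This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)`, which is garbled: the two connector names run together with no separator, `PingFederateEvent` is repeated, and the sentence has no closing full stop. The same text is emitted in every hunting-query hunk on this line and the next two (huntingquery2 through huntingquery10), and for huntingquery2, 5, 6 and 7 the preceding sentence also still lacks a full stop before `This`, so the fix belongs in whatever template produces the string rather than in ten hand edits. Something like `... This hunting query depends on the PingFederate or PingFederateAma data connector (PingFederateEvent parser or table).` would read correctly.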
@@ -351,7 +372,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for new users. It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for new users. This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -365,7 +386,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for password reset requests events. It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for password reset requests events. This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -379,7 +400,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare source IP addresses of requests It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for rare source IP addresses of requests This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -393,7 +414,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for SAML subjects used in requests It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for SAML subjects used in requests This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -407,7 +428,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for source IP addresses with the most requests It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for source IP addresses with the most requests This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -421,7 +442,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for requests from unusual countries. It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for requests from unusual countries. This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -435,7 +456,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for unusual sources of authentication. It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for unusual sources of authentication. This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
@@ -449,7 +470,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for users who recently reseted their passwords. It depends on the PingFederate data connector and PingFederateEvent data type and PingFederate parser."
+ "text": "Query searches for users who recently reseted their passwords. This hunting query depends on PingFederate PingFederateAma data connector (PingFederateEvent PingFederateEvent Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/PingFederate/Package/mainTemplate.json b/Solutions/PingFederate/Package/mainTemplate.json
index 3a8fd148225..77d99b18f8a 100644
--- a/Solutions/PingFederate/Package/mainTemplate.json
+++ b/Solutions/PingFederate/Package/mainTemplate.json
@@ -42,196 +42,323 @@ "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "PingFederate", + "_solutionVersion": "3.0.0", + "uiConfigId1": "PingFederate", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "PingFederate", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "PingFederateAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "PingFederateAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "parserName1": "PingFederate Data Parser", + "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", + "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "_parserId1": "[variables('parserId1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "PingFederateEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "PingFederateWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleVersion1": "1.0.1", + "analyticRulecontentId1": "e45a7334-2cb4-4690-8156-f02cac73d584", + 
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.1", + "analyticRulecontentId2": "30583ed4-d13c-43b8-baf2-d75fbe727210", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.1", + "analyticRulecontentId3": "14042f74-e50b-4c21-8a01-0faf4915ada4", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.1", + "analyticRulecontentId4": "6145efdc-4724-42a6-9756-5bd1ba33982e", + "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.1", + "analyticRulecontentId5": "05282c91-7aaf-4d76-9a19-6dc582e6a411", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "1.0.1", + "analyticRulecontentId6": "85f70197-4865-4635-a4b2-a9c57e8fea1b", + "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", + "analyticRuleTemplateSpecName6": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "analyticRuleVersion7": "1.0.1", + "analyticRulecontentId7": "2d201d21-77b4-4d97-95f3-26b5c6bde09f", + "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", + "analyticRuleVersion8": "1.0.1", + "analyticRulecontentId8": "fddd3840-acd2-41ed-94d9-1474b0a7c8a6", + "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", + "analyticRuleVersion9": "1.0.1", + "analyticRulecontentId9": "9578ef7f-cbb4-4e9a-bd26-37c15c53b413", + "_analyticRulecontentId9": 
"[variables('analyticRulecontentId9')]", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", + "analyticRuleVersion10": "1.0.1", + "analyticRulecontentId10": "64e65105-c4fc-4c28-a4e9-bb1a3ce7652d", + "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", + "analyticRuleVersion11": "1.0.1", + "analyticRulecontentId11": "dc79de7d-2590-4852-95fb-f8e02b34f4da", + "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", "huntingQueryVersion1": "1.0.0", "huntingQuerycontentId1": "e309c774-8f31-41c3-b270-7efc934de96a", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "b04e339c-942d-439a-bc27-dbee2961927c", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "a52d874d-dc45-438f-b395-92d1a3ebcf76", "_huntingQuerycontentId3": 
"[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "31bb34b4-26f7-4b83-a667-d596e05eb28a", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "86c8a38a-96bd-445d-8d12-e35b7290832b", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + 
"huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", "huntingQuerycontentId6": "b0a25cd9-08f4-470d-bd04-47da22810b5f", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "ce92624d-ae52-4b8e-ba36-3e5bdb6a793a", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", "huntingQuerycontentId8": "378e53cd-c28a-46d7-8160-1920240bf09e", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "0bce5bd0-cc19-43de-a5ab-47dbc5c6c600", "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "6698f022-adf4-48a3-a8da-a4052ac999b4", "_huntingQuerycontentId10": 
"[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]", - "uiConfigId1": "PingFederate", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PingFederate", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "e45a7334-2cb4-4690-8156-f02cac73d584", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.0.0", - "analyticRulecontentId2": "30583ed4-d13c-43b8-baf2-d75fbe727210", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.0", - "analyticRulecontentId3": "14042f74-e50b-4c21-8a01-0faf4915ada4", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.0.0", - "analyticRulecontentId4": "6145efdc-4724-42a6-9756-5bd1ba33982e", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.0.0", - "analyticRulecontentId5": "05282c91-7aaf-4d76-9a19-6dc582e6a411", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.0.0", - "analyticRulecontentId6": "85f70197-4865-4635-a4b2-a9c57e8fea1b", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.0.0", - "analyticRulecontentId7": "2d201d21-77b4-4d97-95f3-26b5c6bde09f", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.0.0", - "analyticRulecontentId8": 
"fddd3840-acd2-41ed-94d9-1474b0a7c8a6", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.0.0", - "analyticRulecontentId9": "9578ef7f-cbb4-4e9a-bd26-37c15c53b413", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", - "analyticRuleVersion10": "1.0.0", - "analyticRulecontentId10": "64e65105-c4fc-4c28-a4e9-bb1a3ce7652d", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", - "analyticRuleVersion11": "1.0.0", - "analyticRulecontentId11": "dc79de7d-2590-4852-95fb-f8e02b34f4da", - "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11')))]", - "parserVersion1": "1.0.0", - "parserContentId1": "PingFederateEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "parserName1": "PingFederate Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]" + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "PingFederate Workbook with template", - "displayName": "PingFederate workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateWorkbook Workbook with template version 2.0.0", + "description": "PingFederate data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Sets the time name for analysis" - }, + "kind": "GenericUI", "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f7b02575-829c-435d-a4d3-251db9daf80e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"color\":\"greenDark\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"65\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstGeoCountry)\\r\\n| summarize count() by DstGeoCountry\",\"size\":3,\"title\":\"Geo distribution\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"70\",\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize u_users = 
dcount(DstUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Unique Users\",\"formatter\":1}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize IPs = dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstGeoCountry)\\r\\n| summarize u_country = dcount(DstGeoCountry)\",\"size\":3,\"title\":\"Countries\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 1\"}]},\"customWidth\":\"35\",\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = PingFederateEvent\\r\\n| where isnotempty(EventType);\\r\\ndata\\r\\n| summarize Count = count() by EventType\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 5 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize ['Total Events'] = count() by DstUserName\\r\\n| top 10 by ['Total Events']\",\"size\":3,\"title\":\"Top users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DstUserName\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Total Events\",\"formatter\":4,\"formatOptions\":{\"palette\":\"turquoise\"}}]}},\"customWidth\":\"25\",\"name\":\"query - 2\"}]},\"name\":\"group - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct =~ \\\"PingFederate\\\"\\r\\n| order by TimeGenerated desc\\r\\n| extend Reason = extract(@'description=;?(\\\\w+),.*', 1, AdditionalExtensions)\\r\\n| where isnotempty(Reason)\\r\\n| project TimeGenerated, EventType = DeviceEventClassID, 
Reason\",\"size\":0,\"title\":\"Latest errors\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 5\"}],\"fromTemplateId\":\"sentinel-PingFederateWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "[Deprecated] PingFederate via Legacy Agent", + "publisher": "Ping Identity", + "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "PingFederate", + "baseQuery": "PingFederateEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Devices", + "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (PingFederate)", + "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "PingFederateEvent\n | summarize LastLogReceived = 
max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
+ }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", + "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "@{workbookKey=PingFederateWorkbook; logoFileName=PingIdentity.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=PingFederate; templateRelativePath=PingFederate.json; subtitle=; provider=Microsoft}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": 
"[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -246,196 +373,334 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "PingFederateEvent", - "kind": "DataType" - }, - { - "contentId": "PingFederate", - "kind": "DataConnector" - } - ] } } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] PingFederate via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "properties": { - "description": "PingFederate Hunting Query 1 with template", - "displayName": "PingFederate Hunting Query template" + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": 
"[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "PingFederate", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" - ], + "kind": "GenericUI", "properties": { - "description": "PingFederateAuthUrls_HuntingQueries Hunting Query with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ + "connectorUiConfig": { + "title": "[Deprecated] PingFederate via Legacy Agent", + "publisher": "Ping Identity", + "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. 
Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", + "graphQueries": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Ping Federate - Authentication URLs", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DeviceCustomString1)\n| summarize count() by DeviceCustomString1\n| project URL = DeviceCustomString1, Total = count_\n| extend UrlCustomEntity = URL\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for authentication URLs used." - }, - { - "name": "tactics", - "value": "CredentialAccess" - }, - { - "name": "techniques", - "value": "T1110" - } - ] + "metricName": "Total data received", + "legend": "PingFederate", + "baseQuery": "PingFederateEvent" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (PingFederate)", + "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Devices", + "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, 
+ { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", - "properties": { - "description": "PingFederate Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
}, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] } - } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", + "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " } - ] + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." } } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "PingFederate Hunting Query 2 with template", - "displayName": "PingFederate Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - 
}, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateFailedAuthentications_HuntingQueries Hunting Query with template version 2.0.0", + "description": "PingFederate data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('dataConnectorVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_2", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Ping Federate - Failed Authentication", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| extend EventResultDetails = extract(@'description=(.*?),.*', 1, AdditionalExtensions)\n| where isnotempty(EventResultDetails) or EventMessage contains \"fail\"\n| summarize count() by DstUserName\n| extend AccountCustomEntity = DstUserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for failed authentication events" - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1566" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": 
"2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", - "properties": { - "description": "PingFederate Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] PingFederate via AMA", + "publisher": "Ping Identity", + "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "PingFederate", + "baseQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Devices", + "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (PingFederate)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = 
column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. 
Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "PingFederate", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", "email": "[variables('_email')]" }, "support": { 
@@ -447,66 +712,204 @@ } } ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] PingFederate via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "PingFederate", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, + "kind": "GenericUI", "properties": { - "description": "PingFederate Hunting Query 3 with template", - "displayName": "PingFederate Hunting Query template" + "connectorUiConfig": { + "title": "[Recommended] PingFederate via AMA", + "publisher": "Ping Identity", + "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "PingFederate", + "baseQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (PingFederate)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Devices", + "query": "PingFederateEvent\n | 
summarize count() by DvcHostname\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. 
Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ], + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." + } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateNewUsers_HuntingQueries Hunting Query with template version 2.0.0", + "description": "PingFederateEvent Data Parser with 
template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('parserVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_3", + "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Ping Federate - New users", - "category": "Hunting Queries", - "query": "let known_users = \nPingFederateEvent\n| where TimeGenerated between (ago(30d) .. (1d))\n| where isnotempty(DstUserName)\n| summarize makeset(DstUserName);\nPingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstUserName)\n| where DstUserName !in (known_users)\n| extend AccountCustomEntity = DstUserName\n", + "displayName": "PingFederate Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "PingFederateEvent", + "query": "CommonSecurityLog \n| where DeviceProduct has 'PingFederate'\n| extend EventVendor = DeviceVendor\n| extend EventProduct = DeviceProduct\n| extend EventProductVersion = DeviceVersion\n| extend EventSeverity = LogSeverity\n| extend SrcIpAddr = SourceIP\n| extend SrcHostname = SourceHostName\n| extend SrcUserName = SourceUserName\n| extend EventMessage = Message\n| extend EventSubType = DeviceEventClassID\n| extend EventType = Activity\n| extend DstUserName = DestinationUserID\n| extend DstGeoCountry = extract(@'country=;?(\\w+),.*', 1, AdditionalExtensions)\n| extend EventResultDetails = extract(@'description=(.*?),.*', 1, AdditionalExtensions)\n| extend DvcHostname = DeviceAddress\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventProductVersion\n , EventMessage\n 
, EventType\n , EventSubType\n , DstUserName\n , DstGeoCountry\n , DvcHostname\n , EventSeverity\n , SrcIpAddr\n , SrcHostname\n , SrcUserName\n , EventResultDetails\n , DeviceCustomString1Label\n , DeviceCustomString1\n , DeviceCustomString2Label\n , DeviceCustomString2\n , DeviceCustomString3Label\n , DeviceCustomString3\n , DeviceCustomString4Label\n , DeviceCustomString4\n , DeviceCustomString5Label\n , DeviceCustomString5\n , DeviceCustomString6Label\n , DeviceCustomString6\n , AdditionalExtensions\n", + "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for new users." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1078" + "value": "" } ] } @@ -514,16 +917,18 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserName1')]" + ], "properties": { - "description": "PingFederate Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", "source": { - "kind": "Solution", "name": "PingFederate", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { 
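Review bot: The Step C validation command in the new AMA connector's instructionSteps (`sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef`) fetches a script from the mutable `master` branch and executes it as root with no integrity check, so anyone who can alter that path runs code as root on the log collector. Pin the URL to a commit SHA or release tag and add a checksum step before the `sudo python` call, and drop the `sudo` from the download itself since writing into the current directory does not need it. The same step also tells the reader to run `python -version`, which is not a valid flag; it should be `python --version`. Separately, the connector's `permissions.resourceProvider` still requires the `Microsoft.OperationalInsights/workspaces/sharedKeys` action and `delete: true` on the workspace, which appear to be carried over from the legacy agent path; if the AMA/DCR flow does not consume the workspace key, narrowing this to what the DCR deployment actually needs would better match least privilege.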
@@ -539,80 +944,114 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "PingFederate Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "properties": { - "description": "PingFederate Hunting Query 4 with template", - "displayName": "PingFederate Hunting Query template" + "eTag": "*", + "displayName": "PingFederate Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "PingFederateEvent", + "query": "CommonSecurityLog \n| where DeviceProduct has 'PingFederate'\n| extend EventVendor = DeviceVendor\n| extend EventProduct = DeviceProduct\n| extend EventProductVersion = DeviceVersion\n| extend EventSeverity = LogSeverity\n| extend SrcIpAddr = SourceIP\n| extend SrcHostname = SourceHostName\n| extend SrcUserName = SourceUserName\n| extend EventMessage = Message\n| extend EventSubType = DeviceEventClassID\n| extend EventType = Activity\n| extend DstUserName = DestinationUserID\n| extend DstGeoCountry = extract(@'country=;?(\\w+),.*', 1, AdditionalExtensions)\n| extend EventResultDetails = extract(@'description=(.*?),.*', 1, AdditionalExtensions)\n| extend DvcHostname = DeviceAddress\n| project 
TimeGenerated\n , EventVendor\n , EventProduct\n , EventProductVersion\n , EventMessage\n , EventType\n , EventSubType\n , DstUserName\n , DstGeoCountry\n , DvcHostname\n , EventSeverity\n , SrcIpAddr\n , SrcHostname\n , SrcUserName\n , EventResultDetails\n , DeviceCustomString1Label\n , DeviceCustomString1\n , DeviceCustomString2Label\n , DeviceCustomString2\n , DeviceCustomString3Label\n , DeviceCustomString3\n , DeviceCustomString4Label\n , DeviceCustomString4\n , DeviceCustomString5Label\n , DeviceCustomString5\n , DeviceCustomString6Label\n , DeviceCustomString6\n , AdditionalExtensions\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[variables('_parserId1')]" ], "properties": { - "description": "PingFederatePasswordResetRequests_HuntingQueries Hunting Query with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + 
"version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "PingFederate", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PingFederateWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_4", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, "properties": { - "eTag": "*", - "displayName": "Ping Federate - Password reset requests", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'PWD_RESET_REQUEST' or EventSubType =~ 'PWD_RESET_REQUEST'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for password reset requests 
events." - }, - { - "name": "tactics", - "value": "InitialAccess,Persistence" - }, - { - "name": "techniques", - "value": "T1078,T1098" - } - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f7b02575-829c-435d-a4d3-251db9daf80e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"color\":\"greenDark\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"65\",\"name\":\"query - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstGeoCountry)\\r\\n| summarize count() by DstGeoCountry\",\"size\":3,\"title\":\"Geo 
distribution\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"70\",\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize u_users = dcount(DstUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Unique Users\",\"formatter\":1}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize IPs = dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstGeoCountry)\\r\\n| summarize u_country = dcount(DstGeoCountry)\",\"size\":3,\"title\":\"Countries\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 1\"}]},\"customWidth\":\"35\",\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = PingFederateEvent\\r\\n| where isnotempty(EventType);\\r\\ndata\\r\\n| summarize Count = count() by EventType\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"title\":\"Event Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 5 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PingFederateEvent\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize ['Total Events'] = count() by DstUserName\\r\\n| top 10 by ['Total Events']\",\"size\":3,\"title\":\"Top 
users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DstUserName\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Total Events\",\"formatter\":4,\"formatOptions\":{\"palette\":\"turquoise\"}}]}},\"customWidth\":\"25\",\"name\":\"query - 2\"}]},\"name\":\"group - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct =~ \\\"PingFederate\\\"\\r\\n| order by TimeGenerated desc\\r\\n| extend Reason = extract(@'description=;?(\\\\w+),.*', 1, AdditionalExtensions)\\r\\n| where isnotempty(Reason)\\r\\n| project TimeGenerated, EventType = DeviceEventClassID, Reason\",\"size\":0,\"title\":\"Latest errors\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 5\"}],\"fromTemplateId\":\"sentinel-PingFederateWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", - "kind": "HuntingQuery", - 
"version": "[variables('huntingQueryVersion4')]", + "description": "@{workbookKey=PingFederateWorkbook; logoFileName=PingIdentity.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=PingFederate; templateRelativePath=PingFederate.json; subtitle=; provider=Microsoft}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -627,70 +1066,105 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "PingFederateEvent", + "kind": "DataType" + }, + { + "contentId": "PingFederate", + "kind": "DataConnector" + }, + { + "contentId": "PingFederateAma", + "kind": "DataConnector" + } + ] } } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "PingFederate Hunting Query 5 with template", - "displayName": "PingFederate Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
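Review bot: The Workbook metadata resource added in this hunk ships a generator artifact as its description: `"description": "@{workbookKey=PingFederateWorkbook; logoFileName=PingIdentity.svg; description=Sets the time name for analysis; ...}.description"` is a stringified PowerShell hashtable followed by a literal `.description`, not the description value. It should be reduced to the workbook's own description, and that underlying text (`Sets the time name for analysis`, which is also what the `Microsoft.Insights/workbooks` resource's `metadata.description` says) reads like a placeholder rather than a description of a PingFederate overview workbook. Also note the "Latest errors" tile in `serializedData` filters `DeviceProduct =~ "PingFederate"` while the parser and both connectors use `DeviceProduct has 'PingFederate'`, so that tile may silently miss events the rest of the solution counts; aligning it on `has` seems safer.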
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateRareSources_HuntingQueries Hunting Query with template version 2.0.0", + "description": "PingFederateAbnormalPasswordResetsAttempts_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('analyticRuleVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_5", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Ping Federate - Rare source IP addresses", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcIpAddr)\n| summarize count() by SrcIpAddr\n| top 10 by count_ asc\n| extend IpCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects abnormal password reset attempts for user in short period of time.", + "displayName": "Ping Federate - Abnormal password reset attempts", + "enabled": false, + "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| summarize count() by DstUserName, bin(TimeGenerated, 30m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", + 
"suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for rare source IP addresses of requests" + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1078" + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" } ] } @@ -698,13 +1172,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "description": "PingFederate Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", "source": { "kind": "Solution", "name": "PingFederate", 
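Review bot: The "Abnormal password reset attempts" rule query groups `summarize count() by DstUserName, bin(TimeGenerated, 30m)` without excluding empty user names, so any 30-minute window with more than ten PWD_RESET_REQUEST events lacking `DestinationUserID` fires a High-severity alert whose Account entity is empty; add `| where isnotempty(DstUserName)` before the summarize, as the workbook queries in this same package already do. The rule also matches only `EventType =~ 'PWD_RESET_REQUEST'`, whereas the hunting query this hunk removes checked `EventType =~ 'PWD_RESET_REQUEST' or EventSubType =~ 'PWD_RESET_REQUEST'`; given the parser maps EventType to `Activity` and EventSubType to `DeviceEventClassID`, which field carries the code presumably depends on the PingFederate CEF template, so keeping both conditions avoids a silent miss. Finally, `queryFrequency: P1D` with 30-minute buckets means a credential-access signal rated High can sit unreported for up to a day; a shorter frequency (for example `PT1H` with a matching `queryPeriod`) would better fit the severity.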
@@ -723,66 +1197,93 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "PingFederate Hunting Query 6 with template", - "displayName": "PingFederate Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Abnormal password reset attempts", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateSAMLSubjects_HuntingQueries Hunting 
Query with template version 2.0.0", + "description": "PingFederateAuthFromNewSource_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('analyticRuleVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_6", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Ping Federate - SAML subjects", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| extend SamlSubject = extract(@'SAML_SUBJECT==(\\w+),.*', 1, AdditionalExtensions)\n| where isnotempty(SamlSubject)\n| summarize count() by SamlSubject, SrcIpAddr\n| extend IpCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects authentication requests from new IP address.", + "displayName": "Ping Federate - Authentication from new IP.", + "enabled": false, + "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for SAML subjects used in requests" + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, { - "name": "tactics", - "value": "CredentialAccess" + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" }, { - "name": "techniques", - "value": "T1528" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpCustomEntity" + } + ], + "entityType": "IP" } ] } 
@@ -790,13 +1291,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "description": "PingFederate Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", "source": { "kind": "Solution", "name": "PingFederate", 
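Review bot: The `known_src` baseline in the "Authentication from new IP." query is written as `between (ago(14d) .. (1d))`; if the engine applies KQL's `datetime .. timespan` form of `between`, that range spans only the single day starting 14 days ago rather than the preceding 13 days, so the known-IP set is built from one day of traffic and most current IPs look "new". The second leg has no `TimeGenerated` bound, and with `queryPeriod` P14D, `queryFrequency` PT1H and `suppressionEnabled` false, an unknown IP would presumably re-alert every hour for as long as it stays inside the 14-day window. Changing the baseline to `| where TimeGenerated between (ago(14d) .. ago(1d))` and adding `| where TimeGenerated > ago(1h)` on the second leg confines alerts to genuinely new activity; `makeset` is also the deprecated spelling of `make_set`. The same `(1d)` baseline pattern appears in the `known_usrs` query of rule 5 (hunk @@ -999). mainTemplate.json is regenerated by the packaging tool, so the fix belongs in the rule's source YAML rather than in this file.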
@@ -815,66 +1316,93 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Authentication from new IP.", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "description": "PingFederate Hunting Query 7 with template", - "displayName": "PingFederate Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" - ], - "properties": { - "description": 
"PingFederateTopSources_HuntingQueries Hunting Query with template version 2.0.0", + "description": "PingFederateForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('analyticRuleVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_7", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId3')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Ping Federate - Top source IP addresses", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcIpAddr)\n| summarize count() by SrcIpAddr\n| extend IpCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects requests from forbidden countries.", + "displayName": "Ping Federate - Forbidden country", + "enabled": false, + "query": "let forbidden_geo = dynamic(['CH']);\nPingFederateEvent\n| where isnotempty(DstGeoCountry)\n| where tostring(DstGeoCountry) in~ (forbidden_geo)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for source IP addresses with the most requests" + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, { - "name": "tactics", - "value": 
"InitialAccess" + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" }, { - "name": "techniques", - "value": "T1078" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpCustomEntity" + } + ], + "entityType": "IP" } ] } @@ -882,13 +1410,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "description": "PingFederate Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion3')]", "source": { "kind": "Solution", "name": "PingFederate", 
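Review bot: `let forbidden_geo = dynamic(['CH']);` in the "Forbidden country" rule ships a single hard-coded country as the block list, and neither the `description` nor the `displayName` tells the deploying customer that the list is a placeholder to edit, so as published the rule alerts on every request geolocated to Switzerland. The query also filters on `DstGeoCountry` while the description speaks of requests *from* forbidden countries; if the parser exposes a source-side geo field, that is probably the intended column — worth confirming against the parser. Suggested description: `Detects requests geolocated to countries listed in forbidden_geo. Edit the list to match your organization's policy before enabling.` mainTemplate.json is generated from the rule YAML, so the change goes there.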
@@ -907,66 +1435,88 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "PingFederate Hunting Query 8 with template", - "displayName": "PingFederate Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Forbidden country", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnusualCountry_HuntingQueries Hunting Query with 
template version 2.0.0", + "description": "PingFederateMultiplePasswordResetsForUser_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('analyticRuleVersion4')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_8", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId4')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Ping Federate - Requests from unusual countries", - "category": "Hunting Queries", - "query": "let known_geo = \nPingFederateEvent\n| where TimeGenerated between (ago(30d) .. 
(1d))\n| where isnotempty(DstGeoCountry)\n| summarize makeset(DstGeoCountry);\nPingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstGeoCountry)\n| where DstGeoCountry !in (known_geo)\n| extend IpCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = DstUserName\n", - "version": 2, - "tags": [ + "description": "Detects multiple password reset for user.", + "displayName": "Ping Federate - Abnormal password resets for user", + "enabled": false, + "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET'\n| summarize count() by DstUserName\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for requests from unusual countries." + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence", + "PrivilegeEscalation" + ], + "techniques": [ + "T1078", + "T1098", + "T1134" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1078" + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" } ] } 
@@ -974,13 +1524,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "description": "PingFederate Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion4')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -999,66 +1549,86 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "PingFederate Hunting Query 9 with template", - "displayName": "PingFederate Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Abnormal password resets for user", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnusualSources_HuntingQueries Hunting 
Query with template version 2.0.0", + "description": "PingFederateNewUserSSO_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('analyticRuleVersion5')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_9", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId5')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Ping Federate - Authentication from unusual sources", - "category": "Hunting Queries", - "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(30d) .. (1d))\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend IpCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects new user SSO success login.", + "displayName": "Ping Federate - New user SSO success login", + "enabled": false, + "query": "let known_usrs = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| where isnotempty(DstUserName)\n| summarize makeset(DstUserName);\nPingFederateEvent\n| where EventType =~ 'SSO'\n| where EventMessage has 'success'\n| where DstUserName !in (known_usrs)\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for unusual sources of authentication." + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1078", + "T1136" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1078" + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" } ] } 
@@ -1066,13 +1636,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "description": "PingFederate Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion5')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -1091,66 +1661,93 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "PingFederate Hunting Query 10 with template", - "displayName": "PingFederate Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - New user SSO success login", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUsersPaswordsReset_HuntingQueries 
Hunting Query with template version 2.0.0", + "description": "PingFederateOauthOld_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('analyticRuleVersion6')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "PingFederate_Hunting_Query_10", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId6')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Ping Federate - Users recently reseted password", - "category": "Hunting Queries", - "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'PWD_RESET' or EventSubType =~ 'PWD_RESET'\n| extend AccountCustomEntity = DstUserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for users who recently reseted their passwords." 
+ "description": "Detects requests using not the latest version of OAuth protocol.", + "displayName": "Ping Federate - OAuth old version", + "enabled": false, + "query": "PingFederateEvent\n| where isnotempty(DeviceCustomString3)\n| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)\n| extend ver = extract(@'(\\d+)', 1, DeviceCustomString3)\n| where proto =~ 'OAuth'\n| where ver !~ '20'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess,Persistence" + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" }, { - "name": "techniques", - "value": "T1078,T1098" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpCustomEntity" + } + ], + "entityType": "IP" } ] } 
@@ -1158,13 +1755,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", "properties": { - "description": "PingFederate Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "description": "PingFederate Analytics Rule 6", + "parentId": "[variables('analyticRuleId6')]", + "contentId": "[variables('_analyticRulecontentId6')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion6')]", "source": { "kind": "Solution", "name": "PingFederate", 
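Review bot: The version test in the "OAuth old version" rule, `extract(@'(\\d+)', 1, DeviceCustomString3)` compared against the literal `'20'`, takes the first digit run anywhere in the field; if the field carries the version as `2.0`, or any digits precede it, `ver` becomes `2` and every OAuth event alerts, whereas a form such as `OAuth20` passes. The actual format of `DeviceCustomString3` is not visible here, so confirm against sample PingFederate events before relying on the rule. Anchoring the pattern to the protocol token, e.g. `extract(@'OAuth\s*(\d+(?:\.\d+)?)', 1, DeviceCustomString3)` in KQL form (backslashes doubled in the JSON), removes the dependence on digit position; the `proto` extraction likewise only confirms that the substring `OAuth` occurs somewhere in the field. mainTemplate.json is regenerated from the rule YAML, so the fix belongs in that source file.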
@@ -1183,179 +1780,107 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "PingFederate data connector with template", - "displayName": "PingFederate template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - OAuth old version", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederate data connector with template version 2.0.0", + 
"description": "PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('analyticRuleVersion7')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId7')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "PingFederate", - "publisher": "Ping Identity", - "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. 
Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PingFederate", - "baseQuery": "PingFederateEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PingFederate)", - "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false + "description": "Detects password reset requests from unexpected source IP address.", + "displayName": "Ping Federate - Password reset request from unexpected source IP address..", + "enabled": false, + "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, + { + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } + "identifier": "Name", + "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpCustomEntity" + } + ], + "entityType": "IP" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "description": "PingFederate Analytics Rule 7", + "parentId": "[variables('analyticRuleId7')]", + "contentId": "[variables('_analyticRulecontentId7')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion7')]", "source": { "kind": "Solution", "name": "PingFederate", 
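Review bot: The baseline in rule 7's query (`let known_src = ... | where TimeGenerated between (ago(14d) .. (1d))`) uses a timespan as the right bound of `between`, which as far as I can tell KQL treats as an offset added to the left bound, so the baseline covers only the single day 14 days ago rather than the preceding 13 days and nearly every current source IP is reported as unknown. The intended window is presumably `| where TimeGenerated between (ago(14d) .. ago(1d))`; the same form appears in rule 9 (hunk `@@ -1374`), rule 10 (`ago(1d) .. (1h)` in hunk `@@ -1639`) and rule 11 (hunk `@@ -1756`, cut off at the end of this chunk). In the same line `makeset()` is a deprecated alias and should be `make_set()`. Because mainTemplate.json is generated from the solution's rule YAML, the change belongs in the source rule file (`PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules` per the description), where the doubled period in the displayName `...unexpected source IP address..` can be fixed at the same time. The rule 7 contentTemplates resource continues into the next hunk.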
@@ -1374,214 +1899,169 @@ } } ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Password reset request from unexpected source IP address..", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "connectorUiConfig": { - "title": "PingFederate", - "publisher": "Ping Identity", - "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PingFederate", - "baseQuery": "PingFederateEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PingFederate)", - "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ + "description": "PingFederateSamlOld_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ { - "description": "Top 10 Devices", - "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - 
"availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId8')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects requests using not the latest version of SAML protocol.", + "displayName": "Ping Federate - SAML old version", + "enabled": false, + "query": "PingFederateEvent\n| where isnotempty(DeviceCustomString3)\n| extend proto = extract(@'(SAML)', 1, DeviceCustomString3)\n| extend ver = extract(@'(\\d+)', 1, DeviceCustomString3)\n| where proto =~ 'SAML'\n| where ver !~ '20'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PingFederate", + "dataTypes": [ + "PingFederateEvent" + ] + }, + { + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] + } + ], + "tactics": [ + 
"InitialAccess" + ], + "techniques": [ + "T1190" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpCustomEntity" + } + ], + "entityType": "IP" + } + ] } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "properties": { + "description": "PingFederate Analytics Rule 8", + "parentId": "[variables('analyticRuleId8')]", + "contentId": "[variables('_analyticRulecontentId8')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion8')]", + "source": { + "kind": "Solution", + "name": "PingFederate", + "sourceId": "[variables('_solutionId')]" }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 1 with template", - "displayName": "PingFederate Analytics Rule template" + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - SAML old version", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateAbnormalPasswordResetsAttempts_AnalyticalRules Analytics Rule with 
template version 2.0.0", + "description": "PingFederateUnexpectedAuthUrl_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleVersion9')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects abnormal password reset attempts for user in short period of time.", - "displayName": "Ping Federate - Abnormal password reset attempts", + "description": "Detects unexpected authentication URL.", + "displayName": "Ping Federate - Unexpected authentication URL.", "enabled": false, - "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| summarize count() by DstUserName, bin(TimeGenerated, 30m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", + "query": "let known_domains = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| where isnotempty(DeviceCustomString1)\n| extend url_parsed = parse_url(DeviceCustomString1)\n| extend url_domain = extract(@'.*\\.(.*\\.[a-z]+)', 1, tostring(url_parsed.Host))\n| summarize makeset(url_domain);\nPingFederateEvent\n| where isnotempty(DeviceCustomString1)\n| extend url_parsed = parse_url(DeviceCustomString1)\n| extend url_domain = extract(@'.*\\.(.*\\.[a-z]+)', 1, tostring(url_parsed.Host))\n| where url_domain !in (known_domains)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -1589,24 +2069,42 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PingFederate", "dataTypes": [ "PingFederateEvent" - ], - "connectorId": "PingFederate" + ] + }, + { + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] } ], "tactics": [ - "CredentialAccess" + "InitialAccess" + ], + "techniques": [ + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpCustomEntity" + } + ], + "entityType": "IP" } ] } 
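Review bot: Rule 9's domain extraction `extract(@'.*\\.(.*\\.[a-z]+)', 1, tostring(url_parsed.Host))` yields an empty string for any host with fewer than two dots (a bare `example.com`) or whose last label falls outside `[a-z]+` (digits, or uppercase if `Host` keeps case), and that empty value is then compared with `!in (known_domains)`, so such hosts either alert on every event or, if an empty string made it into the baseline set, are all silently accepted. A guard `| where isnotempty(url_domain)` after the `extend` on both the baseline and the detection side would make the outcome explicit; comparing the whole lower-cased `url_parsed.Host` would avoid the regex entirely. Since this template is generated, the fix belongs in the source YAML (`PingFederateUnexpectedAuthUrl_AnalyticalRules`). The rule 9 resource continues in the next hunk, which shares this line.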
@@ -1614,13 +2112,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "description": "PingFederate Analytics Rule 9", + "parentId": "[variables('analyticRuleId9')]", + "contentId": "[variables('_analyticRulecontentId9')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleVersion9')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -1639,57 +2137,50 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 2 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId9')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Unexpected authentication URL.", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateAuthFromNewSource_AnalyticalRules 
Analytics Rule with template version 2.0.0", + "description": "PingFederateUnexpectedUserCountry_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleVersion10')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects authentication requests from new IP address.", - "displayName": "Ping Federate - Authentication from new IP.", + "description": "Detects requests from different countries for user in shotr term.", + "displayName": "Ping Federate - Unexpected country for user", "enabled": false, - "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "query": "let known_countries = \nPingFederateEvent\n| where TimeGenerated between (ago(1d) .. 
(1h))\n| where isnotempty(DstGeoCountry)\n| summarize makeset(DstGeoCountry);\nPingFederateEvent\n| where isnotempty(DstGeoCountry)\n| where DstGeoCountry !in (known_countries)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", + "queryPeriod": "P1D", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -1697,33 +2188,42 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PingFederate", "dataTypes": [ "PingFederateEvent" - ], - "connectorId": "PingFederate" + ] + }, + { + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1078" + ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IpCustomEntity" } - ] + ], + "entityType": "IP" } ] } 
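Review bot: Rule 10's logic does not match its name: `known_countries` is one tenant-wide set (`summarize makeset(DstGeoCountry)` with no `by DstUserName`) and the check `DstGeoCountry !in (known_countries)` never joins on the user, so it fires when a country is new to the whole workspace, not unexpected for that user. A per-user baseline would be `| summarize known = make_set(DstGeoCountry) by DstUserName;` followed on the detection side by `| join kind=inner (known_countries) on DstUserName | where not(set_has_element(known, DstGeoCountry))`. The description also has a typo, `shotr` → `short`. As the template is generated, both changes belong in the source YAML `PingFederateUnexpectedUserCountry_AnalyticalRules`.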
@@ -1731,13 +2231,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "description": "PingFederate Analytics Rule 10", + "parentId": "[variables('analyticRuleId10')]", + "contentId": "[variables('_analyticRulecontentId10')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleVersion10')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -1756,57 +2256,50 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 3 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId10')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Unexpected country for user", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName11')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateForbiddenCountry_AnalyticalRules 
Analytics Rule with template version 2.0.0", + "description": "PingFederateUnusualMailDomain_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleVersion11')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRulecontentId11')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests from forbidden countries.", - "displayName": "Ping Federate - Forbidden country", + "description": "Detects unusual mail domain in authentication requests.", + "displayName": "Ping Federate - Unusual mail domain.", "enabled": false, - "query": "let forbidden_geo = dynamic(['CH']);\nPingFederateEvent\n| where isnotempty(DstGeoCountry)\n| where tostring(DstGeoCountry) in~ (forbidden_geo)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "query": "let known_domains = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)\n| extend m_domain = extract(@'@(.*)', 1, email)\n| where isnotempty(m_domain)\n| summarize makeset(m_domain);\nPingFederateEvent\n| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)\n| extend m_domain = extract(@'@(.*)', 1, email)\n| where isnotempty(m_domain)\n| where m_domain !in (known_domains)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", + "queryPeriod": "P14D", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -1814,33 +2307,42 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PingFederate", "dataTypes": [ "PingFederateEvent" - ], - "connectorId": "PingFederate" + ] + }, + { + "connectorId": "PingFederateAma", + "dataTypes": [ + "PingFederateEvent" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1078" + ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IpCustomEntity" } - ] + ], + "entityType": "IP" } ] } 
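Review bot: The baseline in the new rule 11 query, `| where TimeGenerated between (ago(14d) .. (1d))`, covers only the single day that starts fourteen days ago, because a timespan as the right-hand side of KQL `between` means start-plus-duration rather than an end time; if the intent is the trailing window minus the most recent day, it should read `| where TimeGenerated between (ago(14d) .. ago(1d))`. The same construct appears in hunting query 3 (`ago(30d) .. (1d)`) in hunk `@@ -1983,83 +2545,59 @@` and presumably needs the same correction. The comparison `| where m_domain !in (known_domains)` is case-sensitive, so a domain that differs from its baseline spelling only in letter case will raise an alert; `!in~` gives the case-insensitive match that mail domains call for. `makeset()` is the deprecated spelling of `make_set()`, and the displayName `"Ping Federate - Unusual mail domain."` carries a trailing period its sibling rules do not. The AlertRuleTemplates resource this query belongs to continues in the next hunk.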
@@ -1848,13 +2350,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
 "properties": {
- "description": "PingFederate Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "description": "PingFederate Analytics Rule 11",
+ "parentId": "[variables('analyticRuleId11')]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "version": "[variables('analyticRuleVersion11')]",
 "source": {
 "kind": "Solution",
 "name": "PingFederate",
@@ -1873,84 +2375,144 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId11')]", + "contentKind": "AnalyticsRule", + "displayName": "Ping Federate - Unusual mail domain.", + "contentProductId": "[variables('_analyticRulecontentProductId11')]", + "id": "[variables('_analyticRulecontentProductId11')]", + "version": "[variables('analyticRuleVersion11')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "description": "PingFederate Analytics Rule 4 with template", - "displayName": "PingFederate Analytics Rule template" + "description": "PingFederateAuthUrls_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Ping 
Federate - Authentication URLs", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DeviceCustomString1)\n| summarize count() by DeviceCustomString1\n| project URL = DeviceCustomString1, Total = count_\n| extend UrlCustomEntity = URL\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for authentication URLs used." + }, + { + "name": "tactics", + "value": "CredentialAccess" + }, + { + "name": "techniques", + "value": "T1110" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "properties": { + "description": "PingFederate Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion1')]", + "source": { + "kind": "Solution", + "name": "PingFederate", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Authentication URLs", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" } }, { - "type": 
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateMultiplePasswordResetsForUser_AnalyticalRules Analytics Rule with template version 2.0.0", + "description": "PingFederateFailedAuthentications_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('huntingQueryVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple password reset for user.", - "displayName": "Ping Federate - Abnormal password resets for user", - "enabled": false, - "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET'\n| summarize count() by 
DstUserName\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess", - "Persistence", - "PrivilegeEscalation" - ], - "entityMappings": [ + "eTag": "*", + "displayName": "Ping Federate - Failed Authentication", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| extend EventResultDetails = extract(@'description=(.*?),.*', 1, AdditionalExtensions)\n| where isnotempty(EventResultDetails) or EventMessage contains \"fail\"\n| summarize count() by DstUserName\n| extend AccountCustomEntity = DstUserName\n", + "version": 2, + "tags": [ { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "description", + "value": "Query searches for failed authentication events" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" } ] } 
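Review bot: The filter in the new hunting query 2, `| where isnotempty(EventResultDetails) or EventMessage contains "fail"`, keeps every event that carries a `description=` extension rather than only failures, because `extract(@'description=(.*?),.*', 1, AdditionalExtensions)` pulls out whatever description is present; unless this source populates description solely on failed attempts, successful authentications will be listed too, and the left-hand condition should test the extracted text (for example `EventResultDetails has "fail"`) or be dropped. The tactic/technique tags on the two queries in this hunk also look swapped: hunting query 1 (authentication URLs) is tagged `CredentialAccess`/`T1110` while hunting query 2 (failed authentications) is tagged `InitialAccess`/`T1566`, whereas brute force (T1110) is the natural fit for failed logins and phishing (T1566) for a URL inventory. Both are plain string `value` entries in the `tags` arrays, so exchanging them is a two-line change per query. The `resources` array of hunting query 2's mainTemplate continues into the next hunk.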
@@ -1958,13 +2520,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
 "properties": {
- "description": "PingFederate Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "description": "PingFederate Hunting Query 2",
+ "parentId": "[variables('huntingQueryId2')]",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion2')]",
 "source": {
 "kind": "Solution",
 "name": "PingFederate",
@@ -1983,83 +2545,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 5 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Failed Authentication", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateNewUserSSO_AnalyticalRules Analytics Rule with 
template version 2.0.0", + "description": "PingFederateNewUsers_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('huntingQueryVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects new user SSO success login.", - "displayName": "Ping Federate - New user SSO success login", - "enabled": false, - "query": "let known_usrs = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where isnotempty(DstUserName)\n| summarize makeset(DstUserName);\nPingFederateEvent\n| where EventType =~ 'SSO'\n| where EventMessage has 'success'\n| where DstUserName !in (known_usrs)\n| extend AccountCustomEntity = DstUserName\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Ping Federate - New users", + "category": "Hunting Queries", + "query": "let known_users = \nPingFederateEvent\n| where TimeGenerated between (ago(30d) .. 
(1d))\n| where isnotempty(DstUserName)\n| summarize makeset(DstUserName);\nPingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstUserName)\n| where DstUserName !in (known_users)\n| extend AccountCustomEntity = DstUserName\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess", - "Persistence" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for new users." + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1078" } ] } @@ -2067,13 +2605,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "description": "PingFederate Hunting Query 3", + "parentId": "[variables('huntingQueryId3')]", + "contentId": "[variables('_huntingQuerycontentId3')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion3')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -2092,91 +2630,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 6 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - New users", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateOauthOld_AnalyticalRules Analytics Rule with template 
version 2.0.0", + "description": "PingFederatePasswordResetRequests_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('huntingQueryVersion4')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests using not the latest version of OAuth protocol.", - "displayName": "Ping Federate - OAuth old version", - "enabled": false, - "query": "PingFederateEvent\n| where isnotempty(DeviceCustomString3)\n| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)\n| extend ver = extract(@'(\\d+)', 1, DeviceCustomString3)\n| where proto =~ 'OAuth'\n| where ver !~ '20'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Ping Federate - Password reset requests", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'PWD_RESET_REQUEST' or EventSubType =~ 'PWD_RESET_REQUEST'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess" 
- ], - "entityMappings": [ + "name": "description", + "value": "Query searches for password reset requests events." + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "InitialAccess,Persistence" }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpCustomEntity" - } - ] + "name": "techniques", + "value": "T1078,T1098" } ] } @@ -2184,13 +2690,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "description": "PingFederate Hunting Query 4", + "parentId": "[variables('huntingQueryId4')]", + "contentId": "[variables('_huntingQuerycontentId4')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion4')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -2209,91 +2715,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 7 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Password reset requests", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules Analytics Rule with template version 2.0.0", + "description": "PingFederateRareSources_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('huntingQueryVersion5')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects password reset requests from unexpected source IP address.", - "displayName": "Ping Federate - Password reset request from unexpected source IP address..", - "enabled": false, - "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Ping Federate - Rare source IP addresses", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcIpAddr)\n| summarize count() by SrcIpAddr\n| top 10 by count_ asc\n| extend IpCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for rare source IP addresses of requests" + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "InitialAccess" }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpCustomEntity" - } - ] + "name": "techniques", + "value": "T1078" } ] } 
@@ -2301,13 +2775,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
 "properties": {
- "description": "PingFederate Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "description": "PingFederate Hunting Query 5",
+ "parentId": "[variables('huntingQueryId5')]",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion5')]",
 "source": {
 "kind": "Solution",
 "name": "PingFederate",
@@ -2326,91 +2800,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 8 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Rare source IP addresses", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateSamlOld_AnalyticalRules Analytics Rule with 
template version 2.0.0", + "description": "PingFederateSAMLSubjects_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('huntingQueryVersion6')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests using not the latest version of SAML protocol.", - "displayName": "Ping Federate - SAML old version", - "enabled": false, - "query": "PingFederateEvent\n| where isnotempty(DeviceCustomString3)\n| extend proto = extract(@'(SAML)', 1, DeviceCustomString3)\n| extend ver = extract(@'(\\d+)', 1, DeviceCustomString3)\n| where proto =~ 'SAML'\n| where ver !~ '20'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Ping Federate - SAML subjects", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| extend SamlSubject = extract(@'SAML_SUBJECT==(\\w+),.*', 1, AdditionalExtensions)\n| where isnotempty(SamlSubject)\n| summarize count() by SamlSubject, SrcIpAddr\n| extend IpCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - 
"tactics": [ - "InitialAccess" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for SAML subjects used in requests" + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "CredentialAccess" }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpCustomEntity" - } - ] + "name": "techniques", + "value": "T1528" } ] } @@ -2418,13 +2860,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "description": "PingFederate Hunting Query 6", + "parentId": "[variables('huntingQueryId6')]", + "contentId": "[variables('_huntingQuerycontentId6')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion6')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -2443,91 +2885,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 9 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - SAML subjects", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnexpectedAuthUrl_AnalyticalRules Analytics Rule with 
template version 2.0.0", + "description": "PingFederateTopSources_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('huntingQueryVersion7')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects unexpected authentication URL.", - "displayName": "Ping Federate - Unexpected authentication URL.", - "enabled": false, - "query": "let known_domains = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. 
(1d))\n| where isnotempty(DeviceCustomString1)\n| extend url_parsed = parse_url(DeviceCustomString1)\n| extend url_domain = extract(@'.*\\.(.*\\.[a-z]+)', 1, tostring(url_parsed.Host))\n| summarize makeset(url_domain);\nPingFederateEvent\n| where isnotempty(DeviceCustomString1)\n| extend url_parsed = parse_url(DeviceCustomString1)\n| extend url_domain = extract(@'.*\\.(.*\\.[a-z]+)', 1, tostring(url_parsed.Host))\n| where url_domain !in (known_domains)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Ping Federate - Top source IP addresses", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcIpAddr)\n| summarize count() by SrcIpAddr\n| extend IpCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for source IP addresses with the most requests" + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "InitialAccess" }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpCustomEntity" - } - ] + "name": "techniques", + "value": "T1078" } ] } 
@@ -2535,13 +2945,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "description": "PingFederate Hunting Query 7", + "parentId": "[variables('huntingQueryId7')]", + "contentId": "[variables('_huntingQuerycontentId7')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion7')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -2560,91 +2970,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 10 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Top source IP addresses", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnexpectedUserCountry_AnalyticalRules 
Analytics Rule with template version 2.0.0", + "description": "PingFederateUnusualCountry_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('huntingQueryVersion8')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests from different countries for user in shotr term.", - "displayName": "Ping Federate - Unexpected country for user", - "enabled": false, - "query": "let known_countries = \nPingFederateEvent\n| where TimeGenerated between (ago(1d) .. (1h))\n| where isnotempty(DstGeoCountry)\n| summarize makeset(DstGeoCountry);\nPingFederateEvent\n| where isnotempty(DstGeoCountry)\n| where DstGeoCountry !in (known_countries)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Ping Federate - Requests from unusual countries", + "category": "Hunting Queries", + "query": "let known_geo = \nPingFederateEvent\n| where TimeGenerated between (ago(30d) .. 
(1d))\n| where isnotempty(DstGeoCountry)\n| summarize makeset(DstGeoCountry);\nPingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstGeoCountry)\n| where DstGeoCountry !in (known_geo)\n| extend IpCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = DstUserName\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for requests from unusual countries." + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "InitialAccess" }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpCustomEntity" - } - ] + "name": "techniques", + "value": "T1078" } ] } @@ -2652,13 +3030,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "description": "PingFederate Hunting Query 8", + "parentId": "[variables('huntingQueryId8')]", + "contentId": "[variables('_huntingQuerycontentId8')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion8')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -2677,91 +3055,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName11')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "PingFederate Analytics Rule 11 with template", - "displayName": "PingFederate Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Requests from unusual countries", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName11'),'/',variables('analyticRuleVersion11'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName11'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"PingFederateUnusualMailDomain_AnalyticalRules Analytics Rule with template version 2.0.0", + "description": "PingFederateUnusualSources_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", + "contentVersion": "[variables('huntingQueryVersion9')]", "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId11')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects unusual mail domain in authentication requests.", - "displayName": "Ping Federate - Unusual mail domain.", - "enabled": false, - "query": "let known_domains = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)\n| extend m_domain = extract(@'@(.*)', 1, email)\n| where isnotempty(m_domain)\n| summarize makeset(m_domain);\nPingFederateEvent\n| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)\n| extend m_domain = extract(@'@(.*)', 1, email)\n| where isnotempty(m_domain)\n| where m_domain !in (known_domains)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Ping Federate - 
Authentication from unusual sources", + "category": "Hunting Queries", + "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(30d) .. (1d))\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend IpCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "PingFederateEvent" - ], - "connectorId": "PingFederate" - } - ], - "tactics": [ - "InitialAccess" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for unusual sources of authentication." + }, { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] + "name": "tactics", + "value": "InitialAccess" }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpCustomEntity" - } - ] + "name": "techniques", + "value": "T1078" } ] } @@ -2769,13 +3115,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", "properties": { - "description": "PingFederate Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", + "description": "PingFederate Hunting Query 9", + "parentId": "[variables('huntingQueryId9')]", + "contentId": "[variables('_huntingQuerycontentId9')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion9')]", "source": { "kind": "Solution", "name": "PingFederate", 
@@ -2794,59 +3140,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('parserTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "PingFederateEvent Data Parser with template", - "displayName": "PingFederateEvent Data Parser template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Authentication from unusual sources", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateEvent Data Parser with template version 2.0.0", + "description": 
"PingFederateUsersPaswordsReset_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('huntingQueryVersion10')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "PingFederate_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "PingFederate Data Parser", - "category": "Samples", - "functionAlias": "PingFederateEvent", - "query": "\nCommonSecurityLog \r\n| where DeviceProduct has 'PingFederate'\r\n| extend EventVendor = DeviceVendor\r\n| extend EventProduct = DeviceProduct\r\n| extend EventProductVersion = DeviceVersion\r\n| extend EventSeverity = LogSeverity\r\n| extend SrcIpAddr = SourceIP\r\n| extend SrcHostname = SourceHostName\r\n| extend SrcUserName = SourceUserName\r\n| extend EventMessage = Message\r\n| extend EventSubType = DeviceEventClassID\r\n| extend EventType = Activity\r\n| extend DstUserName = DestinationUserID\r\n| extend DstGeoCountry = extract(@'country=;?(\\w+),.*', 1, AdditionalExtensions)\r\n| extend EventResultDetails = extract(@'description=(.*?),.*', 1, AdditionalExtensions)\r\n| extend DvcHostname = DeviceAddress\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventProductVersion\r\n , EventMessage\r\n , EventType\r\n , EventSubType\r\n , DstUserName\r\n , DstGeoCountry\r\n , DvcHostname\r\n , EventSeverity\r\n , SrcIpAddr\r\n , SrcHostname\r\n , SrcUserName\r\n , EventResultDetails\r\n , DeviceCustomString1Label\r\n , DeviceCustomString1\r\n , DeviceCustomString2Label\r\n , DeviceCustomString2\r\n , 
DeviceCustomString3Label\r\n , DeviceCustomString3\r\n , DeviceCustomString4Label\r\n , DeviceCustomString4\r\n , DeviceCustomString5Label\r\n , DeviceCustomString5\r\n , DeviceCustomString6Label\r\n , DeviceCustomString6\r\n , AdditionalExtensions\r\n", - "version": 1, + "displayName": "Ping Federate - Users recently reseted password", + "category": "Hunting Queries", + "query": "PingFederateEvent\n| where TimeGenerated > ago(24h)\n| where EventType =~ 'PWD_RESET' or EventSubType =~ 'PWD_RESET'\n| extend AccountCustomEntity = DstUserName\n", + "version": 2, "tags": [ { "name": "description", - "value": "PingFederate Data Parser" + "value": "Query searches for users who recently reseted their passwords." + }, + { + "name": "tactics", + "value": "InitialAccess,Persistence" + }, + { + "name": "techniques", + "value": "T1078,T1098" } ] } @@ -2854,18 +3200,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "description": "PingFederate Hunting Query 10", + "parentId": "[variables('huntingQueryId10')]", + "contentId": "[variables('_huntingQuerycontentId10')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion10')]", "source": { - "name": "PingFederate", "kind": "Solution", + "name": "PingFederate", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2881,61 +3225,35 @@ } } ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "PingFederate Data Parser", - "category": "Samples", - "functionAlias": "PingFederateEvent", - "query": "\nCommonSecurityLog \r\n| where DeviceProduct has 'PingFederate'\r\n| extend EventVendor = DeviceVendor\r\n| extend EventProduct = DeviceProduct\r\n| extend EventProductVersion = DeviceVersion\r\n| extend EventSeverity = LogSeverity\r\n| extend SrcIpAddr = SourceIP\r\n| extend SrcHostname = SourceHostName\r\n| extend SrcUserName = SourceUserName\r\n| extend EventMessage = Message\r\n| extend EventSubType = DeviceEventClassID\r\n| extend EventType = Activity\r\n| extend DstUserName = DestinationUserID\r\n| extend DstGeoCountry = extract(@'country=;?(\\w+),.*', 1, AdditionalExtensions)\r\n| extend EventResultDetails = extract(@'description=(.*?),.*', 1, AdditionalExtensions)\r\n| extend DvcHostname = DeviceAddress\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventProductVersion\r\n , EventMessage\r\n , EventType\r\n , EventSubType\r\n , DstUserName\r\n , DstGeoCountry\r\n , DvcHostname\r\n , EventSeverity\r\n , SrcIpAddr\r\n , SrcHostname\r\n , SrcUserName\r\n , EventResultDetails\r\n , DeviceCustomString1Label\r\n , DeviceCustomString1\r\n , DeviceCustomString2Label\r\n , DeviceCustomString2\r\n , DeviceCustomString3Label\r\n , DeviceCustomString3\r\n , DeviceCustomString4Label\r\n , DeviceCustomString4\r\n , DeviceCustomString5Label\r\n , DeviceCustomString5\r\n , DeviceCustomString6Label\r\n , DeviceCustomString6\r\n , AdditionalExtensions\r\n", - "version": 1 - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId10')]", + "contentKind": "HuntingQuery", + "displayName": "Ping Federate - Users recently reseted password", + "contentProductId": "[variables('_huntingQuerycontentProductId10')]", + "id": "[variables('_huntingQuerycontentProductId10')]", + "version": "[variables('huntingQueryVersion10')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.0", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "PingFederate", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (CEF over Syslog)
  2. \n
\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
@@ -2957,64 +3275,24 @@
 "operator": "AND",
 "criteria": [
 {
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "version": "[variables('huntingQueryVersion7')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
 },
 {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
 },
 {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "kind": "Parser",
+ "contentId": "[variables('_parserContentId1')]",
+ "version": "[variables('parserVersion1')]"
 },
 {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
 },
 {
 "kind": "AnalyticsRule",
@@ -3072,9 +3350,54 @@
 "version": "[variables('analyticRuleVersion11')]"
 },
 {
- "kind": "Parser",
- "contentId": "[variables('_parserContentId1')]",
- "version": "[variables('parserVersion1')]"
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
 }
 ]
 },