diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/DataverseSharePointSites.json b/.script/tests/KqlvalidationsTests/CustomFunctions/DataverseSharePointSites.json
new file mode 100644
index 00000000000..3ef6d74d421
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/DataverseSharePointSites.json
@@ -0,0 +1,20 @@
+{
+ "FunctionName": "DataverseSharePointSites",
+ "FunctionParameters": [
+ {
+ "Name": "MSBizAppsConfigurationWatchlistAlias",
+ "Type": "string",
+ "Default": "'MSBizApps-Configuration'"
+ }
+ ],
+ "FunctionResultColumns": [
+ {
+ "Name": "InstanceUrl",
+ "Type": "string"
+ },
+ {
+ "Name": "SharePointUrl",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsNetworkAddresses.json b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsNetworkAddresses.json
new file mode 100644
index 00000000000..84043ffcaa9
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsNetworkAddresses.json
@@ -0,0 +1,24 @@
+{
+ "FunctionName": "MSBizAppsNetworkAddresses",
+ "FunctionParameters": [
+ {
+ "Name": "NetworkAddressesWatchlistAlias",
+ "Type": "string",
+ "Default": "'NetworkAddresses'"
+ }
+ ],
+ "FunctionResultColumns": [
+ {
+ "Name": "IPSubnet",
+ "Type": "string"
+ },
+ {
+ "Name": "RangeName",
+ "Type": "string"
+ },
+ {
+ "Name": "Tags",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsOrgSettings.json b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsOrgSettings.json
new file mode 100644
index 00000000000..fea0b0c2f1c
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsOrgSettings.json
@@ -0,0 +1,18 @@
+{
+ "FunctionName": "MSBizAppsOrgSettings",
+ "FunctionParameters": [],
+ "FunctionResultColumns": [
+ {
+ "Name": "FieldName",
+ "Type": "string"
+ },
+ {
+ "Name": "DisplayName",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsTerminatedEmployees.json b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsTerminatedEmployees.json
new file mode 100644
index 00000000000..d3eef05c1f9
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsTerminatedEmployees.json
@@ -0,0 +1,44 @@
+{
+ "FunctionName": "MSBizAppsTerminatedEmployees",
+ "FunctionParameters": [
+ {
+ "Name": "TerminatedEmployeesWatchlistAlias",
+ "Type": "string",
+ "Default": "'TerminatedEmployees'"
+ }
+ ],
+ "FunctionResultColumns": [
+ {
+ "Name": "UserIdentifier",
+ "Type": "string"
+ },
+ {
+ "Name": "UserAADObjectId",
+ "Type": "string"
+ },
+ {
+ "Name": "UserOnPremSid",
+ "Type": "string"
+ },
+ {
+ "Name": "UserPrincipalName",
+ "Type": "string"
+ },
+ {
+ "Name": "UserState",
+ "Type": "string"
+ },
+ {
+ "Name": "NotificationDate",
+ "Type": "datetime"
+ },
+ {
+ "Name": "TerminationDate",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Tags",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsVIPUsers.json b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsVIPUsers.json
new file mode 100644
index 00000000000..7ddc460e436
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/MSBizAppsVIPUsers.json
@@ -0,0 +1,32 @@
+{
+ "FunctionName": "MSBizAppsVIPUsers",
+ "FunctionParameters": [
+ {
+ "Name": "VIPUsersWatchlistAlias",
+ "Type": "string",
+ "Default": "'VIPUsers'"
+ }
+ ],
+ "FunctionResultColumns": [
+ {
+ "Name": "UserIdentifier",
+ "Type": "string"
+ },
+ {
+ "Name": "UserAADObjectId",
+ "Type": "string"
+ },
+ {
+ "Name": "UserOnPremSid",
+ "Type": "string"
+ },
+ {
+ "Name": "UserPrincipalName",
+ "Type": "string"
+ },
+ {
+ "Name": "Tags",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DataverseActivity.json b/.script/tests/KqlvalidationsTests/CustomTables/DataverseActivity.json
new file mode 100644
index 00000000000..ded14140cb0
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DataverseActivity.json
@@ -0,0 +1,113 @@
+{
+ "Name": "DataverseActivity",
+ "Properties": [
+ {
+ "name": "SourceRecordId",
+ "type": "String"
+ },
+ {
+ "name": "UserAgent",
+ "type": "String"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ },
+ {
+ "name": "Operation",
+ "type": "String"
+ },
+ {
+ "name": "OrganizationId",
+ "type": "String"
+ },
+ {
+ "name": "UserType",
+ "type": "String"
+ },
+ {
+ "name": "UserKey",
+ "type": "String"
+ },
+ {
+ "name": "ResultStatus",
+ "type": "String"
+ },
+ {
+ "name": "OriginalObjectId",
+ "type": "String"
+ },
+ {
+ "name": "UserId",
+ "type": "String"
+ },
+ {
+ "name": "UserUpn",
+ "type": "String"
+ },
+ {
+ "name": "ClientIp",
+ "type": "String"
+ },
+ {
+ "name": "CorrelationId",
+ "type": "String"
+ },
+ {
+ "name": "CrmOrganizationUniqueName",
+ "type": "String"
+ },
+ {
+ "name": "InstanceUrl",
+ "type": "String"
+ },
+ {
+ "name": "ItemUrl",
+ "type": "String"
+ },
+ {
+ "name": "ItemType",
+ "type": "String"
+ },
+ {
+ "name": "Message",
+ "type": "String"
+ },
+ {
+ "name": "EntityId",
+ "type": "String"
+ },
+ {
+ "name": "EntityName",
+ "type": "String"
+ },
+ {
+ "name": "Fields",
+ "type": "Dynamic"
+ },
+ {
+ "name": "Query",
+ "type": "String"
+ },
+ {
+ "name": "QueryResults",
+ "type": "Dynamic"
+ },
+ {
+ "name": "ServiceContextId",
+ "type": "String"
+ },
+ {
+ "name": "ServiceContextIdType",
+ "type": "String"
+ },
+ {
+ "name": "ServiceName",
+ "type": "String"
+ },
+ {
+ "name": "SystemUserId",
+ "type": "String"
+ }
+ ]
+}
\ No newline at end of file
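Review bot: The Kusto type names under `Properties` are PascalCase in this fixture (`"String"`, `"DateTime"`, `"Dynamic"`), while the FinanceOperationsActivity_CL fixture added in the same commit uses lowercase (`"string"`, `"datetime"`, `"dynamic"`, `"long"`, `"int"`), and PowerPlatformAdminActivity uses `"Bool"` where the Kusto scalar type is `bool`. If the KQL validation harness matches these against Kusto scalar type names case-sensitively, one of the two spellings will fail to resolve; if it normalizes case, the mismatch is only stylistic, but the four new CustomTables schemas should still agree with each other and with the existing fixtures in that directory. Suggest settling on one convention, e.g. the lowercase Kusto names `"type": "string"` / `"type": "datetime"` / `"type": "dynamic"`, across DataverseActivity, FinanceOperationsActivity_CL, PowerAutomateActivity and PowerPlatformAdminActivity.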
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/FinanceOperationsActivity_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/FinanceOperationsActivity_CL.json
new file mode 100644
index 00000000000..a36823a55b1
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/FinanceOperationsActivity_CL.json
@@ -0,0 +1,77 @@
+{
+ "Name": "FinanceOperationsActivity_CL",
+ "Properties": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "InstanceName",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "dynamic"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/PowerAutomateActivity.json b/.script/tests/KqlvalidationsTests/CustomTables/PowerAutomateActivity.json
new file mode 100644
index 00000000000..8141fcccfae
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/PowerAutomateActivity.json
@@ -0,0 +1,81 @@
+{
+ "Name": "PowerAutomateActivity",
+ "Properties": [
+ {
+ "name": "EventOriginalUid",
+ "type": "String"
+ },
+ {
+ "name": "RecordType",
+ "type": "String"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ },
+ {
+ "name": "EventOriginalType",
+ "type": "String"
+ },
+ {
+ "name": "OrganizationId",
+ "type": "String"
+ },
+ {
+ "name": "ActorUserType",
+ "type": "String"
+ },
+ {
+ "name": "ActorUserId",
+ "type": "String"
+ },
+ {
+ "name": "EventResult",
+ "type": "String"
+ },
+ {
+ "name": "ObjectId",
+ "type": "String"
+ },
+ {
+ "name": "ActorName",
+ "type": "String"
+ },
+ {
+ "name": "SrcIpAddr",
+ "type": "String"
+ },
+ {
+ "name": "RecipientUpn",
+ "type": "String"
+ },
+ {
+ "name": "FlowConnectorNames",
+ "type": "String"
+ },
+ {
+ "name": "FlowDetailsUrl",
+ "type": "String"
+ },
+ {
+ "name": "LicenseDisplayName",
+ "type": "String"
+ },
+ {
+ "name": "SharingPermission",
+ "type": "String"
+ },
+ {
+ "name": "UserUpn",
+ "type": "String"
+ },
+ {
+ "name": "Workload",
+ "type": "String"
+ },
+ {
+ "name": "AdditionalInfo",
+ "type": "Dynamic"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/PowerPlatformAdminActivity.json b/.script/tests/KqlvalidationsTests/CustomTables/PowerPlatformAdminActivity.json
new file mode 100644
index 00000000000..4641c43cfa0
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/PowerPlatformAdminActivity.json
@@ -0,0 +1,53 @@
+{
+ "Name": "PowerPlatformAdminActivity",
+ "Properties": [
+ {
+ "name": "EventOriginalUid",
+ "type": "String"
+ },
+ {
+ "name": "RecordType",
+ "type": "String"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ },
+ {
+ "name": "EventOriginalType",
+ "type": "String"
+ },
+ {
+ "name": "OrganizationId",
+ "type": "String"
+ },
+ {
+ "name": "ActorUserType",
+ "type": "String"
+ },
+ {
+ "name": "ActorUserId",
+ "type": "String"
+ },
+ {
+ "name": "EventResult",
+ "type": "String"
+ },
+ {
+ "name": "ActorName",
+ "type": "String"
+ },
+ {
+ "name": "Workload",
+ "type": "String"
+ },
+ {
+ "name": "PropertyCollection",
+ "type": "Dynamic"
+ },
+ {
+ "name": "RequiresCustomerKeyEncryption",
+ "type": "Bool"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 63230e4c884..a1c1da3bc8f 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -75,9 +75,11 @@
"Darktrace",
"DarktraceRESTConnector",
"DataminrPulseAlerts",
+ "Dataverse",
"DigitalGuardianDLP",
"DigitalShadows",
"Dynamics365",
+ "Dynamics365Finance",
"EgressDefend",
"ESETEnterpriseInspector",
"ESETPROTECT",
@@ -138,6 +140,8 @@
"Perimeter81ActivityLogs",
"PingFederate",
"PostgreSQL",
+ "PowerAutomate",
+ "PowerPlatformAdmin",
"ProofpointPOD",
"ProofpointTAP",
"ProofpointTAPNativePoller",
diff --git a/ASIM/README.md b/ASIM/README.md
index 34b4322e15a..e07c916fffe 100644
--- a/ASIM/README.md
+++ b/ASIM/README.md
@@ -12,10 +12,11 @@ For more information, see [Normalization and the Advanced Security Information M
-To deploy a single schema use the buttons below:
+To deploy a single schema use the buttons below :
-| ASim Schema | Deploy | Deploy to Azure Gov |
-|-------------|--------| ------------------- |
+| ASim Schema | Deploy | Deploy to Azure Gov |
+| --------------- |-------------|--------|
+|[Alert Event](https://aka.ms/ASimAlertEventDoc)|[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAlertEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAlertEventARMgov) |
| [Audit Event](https://aka.ms/ASimAuditEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAuditEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAuditEventARMgov) |
| [Authentication](https://aka.ms/ASimAuthenticationDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAuthenticationARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAuthenticationARMgov) |
| [Dhcp Event](https://aka.ms/ASimDhcpEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimDhcpEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimDhcpEventARMgov) |
@@ -25,9 +26,4 @@ To deploy a single schema use the buttons below:
| [Process Event](https://aka.ms/ASimProcessEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimProcessEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimProcessEventARMgov) |
| [Registry Event](https://aka.ms/ASimRegistryEventDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimRegistryEventARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimRegistryEventARMgov) |
| [UserManagement](https://aka.ms/ASimUserManagementDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimUserManagementARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimUserManagementARMgov) |
-| [Web Session](https://aka.ms/ASimWebSessionDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimWebSessionARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimWebSessionARMgov)|
-
-
-
-
-
+| [Web Session](https://aka.ms/ASimWebSessionDoc) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimWebSessionARM)| [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimWebSessionARMgov)|
\ No newline at end of file
diff --git a/Logos/GoogleThreatIntelligence.svg b/Logos/GoogleThreatIntelligence.svg
new file mode 100644
index 00000000000..a2f95031797
--- /dev/null
+++ b/Logos/GoogleThreatIntelligence.svg
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AWS S3 WAF connector template.json b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AWS S3 WAF connector template.json
new file mode 100644
index 00000000000..5ab4fe148de
--- /dev/null
+++ b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AWS S3 WAF connector template.json
@@ -0,0 +1,702 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "defaultValue": "[resourceGroup().location]",
+ "minLength": 1,
+ "type": "String",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "defaultValue": "",
+ "type": "String",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "subscription": {
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "type": "String",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "defaultValue": "[resourceGroup().name]",
+ "type": "String",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "String",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "guidValue": {
+ "defaultValue": "[newGuid()]",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_solutionName": "Amazon Web Services S3 WAF",
+ "_solutionVersion": "1.0.0",
+ "_solutionAuthor": "Microsoft",
+ "_packageIcon": "amazon_web_services_Logo.svg",
+ "solutionId": "azuresentinel.azure-sentinel-solution-awss3wafccp-api",
+ "_solutionId": "[variables('solutionId')]",
+ "uiConfigId1": "AwsS3WafCcpDefinition",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorVersionConnectorDefinition": "1.0.0",
+ "dataConnectorVersionConnections": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition": "[variables('uiConfigId1')]",
+ "dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]",
+ "_dataConnectorContentIdConnections": "AwsS3WafCcpTemplateConnections",
+ "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]",
+ "dataType": "AWSWAF",
+ "streamName": "SENTINEL_AWSWAF",
+ "dataCollectionRuleId": "AWSWAF",
+ "descriptionMarkdown": "This connector allows you to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications. These logs contain information such as the time AWS WAF received the request, the specifics of the request, and the action taken by the rule that the request matched.",
+ "_logAnalyticsTableId1": "AWSWAF"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]",
+ "displayName": "[variables('_solutionName')]",
+ "contentKind": "DataConnector",
+ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]",
+ "id": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('dataConnectorTemplateNameConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersionConnectorDefinition')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "[variables('_solutionName')]",
+ "logo": "[variables('_packageIcon')]",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[variables('descriptionMarkdown')]",
+ "graphQueriesTableName": "AWSWAF",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "[variables('_solutionName')]",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": false,
+ "write": false,
+ "delete": false,
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. AWS CloudFormation Deployment \n To configure access on AWS, two templates has been generated to set up the AWS environment to send logs from an S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create). \n 2. Choose the ‘Specify template’ option, then ‘Upload a template file’ by clicking on ‘Choose file’ and selecting the appropriate CloudFormation template file provided below. click ‘Choose file’ and select the downloaded template. \n 3. Click 'Next' and 'Create stack'."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 1: OpenID connect authentication deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "Oidc"
+ ]
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 2: AWS WAF resources deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "AwsWAF"
+ ]
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnValue": "properties.roleArn",
+ "columnName": "Role ARN"
+ },
+ {
+ "columnValue": "properties.sqsUrls[0]",
+ "columnName": "Queue URL"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "title": "Add new controller",
+ "subtitle": "AWS S3 connector",
+ "label": "Add new collector",
+ "instructionSteps": [
+ {
+ "title": "Account details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Role ARN",
+ "type": "text",
+ "name": "roleArn",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Queue URL",
+ "type": "text",
+ "name": "queueUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersionConnectorDefinition')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[variables('dataCollectionRuleId')]",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-AWSWAF"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Microsoft-AWSWAF"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersionConnectorDefinition')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "apiVersion": "2022-09-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "logo": "[variables('_packageIcon')]",
+ "title": "[variables('_solutionName')]",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[variables('descriptionMarkdown')]",
+ "graphQueriesTableName": "AWSWAF",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "[variables('_solutionName')]",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": false,
+ "write": false,
+ "delete": false,
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. AWS CloudFormation Deployment \n To configure access on AWS, two templates has been generated to set up the AWS environment to send logs from an S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create). \n 2. Choose the ‘Specify template’ option, then ‘Upload a template file’ by clicking on ‘Choose file’ and selecting the appropriate CloudFormation template file provided below. click ‘Choose file’ and select the downloaded template. \n 3. Click 'Next' and 'Create stack'."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 1: OpenID connect authentication deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "Oidc"
+ ]
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 2: AWS WAF resources deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "AwsWAF"
+ ]
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the 'Add new collector' button, fill the required information and click on 'Connect'"
+ }
+ },
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnValue": "properties.roleArn",
+ "columnName": "Role ARN"
+ },
+ {
+ "columnValue": "properties.sqsUrls[0]",
+ "columnName": "Queue URL"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "title": "Add new controller",
+ "subtitle": "AWS S3 connector",
+ "label": "Add new collector",
+ "instructionSteps": [
+ {
+ "title": "Account details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Role ARN",
+ "type": "text",
+ "name": "roleArn",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Queue URL",
+ "type": "text",
+ "name": "queueUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersionConnectorDefinition')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "displayName": "[variables('_solutionName')]",
+ "contentKind": "ResourcesDataConnector",
+ "id": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersionConnections')]",
+ "parameters": {
+ "roleArn": {
+ "type": "String",
+ "minLength": 1
+ },
+ "queueUrl": {
+ "type": "String",
+ "minLength": 3
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "connectorDefinitionName",
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "connectorDefinitionName"
+ }
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "type": "object",
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ }
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorVersionConnections')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('uiConfigId1'))]",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "AmazonWebServicesS3",
+ "properties": {
+ "connectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+ "dataTypes": {
+ "logs": {
+ "state": "enabled"
+ }
+ },
+ "dcrConfig": {
+ "streamName": "[variables('streamName')]",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "destinationTable": "[variables('dataCollectionRuleId')]",
+ "dataFormat": {
+ "Format": "Json",
+ "IsCompressed": true,
+ "compressType": "Gzip"
+ },
+ "roleArn": "[[parameters('roleArn')]",
+ "sqsUrls": [
+ "[[parameters('queueUrl')]"
+ ]
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersionConnections')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "[variables('_solutionVersion')]",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "[variables('_solutionName')]",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "[variables('_solutionAuthor')]"
+ },
+ "support": {
+ "name": "[variables('_solutionAuthor')]",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "version": "[variables('dataConnectorVersionConnections')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2022-06-24",
+ "providers": [
+ "[variables('_solutionAuthor')]"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Cloud Security"
+ ]
+ },
+ "contentKind": "Solution",
+ "packageId": "[variables('_solutionId')]",
+ "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
+ "displayName": "[variables('_solutionName')]",
+ "publisherDisplayName": "[variables('_solutionId')]",
+ "descriptionHtml": "test",
+ "icon": "[variables('_packageIcon')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DCR.json b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DCR.json
new file mode 100644
index 00000000000..c33e9cae316
--- /dev/null
+++ b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DCR.json
@@ -0,0 +1,30 @@
+[
+ {
+ "name": "AWSWAF_DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "kind": null,
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-AWSWAF"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ]
+ }
+ ],
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json
new file mode 100644
index 00000000000..3e73e45ce7b
--- /dev/null
+++ b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json
@@ -0,0 +1,169 @@
+{
+ "name": "AwsS3WafCcpDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "AwsS3WafCcpDefinition",
+ "title": "Amazon Web Services S3 WAF",
+ "logo": "amazon_web_services_Logo.svg",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "This connector allows you to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications. These logs contain information such as the time AWS WAF received the request, the specifics of the request, and the action taken by the rule that the request matched.",
+ "graphQueriesTableName": "AWSWAF",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Amazon Web Services S3 WAF",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": false,
+ "write": false,
+ "delete": false,
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. AWS CloudFormation Deployment \n To configure access on AWS, two templates has been generated to set up the AWS environment to send logs from an S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create). \n 2. Choose the ‘Specify template’ option, then ‘Upload a template file’ by clicking on ‘Choose file’ and selecting the appropriate CloudFormation template file provided below. click ‘Choose file’ and select the downloaded template. \n 3. Click 'Next' and 'Create stack'."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 1: OpenID connect authentication deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "Oidc"
+ ]
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 2: AWS WAF resources deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "AwsWAF"
+ ]
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnValue": "properties.roleArn",
+ "columnName": "Role ARN"
+ },
+ {
+ "columnValue": "properties.sqsUrls[0]",
+ "columnName": "Queue URL"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "title": "Add new controller",
+ "subtitle": "AWS S3 connector",
+ "label": "Add new collector",
+ "instructionSteps": [
+ {
+ "title": "Account details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Role ARN",
+ "type": "text",
+ "name": "roleArn",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Queue URL",
+ "type": "text",
+ "name": "queueUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+}
\ No newline at end of file
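Review bot: The `lastDataReceivedQuery` under `dataTypes` filters on `name_s == "no data test"`, a placeholder column and value the AWSWAF table is not expected to contain, so the connector's "last data received" indicator will report nothing even while events flow; drop that clause: `{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)`. The `permissions` block also asks for `action` on `Microsoft.OperationalInsights/workspaces/sharedKeys` and `delete` on the workspace, yet this connector authenticates to AWS through the OIDC role (`roleArn`, `sqsUrls`) and ingests through a DCR, so the shared-key requirement looks carried over from the legacy agent-based connector and should be removed unless the backend demonstrably reads workspace keys — requiring more than the connector uses works against least privilege. Minor: the context pane `title` says "Add new controller" while its `label` and the step text say "Add new collector", and the file name is spelled `Defination`.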
diff --git a/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json
new file mode 100644
index 00000000000..526e4132068
--- /dev/null
+++ b/Solutions/Amazon Web Services/Data Connectors/AWS_WAF_CCP/AwsS3_WAF_PollingConfig.json
@@ -0,0 +1,64 @@
+[
+ {
+ "name": "AwsS3 WAF Pollinf Config",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "AmazonWebServicesS3",
+ "properties": {
+ "connectorDefinitionName": "AwsS3WafCcpDefinition",
+ "dataTypes": {
+ "logs": {
+ "state": "enabled"
+ }
+ },
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "{{ApiToken}}",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[format('{0}/api/v1/signinattempts', {{baseUrl}})]",
+ "httpMethod": "Post",
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "rateLimitQps": 1,
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
+ "isPostPayloadJson": true
+ },
+ "response": {
+ "format": "json",
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageParaName": "cursor",
+ "nextPageTokenJsonPath": "$.cursor",
+ "hasNextFlagJsonPath": "$.has_more"
+ },
+ "dcrConfig": {
+ "streamName": "SENTINEL_AWSWAF",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "destinationTable": "",
+ "dataFormat": {
+ "Format": "Json",
+ "IsCompressed": true,
+ "compressType": "Gzip"
+ },
+ "roleArn": "[[parameters('roleArn')]",
+ "sqsUrls": [
+ "[[parameters('queueUrl')]"
+ ]
+ }
+ }
+]
\ No newline at end of file
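Review bot: The `auth`, `request`, `response` and `paging` blocks in this `AmazonWebServicesS3` connector are REST-polling settings for a different connector kind — an `APIKey` bearer token filled from `{{ApiToken}}`, a POST to `{0}/api/v1/signinattempts` and cursor paging have no meaning for an S3/SQS poller that authenticates with `roleArn` — and they look copy-pasted; remove them so an unresolved `ApiToken` placeholder and a foreign endpoint never end up in a deployed connector resource. `dcrConfig.streamName` is `SENTINEL_AWSWAF` while the DCR added in this change declares `Microsoft-AWSWAF` as its stream, and `destinationTable` is empty; if the backend routes by stream name the mismatch would silently drop data, so align it with the DCR (verify against how the existing AWS S3 connector sets these). The resource `name` also reads "AwsS3 WAF Pollinf Config".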
diff --git a/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json b/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json
index 74909f5a0bf..ca9e0746a88 100644
--- a/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json
+++ b/Solutions/Amazon Web Services/Data/Solution_AmazonWebServices.json
@@ -5,7 +5,8 @@
"Description": "The Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch. ",
"Data Connectors": [
"Data Connectors/template_AWS.JSON",
- "Data Connectors/template_AwsS3.JSON"
+ "Data Connectors/template_AwsS3.JSON",
+ "Data Connectors/AWS_WAF_CCP/AwsS3_WAF_DataConnectorDefination.json"
],
"Workbooks": [
"Workbooks/AmazonWebServicesNetworkActivities.json",
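Review bot: The solution `Description` on the context line above still lists only CloudTrail, VPC Flow Logs, GuardDuty and CloudWatch, but the new entry registers a WAF connector, so the text published to the content hub will understate what the package installs; extend it, e.g. `... AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty, AWS CloudWatch and AWS WAF.` The same description is mirrored into createUiDefinition.json, which this change regenerates, so fixing it here keeps both in sync.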
diff --git a/Solutions/Amazon Web Services/Package/3.0.3.zip b/Solutions/Amazon Web Services/Package/3.0.3.zip
index 7c6c7e791fe..1ccab4510aa 100644
Binary files a/Solutions/Amazon Web Services/Package/3.0.3.zip and b/Solutions/Amazon Web Services/Package/3.0.3.zip differ
diff --git a/Solutions/Amazon Web Services/Package/createUiDefinition.json b/Solutions/Amazon Web Services/Package/createUiDefinition.json
index f4ef3ac96fd..bf206357250 100644
--- a/Solutions/Amazon Web Services/Package/createUiDefinition.json
+++ b/Solutions/Amazon Web Services/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch. \n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 57, **Hunting Queries:** 36\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch. \n\n**Data Connectors:** 3, **Workbooks:** 2, **Analytic Rules:** 57, **Hunting Queries:** 36\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -63,13 +63,6 @@
"text": "This Solution installs the data connector for Amazon Web Services. You can get Amazon Web Services custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
- {
- "name": "dataconnectors2-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Amazon Web Services. You can get Amazon Web Services custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/Amazon Web Services/Package/mainTemplate.json b/Solutions/Amazon Web Services/Package/mainTemplate.json
index 14c8a265dab..34b4f258c68 100644
--- a/Solutions/Amazon Web Services/Package/mainTemplate.json
+++ b/Solutions/Amazon Web Services/Package/mainTemplate.json
@@ -28,6 +28,20 @@
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
"workbook1-name": {
"type": "string",
"defaultValue": "AWS Network Activities",
@@ -68,12 +82,19 @@
"dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
"dataConnectorVersion2": "1.0.0",
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition3": "AwsS3WafCcpDefinition",
+ "dataConnectorTemplateNameConnectorDefinition3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition3')))]",
+ "_dataConnectorContentIdConnections3": "AwsS3WafCcpDefinitionConnections",
+ "dataConnectorTemplateNameConnections3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections3')))]",
+ "dataCollectionEndpointId3": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "AmazonWebServicesNetworkActivitiesWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"workbookVersion2": "1.0.0",
"workbookContentId2": "AmazonWebServicesUserActivitiesWorkbook",
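Review bot: `dataCollectionEndpointId3` is assembled by string concatenation to a DCE named after the workspace inside `parameters('resourceGroupName')`, but nothing visible in this change deploys that `Microsoft.Insights/dataCollectionEndpoints` resource, so the DCR that references it will fail to deploy (or bind to an unrelated endpoint) unless the operator pre-created one with exactly that name — either deploy the DCE in the same template with a `dependsOn`, or state the precondition in the new parameters' `description` text. Building the id as `[resourceId(parameters('subscription'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', parameters('workspace'))]` avoids the hand-rolled path, and `[subscription().subscriptionId]` is the idiomatic form of `[last(split(subscription().id, '/'))]`. The `blanks` variable (`replace('b', 'b', '')`) appears to exist only to emit an empty string for a DCR `kind` further down; omitting `kind` altogether would be cleaner if the packaging tool allows it.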
@@ -292,11 +313,11 @@
"_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f8ea7d50-e33b-4b9d-9c3e-a59fcbcee281','-', '1.0.2')))]"
},
"analyticRuleObject31": {
- "analyticRuleVersion31": "1.0.4",
+ "analyticRuleVersion31": "1.0.2",
"_analyticRulecontentId31": "60dfc193-0f73-4279-b43c-110ade02b201",
"analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '60dfc193-0f73-4279-b43c-110ade02b201')]",
"analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('60dfc193-0f73-4279-b43c-110ade02b201')))]",
- "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60dfc193-0f73-4279-b43c-110ade02b201','-', '1.0.4')))]"
+ "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60dfc193-0f73-4279-b43c-110ade02b201','-', '1.0.2')))]"
},
"analyticRuleObject32": {
"analyticRuleVersion32": "1.0.1",
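Review bot: `analyticRuleVersion31` and its `_analyticRulecontentProductId31` go backwards from 1.0.4 to 1.0.2 for rule `60dfc193-0f73-4279-b43c-110ade02b201`, which is a regression rather than a bump — the generated mainTemplate appears to have been built from a stale checkout, and the content hub would then see an older version than what is already published, so customers are not offered the 1.0.4 rule changes. Regenerate the package from the current rule definition (its version is outside this chunk) instead of committing the downgrade.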
@@ -870,6 +891,20 @@
"baseQuery": "AWSCloudWatch"
}
],
+ "sampleQueries": [
+ {
+ "description": "High severity findings summarized by activity type",
+ "query": "AWSGuardDuty\n | where Severity > 7\n | summarize count() by ActivityType"
+ },
+ {
+ "description": "Top 10 rejected actions of type IPv4",
+ "query": "AWSVPCFlow\n | where Action == \"REJECT\"\n | where Type == \"IPv4\"\n | take 10"
+ },
+ {
+ "description": "User creation events summarized by region",
+ "query": "AWSCloudTrail\n | where EventName == \"CreateUser\"\n | summarize count() by AWSRegion"
+ }
+ ],
"connectivityCriterias": [
{
"type": "SentinelKinds",
@@ -1031,6 +1066,592 @@
}
}
},
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition3'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]",
+ "displayName": "Amazon Web Services S3 WAF",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "AwsS3WafCcpDefinition",
+ "title": "Amazon Web Services S3 WAF",
+ "logo": "amazon_web_services_Logo.svg",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "This connector allows you to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications. These logs contain information such as the time AWS WAF received the request, the specifics of the request, and the action taken by the rule that the request matched.",
+ "graphQueriesTableName": "AWSWAF",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Amazon Web Services S3 WAF",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": false,
+ "write": false,
+ "delete": false,
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. AWS CloudFormation Deployment \n To configure access on AWS, two templates has been generated to set up the AWS environment to send logs from an S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create). \n 2. Choose the ‘Specify template’ option, then ‘Upload a template file’ by clicking on ‘Choose file’ and selecting the appropriate CloudFormation template file provided below. click ‘Choose file’ and select the downloaded template. \n 3. Click 'Next' and 'Create stack'."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 1: OpenID connect authentication deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "Oidc"
+ ]
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 2: AWS WAF resources deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "AwsWAF"
+ ]
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnValue": "properties.roleArn",
+ "columnName": "Role ARN"
+ },
+ {
+ "columnValue": "properties.sqsUrls[0]",
+ "columnName": "Queue URL"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "title": "Add new controller",
+ "subtitle": "AWS S3 connector",
+ "label": "Add new collector",
+ "instructionSteps": [
+ {
+ "title": "Account details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Role ARN",
+ "type": "text",
+ "name": "roleArn",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Queue URL",
+ "type": "text",
+ "name": "queueUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "AWSWAF_DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-AWSWAF"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ]
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId3')]"
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition3'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "AwsS3WafCcpDefinition",
+ "title": "Amazon Web Services S3 WAF",
+ "logo": "amazon_web_services_Logo.svg",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "This connector allows you to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications. These logs contain information such as the time AWS WAF received the request, the specifics of the request, and the action taken by the rule that the request matched.",
+ "graphQueriesTableName": "AWSWAF",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Amazon Web Services S3 WAF",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": false,
+ "write": false,
+ "delete": false,
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 1. AWS CloudFormation Deployment \n To configure access on AWS, two templates has been generated to set up the AWS environment to send logs from an S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create). \n 2. Choose the ‘Specify template’ option, then ‘Upload a template file’ by clicking on ‘Choose file’ and selecting the appropriate CloudFormation template file provided below. click ‘Choose file’ and select the downloaded template. \n 3. Click 'Next' and 'Create stack'."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 1: OpenID connect authentication deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "Oidc"
+ ]
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Template 2: AWS WAF resources deployment",
+ "isMultiLine": true,
+ "fillWith": [
+ "AwsWAF"
+ ]
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnValue": "properties.roleArn",
+ "columnName": "Role ARN"
+ },
+ {
+ "columnValue": "properties.sqsUrls[0]",
+ "columnName": "Queue URL"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "title": "Add new controller",
+ "subtitle": "AWS S3 connector",
+ "label": "Add new collector",
+ "instructionSteps": [
+ {
+ "title": "Account details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Role ARN",
+ "type": "text",
+ "name": "roleArn",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Queue URL",
+ "type": "text",
+ "name": "queueUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections3'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "displayName": "Amazon Web Services S3 WAF",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "apikey": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "baseUrl": {
+ "defaultValue": "Enter baseUrl value",
+ "type": "string",
+ "minLength": 1
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Amazon Web Services S3 WAF",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "roleArn": {
+ "defaultValue": "roleArn",
+ "type": "string",
+ "minLength": 1
+ },
+ "queueUrl": {
+ "defaultValue": "queueUrl",
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections3": "[variables('_dataConnectorContentIdConnections3')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections3')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections3'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'AwsS3 WAF Pollinf Config')]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "AmazonWebServicesS3",
+ "properties": {
+ "connectorDefinitionName": "AwsS3WafCcpDefinition",
+ "dataTypes": {
+ "logs": {
+ "state": "enabled"
+ }
+ },
+ "dcrConfig": {
+ "streamName": "SENTINEL_AWSWAF",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "destinationTable": "",
+ "dataFormat": {
+ "Format": "Json",
+ "IsCompressed": true,
+ "compressType": "Gzip"
+ },
+ "roleArn": "[[parameters('roleArn')]",
+ "sqsUrls": [
+ "[[parameters('queueUrl')]"
+ ]
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections3'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -2564,11 +3185,11 @@
}
],
"customDetails": {
+ "DetectionMechanism": "DetectionMechanism",
"ThreatFamilyName": "ThreatFamilyName",
"ResourceTypeAffected": "ResourceTypeAffected",
- "Artifact": "Artifact",
"ThreatPurpose": "ThreatPurpose",
- "DetectionMechanism": "DetectionMechanism"
+ "Artifact": "Artifact"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}}",
@@ -4925,7 +5546,7 @@
"description": "An overly permissive key policy was created, resulting in KMS keys where the kms:Encrypt action is accessible to everyone (even outside of the organization). This could mean that your account is compromised and that the attacker is using the encryption key to compromise other organizations.",
"displayName": "Suspicious overly permissive KMS key policy created",
"enabled": false,
- "query": "let kmsActions = dynamic([\"kms:Encrypt\", \"kms:*\"]); //Add other overly permissive APIs to this list.\nAWSCloudTrail\n| where EventName in (\"CreateKey\",\"PutKeyPolicy\") and isempty(ErrorCode) and isempty(ErrorMessage)\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policy))).Statement\n| mvexpand Statement\n| extend Action = tostring(parse_json(Statement).Action), Effect = tostring(parse_json(Statement).Effect), Principal = iff(isnotempty(tostring(parse_json(Statement).Principal.AWS)),tostring(parse_json(Statement).Principal.AWS), tostring(parse_json(Statement).Principal))\n| where Effect =~ \"Allow\" and Action has_any (kmsActions) and Principal == \"*\" \n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| extend timestamp = TimeGenerated\n",
+ "query": "AWSCloudTrail\n| where EventName in (\"CreateKey\",\"PutKeyPolicy\") and isempty(ErrorCode) and isempty(ErrorMessage)\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policy))).Statement\n| mvexpand Statement\n| extend Action = tostring(parse_json(Statement).Action), Effect = tostring(parse_json(Statement).Effect), Principal = iff(isnotempty(tostring(parse_json(Statement).Principal.AWS)),tostring(parse_json(Statement).Principal.AWS), tostring(parse_json(Statement).Principal))\n| where Effect =~ \"Allow\" and (Action == \"kms:Encrypt\" or Action == \"kms:*\") and Principal == \"*\"\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| extend timestamp = TimeGenerated\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
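Review bot: The new `(Action == "kms:Encrypt" or Action == "kms:*")` test on the query line only fires when a statement's Action is a single string; key policies routinely list Action as a JSON array, and `tostring()` of that array yields `["kms:Encrypt","kms:Decrypt"]`, which the removed `has_any (kmsActions)` still caught and the exact comparison now silently misses, so the rule under-detects after this change. The comparison is also case-sensitive, whereas IAM action names are not (and `has_any` was case-insensitive). Expanding the actions before filtering covers both: drop `Action = tostring(parse_json(Statement).Action)` from the `extend`, add `| mv-expand Action = parse_json(Statement).Action` right after it, and filter with `| where Effect =~ "Allow" and tostring(Action) in~ ("kms:Encrypt", "kms:*") and Principal == "*"`. If the exact match was introduced because `has_any` term-matching did not treat `kms:*` as one term, `in~` on the expanded values avoids that problem too. The rest of the rule definition (entity mappings, tactics) continues outside the hunk.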
@@ -8104,9 +8725,9 @@
}
],
"customDetails": {
+ "SourceIpAddress": "SourceIpAddress",
"AWSUser": "UserIdentityArn",
- "UserAgent": "UserAgent",
- "SourceIpAddress": "SourceIpAddress"
+ "UserAgent": "UserAgent"
}
}
},
@@ -11185,7 +11806,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "Amazon Web Services",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch.
\nData Connectors: 2, Workbooks: 2, Analytic Rules: 57, Hunting Queries: 36
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch.
\nData Connectors: 3, Workbooks: 2, Analytic Rules: 57, Hunting Queries: 36
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
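Review bot: The connector count is bumped to 3, but the sentence listing what the solution ingests still names only the CloudTrail platform, VPC Flow Logs, GuardDuty and CloudWatch; the third connector this change adds is the Amazon Web Services S3 WAF connector, so the description should say so, e.g. `... ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty, AWS CloudWatch and AWS WAF logs delivered via S3.` The same source list presumably appears in the solution's createUiDefinition description, which is not in view here and should be kept in step.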
@@ -11219,6 +11840,11 @@
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
},
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections3')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
@@ -11710,4 +12336,4 @@
}
],
"outputs": {}
-}
+}
\ No newline at end of file
diff --git a/Solutions/Amazon Web Services/Package/testParameters.json b/Solutions/Amazon Web Services/Package/testParameters.json
index 55796e4d5e2..4bcaa52613e 100644
--- a/Solutions/Amazon Web Services/Package/testParameters.json
+++ b/Solutions/Amazon Web Services/Package/testParameters.json
@@ -21,6 +21,20 @@
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
"workbook1-name": {
"type": "string",
"defaultValue": "AWS Network Activities",
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip
index f78fab29def..9878cbaf859 100644
Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip differ
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py
index cc24aa45cdf..bce10d3d3af 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py
@@ -107,7 +107,7 @@ async def main(mytimer: func.TimerRequest):
logging.info("Got message with MessageId {}. Start processing {} files from Bucket: {}. Path prefix: {}. Timestamp: {}.".format(msg["MessageId"], body_obj["fileCount"], body_obj["bucket"], body_obj["pathPrefix"], body_obj["timestamp"]))
diffFromNow = int(time.time()*1000) - int(body_obj["timestamp"])
- if diffFromNow >= 3600:
+ if diffFromNow >= 3600000:
logging.warn("More than 1 hour old records are getting processed now. This indicates requirement for additional function app.")
await download_message_files_queue(mainQueueHelper, backlogQueueHelper, msg["MessageId"], body_obj)
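Review bot: The correction is right — `diffFromNow` is derived from `int(time.time()*1000)`, so the old `3600` compared milliseconds against a seconds threshold and logged the warning for anything older than 3.6 s — but `3600000` is now a bare magic number that only the log text explains; name it at module level, `ONE_HOUR_MS = 60 * 60 * 1000`, and write `if diffFromNow >= ONE_HOUR_MS:`. `logging.warn` is a deprecated alias and should be `logging.warning`. This assumes `body_obj["timestamp"]` is epoch milliseconds, as the subtraction implies; a one-line comment stating that would help, since an epoch-seconds producer would make every message look more than an hour old. The enclosing `main` coroutine starts outside the hunk.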
diff --git a/Solutions/Google Threat Intelligence/Data/Solution_GoogleThreatIntelligence.json b/Solutions/Google Threat Intelligence/Data/Solution_GoogleThreatIntelligence.json
new file mode 100644
index 00000000000..b0b5912d6ec
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Data/Solution_GoogleThreatIntelligence.json
@@ -0,0 +1,25 @@
+{
+ "Name": "Google Threat Intelligence",
+ "Author": "Google",
+ "Logo": " ",
+ "Description": "This Google Threat Intelligence Solution contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from Google Threat Intelligence. Enriched information can help drive focused investigations in Security Operations.",
+ "Data Connectors": [],
+ "Parsers": [],
+ "Hunting Queries": [],
+ "Analytic Rules": [],
+ "Workbooks": [],
+ "Playbooks": [
+ "Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json",
+ "Playbooks/GTIEnrichment/GTI-EnrichIncident/azuredeploy.json",
+ "Playbooks/GTIEnrichment/GTI-EnrichAlert/azuredeploy.json",
+ "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichIP/azuredeploy.json",
+ "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichURL/azuredeploy.json",
+ "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichFilehash/azuredeploy.json",
+ "Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichDomain/azuredeploy.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Threat Intelligence",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "StaticDataConnectorIds": []
+}
\ No newline at end of file
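Review bot: `BasePath` is a developer-machine absolute path (`C:\\GitHub\\Azure-Sentinel\\...`) committed into the solution descriptor, so regenerating the package on another machine or in CI requires editing it first; make it repo-relative (or follow whatever convention the other `Solution_*.json` descriptors in this repo use — not visible here). The `Description` says enrichment covers IPs, file hashes and URLs, yet the playbook list includes `GTI-EnrichDomain`, so domains should be added to the sentence (it is repeated verbatim in createUiDefinition.json). `Logo` is a single space rather than an image reference, which presumably renders as no logo — confirm that is intended before publishing.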
diff --git a/Solutions/Google Threat Intelligence/Package/3.0.0.zip b/Solutions/Google Threat Intelligence/Package/3.0.0.zip
new file mode 100644
index 00000000000..1d2f78108f0
Binary files /dev/null and b/Solutions/Google Threat Intelligence/Package/3.0.0.zip differ
diff --git a/Solutions/Google Threat Intelligence/Package/createUiDefinition.json b/Solutions/Google Threat Intelligence/Package/createUiDefinition.json
new file mode 100644
index 00000000000..724e2e699ed
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Package/createUiDefinition.json
@@ -0,0 +1,89 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis Google Threat Intelligence Solution contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from Google Threat Intelligence. Enriched information can help drive focused investigations in Security Operations.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "playbooks",
+ "label": "Playbooks",
+ "subLabel": {
+ "preValidation": "Configure the playbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Playbooks",
+ "elements": [
+ {
+ "name": "playbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ }
+ },
+ {
+ "name": "playbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
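Review bot: The workspace dropdown's `allowedValues` and the `workspace-location` output both pick workspaces with `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring test against the whole resource id, so a resource group whose name is a substring of another (`sec` vs `security-rg`) lists workspaces from other groups and can emit the wrong deployment location. Matching the path segment removes the ambiguity: `contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))` in both places. This appears to be the shared generated boilerplate used by other solutions, in which case the fix belongs in the generator rather than this one file. The `basics.description` also says enrichment covers IPs, file hashes and URLs while the package ships a `GTI-EnrichDomain` playbook; add domains to that sentence.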
diff --git a/Solutions/Google Threat Intelligence/Package/mainTemplate.json b/Solutions/Google Threat Intelligence/Package/mainTemplate.json
new file mode 100644
index 00000000000..67378ee9a68
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Package/mainTemplate.json
@@ -0,0 +1,3363 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Google",
+ "comments": "Solution template for Google Threat Intelligence"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "Google Threat Intelligence",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "google.azure-sentinel-solution-google",
+ "_solutionId": "[variables('solutionId')]",
+ "GTICustomConnector": "GTICustomConnector",
+ "_GTICustomConnector": "[variables('GTICustomConnector')]",
+ "TemplateEmptyArray": "[json('[]')]",
+ "playbookVersion1": "1.0",
+ "playbookContentId1": "GTICustomConnector",
+ "_playbookContentId1": "[variables('playbookContentId1')]",
+ "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
+ "GTI-EnrichIncident": "GTI-EnrichIncident",
+ "_GTI-EnrichIncident": "[variables('GTI-EnrichIncident')]",
+ "playbookVersion2": "2.8",
+ "playbookContentId2": "GTI-EnrichIncident",
+ "_playbookContentId2": "[variables('playbookContentId2')]",
+ "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
+ "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
+ "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
+ "GTI-EnrichAlert": "GTI-EnrichAlert",
+ "_GTI-EnrichAlert": "[variables('GTI-EnrichAlert')]",
+ "playbookVersion3": "2.8",
+ "playbookContentId3": "GTI-EnrichAlert",
+ "_playbookContentId3": "[variables('playbookContentId3')]",
+ "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
+ "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
+ "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
+ "GTI-EnrichIP": "GTI-EnrichIP",
+ "_GTI-EnrichIP": "[variables('GTI-EnrichIP')]",
+ "playbookVersion4": "2.8",
+ "playbookContentId4": "GTI-EnrichIP",
+ "_playbookContentId4": "[variables('playbookContentId4')]",
+ "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
+ "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
+ "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
+ "GTI-EnrichURL": "GTI-EnrichURL",
+ "_GTI-EnrichURL": "[variables('GTI-EnrichURL')]",
+ "playbookVersion5": "2.8",
+ "playbookContentId5": "GTI-EnrichURL",
+ "_playbookContentId5": "[variables('playbookContentId5')]",
+ "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
+ "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
+ "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
+ "GTI-EnrichFilehash": "GTI-EnrichFilehash",
+ "_GTI-EnrichFilehash": "[variables('GTI-EnrichFilehash')]",
+ "playbookVersion6": "2.8",
+ "playbookContentId6": "GTI-EnrichFilehash",
+ "_playbookContentId6": "[variables('playbookContentId6')]",
+ "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
+ "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
+ "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
+ "GTI-EnrichDomain": "GTI-EnrichDomain",
+ "_GTI-EnrichDomain": "[variables('GTI-EnrichDomain')]",
+ "playbookVersion7": "2.8",
+ "playbookContentId7": "GTI-EnrichDomain",
+ "_playbookContentId7": "[variables('playbookContentId7')]",
+ "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
+ "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
+ "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GTICustomConnector Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+ "ConnectorName": {
+ "defaultValue": "GoogleThreatIntelligence-CustomConnector",
+ "type": "String",
+ "metadata": {
+ "description": "Google Threat Intelligence Custom Connector"
+ }
+ },
+ "BackendService": {
+ "defaultValue": "https://www.virustotal.com/api/v3",
+ "type": "String",
+ "metadata": {
+ "description": "Google Threat Intelligence API"
+ }
+ }
+ },
+ "variables": {
+ "operationId-get_file": "get_file",
+ "_operationId-get_file": "[[variables('operationId-get_file')]",
+ "operationId-get_ip": "get_ip",
+ "_operationId-get_ip": "[[variables('operationId-get_ip')]",
+ "operationId-get_domain": "get_domain",
+ "_operationId-get_domain": "[[variables('operationId-get_domain')]",
+ "operationId-get_url": "get_url",
+ "_operationId-get_url": "[[variables('operationId-get_url')]",
+ "operationId-post_file": "post_file",
+ "_operationId-post_file": "[[variables('operationId-post_file')]",
+ "operationId-retrieve_url_file": "retrieve_url_file",
+ "_operationId-retrieve_url_file": "[[variables('operationId-retrieve_url_file')]",
+ "operationId-analyze_url": "analyze_url",
+ "_operationId-analyze_url": "[[variables('operationId-analyze_url')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "playbookContentId1": "GTICustomConnector",
+ "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('ConnectorName'))]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/customApis",
+ "apiVersion": "2016-06-01",
+ "name": "[[parameters('ConnectorName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "connectionParameters": {
+ "api_key": {
+ "type": "securestring"
+ }
+ },
+ "backendService": {
+ "serviceUrl": "[[parameters('BackendService')]"
+ },
+ "capabilities": "[variables('TemplateEmptyArray')]",
+ "brandColor": "#FFFFFF",
+ "description": "This connector provides access to various Google Threat Intelligence API endpoints for retrieving file, IP, domain, and URL analysis reports.",
+ "displayName": "[[parameters('ConnectorName')]",
+ "iconUri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/GoogleThreatIntelligence.svg",
+ "swagger": {
+ "swagger": "2.0",
+ "info": {
+ "title": "Google Threat Intelligence",
+ "description": "This connector provides access to various Google Threat Intelligence API endpoints for retrieving file, IP, domain, and URL analysis reports.",
+ "version": "1.0",
+ "contact": {
+ "name": "Google Threat Intelligence",
+ "url": "https://www.virustotal.com/gui/contact-us/support"
+ }
+ },
+ "x-ms-connector-metadata": [
+ {
+ "propertyName": "Website",
+ "propertyValue": "https://www.virustotal.com"
+ },
+ {
+ "propertyName": "Privacy policy",
+ "propertyValue": "https://virustotal.readme.io/docs/historic-privacy-policy"
+ },
+ {
+ "propertyName": "Categories",
+ "propertyValue": "Data"
+ }
+ ],
+ "host": "www.virustotal.com",
+ "basePath": "/api/v3",
+ "schemes": [
+ "https"
+ ],
+ "consumes": "[variables('TemplateEmptyArray')]",
+ "produces": "[variables('TemplateEmptyArray')]",
+ "paths": {
+ "/files/{id}": {
+ "get": {
+ "summary": "Get File Report",
+ "description": "Retrieve detailed analysis report for a specific file by its ID.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The unique identifier (SHA-256 hash) of the file."
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of object being analyzed (in this case, \"file\")."
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The URL to retrieve this file's report."
+ }
+ },
+ "description": "Links to related resources."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "type_extension": {
+ "type": "string",
+ "description": "The file extension (if available)."
+ },
+ "times_submitted": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of times this file has been submitted to Google Threat Intelligence."
+ },
+ "meaningful_name": {
+ "type": "string",
+ "description": "A human-readable name for the file (if available)."
+ },
+ "sha1": {
+ "type": "string",
+ "description": "The SHA-1 hash of the file."
+ },
+ "magic": {
+ "type": "string",
+ "description": "A textual description of the file type, as determined by libmagic."
+ },
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying this file as harmless.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying this file as malicious.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "Aggregated votes from the community."
+ },
+ "type_tag": {
+ "type": "string",
+ "description": "A high-level categorization of the file type (e.g., \"PE executable\", \"PDF document\")."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that detected the file as malicious in the latest analysis.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that detected the file as suspicious in the latest analysis.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that did not detect any threats in the file in the latest analysis.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that explicitly classified the file as harmless in the latest analysis.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that timed out during the latest analysis.",
+ "title": "last analysis timeout"
+ },
+ "confirmed-timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that experienced a confirmed timeout during the latest analysis.",
+ "title": "last analysis confirmed-timeout"
+ },
+ "failure": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that encountered an error during the latest analysis.",
+ "title": "last analysis failure"
+ },
+ "type-unsupported": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that do not support the analysis of this file type.",
+ "title": "last analysis type-unsupported"
+ }
+ },
+ "description": "Statistics from the latest analysis."
+ },
+ "ssdeep": {
+ "type": "string",
+ "description": "The ssdeep fuzzy hash of the file, used for similarity comparison."
+ },
+ "type_description": {
+ "type": "string",
+ "description": "A more detailed description of the file type (e.g., \"Microsoft Word Document\")."
+ },
+ "tlsh": {
+ "type": "string",
+ "description": "The TLSH fuzzy hash of the file, used for similarity comparison."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The reputation score of the file, calculated based on various factors."
+ },
+ "sha256": {
+ "type": "string",
+ "description": "The SHA-256 hash of the file."
+ },
+ "unique_sources": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of unique sources from which this file has been submitted."
+ },
+ "names": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "A list of names associated with the file."
+ },
+ "tags": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Tags associated with the file, providing additional context or categorization."
+ },
+ "last_submission_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp of the last time this file was submitted to Google Threat Intelligence."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp of the last modification date of the file (if available)."
+ },
+ "size": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The size of the file in bytes."
+ },
+ "md5": {
+ "type": "string",
+ "description": "The MD5 hash of the file."
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by Google Threat Intelligence's GTI (e.g., \"SEVERITY_NONE\", \"SEVERITY_LOW\", etc.).",
+ "title": "severity"
+ }
+ },
+ "description": "The severity assessment of the file."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by Google Threat Intelligence's GTI, indicating the likelihood of the file being malicious.",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assessment of the file."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict of the file's analysis by Google Threat Intelligence's GTI (e.g., \"VERDICT_UNDETECTED\", \"VERDICT_MALICIOUS\", etc.).",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict of the file's analysis."
+ },
+ "description": {
+ "type": "string",
+ "description": "A textual description of the GTI assessment."
+ }
+ },
+ "description": "GTI's (Google Threat Intelligence) assessment of the file."
+ }
+ },
+ "description": "Attributes and metadata associated with the file."
+ }
+ },
+ "description": "Data containing the file report."
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-get_file')]",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "File ID",
+ "description": "Hash value of the file",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/ip_addresses/{ip}": {
+ "get": {
+ "summary": "Get IP Report",
+ "description": "Retrieve analysis and reputation information about a specific IP address.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The unique identifier for this IP address report."
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of object represented."
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The URL to retrieve this IP address report."
+ }
+ },
+ "description": "Links to related resources."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Autonomous System Number (ASN) associated with the IP address."
+ },
+ "network": {
+ "type": "string",
+ "description": "The network or CIDR block the IP address belongs to."
+ },
+ "last_https_certificate_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date of the last HTTPS certificate seen for this IP address (Unix timestamp)."
+ },
+ "country": {
+ "type": "string",
+ "description": "The country associated with the IP address."
+ },
+ "as_owner": {
+ "type": "string",
+ "description": "The name of the organization that owns the ASN associated with the IP address."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The reputation score of the IP address (-100 to 100)."
+ },
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying the IP address as harmless.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying the IP address as malicious.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "The breakdown of votes on the IP address's maliciousness."
+ },
+ "whois": {
+ "type": "string",
+ "description": "The raw WHOIS data for the IP address."
+ },
+ "tags": {
+ "type": "array",
+ "description": "Tags associated with the IP address based on community analysis."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the IP address as malicious.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the IP address as suspicious.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that did not detect the IP address as malicious or suspicious.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the IP address as harmless.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis of the IP address.",
+ "title": "last analysis timeout"
+ }
+ },
+ "description": "Statistics from the last analysis of the IP address."
+ },
+ "whois_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date the WHOIS data was last updated."
+ },
+ "regional_internet_registry": {
+ "type": "string",
+ "description": "The Regional Internet Registry (RIR) responsible for the IP address."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date the IP address report was last modified."
+ },
+ "continent": {
+ "type": "string",
+ "description": "The continent where the IP address is located."
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by GTI.",
+ "title": "severity"
+ }
+ },
+ "description": "The severity level assigned by GTI."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by GTI (0-100).",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assigned by GTI (0-100)."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict from GTI.",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict from GTI."
+ },
+ "contributing_factors": {
+ "type": "object",
+ "properties": {
+ "mandiant_confidence_score": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The confidence score assigned by Mandiant (0-100)."
+ },
+ "normalised_categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Normalized categories associated with the IP address."
+ },
+ "pervasive_indicator": {
+ "type": "boolean",
+ "description": "Indicates if the IP address is a pervasive indicator."
+ },
+ "safebrowsing_verdict": {
+ "type": "string",
+ "description": "The verdict from Google Safe Browsing."
+ }
+ },
+ "description": "Factors contributing to the GTI assessment."
+ },
+ "description": {
+ "type": "string",
+ "description": "A description of the GTI assessment."
+ }
+ },
+ "description": "Google Threat Intelligence (GTI) assessment of the IP address."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-get_ip')]",
+ "parameters": [
+ {
+ "name": "ip",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "Ip address",
+ "description": "Ip address to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/domains/{id}": {
+ "get": {
+ "summary": "Get Domain Report",
+ "description": "Retrieve analysis and reputation information about a specific domain.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the domain"
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of the domain"
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The url to retrieve this domain report."
+ }
+ },
+ "description": "links to related resources."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of votes indicating the domain is safe.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of votes suggesting the domain is harmful.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "his object provides a summary of community votes regarding the domain's potential maliciousness."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "A numerical score ranging from -100 to 100, reflecting the domain's overall reputation based on various factors."
+ },
+ "whois": {
+ "type": "string",
+ "description": "The raw WHOIS data associated with the domain, containing registration details and contact information."
+ },
+ "last_https_certificate_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp indicating when the last HTTPS certificate for this domain was observed."
+ },
+ "last_dns_records_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp representing the last time DNS records were fetched for this domain."
+ },
+ "registrar": {
+ "type": "string",
+ "description": "The entity responsible for registering the domain name."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp showing when the domain report was last updated."
+ },
+ "creation_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp marking the domain's initial registration date."
+ },
+ "tags": {
+ "type": "array",
+ "description": "An array of tags assigned to the domain based on community analysis and observations."
+ },
+ "last_update_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp indicating the most recent update to the domain's information."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of analysis engines flagging the domain as malicious.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of engines raising suspicion about the domain.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that didn't detect any malicious or suspicious activity.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of engines explicitly classifying the domain as safe.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis.",
+ "title": "last analysis timeout"
+ }
+ },
+ "description": "Statistics derived from the latest analysis of the domain."
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by GTI.",
+ "title": "severity"
+ }
+ },
+ "description": "The severity level assigned by GTI."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by GTI (0-100).",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assigned by GTI (0-100)."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict from GTI.",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict from GTI."
+ },
+ "contributing_factors": {
+ "type": "object",
+ "properties": {
+ "mandiant_confidence_score": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The confidence score assigned by Mandiant (0-100)."
+ },
+ "normalised_categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Normalized categories associated with the IP address."
+ },
+ "pervasive_indicator": {
+ "type": "boolean",
+ "description": "Indicates if the IP address is a pervasive indicator."
+ },
+ "safebrowsing_verdict": {
+ "type": "string",
+ "description": "The verdict from Google Safe Browsing."
+ }
+ },
+ "description": "Factors contributing to the GTI assessment."
+ },
+ "description": {
+ "type": "string",
+ "description": "A description of the GTI assessment."
+ }
+ },
+ "description": "Google Threat Intelligence (GTI) assessment of the IP address."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-get_domain')]",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "Domain name",
+ "description": "Domain to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/urls/{id}": {
+ "get": {
+ "summary": "Get URL Report",
+ "description": "Retrieve analysis and reputation information about a specific URL.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the url"
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of object being analyzed"
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "Url to retrieve this url report"
+ }
+ },
+ "description": "Links to related resources"
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "last_final_url": {
+ "type": "string",
+ "description": "The final URL after any redirects."
+ },
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Number of votes indicating the URL is safe.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Number of votes indicating the URL is harmful.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "The breakdown of votes from the Google Threat Intelligence community on whether the URL is considered harmless or malicious."
+ },
+ "tags": {
+ "type": "array",
+ "description": "Community-assigned tags providing additional context or categorization for the URL."
+ },
+ "times_submitted": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The total number of times this URL has been submitted to Google Threat Intelligence for analysis."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) when the URL report was last modified."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "A score ranging from -100 to 100, representing the URL's reputation based on various factors and community assessments."
+ },
+ "last_analysis_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) when the last analysis of the URL was performed."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the URL as malicious.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that flagged the URL as suspicious.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that did not detect any threats in the URL.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that explicitly classified the URL as harmless.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis.",
+ "title": "last analysis timeout"
+ }
+ },
+ "description": "A summary of the results from the most recent analysis of the URL by different antivirus engines."
+ },
+ "last_submission_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "he date (in Unix timestamp format) when the URL was last submitted for analysis."
+ },
+ "url": {
+ "type": "string",
+ "description": "The actual URL that was analyzed."
+ },
+ "first_submission_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) of the very first time this URL was submitted to Google Threat Intelligence."
+ },
+ "title": {
+ "type": "string",
+ "description": "The title or webpage name extracted from the URL"
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by GTI.",
+ "title": "severity"
+ }
+ },
+ "description": "The severity level assigned by GTI."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by GTI (0-100).",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assigned by GTI (0-100)."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict from GTI.",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict from GTI."
+ },
+ "contributing_factors": {
+ "type": "object",
+ "properties": {
+ "mandiant_confidence_score": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The confidence score assigned by Mandiant (0-100)."
+ },
+ "normalised_categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Normalized categories associated with the IP address."
+ },
+ "pervasive_indicator": {
+ "type": "boolean",
+ "description": "Indicates if the IP address is a pervasive indicator."
+ },
+ "safebrowsing_verdict": {
+ "type": "string",
+ "description": "The verdict from Google Safe Browsing."
+ }
+ },
+ "description": "Factors contributing to the GTI assessment."
+ },
+ "description": {
+ "type": "string",
+ "description": "A description of the GTI assessment."
+ }
+ },
+ "description": "Google Threat Intelligence (GTI) assessment of the IP address."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-get_url')]",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "URL id",
+ "description": "URL id to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/files/": {
+ "post": {
+ "summary": "Upload File",
+ "description": "Upload a file for analysis.",
+ "consumes": [
+ "multipart/form-data"
+ ],
+ "parameters": [
+ {
+ "in": "formData",
+ "name": "file",
+ "description": "The file to upload for analysis",
+ "required": true,
+ "type": "file",
+ "x-ms-summary": "File"
+ }
+ ],
+ "responses": {
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-post_file')]"
+ }
+ },
+ "/analyses/{id}": {
+ "get": {
+ "summary": "Retrieve information about a file or URL analysis",
+ "description": "Get the status and results of a file or URL analysis.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The unique identifier for this analysis request."
+ },
+ "type": {
+ "type": "string",
+ "description": "Indicates the type of analysis performed, either \"file\" or \"url\"."
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The URL to retrieve the analysis information itself."
+ },
+ "item": {
+ "type": "string",
+ "description": "The URL to access the analyzed file or URL."
+ }
+ },
+ "description": "Provides URLs related to the analysis."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that flagged the item as malicious."
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that flagged the item as malicious."
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that didn't detect any threats."
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that explicitly classified the item as harmless."
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis."
+ },
+ "confirmed-timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that experienced a confirmed timeout."
+ },
+ "failure": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that encountered an error during analysis."
+ },
+ "type-unsupported": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that don't support analyzing this type of item."
+ }
+ },
+ "description": "Summarizes the detection results from various antivirus engines."
+ },
+ "date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) when the analysis was completed."
+ },
+ "status": {
+ "type": "string",
+ "description": "The current status of the analysis."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-retrieve_url_file')]",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "Id of the analysis",
+ "description": "Analysis id to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/urls": {
+ "post": {
+ "summary": "Analyse URL",
+ "description": "Submit a URL for analysis.",
+ "consumes": [
+ "multipart/form-data"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "type"
+ },
+ "id": {
+ "type": "string",
+ "description": "id"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "[[variables('_operationId-analyze_url')]",
+ "parameters": [
+ {
+ "name": "url",
+ "in": "formData",
+ "required": true,
+ "type": "string",
+ "description": "URL to scan",
+ "x-ms-summary": "URL",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ }
+ },
+ "securityDefinitions": {
+ "api_key": {
+ "type": "apiKey",
+ "in": "header",
+ "name": "x-apikey"
+ }
+ },
+ "security": [
+ {
+ "api_key": "[variables('TemplateEmptyArray')]"
+ }
+ ],
+ "tags": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]",
+ "properties": {
+ "parentId": "[[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
+ "kind": "LogicAppsCustomConnector",
+ "version": "[variables('playbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId1')]",
+ "contentKind": "LogicAppsCustomConnector",
+ "displayName": "GTICustomConnector",
+ "contentProductId": "[variables('_playbookcontentProductId1')]",
+ "id": "[variables('_playbookcontentProductId1')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GoogleThreatIntelligence-IOCEnrichmentIncident Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion2')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentIncident",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-CustomConnector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection",
+ "connection-2": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "For_each_IP": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Get_IP_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/ip_addresses/@{encodeURIComponent(item()?['Address'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Ip": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI IP Report IP: @{body('Get_IP_Report')?['data']?['id']}Reputation is: @{body('Get_IP_Report')?['data']?['attributes']?['reputation']}
GTI Assessment - Score: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Verdict: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} - Severity: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_IP_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/ip"
+ }
+ },
+ "Entities_-_Get_FileHashes": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/filehash"
+ }
+ },
+ "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/url"
+ }
+ },
+ "For_each_File": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+ "actions": {
+ "Get_File_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/files/@{encodeURIComponent(item()?['Value'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Hash": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI File Report Hash: @{body('Get_File_Report')?['data']?['id']} Reputation is: @{body('Get_File_Report')?['data']?['attributes']?['reputation']}
GTI Assessment -Score: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} -Verdict: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} -Severity: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_File_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_FileHashes": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Url": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "actions": {
+ "Get_URL_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/urls/@{encodeURIComponent(replace(base64(item()?['Url']),'=',''))}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Url": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI URL Report URL: @{body('Get_URL_Report')?['data']?['attributes']?['url']} ID: @{body('Get_URL_Report')?['data']?['id']} Suspicious: Malicious:
Gti Assessment - Score: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Severity: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']} - Verdict: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_URL_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Domain": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+ "actions": {
+ "Get_Domain_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/domains/@{encodeURIComponent(item()?['DomainName'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Domain": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI Domain Report Domain: @{body('Get_Domain_Report')?['data']?['id']} Reputation is: @{body('Get_Domain_Report')?['data']?['attributes']?['reputation']}
GTI Assessment - Score: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Verdict: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} - Severity: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_Domain_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_DNS": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_DNS": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/dnsresolution"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId2')]",
+ "contentId": "[variables('_playbookContentId2')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Google Threat Intelligence - IOC Enrichment",
+ "description": "This playbook will enrich IP, Hash, URL & Domain entities found in incidents.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created."
+ ],
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "ip",
+ "url",
+ "dnsresolution",
+ "filehash"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "IOC Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId2')]",
+ "contentKind": "Playbook",
+ "displayName": "GoogleThreatIntelligence-IOCEnrichmentIncident",
+ "contentProductId": "[variables('_playbookcontentProductId2')]",
+ "id": "[variables('_playbookcontentProductId2')]",
+ "version": "[variables('playbookVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GoogleThreatIntelligence-IOCEnrichmentAlert Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion3')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentAlert",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection",
+ "connection-2": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Alert_-_Get_incident": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/ip"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_FileHashes": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/filehash"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/url"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_IP": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Get_IP_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/ip_addresses/@{encodeURIComponent(item()?['Address'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Ip": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI IP Report IP: @{body('Get_IP_Report')?['data']?['id']}Reputation is: @{body('Get_IP_Report')?['data']?['attributes']?['reputation']}
GTI Assessment - Score: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Verdict: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} - Severity: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_IP_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_File": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+ "actions": {
+ "Get_File_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/files/@{encodeURIComponent(item()?['Value'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Hash": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI File Report Hash: @{body('Get_File_Report')?['data']?['id']} Reputation is: @{body('Get_File_Report')?['data']?['attributes']?['reputation']}
GTI Assessment -Score: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} -Verdict: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} -Severity: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_File_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_FileHashes": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Url-copy": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "actions": {
+ "Get_URL_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/urls/@{encodeURIComponent(replace(base64(item()?['Url']),'=',''))}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Url": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI URL Report URL: @{body('Get_URL_Report')?['data']?['attributes']?['url']} ID: @{body('Get_URL_Report')?['data']?['id']} Suspicious: Malicious:
Gti Assessment - Score: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Severity: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']} - Verdict: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_URL_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Domain": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_Domain": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI Domain Report Domain: Reputation is:
GTI Assessment - Score: - Verdict: - Severity:
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_Domain_Report": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Get_Domain_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/domains/@{encodeURIComponent(item()?['DomainName'])}"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_DNS": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_DNS": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/dnsresolution"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId3')]",
+ "contentId": "[variables('_playbookContentId3')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Google Threat Intelligence - IOC Enrichment",
+ "description": "This playbook will enrich IP, Hash, URL & Domain entities found in alerts.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ ""
+ ],
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "ip",
+ "url",
+ "dnsresolution",
+ "filehash"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "IOC Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId3')]",
+ "contentKind": "Playbook",
+ "displayName": "GoogleThreatIntelligence-IOCEnrichmentAlert",
+ "contentProductId": "[variables('_playbookcontentProductId3')]",
+ "id": "[variables('_playbookcontentProductId3')]",
+ "version": "[variables('playbookVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GoogleThreatIntelligence-IOCEnrichmentIP Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion4')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentIP",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection",
+ "connection-2": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('IP')}"
+ }
+ }
+ },
+ "actions": {
+ "Get_IP_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/ip_addresses/@{encodeURIComponent(triggerBody()?['Entity']?['properties']?['Address'])}"
+ }
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI IP Report Id: @{body('Get_IP_Report')?['data']?['id']}
Reputation is: @{body('Get_IP_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Country: @{body('Get_IP_Report')?['data']?['attributes']?['country']}
Continent: @{body('Get_IP_Report')?['data']?['attributes']?['continent']}
Owner: @{body('Get_IP_Report')?['data']?['attributes']?['as_owner']}
Total votes harmless: @{body('Get_IP_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_IP_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment -Score : @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
-Verdict : @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
-Severity : @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_IP_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Google Threat Intelligence - IP Enrichment",
+ "description": "This playbook will enrich IP entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "ip"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "IP Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId4')]",
+ "contentKind": "Playbook",
+ "displayName": "GoogleThreatIntelligence-IOCEnrichmentIP",
+ "contentProductId": "[variables('_playbookcontentProductId4')]",
+ "id": "[variables('_playbookcontentProductId4')]",
+ "version": "[variables('playbookVersion4')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GoogleThreatIntelligence-IOCEnrichmentURL Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion5')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentURL",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection",
+ "connection-2": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('UrlEntity')}"
+ }
+ }
+ },
+ "actions": {
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI URL Report URL: @{body('Get_URL_Report')?['data']?['attributes']?['url']}
ID: @{body('Get_URL_Report')?['data']?['id']}
Reputation is: @{body('Get_URL_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Total votes harmless: @{body('Get_URL_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_URL_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment - Threat score: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
- Verdict: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
- Severity: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_URL_Report": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Get_URL_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/urls/@{encodeURIComponent(replace(base64(triggerBody()?['Entity']?['properties']?['Url']),'=',''))}"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId5')]",
+ "contentId": "[variables('_playbookContentId5')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Google Threat Intelligence - URL Enrichment",
+ "description": "This playbook will enrich URL entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "url"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "URL Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId5')]",
+ "contentKind": "Playbook",
+ "displayName": "GoogleThreatIntelligence-IOCEnrichmentURL",
+ "contentProductId": "[variables('_playbookcontentProductId5')]",
+ "id": "[variables('_playbookcontentProductId5')]",
+ "version": "[variables('playbookVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GoogleThreatIntelligence-IOCEnrichmentFileHash Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion6')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentFileHash",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection",
+ "connection-2": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('FileHash')}"
+ }
+ }
+ },
+ "actions": {
+ "Get_File_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/files/@{encodeURIComponent(triggerBody()?['Entity']?['properties']?['Value'])}"
+ }
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI File Report Hash: @{body('Get_File_Report')?['data']?['id']}
Reputation is: @{body('Get_File_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Total votes harmless: @{body('Get_File_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_File_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment -Score : @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
-Verdict : @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
-Severity : @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_File_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId6')]",
+ "contentId": "[variables('_playbookContentId6')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Google Threat Intelligence - FileHash Enrichment",
+ "description": "This playbook will enrich FileHash entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "filehash"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "FileHash Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId6')]",
+ "contentKind": "Playbook",
+ "displayName": "GoogleThreatIntelligence-IOCEnrichmentFileHash",
+ "contentProductId": "[variables('_playbookcontentProductId6')]",
+ "id": "[variables('_playbookcontentProductId6')]",
+ "version": "[variables('playbookVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "GoogleThreatIntelligence-IOCEnrichmentDomain Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion7')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentDomain",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection",
+ "connection-2": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('DNS')}"
+ }
+ }
+ },
+ "actions": {
+ "Get_Domain_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/domains/@{encodeURIComponent(triggerBody()?['Entity']?['properties']?['DomainName'])}"
+ }
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI Domain Report Domain: @{body('Get_Domain_Report')?['data']?['id']}
Reputation is: @{body('Get_Domain_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Total votes harmless: @{body('Get_Domain_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_Domain_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment - Threat score: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
- Verdict: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
- Severity: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_Domain_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId7')]",
+ "contentId": "[variables('_playbookContentId7')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Google Threat Intelligence - Domain Enrichment",
+ "description": "This playbook will enrich Domain entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "dnsresolution"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Domain Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId7')]",
+ "contentKind": "Playbook",
+ "displayName": "GoogleThreatIntelligence-IOCEnrichmentDomain",
+ "contentProductId": "[variables('_playbookcontentProductId7')]",
+ "id": "[variables('_playbookcontentProductId7')]",
+ "version": "[variables('playbookVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Google Threat Intelligence",
+ "publisherDisplayName": "Google",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThis Google Threat Intelligence Solution contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from Google Threat Intelligence. Enriched information can help drive focused investigations in Security Operations.
\nCustom Azure Logic Apps Connectors: 1, Playbooks: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_GTICustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_GTI-EnrichIncident')]",
+ "version": "[variables('playbookVersion2')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_GTI-EnrichAlert')]",
+ "version": "[variables('playbookVersion3')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_GTI-EnrichIP')]",
+ "version": "[variables('playbookVersion4')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_GTI-EnrichURL')]",
+ "version": "[variables('playbookVersion5')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_GTI-EnrichFilehash')]",
+ "version": "[variables('playbookVersion6')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_GTI-EnrichDomain')]",
+ "version": "[variables('playbookVersion7')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-10-26",
+ "lastPublishDate": "2024-10-26",
+ "providers": [
+ "Google"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Google Threat Intelligence/Package/testParameters.json b/Solutions/Google Threat Intelligence/Package/testParameters.json
new file mode 100644
index 00000000000..e55ec41a9ac
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json
new file mode 100644
index 00000000000..42ed64d38f3
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/azuredeploy.json
@@ -0,0 +1,1293 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ConnectorName": {
+ "defaultValue": "GoogleThreatIntelligence-CustomConnector",
+ "type": "String",
+ "metadata": {
+ "description": "Google Threat Intelligence Custom Connector"
+ }
+ },
+ "BackendService": {
+ "defaultValue": "https://www.virustotal.com/api/v3",
+ "type": "String",
+ "metadata": {
+ "description": "Google Threat Intelligence API"
+ }
+ }
+ },
+ "functions": [],
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/customApis",
+ "apiVersion": "2016-06-01",
+ "name": "[parameters('ConnectorName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "connectionParameters": {
+ "api_key": {
+ "type": "securestring"
+ }
+ },
+ "backendService": {
+ "serviceUrl": "[parameters('BackendService')]"
+ },
+ "capabilities": [],
+ "brandColor": "#FFFFFF",
+ "description": "This connector provides access to various Google Threat Intelligence API endpoints for retrieving file, IP, domain, and URL analysis reports.",
+ "displayName": "[parameters('ConnectorName')]",
+ "iconUri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/GoogleThreatIntelligence.svg",
+ "swagger": {
+ "swagger": "2.0",
+ "info": {
+ "title": "Google Threat Intelligence",
+ "description": "This connector provides access to various Google Threat Intelligence API endpoints for retrieving file, IP, domain, and URL analysis reports.",
+ "version": "1.0",
+ "contact": {
+ "name": "Google Threat Intelligence",
+ "url": "https://www.virustotal.com/gui/contact-us/support"
+ }
+ },
+ "x-ms-connector-metadata": [
+ {
+ "propertyName": "Website",
+ "propertyValue": "https://www.virustotal.com"
+ },
+ {
+ "propertyName": "Privacy policy",
+ "propertyValue": "https://virustotal.readme.io/docs/historic-privacy-policy"
+ },
+ {
+ "propertyName": "Categories",
+ "propertyValue": "Data"
+ }
+ ],
+ "host": "www.virustotal.com",
+ "basePath": "/api/v3",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [],
+ "produces": [],
+ "paths": {
+ "/files/{id}": {
+ "get": {
+ "summary": "Get File Report",
+ "description": "Retrieve detailed analysis report for a specific file by its ID.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The unique identifier (SHA-256 hash) of the file."
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of object being analyzed (in this case, \"file\")."
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The URL to retrieve this file's report."
+ }
+ },
+ "description": "Links to related resources."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "type_extension": {
+ "type": "string",
+ "description": "The file extension (if available)."
+ },
+ "times_submitted": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of times this file has been submitted to Google Threat Intelligence."
+ },
+ "meaningful_name": {
+ "type": "string",
+ "description": "A human-readable name for the file (if available)."
+ },
+ "sha1": {
+ "type": "string",
+ "description": "The SHA-1 hash of the file."
+ },
+ "magic": {
+ "type": "string",
+ "description": "A textual description of the file type, as determined by libmagic."
+ },
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying this file as harmless.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying this file as malicious.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "Aggregated votes from the community."
+ },
+ "type_tag": {
+ "type": "string",
+ "description": "A high-level categorization of the file type (e.g., \"PE executable\", \"PDF document\")."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that detected the file as malicious in the latest analysis.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that detected the file as suspicious in the latest analysis.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that did not detect any threats in the file in the latest analysis.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that explicitly classified the file as harmless in the latest analysis.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that timed out during the latest analysis.",
+ "title": "last analysis timeout"
+ },
+ "confirmed-timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that experienced a confirmed timeout during the latest analysis.",
+ "title": "last analysis confirmed-timeout"
+ },
+ "failure": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that encountered an error during the latest analysis.",
+ "title": "last analysis failure"
+ },
+ "type-unsupported": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of antivirus engines that do not support the analysis of this file type.",
+ "title": "last analysis type-unsupported"
+ }
+ },
+ "description": "Statistics from the latest analysis."
+ },
+ "ssdeep": {
+ "type": "string",
+ "description": "The ssdeep fuzzy hash of the file, used for similarity comparison."
+ },
+ "type_description": {
+ "type": "string",
+ "description": "A more detailed description of the file type (e.g., \"Microsoft Word Document\")."
+ },
+ "tlsh": {
+ "type": "string",
+ "description": "The TLSH fuzzy hash of the file, used for similarity comparison."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The reputation score of the file, calculated based on various factors."
+ },
+ "sha256": {
+ "type": "string",
+ "description": "The SHA-256 hash of the file."
+ },
+ "unique_sources": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of unique sources from which this file has been submitted."
+ },
+ "names": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "A list of names associated with the file."
+ },
+ "tags": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Tags associated with the file, providing additional context or categorization."
+ },
+ "last_submission_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp of the last time this file was submitted to Google Threat Intelligence."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp of the last modification date of the file (if available)."
+ },
+ "size": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The size of the file in bytes."
+ },
+ "md5": {
+ "type": "string",
+ "description": "The MD5 hash of the file."
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by Google Threat Intelligence's GTI (e.g., \"SEVERITY_NONE\", \"SEVERITY_LOW\", etc.).",
+ "title": "severity"
+ }
+ },
+ "description": "The severity assessment of the file."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by Google Threat Intelligence's GTI, indicating the likelihood of the file being malicious.",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assessment of the file."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict of the file's analysis by Google Threat Intelligence's GTI (e.g., \"VERDICT_UNDETECTED\", \"VERDICT_MALICIOUS\", etc.).",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict of the file's analysis."
+ },
+ "description": {
+ "type": "string",
+ "description": "A textual description of the GTI assessment."
+ }
+ },
+ "description": "GTI's (Google Threat Intelligence) assessment of the file."
+ }
+ },
+ "description": "Attributes and metadata associated with the file."
+ }
+ },
+ "description": "Data containing the file report."
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "get_file",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "File ID",
+ "description": "Hash value of the file",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/ip_addresses/{ip}": {
+ "get": {
+ "summary": "Get IP Report",
+ "description": "Retrieve analysis and reputation information about a specific IP address.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The unique identifier for this IP address report."
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of object represented."
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The URL to retrieve this IP address report."
+ }
+ },
+ "description": "Links to related resources."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "asn": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Autonomous System Number (ASN) associated with the IP address."
+ },
+ "network": {
+ "type": "string",
+ "description": "The network or CIDR block the IP address belongs to."
+ },
+ "last_https_certificate_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date of the last HTTPS certificate seen for this IP address (Unix timestamp)."
+ },
+ "country": {
+ "type": "string",
+ "description": "The country associated with the IP address."
+ },
+ "as_owner": {
+ "type": "string",
+ "description": "The name of the organization that owns the ASN associated with the IP address."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The reputation score of the IP address (-100 to 100)."
+ },
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying the IP address as harmless.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of votes classifying the IP address as malicious.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "The breakdown of votes on the IP address's maliciousness."
+ },
+ "whois": {
+ "type": "string",
+ "description": "The raw WHOIS data for the IP address."
+ },
+ "tags": {
+ "type": "array",
+ "items": {},
+ "description": "Tags associated with the IP address based on community analysis."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the IP address as malicious.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the IP address as suspicious.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that did not detect the IP address as malicious or suspicious.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the IP address as harmless.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis of the IP address.",
+ "title": "last analysis timeout"
+ }
+ },
+ "description": "Statistics from the last analysis of the IP address."
+ },
+ "whois_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date the WHOIS data was last updated."
+ },
+ "regional_internet_registry": {
+ "type": "string",
+ "description": "The Regional Internet Registry (RIR) responsible for the IP address."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date the IP address report was last modified."
+ },
+ "continent": {
+ "type": "string",
+ "description": "The continent where the IP address is located."
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by GTI.",
+ "title": "severity"
+ }
+ },
+ "description": "The severity level assigned by GTI."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by GTI (0-100).",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assigned by GTI (0-100)."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict from GTI.",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict from GTI."
+ },
+ "contributing_factors": {
+ "type": "object",
+ "properties": {
+ "mandiant_confidence_score": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The confidence score assigned by Mandiant (0-100)."
+ },
+ "normalised_categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Normalized categories associated with the IP address."
+ },
+ "pervasive_indicator": {
+ "type": "boolean",
+ "description": "Indicates if the IP address is a pervasive indicator."
+ },
+ "safebrowsing_verdict": {
+ "type": "string",
+ "description": "The verdict from Google Safe Browsing."
+ }
+ },
+ "description": "Factors contributing to the GTI assessment."
+ },
+ "description": {
+ "type": "string",
+ "description": "A description of the GTI assessment."
+ }
+ },
+ "description": "Google Threat Intelligence (GTI) assessment of the IP address."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "get_ip",
+ "parameters": [
+ {
+ "name": "ip",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "Ip address",
+ "description": "Ip address to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/domains/{id}": {
+ "get": {
+ "summary": "Get Domain Report",
+ "description": "Retrieve analysis and reputation information about a specific domain.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the domain"
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of the domain"
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The url to retrieve this domain report."
+ }
+ },
+ "description": "links to related resources."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of votes indicating the domain is safe.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of votes suggesting the domain is harmful.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "his object provides a summary of community votes regarding the domain's potential maliciousness."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "A numerical score ranging from -100 to 100, reflecting the domain's overall reputation based on various factors."
+ },
+ "whois": {
+ "type": "string",
+ "description": "The raw WHOIS data associated with the domain, containing registration details and contact information."
+ },
+ "last_https_certificate_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp indicating when the last HTTPS certificate for this domain was observed."
+ },
+ "last_dns_records_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp representing the last time DNS records were fetched for this domain."
+ },
+ "registrar": {
+ "type": "string",
+ "description": "The entity responsible for registering the domain name."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp showing when the domain report was last updated."
+ },
+ "creation_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp marking the domain's initial registration date."
+ },
+ "tags": {
+ "type": "array",
+ "items": {},
+ "description": "An array of tags assigned to the domain based on community analysis and observations."
+ },
+ "last_update_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The Unix timestamp indicating the most recent update to the domain's information."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of analysis engines flagging the domain as malicious.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of engines raising suspicion about the domain.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that didn't detect any malicious or suspicious activity.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The count of engines explicitly classifying the domain as safe.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis.",
+ "title": "last analysis timeout"
+ }
+ },
+ "description": "Statistics derived from the latest analysis of the domain."
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by GTI.",
+ "title": "severity"
+ }
+ },
+ "description": "The severity level assigned by GTI."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by GTI (0-100).",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assigned by GTI (0-100)."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict from GTI.",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict from GTI."
+ },
+ "contributing_factors": {
+ "type": "object",
+ "properties": {
+ "mandiant_confidence_score": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The confidence score assigned by Mandiant (0-100)."
+ },
+ "normalised_categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Normalized categories associated with the IP address."
+ },
+ "pervasive_indicator": {
+ "type": "boolean",
+ "description": "Indicates if the IP address is a pervasive indicator."
+ },
+ "safebrowsing_verdict": {
+ "type": "string",
+ "description": "The verdict from Google Safe Browsing."
+ }
+ },
+ "description": "Factors contributing to the GTI assessment."
+ },
+ "description": {
+ "type": "string",
+ "description": "A description of the GTI assessment."
+ }
+ },
+ "description": "Google Threat Intelligence (GTI) assessment of the IP address."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "get_domain",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "Domain name",
+ "description": "Domain to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/urls/{id}": {
+ "get": {
+ "summary": "Get URL Report",
+ "description": "Retrieve analysis and reputation information about a specific URL.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the url"
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of object being analyzed"
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "Url to retrieve this url report"
+ }
+ },
+ "description": "Links to related resources"
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "last_final_url": {
+ "type": "string",
+ "description": "The final URL after any redirects."
+ },
+ "total_votes": {
+ "type": "object",
+ "properties": {
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Number of votes indicating the URL is safe.",
+ "title": "total votes harmless"
+ },
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Number of votes indicating the URL is harmful.",
+ "title": "total votes malicious"
+ }
+ },
+ "description": "The breakdown of votes from the Google Threat Intelligence community on whether the URL is considered harmless or malicious."
+ },
+ "tags": {
+ "type": "array",
+ "items": {},
+ "description": "Community-assigned tags providing additional context or categorization for the URL."
+ },
+ "times_submitted": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The total number of times this URL has been submitted to Google Threat Intelligence for analysis."
+ },
+ "last_modification_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) when the URL report was last modified."
+ },
+ "reputation": {
+ "type": "integer",
+ "format": "int32",
+ "description": "A score ranging from -100 to 100, representing the URL's reputation based on various factors and community assessments."
+ },
+ "last_analysis_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) when the last analysis of the URL was performed."
+ },
+ "last_analysis_stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that detected the URL as malicious.",
+ "title": "last analysis malicious"
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that flagged the URL as suspicious.",
+ "title": "last analysis suspicious"
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that did not detect any threats in the URL.",
+ "title": "last analysis undetected"
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that explicitly classified the URL as harmless.",
+ "title": "last analysis harmless"
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis.",
+ "title": "last analysis timeout"
+ }
+ },
+ "description": "A summary of the results from the most recent analysis of the URL by different antivirus engines."
+ },
+ "last_submission_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "he date (in Unix timestamp format) when the URL was last submitted for analysis."
+ },
+ "url": {
+ "type": "string",
+ "description": "The actual URL that was analyzed."
+ },
+ "first_submission_date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) of the very first time this URL was submitted to Google Threat Intelligence."
+ },
+ "title": {
+ "type": "string",
+ "description": "The title or webpage name extracted from the URL"
+ },
+ "gti_assessment": {
+ "type": "object",
+ "properties": {
+ "severity": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The severity level assigned by GTI.",
+ "title": "severity"
+ }
+ },
+ "description": "The severity level assigned by GTI."
+ },
+ "threat_score": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The threat score assigned by GTI (0-100).",
+ "title": "threat score"
+ }
+ },
+ "description": "The threat score assigned by GTI (0-100)."
+ },
+ "verdict": {
+ "type": "object",
+ "properties": {
+ "value": {
+ "type": "string",
+ "description": "The overall verdict from GTI.",
+ "title": "verdict"
+ }
+ },
+ "description": "The overall verdict from GTI."
+ },
+ "contributing_factors": {
+ "type": "object",
+ "properties": {
+ "mandiant_confidence_score": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The confidence score assigned by Mandiant (0-100)."
+ },
+ "normalised_categories": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Normalized categories associated with the IP address."
+ },
+ "pervasive_indicator": {
+ "type": "boolean",
+ "description": "Indicates if the IP address is a pervasive indicator."
+ },
+ "safebrowsing_verdict": {
+ "type": "string",
+ "description": "The verdict from Google Safe Browsing."
+ }
+ },
+ "description": "Factors contributing to the GTI assessment."
+ },
+ "description": {
+ "type": "string",
+ "description": "A description of the GTI assessment."
+ }
+ },
+ "description": "Google Threat Intelligence (GTI) assessment of the IP address."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "get_url",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "URL id",
+ "description": "URL id to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/files/": {
+ "post": {
+ "summary": "Upload File",
+ "description": "Upload a file for analysis.",
+ "consumes": [
+ "multipart/form-data"
+ ],
+ "parameters": [
+ {
+ "in": "formData",
+ "name": "file",
+ "description": "The file to upload for analysis",
+ "required": true,
+ "type": "file",
+ "x-ms-summary": "File"
+ }
+ ],
+ "responses": {
+ "default": {
+ "description": "default",
+ "schema": {}
+ }
+ },
+ "operationId": "post_file"
+ }
+ },
+ "/analyses/{id}": {
+ "get": {
+ "summary": "Retrieve information about a file or URL analysis",
+ "description": "Get the status and results of a file or URL analysis.",
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The unique identifier for this analysis request."
+ },
+ "type": {
+ "type": "string",
+ "description": "Indicates the type of analysis performed, either \"file\" or \"url\"."
+ },
+ "links": {
+ "type": "object",
+ "properties": {
+ "self": {
+ "type": "string",
+ "description": "The URL to retrieve the analysis information itself."
+ },
+ "item": {
+ "type": "string",
+ "description": "The URL to access the analyzed file or URL."
+ }
+ },
+ "description": "Provides URLs related to the analysis."
+ },
+ "attributes": {
+ "type": "object",
+ "properties": {
+ "stats": {
+ "type": "object",
+ "properties": {
+ "malicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that flagged the item as malicious."
+ },
+ "suspicious": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that flagged the item as malicious."
+ },
+ "undetected": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that didn't detect any threats."
+ },
+ "harmless": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that explicitly classified the item as harmless."
+ },
+ "timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that timed out during the analysis."
+ },
+ "confirmed-timeout": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that experienced a confirmed timeout."
+ },
+ "failure": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that encountered an error during analysis."
+ },
+ "type-unsupported": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The number of engines that don't support analyzing this type of item."
+ }
+ },
+ "description": "Summarizes the detection results from various antivirus engines."
+ },
+ "date": {
+ "type": "integer",
+ "format": "int32",
+ "description": "The date (in Unix timestamp format) when the analysis was completed."
+ },
+ "status": {
+ "type": "string",
+ "description": "The current status of the analysis."
+ }
+ },
+ "description": "attributes"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "retrieve_url_file",
+ "parameters": [
+ {
+ "name": "id",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "x-ms-summary": "Id of the analysis",
+ "description": "Analysis id to obtain the report",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ },
+ "/urls": {
+ "post": {
+ "summary": "Analyse URL",
+ "description": "Submit a URL for analysis.",
+ "consumes": [
+ "multipart/form-data"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "type"
+ },
+ "id": {
+ "type": "string",
+ "description": "id"
+ }
+ },
+ "description": "data"
+ }
+ }
+ }
+ },
+ "default": {
+ "description": "default"
+ }
+ },
+ "operationId": "analyze_url",
+ "parameters": [
+ {
+ "name": "url",
+ "in": "formData",
+ "required": true,
+ "type": "string",
+ "description": "URL to scan",
+ "x-ms-summary": "URL",
+ "x-ms-url-encoding": "single"
+ },
+ {
+ "in": "header",
+ "name": "x-tool",
+ "type": "string",
+ "required": true,
+ "default": "MSFTSentinel"
+ }
+ ]
+ }
+ }
+ },
+ "definitions": {},
+ "parameters": {},
+ "responses": {},
+ "securityDefinitions": {
+ "api_key": {
+ "type": "apiKey",
+ "in": "header",
+ "name": "x-apikey"
+ }
+ },
+ "security": [
+ {
+ "api_key": []
+ }
+ ],
+ "tags": []
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/readme.md b/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/readme.md
new file mode 100644
index 00000000000..101b9dadc31
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/CustomConnector/GTICustomConnector/readme.md
@@ -0,0 +1,97 @@
+# Google Threat Intelligence - Custom Connector
+
+
+
+This custom connector connects to Google Threat Intelligence API to execute actions supported by returns response in JSON format.
+
+## Authentication type
+
+* API Key
+
+## With this connector, you can:
+
+- Analyze suspicious files and URLs: Submit files and URLs to GTI for analysis, retrieving comprehensive reports on potential threats.
+- Detect various types of malware: Identify a wide range of malware, including viruses, trojans, ransomware, and more.
+- Automatically share threat information: Contribute to the security community by automatically sharing analyzed files and URLs with GTI.
+- Streamline security workflows: Automate tasks like malware analysis, and incident response within your Power Platform applications.
+- Enhance threat intelligence: Integrate GTI's rich threat data into your existing security systems and processes.
+
+
+## Pre-requisites
+To use this integration, you need:
+
+A GTI account: Follow the steps on https://developers.virustotal.com/v3.0/reference#getting-started to get your API key.
+
+Microsoft Power Platform environment: Access to Power Automate or Power Apps to create and deploy flows or applications.
+
+API documentation
+For detailed information on the GTI API, please refer to the official documentation: https://developers.virustotal.com/v3.0/reference
+
+## Deployment
+
+![Deploy to Azure](https://aka.ms/deploytoazurebutton)
+![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)
+
+## Google Threat Intelligence Connector Actions
+
+This document provides detailed descriptions of all actions available in the Google Threat Intelligence connector for Microsoft Power Platform.
+
+### File Analysis
+
+* **Upload File**
+
+ * **Description:** Submits a file to VirusTotal for analysis. This action initiates the analysis process and returns a unique identifier for tracking the analysis progress and retrieving the report later.
+ * **Input:** File content (binary data).
+ * **Output:** Analysis ID (string).
+
+* **Get File Report**
+
+ * **Description:** Retrieves a detailed analysis report for a specific file identified by its unique ID (SHA-256 hash). The report includes information such as antivirus detection rates, community ratings, behavioral analysis, and more.
+ * **Input:** File ID (string).
+ * **Output:** File analysis report (object).
+
+
+### URL Analysis
+
+* **Analyze URL**
+
+ * **Description:** Submits a URL to VirusTotal for analysis. This action starts the analysis process and returns a unique identifier for tracking the analysis progress and retrieving the report.
+ * **Input:** URL (string).
+ * **Output:** Analysis ID (string).
+
+* **Get URL Report**
+
+ * **Description:** Retrieves an analysis report for a specific URL. The report contains information such as website safety ratings, malware detection results, phishing indicators, and more.
+ * **Input:** URL (string).
+ * **Output:** URL analysis report (object).
+
+
+### IP Address Analysis
+
+* **Get IP Report**
+
+ * **Description:** Retrieves analysis and reputation information for a given IP address. This includes details like geolocation, associated domain names, malware connections, and security assessments.
+ * **Input:** IP address (string).
+ * **Output:** IP address report (object).
+
+
+### Domain Analysis
+
+* **Get Domain Report**
+
+ * **Description:** Retrieves analysis and reputation information for a specified domain name. The report includes details such as registration information, associated IP addresses, malware distribution history, and security assessments.
+ * **Input:** Domain name (string).
+ * **Output:** Domain report (object).
+
+
+### Analysis Retrieval
+
+* **Retrieve URL/File Analysis**
+
+ * **Description:** Retrieves information about a specific file or URL analysis request. This action allows you to check the status of an ongoing analysis or fetch the results of a completed analysis.
+ * **Input:** Analysis ID (string).
+ * **Output:** Analysis information (object) including status and results.
+
+**Note:** All actions require an API key for authentication. Please refer to the "Pre-requisites" section in the `readme.md` file for instructions on obtaining and using your API key.
+
+
diff --git a/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichAlert/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichAlert/azuredeploy.json
new file mode 100644
index 00000000000..f4ecd4d4fb1
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichAlert/azuredeploy.json
@@ -0,0 +1,407 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Google Threat Intelligence - IOC Enrichment",
+ "description": "This playbook will enrich IP, Hash, URL & Domain entities found in alerts.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ ""
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "ip",
+ "url",
+ "dnsresolution",
+ "filehash"
+ ],
+ "tags": [ "Enrichment" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "IOC Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentAlert",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection"
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Alert_-_Get_incident": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+ },
+ "runAfter": {}
+ },
+ "Entities_-_Get_IPs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/ip"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_FileHashes": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/filehash"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/url"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_IP": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Get_IP_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/ip_addresses/@{encodeURIComponent(item()?['Address'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Ip": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI IP Report IP: @{body('Get_IP_Report')?['data']?['id']}Reputation is: @{body('Get_IP_Report')?['data']?['attributes']?['reputation']}
GTI Assessment - Score: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Verdict: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} - Severity: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_IP_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_File": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+ "actions": {
+ "Get_File_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/files/@{encodeURIComponent(item()?['Value'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Hash": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI File Report Hash: @{body('Get_File_Report')?['data']?['id']} Reputation is: @{body('Get_File_Report')?['data']?['attributes']?['reputation']}
GTI Assessment -Score: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} -Verdict: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} -Severity: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_File_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_FileHashes": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Url-copy": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "actions": {
+ "Get_URL_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/urls/@{encodeURIComponent(replace(base64(item()?['Url']),'=',''))}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Url": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI URL Report URL: @{body('Get_URL_Report')?['data']?['attributes']?['url']} ID: @{body('Get_URL_Report')?['data']?['id']} Suspicious: Malicious:
Gti Assessment - Score: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Severity: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']} - Verdict: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_URL_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Domain": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_Domain": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "GTI Domain Report Domain: Reputation is:
GTI Assessment - Score: - Verdict: - Severity:
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_Domain_Report": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Get_Domain_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/domains/@{encodeURIComponent(item()?['DomainName'])}"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_DNS": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_DNS": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['Entities']",
+ "path": "/entities/dnsresolution"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "type": "Object",
+ "defaultValue": {}
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
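Review bot: The domain branch discards its own lookup — the body of `Add_comment_to_incident_(V3)_Domain` is a bare template with no expressions (`GTI Domain Report Domain: Reputation is: ... Score: - Verdict: - Severity:`), so `Get_Domain_Report` is called and its result never reaches the incident, and the URL comment likewise leaves `Suspicious: Malicious:` empty. Fill them from the responses the way the IP branch does, e.g. `Domain: @{body('Get_Domain_Report')?['data']?['id']} Reputation is: @{body('Get_Domain_Report')?['data']?['attributes']?['reputation']}` and `Suspicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']} Malicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}`. Separately, the URL id in `For_each_Url-copy` is standard `base64()` with `=` stripped; GTI documents URL identifiers as unpadded base64url, so a URL whose encoding contains `+` or `/` is looked up under the wrong id (encodeURIComponent percent-encodes those characters rather than mapping them) — `replace(replace(replace(base64(item()?['Url']),'=',''),'+','-'),'/','_')` yields the URL-safe alphabet, worth confirming against the connector's URL-report docs. Finally `postDeployment` is an empty string: it should tell the operator to authorize the `GoogleThreatIntelligence-Connector` connection with the API key (the `Microsoft.Web/connections` resource is created with no credential) and to grant the playbook's system-assigned identity the Microsoft Sentinel Responder role on the workspace, without which none of the comment actions can run.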
diff --git a/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichDomain/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichDomain/azuredeploy.json
new file mode 100644
index 00000000000..d7d18d5f546
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichDomain/azuredeploy.json
@@ -0,0 +1,197 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Google Threat Intelligence - Domain Enrichment",
+ "description": "This playbook will enrich Domain entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "dnsresolution"
+ ],
+ "tags": [ "Enrichment" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Domain Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentDomain",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection"
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('DNS')}"
+ }
+ }
+ },
+ "actions": {
+ "Get_Domain_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/domains/@{encodeURIComponent(triggerBody()?['Entity']?['properties']?['DomainName'])}"
+ },
+ "runAfter": {}
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI Domain Report Domain: @{body('Get_Domain_Report')?['data']?['id']}
Reputation is: @{body('Get_Domain_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_Domain_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Total votes harmless: @{body('Get_Domain_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_Domain_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment - Threat score: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
- Verdict: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
- Severity: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "else": {
+ "actions": {}
+ },
+ "runAfter": {
+ "Get_Domain_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "type": "Object",
+ "defaultValue": {}
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
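Review bot: `postDeployment` (`You can trigger manually in entities`) omits the two steps the template cannot perform for the operator: the `GoogleThreatIntelligence-Connector` connection is created without the API key (the `Microsoft.Web/connections` resource carries no `parameterValues`) and must be authorized after deployment, and the workflow's system-assigned identity needs the Microsoft Sentinel Responder role on the workspace before `Add_comment_to_incident_(V3)` can post — suggest listing both there, since a deployed-but-unauthorized playbook fails silently from the analyst's perspective. Also, `Condition` runs only after `Get_Domain_Report` reports `Succeeded`, so a non-2xx from GTI (a domain with no record, or a 429 on quota exhaustion) fails the run without leaving any trace on the incident; consider `"runAfter": { "Get_Domain_Report": ["Succeeded", "Failed"] }` and an extra branch that posts `No GTI record or lookup failed for this domain` when `outputs('Get_Domain_Report')?['statusCode']` is not 200 (whether GTI answers 404 for unseen domains should be confirmed against the API docs). A short comment-style note in `metadata.description` stating that the comment echoes the raw domain name from the alert entity would also help reviewers, since that string originates outside Sentinel.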
diff --git a/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichFilehash/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichFilehash/azuredeploy.json
new file mode 100644
index 00000000000..f4d1425b78b
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichFilehash/azuredeploy.json
@@ -0,0 +1,197 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Google Threat Intelligence - FileHash Enrichment",
+ "description": "This playbook will enrich FileHash entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "filehash"
+ ],
+ "tags": [ "Enrichment" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "FileHash Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentFileHash",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection"
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('FileHash')}"
+ }
+ }
+ },
+ "actions": {
+ "Get_File_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/files/@{encodeURIComponent(triggerBody()?['Entity']?['properties']?['Value'])}"
+ },
+ "runAfter": {}
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI File Report Hash: @{body('Get_File_Report')?['data']?['id']}
Reputation is: @{body('Get_File_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_File_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Total votes harmless: @{body('Get_File_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_File_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment -Score : @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
-Verdict : @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
-Severity : @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "else": {
+ "actions": {}
+ },
+ "runAfter": {
+ "Get_File_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "type": "Object",
+ "defaultValue": {}
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
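Review bot: A lookup that does not succeed leaves the incident with no trace that enrichment was attempted: `Get_File_Report` has no failure path and `Condition` runs only after `Succeeded` (L8209–L8213), so an unknown hash (which I believe the `/files` endpoint answers with a 404), a quota/429 rejection or a timeout simply fails the run and an analyst cannot tell "not yet enriched" from "GTI has never seen this hash". I would add a sibling action in `actions`, under the same `IncidentArmID` null guard as the existing comment, that runs after `Failed`/`TimedOut` and posts the status code, as below. Separately, the Sentinel connection authenticates with the workflow's system-assigned identity (L8121–L8123, L8231–L8235) but neither the template nor its `postDeployment` text assigns that identity the Microsoft Sentinel Responder role on the workspace; without it `Add_comment_to_incident_(V3)` is denied, so the post-deployment note should state that step explicitly. Lastly, the `message` value at L8188–L8200 appears to contain raw line breaks inside a JSON string; if that is how the file is committed rather than an artefact of this diff, it is not RFC 8259 JSON and `\n` escapes should be used so strict tooling can parse the template.
```json
"Add_comment_on_lookup_failure": {
  "type": "ApiConnection",
  "inputs": {
    "host": {
      "connection": {
        "name": "@parameters('$connections')['azuresentinel']['connectionId']"
      }
    },
    "method": "post",
    "body": {
      "incidentArmId": "@triggerBody()?['IncidentArmID']",
      "message": "GTI File Report lookup for hash @{triggerBody()?['Entity']?['properties']?['Value']} did not succeed (HTTP @{outputs('Get_File_Report')?['statusCode']}); entity was not enriched."
    },
    "path": "/Incidents/Comment"
  },
  "runAfter": {
    "Get_File_Report": [
      "Failed",
      "TimedOut"
    ]
  }
}
```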
diff --git a/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichIP/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichIP/azuredeploy.json
new file mode 100644
index 00000000000..52e90fc8b2d
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichIP/azuredeploy.json
@@ -0,0 +1,197 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Google Threat Intelligence - IP Enrichment",
+ "description": "This playbook will enrich IP entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "ip"
+ ],
+ "tags": [ "Enrichment" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "IP Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentIP",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection"
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('IP')}"
+ }
+ }
+ },
+ "actions": {
+ "Get_IP_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/ip_addresses/@{encodeURIComponent(triggerBody()?['Entity']?['properties']?['Address'])}"
+ },
+ "runAfter": {}
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI IP Report Id: @{body('Get_IP_Report')?['data']?['id']}
Reputation is: @{body('Get_IP_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_IP_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Country: @{body('Get_IP_Report')?['data']?['attributes']?['country']}
Continent: @{body('Get_IP_Report')?['data']?['attributes']?['continent']}
Owner: @{body('Get_IP_Report')?['data']?['attributes']?['as_owner']}
Total votes harmless: @{body('Get_IP_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_IP_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment -Score : @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
-Verdict : @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
-Severity : @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "else": {
+ "actions": {}
+ },
+ "runAfter": {
+ "Get_IP_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "type": "Object",
+ "defaultValue": {}
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
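Review bot: Every IP entity is forwarded to the external GTI service as-is (`Get_IP_Report`, L8374), including the private, loopback and link-local addresses that Sentinel incidents routinely carry from internal telemetry; those lookups return nothing useful, consume API quota, and disclose internal addressing to a third party. I would gate the lookup behind a condition on the address, e.g. `@startsWith(triggerBody()?['Entity']?['properties']?['Address'],'10.')` combined with `or()` for `192.168.`, `127.`, `169.254.` and the 172.16–172.31 range, and post a short "private address, not enriched" comment instead of calling GTI. Note also that `Condition` only fires after `Succeeded` (L8428–L8432), so a rejected or timed-out lookup leaves no comment at all. The template's `postDeployment` text should additionally say that the workflow's system-assigned identity (L8337–L8339) must be granted the Microsoft Sentinel Responder role on the workspace, since `/Incidents/Comment` is otherwise denied.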
diff --git a/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichURL/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichURL/azuredeploy.json
new file mode 100644
index 00000000000..808c4f70e70
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichEntity/GTI-EnrichURL/azuredeploy.json
@@ -0,0 +1,197 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Google Threat Intelligence - URL Enrichment",
+ "description": "This playbook will enrich URL entities.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "You can trigger manually in entities"
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "url"
+ ],
+ "tags": [ "Enrichment" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "URL Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentURL",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-Connector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection"
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_entity": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/entity/@{encodeURIComponent('UrlEntity')}"
+ }
+ }
+ },
+ "actions": {
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@triggerBody()?['IncidentArmID']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['IncidentArmID']",
+ "message": "GTI URL Report URL: @{body('Get_URL_Report')?['data']?['attributes']?['url']}
ID: @{body('Get_URL_Report')?['data']?['id']}
Reputation is: @{body('Get_URL_Report')?['data']?['attributes']?['reputation']}
Harmless: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}
Malicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}
Suspicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}
Timeout: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['timeout']}
Undetected: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}
Total votes harmless: @{body('Get_URL_Report')?['data']?['attributes']?['total_votes']?['harmless']}
Total votes malicious: @{body('Get_URL_Report')?['data']?['attributes']?['total_votes']?['malicious']}
GTI Assessment - Threat score: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']}
- Verdict: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
- Severity: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "else": {
+ "actions": {}
+ },
+ "runAfter": {
+ "Get_URL_Report": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Get_URL_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/urls/@{encodeURIComponent(replace(base64(triggerBody()?['Entity']?['properties']?['Url']),'=',''))}"
+ },
+ "runAfter": {}
+ }
+ },
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "type": "Object",
+ "defaultValue": {}
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
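Review bot: The URL identifier built at L8647, `replace(base64(…),'=','')`, uses the standard base64 alphabet, but the GTI/VirusTotal v3 `/urls/{id}` identifier is, to my knowledge, the unpadded base64url form (`-` and `_` in place of `+` and `/`); standard base64 of an ASCII URL does produce `+` and `/` for some byte alignments (`???` encodes to `Pz8/`), so such URLs get a different id and the lookup misses or fails. The fix is to translate those two characters as well: `replace(replace(replace(base64(triggerBody()?['Entity']?['properties']?['Url']),'+','-'),'/','_'),'=','')`. The same expression recurs in the incident-trigger playbook and should be corrected there too. As in the sibling playbooks, `Condition` runs only after `Succeeded` (L8632–L8636), so a 404/429 from GTI produces no comment, and the post-deployment text should state that the workflow's system-assigned identity needs the Microsoft Sentinel Responder role to post comments.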
diff --git a/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichIncident/azuredeploy.json b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichIncident/azuredeploy.json
new file mode 100644
index 00000000000..0b61eb50c83
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/GTIEnrichment/GTI-EnrichIncident/azuredeploy.json
@@ -0,0 +1,378 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Google Threat Intelligence - IOC Enrichment",
+ "description": "This playbook will enrich IP, Hash, URL & Domain entities found in incidents.",
+ "prerequisites": [
+ "You will need to register to Google Threat Intelligence for an API key"
+ ],
+ "postDeployment": [
+ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created."
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-11-15T00:00:00Z",
+ "entities": [
+ "ip",
+ "url",
+ "dnsresolution",
+ "filehash"
+ ],
+ "tags": [ "Enrichment" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Google"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "IOC Enrichment - Google Threat Intelligence report",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "GoogleThreatIntelligence-IOCEnrichmentIncident",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "GoogleThreatIntelligenceConnectionName": "GoogleThreatIntelligence-CustomConnector",
+ "AzureSentinelConnectionName": "GoogleThreatIntelligence-MicrosoftSentinelConnection"
+ },
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.8"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]"
+ ],
+ "properties": {
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "For_each_IP": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Get_IP_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/ip_addresses/@{encodeURIComponent(item()?['Address'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Ip": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI IP Report IP: @{body('Get_IP_Report')?['data']?['id']}Reputation is: @{body('Get_IP_Report')?['data']?['attributes']?['reputation']}
GTI Assessment - Score: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Verdict: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} - Severity: @{body('Get_IP_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_IP_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/ip"
+ },
+ "runAfter": {}
+ },
+ "Entities_-_Get_FileHashes": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/filehash"
+ },
+ "runAfter": {}
+ },
+ "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/url"
+ },
+ "runAfter": {}
+ },
+ "For_each_File": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+ "actions": {
+ "Get_File_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/files/@{encodeURIComponent(item()?['Value'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Hash": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI File Report Hash: @{body('Get_File_Report')?['data']?['id']} Reputation is: @{body('Get_File_Report')?['data']?['attributes']?['reputation']}
GTI Assessment -Score: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} -Verdict: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} -Severity: @{body('Get_File_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_File_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_FileHashes": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Url": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "actions": {
+ "Get_URL_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/urls/@{encodeURIComponent(replace(base64(item()?['Url']),'=',''))}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Url": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI URL Report URL: @{body('Get_URL_Report')?['data']?['attributes']?['url']} ID: @{body('Get_URL_Report')?['data']?['id']} Suspicious: Malicious:
Gti Assessment - Score: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Severity: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']} - Verdict: @{body('Get_URL_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_URL_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ }
+ },
+ "For_each_Domain": {
+ "type": "Foreach",
+ "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+ "actions": {
+ "Get_Domain_Report": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['googlethreatintelligence']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/domains/@{encodeURIComponent(item()?['DomainName'])}"
+ }
+ },
+ "Add_comment_to_incident_(V3)_Domain": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "GTI Domain Report Domain: @{body('Get_Domain_Report')?['data']?['id']} Reputation is: @{body('Get_Domain_Report')?['data']?['attributes']?['reputation']}
GTI Assessment - Score: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['threat_score']?['value']} - Verdict: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['verdict']?['value']} - Severity: @{body('Get_Domain_Report')?['data']?['attributes']?['gti_assessment']?['severity']?['value']}
"
+ },
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Get_Domain_Report": [
+ "Succeeded"
+ ]
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_DNS": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Entities_-_Get_DNS": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/dnsresolution"
+ },
+ "runAfter": {}
+ }
+ },
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "type": "Object",
+ "defaultValue": {}
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "googlethreatintelligence": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('GoogleThreatIntelligenceConnectionName'))]",
+ "connectionName": "[variables('GoogleThreatIntelligenceConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('GoogleThreatIntelligenceConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat(resourceGroup().id,'/providers/Microsoft.Web/customApis/GoogleThreatIntelligence-CustomConnector')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
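Review bot: The URL comment at L8965 contains the dangling labels `Suspicious: Malicious:` with no values behind them, so every URL enrichment posts two empty fields; either drop them or fill them from `last_analysis_stats` as the entity playbook does: `Suspicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']} Malicious: @{body('Get_URL_Report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}`. The URL id at L8951 also strips only `=` from standard `base64()` output, whereas the v3 `/urls/{id}` form is, as far as I know, unpadded base64url, so `+` and `/` need mapping to `-` and `_` as well. The GTI connection variable here is `GoogleThreatIntelligence-CustomConnector` (L8763) while the three entity playbooks use `GoogleThreatIntelligence-Connector`; deploying the set therefore creates two separate API connections that each have to be authorised with the API key, and the name here is identical to the custom-API resource it points at (L9083), which makes the two easy to confuse in the portal. Finally, the four `Entities_-_Get_*` calls and their `Foreach` loops run with no concurrency limit and no failure branch, so one unknown indicator (a 404 from GTI) marks the run failed while the other comments still land; a `Failed`/`TimedOut` path that posts the status code, plus a `postDeployment` note about assigning the Microsoft Sentinel Responder role to the system-assigned identity (L8776–L8778), would make the behaviour visible to analysts.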
diff --git a/Solutions/Google Threat Intelligence/Playbooks/readme.md b/Solutions/Google Threat Intelligence/Playbooks/readme.md
new file mode 100644
index 00000000000..7a86e286702
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/Playbooks/readme.md
@@ -0,0 +1,64 @@
+# Google Threat Intelligence Playbooks
+
+
+
+## Playbooks
+
+Google Threat Intelligence solution provides the following playbooks.
+
+### Google Threat Intelligence Enrichment
+
+* **Entity trigger**: Add a comment to the the incident associated with the corresponding entity.
+ * **Domain** - GoogleThreatIntelligence-IOCEnrichmentDomain
+ * **URL** - GoogleThreatIntelligence-IOCEnrichmentURL
+ * **IP** - GoogleThreatIntelligence-IOCEnrichmentIP
+ * **Filehash** - GoogleThreatIntelligence-IOCEnrichmentFile
+
+* **Alert trigger - GoogleThreatIntelligence-IOCEnrichmentAlert:** Iterate over all entities associated with the alert, adding enrichment comments to the associated incident.
+
+* **Incident trigger - GoogleThreatIntelligence-IOCEnrichmentIncident**: Iterate over all entities associated with the incident, adding enrichment comments to the incident.
+
+## Deployment
+
+### Custom Connector
+
+#### Pre-requisites
+
+To use this integration, you need:
+
+A GTI account: Follow the steps on https://developers.virustotal.com/v3.0/reference#getting-started to get your API key.
+
+#### Deploy
+
+![Deploy to Azure](https://aka.ms/deploytoazurebutton)
+![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)
+
+Once you have deployed your Google Threat Intelligence Custom Connector, you can configure your API Connection with the API key previously mentioned.
+
+### Playbooks
+
+#### Pre-requisites
+
+To use this integration, you need:
+
+A GTI account: Follow the steps on https://developers.virustotal.com/v3.0/reference#getting-started to get your API key.
+
+To install and authorize playbooks in Microsoft Sentinel, you need specific permissions on the resource group. While the **Microsoft Sentinel Contributor** and **Logic App Contributor** roles grant access to Sentinel features, they don't provide the necessary resource group level permissions.
+
+For playbook authorization, Microsoft recommends using managed identity. This method requires the user performing the installation to have either the Owner or Role Based Access Control Administrator role on the resource group. This approach enhances security by allowing playbooks to run without relying on user credentials.
+
+After installing a playbook or logic app in Microsoft Sentinel, you'll need to authorize its connectors. Here's how:
+
+1. Open all nodes: Open the logic app and expand all the collapsed nodes to see the full workflow.
+2. Look for warning signs: Identify any blocks with a sign. These indicate connectors that require authorization.
+3. Setup connections: Open each warning block and follow the prompts to authorize the connection.
+
+This ensures that your playbook has all the necessary permissions to access data and perform actions.
+
+#### Deploy
+
+To install the Google Threat Intelligence playbooks, we recommend using the Content Hub and the templates provided.
+
+## Automate
+
+Automation process could be found [here](https://learn.microsoft.com/en-us/azure/sentinel/automation/run-playbooks?tabs=after-onboarding%2Cincidents%2Cazure%2Cincident-details-new)
\ No newline at end of file
diff --git a/Solutions/Google Threat Intelligence/SolutionMetadata.json b/Solutions/Google Threat Intelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..c1d52e1a27d
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/SolutionMetadata.json
@@ -0,0 +1,17 @@
+{
+ "publisherId": "google",
+ "offerId": "azure-sentinel-solution-google",
+ "firstPublishDate": "2024-10-26",
+ "lastPublishDate": "2024-10-26",
+ "providers": ["Google"],
+ "categories": {
+ "domains" : ["Security - Threat Intelligence"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Google",
+ "email": "contact@virustotal.com",
+ "tier": "Partner",
+ "link": "https://www.virustotal.com/gui/contact-us"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Google Threat Intelligence/readme.md b/Solutions/Google Threat Intelligence/readme.md
new file mode 100644
index 00000000000..eca23e90cd8
--- /dev/null
+++ b/Solutions/Google Threat Intelligence/readme.md
@@ -0,0 +1,4 @@
+# Google Threat Intelligence Solution
+
+
+
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Anomalous application user activity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Anomalous application user activity.yaml
new file mode 100644
index 00000000000..eda410b1b7d
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Anomalous application user activity.yaml
@@ -0,0 +1,96 @@
+id: 0820da12-e895-417f-9175-7c256fcfb33e
+kind: Scheduled
+name: Dataverse - Anomalous application user activity
+description: Identifies anomalies in activity patterns of Dataverse application (non-interactive)
+ users, based on activity falling outside the normal pattern of use.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 5h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - CredentialAccess
+ - Execution
+ - Persistence
+relevantTechniques:
+ - T1528
+ - T1569
+ - T0871
+ - T0834
+ - T0859
+query: |
+ let query_lookback = 14d;
+ let query_frequency = 5h;
+ let anomaly_threshold = 2.5;
+ let seasonality = -1;
+ let trend = 'linefit';
+ let step_duration = 5h;
+ let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
+ let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
+ let application_users = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
+ | summarize by UserId
+ | where split(UserId, "@")[1] matches regex app_user_regex;
+ DataverseActivity
+ | where TimeGenerated >= startofday(ago(query_lookback))
+ | where UserId in (application_users)
+ | where isnotempty(OriginalObjectId)
+ | make-series TotalEvents = count() default=0 on TimeGenerated from startofday(ago(query_lookback)) to now() step step_duration by UserId, InstanceUrl, OriginalObjectId
+ | extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TotalEvents, anomaly_threshold, seasonality, trend)
+ | mv-expand
+ TotalEvents to typeof(double),
+ AnomalyTimeGenerated = TimeGenerated to typeof(datetime),
+ Anomalies to typeof(double),
+ Score to typeof(double),
+ Baseline to typeof(long)
+ | where Anomalies > 0
+ | extend Details = bag_pack(
+ "TotalEvents",
+ TotalEvents,
+ "Anomalies",
+ Anomalies,
+ "Baseline",
+ Baseline,
+ "Score",
+ Score,
+ "OriginalObjectId",
+ OriginalObjectId
+ )
+ | summarize Details = make_set(Details, 100) by UserId, InstanceUrl, AnomalyTimeGenerated
+ | extend
+ CloudAppId = int(32780),
+ AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0]))
+ | project
+ AnomalyTimeGenerated,
+ UserId,
+ AadUserId,
+ InstanceUrl,
+ Details,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: AadUserId
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Non-interactive account anomaly detected in
+ {{InstanceUrl}} '
+ alertDescriptionFormat: 'Anomaly detected on {{UserId}} in {{InstanceUrl}}. Details:
+ {{Details}}'
+customDetails:
+ InstranceUrl: InstanceUrl
+version: 3.2.0
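Review bot: The key under `customDetails` is misspelled `InstranceUrl`, so the alert's custom detail is published under the typo; it should read `InstanceUrl: InstanceUrl`. Separately, `AadUserId` is extracted from the local part of the application user's UPN and mapped as the Account entity's `AadUserId`; if that GUID is the application (client) id rather than an Entra user object id — which cannot be confirmed from this file — the entity will not resolve, and the `Name`/`UPNSuffix` mapping used by the sibling rules would be the safer choice.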
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Audit log data deletion.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Audit log data deletion.yaml
new file mode 100644
index 00000000000..d22a1a68aa4
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Audit log data deletion.yaml
@@ -0,0 +1,61 @@
+id: f1634822-b7e9-44f5-95ac-fa4a04f14513
+kind: Scheduled
+name: Dataverse - Audit log data deletion
+description: Identifies audit log data deletion activity in Dataverse.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+relevantTechniques:
+ - T1070
+query: |
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message =~ 'DeleteRecordChangeHistory' or Message =~ 'DeleteAuditData'
+ | extend CloudAppId = int(32780)
+ | extend AccountName = tostring(split(UserId, "@")[0])
+ | extend UPNSuffix = tostring(split(UserId, "@")[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ UserAgent,
+ Message,
+ EntityName,
+ InstanceUrl,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - Audit logs deleted in {{InstanceUrl}}
+ alertDescriptionFormat: User {{UserId}} deleted audit log data in {{InstanceUrl}}.
+ The message type is {{Message}}.
+version: 3.2.0
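Review bot: `queryPeriod: 14d` does not match the query, which only reads `TimeGenerated >= ago(query_frequency)` with a 1h value, so every run loads 14 days of DataverseActivity it then discards; the sibling rules with the same 1h window use `queryPeriod: 1d`. Change it to `queryPeriod: 1d` unless the longer lookback is intended for a later extension. Also, a `UserId` without an `@` (for example the `Unknown` actor that other rules in this solution filter out) yields an empty `UPNSuffix`; adding `| where UserId != "Unknown"` keeps the Account entity well-formed.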
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Audit logging disabled.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Audit logging disabled.yaml
new file mode 100644
index 00000000000..765a5dea0e2
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Audit logging disabled.yaml
@@ -0,0 +1,66 @@
+id: ea07523b-e6b8-469b-9e25-cdef1ae6fb45
+kind: Scheduled
+name: Dataverse - Audit logging disabled
+description: Identifies a change in system audit configuration whereby audit logging
+ is turned off.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+relevantTechniques:
+ - T1562
+query: |
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message =~ 'UpdateAuditSettings'
+ | mv-expand Fields
+ | extend AuditValue = Fields.Name, AuditEnabled = tobool(Fields.Value)
+ | where not (AuditEnabled)
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ OriginalObjectId,
+ AuditValue,
+ AuditEnabled,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Audit logging was disabled in {{InstanceUrl}} '
+ alertDescriptionFormat: 'Audit settings changes were detected in {{InstanceUrl}}.
+ {{AuditValue}} enabled: was set to {{AuditEnabled}}.'
+version: 3.2.0
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml
new file mode 100644
index 00000000000..6fe381ef285
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml
@@ -0,0 +1,72 @@
+id: 6e480329-84bc-409a-b97b-22e8102af3ca
+kind: Scheduled
+name: Dataverse - Bulk record ownership re-assignment or sharing
+description: Identifies individual record ownership changes including sharing of records
+ with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1548
+query: |
+ // Set threshold for number of shared/assigned records
+ let detection_threshold = 100;
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message in ("ModifyAccess", "Assign", "GrantAccess")
+ | summarize
+ FirstEvent = min(TimeGenerated),
+ LastEvent = max(TimeGenerated),
+ Events = count()
+ by UserId, Message, InstanceUrl, ClientIp
+ | where Events > detection_threshold
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ LastEvent,
+ Message,
+ Events,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - High number of record access modification events
+ detected
+ alertDescriptionFormat: '{{Events}} events of type {{Message}} detected in {{InstanceUrl}}
+ could indicate suspicious or malicious activity.'
+version: 3.2.0
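Review bot: The `summarize ... by UserId, Message, InstanceUrl, ClientIp` fragments the count per source address, so an actor whose IP changes during the hour (mobile, VPN rotation, or deliberate evasion) can stay under `detection_threshold` per address while exceeding it overall. Count per user and instance instead and carry the addresses along: `Events = count(), ClientIps = make_set(ClientIp, 10), ClientIp = take_any(ClientIp)` with `by UserId, Message, InstanceUrl`, and add `ClientIps` to the projection so the alert lists every address used. The IP entity mapping can keep pointing at `ClientIp`.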
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
new file mode 100644
index 00000000000..a8834f58443
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
@@ -0,0 +1,83 @@
+id: ba5e608f-7879-4927-8b0d-a9948b4fe6f3
+kind: Scheduled
+name: Dataverse - Executable uploaded to SharePoint document management site
+description: Identifies executable files and scripts uploaded to SharePoint sites
+ used for Dynamics document management, circumventing native file extension restrictions
+ in Dataverse.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - OfficeActivity (SharePoint)
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Execution
+ - Persistence
+relevantTechniques:
+ - T0863
+ - T0873
+query: |
+ let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
+ let query_frequency = 1h;
+ DataverseSharePointSites
+ | join kind=inner (
+ OfficeActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
+ on $left.SharePointUrl == $right.Site_Url
+ | where SourceFileExtension in (file_extensions)
+ | extend
+ CloudAppId = int(32780),
+ SharePointId = int(20892),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIP,
+ InstanceUrl,
+ SourceFileName,
+ SharePointUrl,
+ CloudAppId,
+ SharePointId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIP
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: File
+ fieldMappings:
+ - identifier: Name
+ columnName: SourceFileName
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: SharePointId
+ - identifier: InstanceName
+ columnName: SharePointUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - Executable files uploaded in document management
+ for {{InstanceUrl}}
+ alertDescriptionFormat: Executable/script {{SourceFileName}} was uploaded by {{UserId}}
+ in SharePoint site {{SharePointUrl}}
+version: 3.2.0
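Review bot: `where SourceFileExtension in (file_extensions)` is a case-sensitive comparison, so an upload named `tool.EXE` or `script.Ps1` is not flagged although SharePoint treats it the same; use `| where SourceFileExtension in~ (file_extensions)`. The join key `$left.SharePointUrl == $right.Site_Url` is also an exact match, so a trailing slash or case difference between the watchlist value and `Site_Url` silently produces no rows — normalise both sides (e.g. `tolower(trim_end("/", ...))`) or document the exact format the watchlist must hold. Whether `Site_Url` carries a trailing slash cannot be confirmed from this file.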
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml
new file mode 100644
index 00000000000..371189e56fb
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml
@@ -0,0 +1,76 @@
+id: 0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b
+kind: Scheduled
+name: Dataverse - Export activity from terminated or notified employee
+description: This query identifies Dataverse export activity triggered by terminated,
+ or employees about to leave the organization. This analytics rule uses the TerminatedEmployees
+ watchlist template.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1567
+ - T1048
+query: |
+ // Set a time period before employee terminatation date to search for export events
+ let termination_watch_period = 7d;
+ let query_frequency = 1h;
+ let exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);
+ MSBizAppsTerminatedEmployees
+ | where (UserState =~ "Terminated") or (UserState =~ "Notified" and TerminationDate <= startofday(now()) + termination_watch_period)
+ | join kind=inner (DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message in (exportEvents))
+ on $left.UserPrincipalName == $right.UserId
+ | summarize
+ FirstEvent = min(TimeGenerated),
+ LastEvent = max(TimeGenerated),
+ Event = make_set(Message, 4)
+ by UserId, InstanceUrl, ClientIp, UserState
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ LastEvent,
+ UserId,
+ ClientIp,
+ UserState,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Export events detected from a terminated employee
+ in {{InstanceUrl}} '
+ alertDescriptionFormat: Export events where employee state found matching {{UserState}}
+ found in {{InstanceUrl}}.
+version: 3.2.0
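Review bot: The join `on $left.UserPrincipalName == $right.UserId` is case-sensitive, so a watchlist entry typed `John.Doe@contoso.com` never matches a `john.doe@contoso.com` UserId and the export goes unflagged. Normalise both sides before joining: `| extend JoinUpn = tolower(UserPrincipalName)` on the watchlist side, `| extend JoinUpn = tolower(UserId)` on the activity side, and `on JoinUpn`. The comment `terminatation date` should read `termination date`.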
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml
new file mode 100644
index 00000000000..a32f650b280
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml
@@ -0,0 +1,130 @@
+id: 39efbf4b-b347-4cc7-895e-99a868bf29ea
+kind: Scheduled
+name: Dataverse - Guest user exfiltration following Power Platform defense impairment
+description: |
+ Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.
+
+ Note: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - AuditLogs
+ - connectorId: AzureActiveDirectoryIdentityProtection
+ dataTypes:
+ - SecurityAlert
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+ - Exfiltration
+relevantTechniques:
+ - T1629
+ - T1567
+query: |
+ let query_lookback = 14d;
+ let query_frequncy = 1h;
+ let defense_evasion_events = PowerPlatformAdminActivity
+ | where TimeGenerated >= ago(query_lookback)
+ | where EventOriginalType == "TenantIsolationOperation"
+ | mv-expand PropertyCollection
+ | where PropertyCollection.Name == "powerplatform.analytics.resource.tenant.isolation_policy.enabled"
+ | where PropertyCollection.Value == "False"
+ | summarize
+ TenantIsolationRemovalTimestamp = max(TimeGenerated)
+ by SecurityDisablingUser = ActorName
+ | join kind=inner (
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago(query_lookback)
+ | where EventOriginalType == "EnvironmentPropertyChange"
+ | where PropertyCollection has "Property: SecurityGroupId, Old Value: , New Value: "
+ | mv-expand PropertyCollection
+ | extend
+ GroupRemovalTimestamp = TimeGenerated,
+ InstanceUrl = tostring(iif(PropertyCollection.Name == "powerplatform.analytics.resource.environment.url", PropertyCollection.Value, "")),
+ EnvironmentId = tostring(iif(PropertyCollection.Name == "powerplatform.analytics.resource.environment.name", PropertyCollection.Value, ""))
+ | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)
+ on SecurityDisablingUser
+ | summarize
+ GroupRemovalTimestamp = max(GroupRemovalTimestamp),
+ TenantIsolationRemovalTimestamp = max(TenantIsolationRemovalTimestamp)
+ by SecurityDisablingUser, InstanceUrl, EnvironmentId;
+ let exfiltration_alerts = SecurityAlert
+ | where TimeGenerated >= ago(query_frequncy)
+ | where Tactics has "Exfiltration"
+ | where Entities has ('"AppId":32780')
+ | mv-expand todynamic(Entities)
+ | extend AlertUPN = iif(Entities.Type == "account", strcat(Entities.Name, "@", Entities.UPNSuffix), "")
+ | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, ""))
+ | join kind=inner defense_evasion_events on InstanceUrl
+ | where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp
+ | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId
+ | extend AlertDetails = bag_pack("AlertName", AlertName, "SystemAlertId", SystemAlertId)
+ | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl
+ | join kind=inner (
+ AuditLogs
+ | where OperationName == "Update user"
+ | where Identity == "Microsoft Invitation Acceptance Portal"
+ | mv-expand TargetResources
+ | extend ModifiedProperties = TargetResources.modifiedProperties
+ | mv-expand ModifiedProperties
+ | where ModifiedProperties.displayName == "AcceptedAs"
+ | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), "\\r", ""))[0]))
+ on $left.AlertUPN == $right.GuestUser;
+ defense_evasion_events
+ | join kind=inner exfiltration_alerts on InstanceUrl
+ | extend
+ AccountName = tostring(split(SecurityDisablingUser, "@")[0]),
+ UPNSuffix = tostring(split(SecurityDisablingUser, "@")[1]),
+ GuestAccountName = tostring(split(GuestUser, "@")[0]),
+ GuestUPNSuffix = tostring(split(GuestUser, "@")[0]),
+ DataverseId = 32780
+ | project
+ SecurityDisablingUser,
+ GuestUser,
+ AlertDetails,
+ TenantIsolationRemovalTimestamp,
+ GroupRemovalTimestamp,
+ InstanceUrl,
+ EnvironmentId,
+ AccountName,
+ UPNSuffix,
+ GuestAccountName,
+ GuestUPNSuffix,
+ DataverseId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: GuestAccountName
+ - identifier: UPNSuffix
+ columnName: GuestUPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: DataverseId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - exfiltration alerts following defense impairment
+ in {{InstanceUrl}} '
+ alertDescriptionFormat: '{{SecurityDisablingUser}} disabled Power Platform tenant
+ isolation and removed the security group used to control access to {{{InstanceUrl}}.
+ Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}'
+customDetails:
+ Environment: EnvironmentId
+version: 3.2.0
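Review bot: `GuestUPNSuffix = tostring(split(GuestUser, "@")[0])` takes the local part a second time, so the guest Account entity is built with the username as its UPN suffix and will not resolve; it should be `GuestUPNSuffix = tostring(split(GuestUser, "@")[1])`. The `alertDescriptionFormat` also has unbalanced placeholders `{{{InstanceUrl}}` and `{{{GuestUser}}`, which will not substitute cleanly; use `{{InstanceUrl}}` and `{{GuestUser}}`. `query_frequncy` is misspelled consistently and therefore harmless, but renaming it to `query_frequency` keeps it in line with the sibling rules.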
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Hierarchy security manipulation.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Hierarchy security manipulation.yaml
new file mode 100644
index 00000000000..0a39f3e79cd
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Hierarchy security manipulation.yaml
@@ -0,0 +1,99 @@
+id: 2df0adf5-92a8-4ee0-a123-3eb5be1eed02
+kind: Scheduled
+name: Dataverse - Hierarchy security manipulation
+description: |
+ Identifies suspicious behaviors in hierarchy security including:
+ - Hierarchy security disabled.
+ - User assigns themselves as a manager.
+ - User assigns themselves to a monitored position.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1548
+ - T1078
+query: |
+ let monitored_position_ids = dynamic([
+ // Enter a list of monitored position ID (guids)
+ //"79380ac5-da2a-ed11-9db1-000d3a58d546"
+ ]);
+ let query_frequency = 1h;
+ let security_disabled_events = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Update" and EntityName == "organization"
+ | mv-expand Fields
+ | where Fields.Name == "ishierarchicalsecuritymodelenabled"
+ | where Fields.Value == "False"
+ | extend Message = "Hierarchy security has been disabled"
+ | project TimeGenerated, UserId, ClientIp, InstanceUrl, Message;
+ let assign_self_as_manager_events = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Update" and EntityName == "systemuser"
+ | mv-expand Fields
+ | where Fields.Name == "parentsystemuserid"
+ | extend ModifiedManager = tostring(Fields.Value)
+ | where SystemUserId == ModifiedManager
+ | extend Message = "User added self as manager of another user";
+ let assign_self_to_position_events = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Update" and EntityName == "systemuser"
+ | mv-expand Position = Fields
+ | where Position.Name == "positionid" and tostring(Position.Value) in (monitored_position_ids)
+ | mv-expand Target = Fields
+ | where Target.Name == "systemuserid"
+ | extend UserAssigned = tostring(Target.Value)
+ | where SystemUserId == UserAssigned
+ | extend
+ Message = "User assigned self to a monitored position",
+ PositionId = tostring(Position.Value);
+ union
+ security_disabled_events,
+ assign_self_as_manager_events,
+ assign_self_to_position_events
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ Message,
+ PositionId,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Suspicious hierarchy security modifications
+ in {{InstanceUrl}} '
+ alertDescriptionFormat: '{{Message}}. Events detected for user {{UserId}}.'
+version: 3.2.0
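Review bot: `monitored_position_ids` ships empty, so the third detection (`assign_self_to_position_events`) can never fire until an operator edits the query, yet neither the rule `description` nor the alert text says so. Add a line to the description such as `Note: detection of self-assignment to a position requires populating monitored_position_ids in the query with the position GUIDs to watch.` Also `tostring(Position.Value) in (monitored_position_ids)` is case-sensitive; the GUID casing in the audit payload cannot be confirmed from here, so `in~` is the safer comparison.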
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Honeypot instance activity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Honeypot instance activity.yaml
new file mode 100644
index 00000000000..ebe635b1245
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Honeypot instance activity.yaml
@@ -0,0 +1,84 @@
+id: 11650b85-d8cc-49c4-8c04-a8a739635983
+kind: Scheduled
+name: Dataverse - Honeypot instance activity
+description: |
+ Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.
+
+ Note: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Discovery
+ - Exfiltration
+relevantTechniques:
+ - T1538
+ - T1526
+ - T1567
+query: |
+ let honeypot_dataverse_instances = dynamic(["https://myinstance.crm.dynamics.com/"]);
+ let honeypot_authorized_users = dynamic(["scanner@mydomain.com"]);
+ let monitored_dataverse_entities = dynamic(["contact", "account", "opportunity", "lead", "competitor"]);
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where InstanceUrl in (honeypot_dataverse_instances)
+ | where UserId !in (honeypot_authorized_users)
+ | where UserId !endswith "@onmicrosoft.com"
+ and UserId != "Unknown"
+ and isnotempty(ClientIp)
+ | where Message in ("UserSignIn") or EntityName in (monitored_dataverse_entities)
+ | summarize
+ TimeStart = min(TimeGenerated),
+ TimeEnd = max(TimeGenerated),
+ Entities = make_set(EntityName, 10),
+ Messages = make_set(Message, 10)
+ by UserId, ClientIp, InstanceUrl
+ | extend Severity = iif(array_length(set_difference(Messages, dynamic(["UserSignIn"]))) > 0, "Medium", "Low")
+ | extend CloudAppId = int(32780)
+ | extend AccountName = tostring(split(UserId, '@')[0])
+ | extend UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeStart,
+ TimeEnd,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ Messages,
+ Entities,
+ Severity,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Honeytoken activity detected in {{InstanceUrl}} '
+ alertDescriptionFormat: '{{UserId}} from {{ClientIp}} was detected in the Dataverse
+ honeypot instance: {{InstanceUrl}}'
+ alertSeverityColumnName: Severity
+version: 3.2.0
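Review bot: The honeypot instance and allow-list are placeholder literals (`https://myinstance.crm.dynamics.com/`, `scanner@mydomain.com`), so a rule enabled as-is matches nothing and fails silently; the description's note should say both must be edited, e.g. `Note: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled; set honeypot_dataverse_instances and honeypot_authorized_users in the query before enabling.` Also `UserId !in (honeypot_authorized_users)` and `InstanceUrl in (honeypot_dataverse_instances)` are case-sensitive and the URL match is exact, so a differently cased scanner UPN raises a false alert and a missing trailing slash misses the instance entirely; `!in~` and `in~` remove the casing half of that risk.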
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
new file mode 100644
index 00000000000..24a6194f0ab
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
@@ -0,0 +1,73 @@
+id: f327816b-9328-4b17-9290-a02adc2f4928
+kind: Scheduled
+name: Dataverse - Login by a sensitive privileged user
+description: Identifies Dataverse and Dynamics 365 logons by sensitive users.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+ - CredentialAccess
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1133
+ - T1190
+ - T1078
+ - T1212
+query: |
+ # Sensitive users are marked in the VIP Users watchlist using the Tags field.
+ # Enter the tags values to monitor
+ let monitored_tags = dynamic(["DataverseSensitive"]);
+ let query_frequency = 1h;
+ let sensitive_users = MSBizAppsVIPUsers()
+ | where Tags in (monitored_tags);
+ sensitive_users
+ | join kind=inner (DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "UserSignIn")
+ on $left.UserPrincipalName == $right.UserId
+ | summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstSeen,
+ UserId,
+ ClientIp,
+ UserAgent,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Sensitive user logged in in at {{InstanceUrl}} '
+ alertDescriptionFormat: A user marked as sensitive for Dataverse in the VIPUsers
+ watchlist signed in at {{InstanceUrl}}.
+version: 3.2.0
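Review bot: `summarize FirstSeen = arg_max(TimeGenerated, *) by UserId` keeps the most recent sign-in, so the `FirstSeen` column and the ClientIp/UserAgent/InstanceUrl carried into the entity mappings describe the latest event, not the first; either rename it (`LatestSignIn = arg_max(TimeGenerated, *)`) or use `arg_min` so the column matches its name. Grouping by `UserId` alone also collapses sign-ins from several IPs or instances in the same hour into one row, so only one of them is surfaced per user per run; adding `ClientIp, InstanceUrl` to the `by` clause would keep them all. The display name `'Dataverse - Sensitive user logged in in at {{InstanceUrl}} '` has a doubled "in". `let query_frequency = 1h;` duplicates `queryFrequency: 1h`; if the schedule is later changed in the portal without editing the query, events fall into the gap between the two, and the same hard-coded pattern appears in most rules in this commit.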
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml
new file mode 100644
index 00000000000..12f6229fa23
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml
@@ -0,0 +1,75 @@
+id: 666fef96-1bb8-4abf-ad72-e5cb49561381
+kind: Scheduled
+name: Dataverse - Login from IP in the block list
+description: Identifies Dataverse sign-in activity from IPv4 addresses which are on
+ a predefined block list. Blocked network ranges are maintained in the NetworkAddresses
+ watchlist template.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1190
+ - T1133
+ - T1078
+query: |
+ // Use static IP address or CIDR list specified in the
+ // NetworkAddresses watchlist (from watchlist template)
+ // with tag "BlockDataverse"
+ let query_frequency = 1h;
+ let blocked_networks = MSBizAppsNetworkAddresses()
+ | where Tags has "BlockDataverse"
+ | summarize by IPSubnet;
+ let watchlist_entries_count = toscalar (blocked_networks
+ | summarize count());
+ DataverseActivity
+ | where watchlist_entries_count > 0
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "UserSignIn" and isnotempty(ClientIp)
+ | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
+ | evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ UserId,
+ ClientIp,
+ Message,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Login from IP in the block list at {{InstanceUrl}} '
+ alertDescriptionFormat: Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected
+ from an IP {{ClientIp}} on the block list.
+version: 3.2.0
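Review bot: The guard `| where watchlist_entries_count > 0` turns the rule into a silent no-op when no `NetworkAddresses` entry carries the `BlockDataverse` tag, and nothing in `description` tells the operator that the rule produces no signal until the watchlist is populated; a sentence such as "This rule returns no results until at least one entry tagged BlockDataverse exists in the NetworkAddresses watchlist" in the description would prevent a false sense of coverage. `ipv4_lookup` evaluates IPv4 values only, so IPv6 sign-ins are never compared against the list even if IPv6 subnets are added to the watchlist; worth stating next to the existing "IPv4" wording. The projected `Message` column is constant (`UserSignIn`) after the filter and could be dropped from `project`.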
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP not in the allow list.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP not in the allow list.yaml
new file mode 100644
index 00000000000..871b6104458
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP not in the allow list.yaml
@@ -0,0 +1,77 @@
+id: 81c693fe-f6c4-4352-bc10-3526f6e22637
+kind: Scheduled
+name: Dataverse - Login from IP not in the allow list
+description: Identifies logons from IPv4 addresses not matching IPv4 subnets maintained
+ on an allow list. This analytics rule uses the NetworkAddresses watchlist template.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1078
+ - T1190
+ - T1133
+query: |
+ // Use static IP address or CIDR list specified in the
+ // NetworkAddresses watchlist template with tag "AllowDataverse"
+ let allowed_networks = MSBizAppsNetworkAddresses()
+ | where Tags has "AllowDataverse"
+ | summarize by IPSubnet;
+ let query_frequency = 1h;
+ let watchlist_entries_count = toscalar (allowed_networks
+ | summarize count());
+ let dataverse_signin_activity = materialize(
+ DataverseActivity
+ | where watchlist_entries_count > 0
+ | where TimeGenerated >= ago (query_frequency)
+ | where Message == "UserSignIn" and isnotempty(ClientIp)
+ | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
+ );
+ let authorized_ip_addresses = dataverse_signin_activity
+ | evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet);
+ dataverse_signin_activity
+ | join kind=leftanti(authorized_ip_addresses) on ClientIp
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Login from IP not on the allow list in {{InstanceUrl}} '
+ alertDescriptionFormat: Sign-in activity detected in {{InstanceUrl}} from an IP
+ {{ClientIp}} not on the allow list.
+version: 3.2.0
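Review bot: `evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet)` only matches IPv4 values, so an IPv6 `ClientIp` never lands in `authorized_ip_addresses` and the following `join kind=leftanti` flags every IPv6 sign-in as outside the allow list regardless of policy. If IPv6 sources are out of scope, filter them out inside `dataverse_signin_activity`, e.g. `| where isnotnull(parse_ipv4(ClientIp))` after the `isnotempty(ClientIp)` check; otherwise the allow list needs an IPv6-aware path. As in the block-list rule, `where watchlist_entries_count > 0` silently disables the detection when no entry is tagged `AllowDataverse`, which should be called out in `description`.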
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
new file mode 100644
index 00000000000..8b0d40bda63
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
@@ -0,0 +1,90 @@
+id: 2e3878bb-d519-43aa-9992-ea069df099e4
+kind: Scheduled
+name: Dataverse - Malware found in SharePoint document management site
+description: This query identifies malware uploaded via Dynamics 365 document management
+ or directly in SharePoint impacting Dataverse associated SharePoint sites.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: Office365
+ dataTypes:
+ - OfficeActivity (SharePoint)
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Execution
+relevantTechniques:
+ - T1204
+query: |
+ let query_frequency = 15m;
+ let malware_events = OfficeActivity
+ | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
+ | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
+ | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
+ let file_upload_events = OfficeActivity
+ | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
+ | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
+ let d365_upload_events = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "UploadDocument"
+ | summarize by UserId, D365ClientIp = ClientIp;
+ malware_events
+ | join kind=inner (file_upload_events) on SourceFileName, Site_Url
+ | lookup (d365_upload_events) on UserId
+ | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
+ | extend
+ CloudAppId = int(32780),
+ SharePointId = int(20892),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ SharePointUrl,
+ SourceFileName,
+ CloudAppId,
+ SharePointId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: File
+ fieldMappings:
+ - identifier: Name
+ columnName: SourceFileName
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: SharePointId
+ - identifier: InstanceName
+ columnName: SharePointUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Malware was found in SharePoint document management
+ site for {{InstanceUrl}} '
+ alertDescriptionFormat: A malicious file {{SourceFileName}} was found in SharePoint
+ site {{SharePointUrl}}. The file was uploaded by {{UserId}}
+version: 3.2.0
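Review bot: `let query_frequency = 15m;` restricts `d365_upload_events` to the last 15 minutes while the rule runs hourly (`queryFrequency: 1h`), so `UploadDocument` events from the other 45 minutes of each interval are never joined and `ClientIp` falls back to the SharePoint `ClientIP` (or is empty) for those uploads; it should be `1h` like the sibling rules. `malware_events` and `file_upload_events` carry no `TimeGenerated` bound at all, so every hourly run re-scans the full 14-day `queryPeriod` and the same `FileMalwareDetected` event re-alerts on each run until it ages out; adding `| where TimeGenerated >= ago(query_frequency)` to `malware_events` fixes the re-alerting (the upload side may legitimately need the longer window to find the original upload). `DataverseSharePointSites` is invoked without parentheses here and in the mass-download rule while `MSBizAppsNetworkAddresses()` is called with them; one form should be used consistently.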
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass deletion of records.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass deletion of records.yaml
new file mode 100644
index 00000000000..570c87fb937
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass deletion of records.yaml
@@ -0,0 +1,83 @@
+id: 716cf6d4-97ad-407b-923e-6790083acb58
+kind: Scheduled
+name: Dataverse - Mass deletion of records
+description: Identifies large scale record delete operations based on a predefined
+ threshold and also detects scheduled bulk deletion jobs.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1485
+query: |
+ let mass_delete_threshold = 10000;
+ let query_frequency = 1d;
+ let delete_activities = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Delete";
+ union
+ (
+ delete_activities
+ | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl
+ | where TotalEvents > mass_delete_threshold
+ | join kind=inner (
+ delete_activities
+ | summarize DeleteCount = count() by UserId, InstanceUrl, ClientIp, EntityName)
+ on UserId, InstanceUrl
+ | extend Entities = bag_pack("Entity", EntityName, "Count", DeleteCount)
+ | summarize Details = make_set(Entities, 100), FirstEvent = min(FirstEvent) by UserId, InstanceUrl, ClientIp, TotalEvents
+ ),
+ (
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "BulkDelete"
+ | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl, ClientIp
+ | extend Details = todynamic("Bulk delete scheduled")
+ )
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ UserId,
+ ClientIp,
+ TotalEvents,
+ Details,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - mass deletion or bulk deletion job detected
+ in {{InstanceUrl}} '
+ alertDescriptionFormat: '{{UserId}} triggered the mass deletion detection with the
+ following information: {{Details}}'
+version: 3.2.0
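Review bot: `let query_frequency = 1d;` against `queryFrequency: 1h` means each hourly run re-evaluates the previous 24 hours, and with `aggregationKind: AlertPerResult` the same mass-delete or `BulkDelete` row is re-alerted on up to 24 consecutive runs; either align it to `1h` or restrict to rows whose `FirstEvent` falls in the last hour. `Details = todynamic("Bulk delete scheduled")` yields a dynamic string in the second union branch while the first branch yields an array of property bags, so the `Details` column has two shapes for consumers of the alert description; `Details = pack_array(bag_pack("Entity", "BulkDelete", "Count", TotalEvents))` would keep one shape (hedged: depends on what downstream automation expects). The threshold is applied per `UserId, InstanceUrl` but the output is split per `ClientIp`, so a user just over the threshold across two IPs produces two alerts each reporting the combined `TotalEvents`; a comment stating that `TotalEvents` is the per-user total, not per-IP, would avoid misreading.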
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
new file mode 100644
index 00000000000..ab4a87f4559
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
@@ -0,0 +1,79 @@
+id: 95e02f1b-5886-4043-8f0e-a42e6e23330f
+kind: Scheduled
+name: Dataverse - Mass download from SharePoint document management
+description: Identifies mass download (in the last hour) of files from SharePoint
+ sites configured for document management in Dynamics 365. This analytics rule utilizes
+ the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document
+ Management.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - OfficeActivity (SharePoint)
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1567
+query: |
+ // Set threshold for number of downloaded files
+ let detection_threshold = 10000;
+ let query_frequency = 1h;
+ DataverseSharePointSites
+ | join kind=inner (
+ OfficeActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
+ on $left.SharePointUrl == $right.Site_Url
+ | summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
+ | where FileDownloadCount > detection_threshold
+ | extend
+ CloudAppId = int(32780),
+ SharePointId = int(20892),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ UserId,
+ ClientIP,
+ FileDownloadCount,
+ SharePointUrl,
+ InstanceUrl,
+ CloudAppId,
+ SharePointId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIP
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: SharePointId
+ - identifier: InstanceName
+ columnName: SharePointUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Mass download detected from document management
+ in {{{InstanceUrl}} '
+ alertDescriptionFormat: '{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by
+ {{{UserId}}.'
+version: 3.2.0
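Review bot: `{{{InstanceUrl}}`, `{{{FileDownloadCount}}` and `{{{UserId}}` in `alertDisplayNameFormat` and `alertDescriptionFormat` use three opening braces instead of the `{{Column}}` placeholder syntax the other rules use, so the rendered title and description will contain a stray brace or an unresolved token; change them to `{{InstanceUrl}}`, `{{FileDownloadCount}}` and `{{UserId}}`. The same triple-brace typo appears in the mass-export rule (`{{{InstanceUrl}}`, `{{{CurrentExportRate}}`), the mass-record-updates rule (`{{{InstanceUrl}}`) and the non-interactive-identity rule (`{{{TargetAppName}}`). Separately, `queryPeriod: 14d` is declared while the query only reads `ago(query_frequency)` (1h), reserving far more lookback than the rule uses; `queryPeriod: 1h` would match the query.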
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass export of records to Excel.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass export of records to Excel.yaml
new file mode 100644
index 00000000000..77a7c2b4b67
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass export of records to Excel.yaml
@@ -0,0 +1,90 @@
+id: 57000f0d-ff5d-4166-94b6-aa5fb62b16ec
+kind: Scheduled
+name: Dataverse - Mass export of records to Excel
+description: Identifies users exporting a large amount of records from Dynamics 365
+ to Excel, significantly more records exported than any other recent activity by
+ that user. Large exports from users with no recent activity are identified using
+ a predefined threshold.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1567
+query: |
+ // Set a mass export threshold for users who have no historical activity.
+ let mass_export_threshold = 10000;
+ let query_lookback = 14d;
+ let query_frequency = 1h;
+ let export_activity = DataverseActivity
+ | where Message == "ExportToExcel"
+ | extend QueryCount = iif(QueryResults has ",", todouble(countof(tostring(QueryResults), ',') + 1), double(1));
+ let current_activity = export_activity
+ | where TimeGenerated > ago(query_frequency)
+ | extend RecordId = split(QueryResults, ",")
+ | summarize
+ FirstEvent = min(TimeGenerated),
+ CurrentExportRate = sum(QueryCount),
+ SampleRecordIds = make_set(RecordId, 1000)
+ by UserId, InstanceUrl;
+ let historical_activity = export_activity
+ | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
+ | summarize HistoricalBaseline = sum(QueryCount) by HistoricalUserId = UserId, InstanceUrl;
+ current_activity
+ | join kind=leftouter(historical_activity) on $left.UserId == $right.HistoricalUserId, InstanceUrl
+ | extend BaselineThreshold = iif(isnotnull(HistoricalBaseline), HistoricalBaseline, todouble(mass_export_threshold))
+ | where CurrentExportRate > BaselineThreshold
+ | join kind=inner(export_activity
+ | where TimeGenerated > ago(query_frequency)
+ | summarize EntityCount = sum(QueryCount) by UserId, ClientIp, InstanceUrl, EntityName
+ | extend Details = bag_pack("EntityName", EntityName, "EntityCount", EntityCount)
+ | summarize Details = make_set(Details, 100) by UserId, ClientIp, InstanceUrl)
+ on UserId, InstanceUrl
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ UserId,
+ ClientIp,
+ BaselineThreshold,
+ CurrentExportRate,
+ Details,
+ SampleRecordIds,
+ InstanceUrl,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - mass export to Excel activity in {{{InstanceUrl}} '
+ alertDescriptionFormat: User {{UserId}} exported {{{CurrentExportRate}} records
+ using the ExportToExcel function in Dataverse.
+version: 3.2.0
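Review bot: `SampleRecordIds = make_set(RecordId, 1000)` collects the whole `split(QueryResults, ",")` array per event rather than individual ids, so the sample is a set of arrays; if `QueryResults` is a comma-separated id list as the `countof` logic assumes, an `| mv-expand RecordId = split(QueryResults, ",")` before the `summarize` gives a flat set of ids. `BaselineThreshold` falls back to `mass_export_threshold` only when the user has no history, so a user who exported five records last week alerts on six this hour while a heavy regular exporter must exceed two weeks of volume in one hour; a floor such as `BaselineThreshold = max_of(coalesce(HistoricalBaseline, 0.0), todouble(min_export_threshold))` with a documented `min_export_threshold` would cut the low-end noise (hedged: this is a tuning choice, not a bug). `iif(isnotnull(HistoricalBaseline), HistoricalBaseline, todouble(mass_export_threshold))` is simply `coalesce(HistoricalBaseline, todouble(mass_export_threshold))`.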
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass record updates.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass record updates.yaml
new file mode 100644
index 00000000000..9999dedb665
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass record updates.yaml
@@ -0,0 +1,85 @@
+id: df577f0f-1d8a-4420-9057-a07f0edb15c8
+kind: Scheduled
+name: Dataverse - Mass record updates
+description: This query detects mass record update changes in Dataverse and Dynamics
+ 365, exceeding a pre-defined threshold.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1641
+ - T1485
+ - T1565
+query: |
+ // Set threshold for number of updated records
+ let detection_threshold = 10000;
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Update"
+ | summarize EventCount = count() by InstanceUrl, UserId, ClientIp, Message
+ | where EventCount > detection_threshold
+ | join kind=inner(
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency))
+ on InstanceUrl, UserId, ClientIp, Message
+ | mv-expand Fields
+ | summarize
+ UpdatedFields = make_set(Fields.Name, 100),
+ FirstEvent = min(TimeGenerated)
+ by UserId, ClientIp, InstanceUrl, EventCount, EntityName
+ | extend Details = bag_pack("Entity", EntityName, "Count", EventCount, "FieldsUpdated", UpdatedFields)
+ | summarize
+ TotalEvents = sum(EventCount),
+ FirstEvent = min(FirstEvent),
+ Details = make_list(Details, 100)
+ by UserId, ClientIp, InstanceUrl
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ UserId,
+ ClientIp,
+ TotalEvents,
+ Details,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Mass record changes detected in {{{InstanceUrl}} '
+ alertDescriptionFormat: A total of {{TotalEvents}} records were updated by {{UserId}}
+ , breaching the mass update threshold in {{InstanceUrl}} .
+customDetails:
+ Details: Details
+version: 3.2.0
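Review bot: `alertDescriptionFormat` has a space before the comma and before the final period (`{{UserId}}\n , breaching ... {{InstanceUrl}} .`), which is visible in every rendered alert; join the lines so it reads `... updated by {{UserId}}, breaching the mass update threshold in {{InstanceUrl}}.`. `Details = make_list(Details, 100)` differs from the `make_set` used for the same purpose in the mass-deletion and mass-export rules; unless duplicates are wanted, `make_set` keeps the three rules consistent. The second `join` back onto `DataverseActivity` followed by `mv-expand Fields` expands every field of every matching update (by construction more than `detection_threshold` rows per group), which is the heaviest part of the query and deserves a one-line comment stating that it is bounded by the preceding threshold filter.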
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml
new file mode 100644
index 00000000000..3ef657b2f9f
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml
@@ -0,0 +1,77 @@
+id: 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70
+kind: Scheduled
+name: Dataverse - New Dataverse application user activity type
+description: Identifies new or previously unseen activity types associated with Dataverse
+ application (non-interactive) user.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - CredentialAccess
+ - Execution
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1635
+ - T0871
+ - T1078
+query: |
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
+ let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
+ let application_users = DataverseActivity
+ | where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
+ | summarize by UserId
+ | where split(UserId, "@")[1] matches regex app_user_regex;
+ let historical_app_activity = application_users
+ | join kind = inner (
+ DataverseActivity
+ | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
+ | summarize by UserId, EntityName, Message, InstanceUrl)
+ on
+ UserId;
+ let current_activity = application_users
+ | join kind= inner (
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | summarize by UserId, EntityName, Message, InstanceUrl)
+ on
+ UserId;
+ current_activity
+ | join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
+ | summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
+ | extend
+ AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
+ CloudAppId = int(32780)
+ | project
+ UserId,
+ NewActivities,
+ InstanceUrl,
+ AadUserId,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: AadUserId
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Unusual non-interactive account activity in
+ {{InstanceUrl}} '
+ alertDescriptionFormat: '{{UserId}} generated new activities in {{InstanceUrl}}
+ which had not been seen previously in the Dataverse.'
+version: 3.2.0
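Review bot: `relevantTechniques` lists `T0871`, an ATT&CK for ICS identifier rather than an Enterprise technique; the same mix appears as `T0859` in the non-interactive-identity rule and `T0866`/`T0819` in the user-agent rule, and may be rejected by tooling that validates against the Enterprise matrix (hedged: depends on the repository's validator). `AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0]))` takes the GUID from the local part of an application user's UPN and maps it to an `Account` entity's `AadUserId`; if that GUID is the application (client) id rather than a user object id the entity will not resolve to a directory account, so confirm which identifier the local part carries before relying on this mapping. `application_users` is not bounded by `TimeGenerated` and so scans the full 14-day window on every run, which is needed for the baseline but is the costliest step and deserves a one-line comment saying so.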
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New non-interactive identity granted access.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New non-interactive identity granted access.yaml
new file mode 100644
index 00000000000..29753e44b3a
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New non-interactive identity granted access.yaml
@@ -0,0 +1,87 @@
+id: 682e230c-e5da-4085-8666-701d1f1be7de
+kind: Scheduled
+name: Dataverse - New non-interactive identity granted access
+description: Identifies API level access grants, either via the delegated permissions
+ of a Microsoft Entra application or direct assignment within Dataverse as an application
+ user.
+severity: Informational
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - AuditLogs
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Persistence
+ - LateralMovement
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1098
+ - T0859
+ - T1078
+query: |
+ let dataverse_app_id = "00000007-0000-0000-c000-000000000000";
+ let query_frequency = 1h;
+ let azure_ad_changes = AuditLogs
+ | where TimeGenerated >= ago(query_frequency)
+ | where OperationName =~ 'Update application'
+ | where TargetResources has dataverse_app_id
+ | extend TargetAppName = tostring(TargetResources[0].displayName)
+ | extend TargetAppId = tostring(TargetResources[0].id)
+ | extend UserId = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
+ | extend ClientIp = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
+ | extend NewData = tostring(parse_json(tostring(parse_json(TargetResources)[0].modifiedProperties))[0].newValue)
+ | where NewData has dataverse_app_id;
+ let dataverse_changes = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where (Message == "Create" and EntityName == "systemuser" and parse_json(Fields)[0].Name == "applicationid")
+ | extend TargetAppId = tostring(Fields[0].Value);
+ union azure_ad_changes, dataverse_changes
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ TargetAppName,
+ TargetAppId,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: TargetAppId
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - new non-interactive access granted
+ alertDescriptionFormat: '{{UserId}} granted access to an Azure AD app {{{TargetAppName}}.
+ Check to validate this access was authorized.'
+version: 3.2.0
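Review bot: `parse_json(Fields)[0].Name == "applicationid"` and `tostring(Fields[0].Value)` inspect only the first element of `Fields`, so a `systemuser` Create whose `applicationid` is not the first field is silently dropped, and `TargetAppId` would hold a different field's value if the order ever changes; expanding the array removes the positional assumption: `| where Message == "Create" and EntityName == "systemuser"` followed by `| mv-apply Field = Fields on (where tostring(Field.Name) == "applicationid" | project TargetAppId = tostring(Field.Value))`. The same first-element assumption applies to `NewData`, which reads `modifiedProperties[0].newValue` even though the earlier `TargetResources has dataverse_app_id` matched anywhere in the resource. `TargetAppId` is mapped to an `Account` entity via `AadUserId`, but it carries an application object/client id, so the mapping is unlikely to resolve to a directory user — confirm the intended entity type. The description says "Microsoft Entra" while `alertDescriptionFormat` says "Azure AD app"; pick one.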
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New sign-in from an unauthorized domain.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New sign-in from an unauthorized domain.yaml
new file mode 100644
index 00000000000..6709649ce3a
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New sign-in from an unauthorized domain.yaml
@@ -0,0 +1,84 @@
+id: 4c1c9aee-8e44-4bb9-bd53-f3e7d6761282
+kind: Scheduled
+name: Dataverse - New sign-in from an unauthorized domain
+description: Identifies Dataverse sign-in activity originating from users with UPN
+ suffixes that have not been seen previously in the last 14 days and are not present
+ on a predefined list of authorized domains. Common internal Power Platform system
+ users are excluded by default.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1078
+ - T1190
+ - T1133
+query: |
+ // Allow list of UPN suffixes allowed by the organization.
+ let allowed_domains = dynamic([
+ 'onmicrosoft.com',
+ 'microsoft.com'
+ ]);
+ // All list of users allowed by the organization
+ let allowed_users = dynamic([
+ 'user1@mydomain.com',
+ 'user2@mydomain.com'
+ ]);
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ let historical_users = DataverseActivity
+ | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
+ | where Message == 'UserSignIn'
+ | summarize by UserId;
+ DataverseActivity
+ | where TimeGenerated >= ago (query_frequency)
+ | where Message == 'UserSignIn'
+ | join kind=leftanti (historical_users) on UserId
+ | summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, ClientIp, InstanceUrl
+ | where isnotempty(ClientIp)
+ | extend CloudAppId = int(32780)
+ | extend AccountName = tostring(split(UserId, '@')[0])
+ | extend UPNSuffix = tostring(split(UserId, '@')[1])
+ | where UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)
+ | project
+ FirstEvent,
+ LastEvent,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - Unauthorized sign-in activity
+ alertDescriptionFormat: New user sign-in activity was detected in {{InstanceUrl}}
+ originating from user {{UserId}}. This user's UPN suffix is not on the authorized
+ list of domains.
+version: 3.2.0
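Review bot: `UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)` is case-sensitive, so a UPN with a differently cased suffix (`Contoso.COM`) bypasses the allow list and alerts; use `| where UPNSuffix !in~ (allowed_domains) and UserId !in~ (allowed_users)`. `UserId == "Unknown"` is not excluded here although the other rules in this commit filter it with `UserId != "Unknown"`, and its empty UPN suffix will never be on the allow list, so every such sign-in alerts; add `| where UserId != "Unknown"` before the suffix check. The sample entries `user1@mydomain.com`/`user2@mydomain.com` in `allowed_users` are live allow-list entries as shipped, so the comment above them should say to replace or empty the list. The `join kind=leftanti (historical_users) on UserId` makes this a first-seen-user check rather than the first-seen-suffix check the description promises ("UPN suffixes that have not been seen previously"), so either the description or the join key should change.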
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used before.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used before.yaml
new file mode 100644
index 00000000000..622599ea10f
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used before.yaml
@@ -0,0 +1,91 @@
+id: 34a5d79b-8f9a-420c-aa64-7f4d262ac29a
+kind: Scheduled
+name: Dataverse - New user agent type that was not used before
+description: Identifies users accessing Dataverse from a User Agent that has not been
+ seen in any Dataverse instance in the last 14 days.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+ - DefenseEvasion
+relevantTechniques:
+ - T1078
+ - T0866
+ - T0819
+ - T1036
+query: |
+ let query_lookback = 14d;
+ let query_frequency = 1h;
+ let known_useragents = dynamic([
+ // Enter known user agents to exclude.
+ // example:
+ // "Agent1", "Agent2", "Agent3"
+ ]);
+ DataverseActivity
+ | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
+ | where isnotempty(UserAgent)
+ | summarize by UserAgent
+ | join kind = rightanti (DataverseActivity
+ | where TimeGenerated > ago(query_frequency)
+ | where not (UserId has_any ("@onmicrosoft.com", "@microsoft.com", "Unknown"))
+ | where isnotempty(UserAgent)
+ | where UserAgent !in~ (known_useragents)
+ | where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps")
+ on UserAgent
+ // Exclude user agents with a render agent to reduce noise.
+ | join kind = leftanti(
+ DataverseActivity
+ | where TimeGenerated > ago(query_frequency)
+ | where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink"))
+ on UserAgent
+ | summarize
+ FirstSeen = min(TimeGenerated),
+ LatestIP = arg_max(ClientIp, TimeGenerated)
+ by UserAgent, UserId, InstanceUrl
+ | extend
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1]),
+ CloudAppId = int(32780)
+ | project
+ FirstSeen,
+ UserId,
+ UserAgent,
+ LatestIP,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: LatestIP
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - new user agent detected in {{{InstanceUrl}} '
+ alertDescriptionFormat: |
+ {{UserId}} with new agent not seen previously in the Dataverse activity log.
+ Agent: {{UserAgent}}
+ Latest IP: {{LatestIP}}
+version: 3.2.0
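Review bot: `LatestIP = arg_max(ClientIp, TimeGenerated)` in the summarize maximizes the ClientIp string (lexicographic order) and returns the TimeGenerated of that row, so the value does not hold the most recent IP as its name and the IP entity mapping imply. Swap the arguments so time is maximized and the IP is returned: `| summarize FirstSeen = min(TimeGenerated), arg_max(TimeGenerated, ClientIp) by UserAgent, UserId, InstanceUrl` followed by `| project-rename LatestIP = ClientIp`; I have not confirmed the exact column naming of an aliased arg_max, so verify the mapped column name after the change. Separately, the display-name template has an unbalanced `{{{InstanceUrl}}` that will not substitute as a placeholder; it should read `{{InstanceUrl}}`.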
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml
new file mode 100644
index 00000000000..ba18d320864
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml
@@ -0,0 +1,81 @@
+id: 094b3c0a-1f63-42f7-9535-c8c7b7198328
+kind: Scheduled
+name: Dataverse - New user agent type that was not used with Office 365
+description: Identifies users accessing Dynamics with a User Agent that has not been
+ seen in any Office 365 workloads in the last 14 days.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1190
+ - T1133
+query: |
+ let query_lookback = 14d;
+ let query_frequency = 1h;
+ let known_useragents = dynamic([
+ // Enter known user agents to exclude.
+ // example:
+ // "Agent1", "Agent2", "Agent3"
+ ]);
+ DataverseActivity
+ | where TimeGenerated > ago(query_frequency)
+ | where not (UserId has_any ("@onmicrosoft.com", "@microsoft.com", "Unknown"))
+ | where isnotempty(UserAgent)
+ | where UserAgent !in~ (known_useragents)
+ | where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps"
+ | join kind = leftanti (
+ OfficeActivity
+ | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
+ | where isnotempty(UserAgent)
+ | summarize by UserAgent)
+ on UserAgent
+ // Exclude user agents with a render agent to reduce noise.
+ | join kind = leftanti(
+ DataverseActivity
+ | where TimeGenerated > ago(query_frequency)
+ | where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink"))
+ on UserAgent
+ | summarize
+ FirstSeen = min(TimeGenerated),
+ LatestIP = arg_max(ClientIp, TimeGenerated)
+ by UserAgent, UserId, InstanceUrl
+ | extend
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1]),
+ CloudAppId = int(32780)
+ | project
+ FirstSeen,
+ UserId,
+ UserAgent,
+ LatestIP,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: LatestIP
+version: 3.2.0
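Review bot: The query joins against `OfficeActivity` in the leftanti join, but `requiredDataConnectors` lists only the Dataverse connector, so the rule can be enabled in a workspace where that table is absent and will then fail at execution rather than detect anything. Add the dependency alongside Dataverse: `- connectorId: Office365` / `dataTypes:` / `- OfficeActivity`. The same `LatestIP = arg_max(ClientIp, TimeGenerated)` inversion as in the sibling "not used before" rule applies here: it returns the lexicographically largest IP, not the latest; use `arg_max(TimeGenerated, ClientIp)` and rename the resulting `ClientIp` to `LatestIP` before the project.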
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Organization settings modified.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Organization settings modified.yaml
new file mode 100644
index 00000000000..82d7cfd6929
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Organization settings modified.yaml
@@ -0,0 +1,68 @@
+id: a6f6b734-3db8-4259-a988-69e0b8eac0c2
+kind: Scheduled
+name: Dataverse - Organization settings modified
+description: Identifies changes made at organization level in the Dataverse environment.
+severity: Informational
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Persistence
+relevantTechniques:
+ - T1078
+query: |
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Update" and EntityName == "organization"
+ | mv-expand Fields
+ | extend FieldName = tostring(Fields.Name)
+ | extend Value = tostring(Fields.Value)
+ | where FieldName != "organizationid"
+ | lookup MSBizAppsOrgSettings on FieldName
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ FieldName,
+ Value,
+ DisplayName,
+ Description,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - {{DisplayName}} changed in {{InstanceUrl}} '
+ alertDescriptionFormat: 'Organization setting {{DisplayName}} : {{Description}}
+ changed by {{UserId}}'
+version: 3.2.0
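Review bot: `lookup MSBizAppsOrgSettings on FieldName` is a left-outer lookup by default, so an organization field not present in that function yields empty `DisplayName` and `Description`, and the alert title renders as "Dataverse -  changed in …" with no indication of which setting was modified. Fall back to the raw field name after the lookup: `| extend DisplayName = coalesce(DisplayName, FieldName)`. Also, `EntityName == "organization"` here is case-sensitive while the sibling blocked-extensions rule uses `EntityName =~ 'organization'`; pick one form so the two rules select the same events.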
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
new file mode 100644
index 00000000000..0000a2ec270
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
@@ -0,0 +1,66 @@
+id: 1b1061be-2595-4492-af6d-1c8a5fc9576d
+kind: Scheduled
+name: Dataverse - Removal of blocked file extensions
+description: Identifies modifications to an environment's blocked file extensions
+ and extracts the removed extension.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+relevantTechniques:
+ - T1629
+query: |
+ let query_frequency = 1h;
+ let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Update" and EntityName =~ 'organization'
+ | mv-expand Fields
+ | where Fields.Name == "blockedattachments"
+ | extend
+ UpdatedAttachments = split(tostring(Fields.Value), ";"),
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ RemovedAttachments,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Blocked file extension removed in {{InstanceUrl}} '
+ alertDescriptionFormat: '{{UserId}} modified environment blocked extensions list.
+ {{UserId}} removed the following extensions {{RemovedAttachments}}.'
+version: 3.2.0
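Review bot: `set_difference(default_attachments, UpdatedAttachments)` diffs against a hard-coded default list rather than the environment's previous value, so an update that only adds extensions, or any update in an environment that already deviated from the defaults, still fires with an empty or stale `RemovedAttachments`. At minimum drop rows where nothing was removed: `| where array_length(RemovedAttachments) > 0`. The set comparison is case-sensitive; if the stored value can carry mixed case, normalise with `tolower()` before splitting. The description should also say that "removed" means removed relative to the product defaults, since the query has no view of the prior setting.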
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
new file mode 100644
index 00000000000..e3d6cb326f1
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
@@ -0,0 +1,79 @@
+id: c4c3510a-0ee0-4561-9835-47882ffa7f46
+kind: Scheduled
+name: Dataverse - SharePoint document management site added or updated
+description: Identifies modifications of SharePoint document management integration.
+ Document management allows storage of data located externally to Dataverse. Combine
+ this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook
+ to automatically update the Dataverse-SharePointSites watchlist. This watchlist
+ can be used to correlate events between Dataverse and SharePoint when using the
+ Office 365 data connector.
+severity: Informational
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1567
+ - T1537
+query: |
+ let query_frequency = 1h;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message in ("Create", "Update") and EntityName == "sharepointsite"
+ | mv-expand Fields
+ | where Fields.Name == "absoluteurl"
+ | extend
+ SharePointAppId = int(20892),
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1]),
+ SharePointUrl = tostring(Fields.Value)
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ Message,
+ SharePointUrl,
+ InstanceUrl,
+ CloudAppId,
+ SharePointAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: SharePointAppId
+ - identifier: InstanceName
+ columnName: SharePointUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Document management enabled or modified in
+ {{{InstanceUrl}} '
+ alertDescriptionFormat: '{{UserId}} made changes to document management in {{{InstanceUrl}}.
+ Sharepoint site {{{SharePointUrl}} was added.'
+version: 3.2.0
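Review bot: The templates in `alertDetailsOverride` use `{{{InstanceUrl}}` and `{{{SharePointUrl}}` with an extra opening brace, so the placeholders will not substitute and the alert will show a literal brace; they should read `{{InstanceUrl}}` and `{{SharePointUrl}}`. The description also states the site "was added" for both Create and Update events even though `Message` is projected; `{{Message}}` can be used in the text to say which operation occurred.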
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious security role modifications.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious security role modifications.yaml
new file mode 100644
index 00000000000..908d70871fe
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious security role modifications.yaml
@@ -0,0 +1,100 @@
+id: e44a58b2-b63a-4eb9-92da-85660d73495c
+kind: Scheduled
+name: Dataverse - Suspicious security role modifications
+description: Identifies an unusual pattern of events whereby a new role is created
+ followed by the creator adding members to the role and subsequently removing the
+ member or deleting the role after a short time period.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1404
+ - T1626
+ - T1548
+query: |
+ let role_create_watch_period = 2d;
+ let query_frequency = 1h;
+ let role_create_add_events= DataverseActivity
+ | where Message == "Create" and EntityName == "role"
+ | mv-expand Role = Fields
+ | extend RoleName = Role.Value
+ | where Role.Name == "name"
+ | mv-expand Role = Fields
+ | extend RoleCreateTime = TimeGenerated, RoleId = tostring(Role.Value)
+ | where Role.Name == "roleid"
+ | join kind=inner (
+ DataverseActivity
+ | where Message == "Associate" and EntityName == "systemuser"
+ | mv-expand Role = Fields
+ | where Role.Name == "role"
+ | extend RoleMemberAddedTime = TimeGenerated, MemberAddedRoleId = tostring(Role.Value))
+ on $left.RoleId == $right.MemberAddedRoleId, InstanceUrl, UserId
+ | where RoleMemberAddedTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));
+ let remove_role_member_events = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Disassociate" and EntityName == "systemuser"
+ | mv-expand Role = Fields
+ | where Role.Name == "role"
+ | extend ActionTime = TimeGenerated, MemberRemovedRoleId = tostring(Role.Value);
+ let role_delete_events = DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "Delete" and EntityName == "role"
+ | extend DeletedRoleID = EntityId, Action = "Role deleted within defined time window"
+ | project Action, ActionTime = TimeGenerated, UserId, ClientIp, DeletedRoleID, InstanceUrl;
+ let role_member_removals = role_create_add_events
+ | join kind=inner (remove_role_member_events) on $left.RoleId == $right.MemberRemovedRoleId
+ | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period))
+ | extend Action = "Role membership removed within defined time window";
+ let role_deletions = role_create_add_events
+ | join kind=inner (role_delete_events) on $left.RoleId == $right.DeletedRoleID
+ | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));
+ union isfuzzy=true role_member_removals, role_deletions
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ UserId,
+ InstanceUrl,
+ ClientIp,
+ Action,
+ RoleCreateTime,
+ RoleName,
+ ActionTime,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - suspicious role modifications in {{InstanceUrl}}
+ alertDescriptionFormat: 'The following action ocurred following role modifications
+ changes in {{InstanceUrl}}: {{Action}}.'
+ alertSeverityColumnName: Severity
+version: 3.2.0
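Review bot: `alertSeverityColumnName: Severity` references a column the query never produces — the final project lists UserId through UPNSuffix and no `Severity` — so the override either fails validation or silently does nothing. Either remove that line or compute a value before the project, e.g. `| extend Severity = iff(Action has "deleted", "High", "Medium")`, and add `Severity` to the project list. Note also that `role_create_add_events` has no `TimeGenerated` bound of its own, so each run scans the whole `queryPeriod` window; that is bounded by 14d but deserves a comment such as `// Role creations are looked up across the full queryPeriod so that a create outside the last hour can still be correlated.`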
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of TDS endpoint.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of TDS endpoint.yaml
new file mode 100644
index 00000000000..bd065bf2c4d
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of TDS endpoint.yaml
@@ -0,0 +1,101 @@
+id: d875af10-6bb9-4d6a-a6e4-78439a98bf4b
+kind: Scheduled
+name: Dataverse - Suspicious use of TDS endpoint
+description: Identifies Dataverse TDS (Tabular Data Stream) protocol based queries
+ where the source user or IP address has recent security alerts and the TDS protocol
+ has not been used previously in the target environment.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectoryIdentityProtection
+ dataTypes:
+ - SecurityAlert
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+ - InitialAccess
+relevantTechniques:
+ - T1048
+ - T1190
+query: |
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == 'ExecutePowerBISql'
+ | summarize FirstEvent = min(TimeGenerated) by UserId, ClientIp, InstanceUrl
+ | join kind=inner(
+ DataverseActivity
+ | where TimeGenerated >= ago(query_lookback)
+ | where Message == 'ExecutePowerBISql'
+ | summarize UniqueUsers = dcount(UserId, 4) by InstanceUrl)
+ on InstanceUrl
+ | where UniqueUsers == 1
+ | join kind=inner (
+ SecurityAlert
+ | where Entities has ('"Type":"ip"')
+ | project AlertName, SystemAlertId, Entities
+ | mv-expand todynamic(Entities)
+ | where Entities.Type == "ip"
+ | extend IPAddress = tostring(Entities.Address)
+ | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by IPAddress)
+ on $left.ClientIp == $right.IPAddress
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | join kind = inner (
+ SecurityAlert
+ | where Entities has ('Type":"account"')
+ | project AlertName, SystemAlertId, Entities
+ | mv-expand todynamic(Entities)
+ | where Entities.Type == "account"
+ | extend
+ UPNSuffix = tostring(Entities.UPNSuffix),
+ AccountName = tostring(Entities.Name)
+ | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by AccountName, UPNSuffix
+ | where isnotempty(AccountName) and isnotempty(UPNSuffix))
+ on AccountName, UPNSuffix
+ | summarize SystemAlerts = make_set(SystemAlerts, 100), Alerts = make_set(Alerts, 100) by FirstEvent, UserId, ClientIp, InstanceUrl, AccountName, UPNSuffix
+ | extend CloudAppId = int(32780)
+ | project
+ FirstEvent,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ Alerts,
+ SystemAlerts,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - Suspicious use of TDS endpoint in {{InstanceUrl}} '
+ alertDescriptionFormat: 'The TDS endpoint was used to query Dataverse instance {{InstanceUrl}}
+ . The use of this protocol was not seen previously and the following alerts were
+ associated with the caller: {{Alerts}}'
+version: 3.2.0
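Review bot: The description says the source "user or IP address" has recent alerts, but both SecurityAlert joins are `kind=inner`, so a row survives only when the IP has an alert AND the account has an alert; a compromised account seen from a clean IP is dropped. Make both joins `kind=leftouter` and filter afterwards with `| where isnotempty(SystemAlerts) or isnotempty(SystemAlerts1)`. Because both subqueries emit columns named `SystemAlerts`/`Alerts`, the second join suffixes the right side as `SystemAlerts1`/`Alerts1`, and the final `make_set(SystemAlerts, 100)` keeps only the IP-derived sets; merge them first, e.g. `| extend Alerts = set_union(Alerts, coalesce(Alerts1, dynamic([]))), SystemAlerts = set_union(SystemAlerts, coalesce(SystemAlerts1, dynamic([])))`. The trailing `| extend CloudAppId = int(32780)` repeats the earlier extend and can be removed.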
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of Web API.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of Web API.yaml
new file mode 100644
index 00000000000..3ded96675f6
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of Web API.yaml
@@ -0,0 +1,89 @@
+id: 8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86
+kind: Scheduled
+name: Dataverse - Suspicious use of Web API
+description: Identifies sign-in across multiple Dataverse environments, breaching
+ a predefined threshold, originating from a user with IP address that was used to
+ sign-into the well known Microsoft Entra app registration.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Execution
+ - Exfiltration
+ - Reconnaissance
+ - Discovery
+relevantTechniques:
+ - T1106
+ - T1567
+ - T1595
+ - T1526
+ - T1580
+query: |
+ let query_frequency = 1h;
+ let query_lookback = 24h;
+ // AppID of the multi-tenant Dynamics 365 Example Client Application
+ let well_known_app_id = "51f81489-12ee-4a9e-aaae-a2591f45987d";
+ let environment_count_threshold = 10;
+ SigninLogs
+ | where TimeGenerated >= ago(query_lookback)
+ // Comment out the line below to monitor activity from all Azure AD apps
+ | where AppId == well_known_app_id
+ | where ResourceIdentity == '00000007-0000-0000-c000-000000000000'
+ | summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName
+ | join kind=inner (
+ DataverseActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where Message == "UserSignIn")
+ on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp
+ | where TimeGenerated between (FirstSeen .. (FirstSeen + 2h))
+ | summarize InstanceCount = dcount(InstanceUrl, 4), FirstSeen = min(FirstSeen) by UserId, ClientIp, InstanceUrl, AppDisplayName, AppId
+ | where InstanceCount > environment_count_threshold
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstSeen,
+ UserId,
+ ClientIp,
+ AppDisplayName,
+ AppId,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - Suspicious Web API sign-in activity
+ alertDescriptionFormat: '{{UserId}} sign-in activity generated in {{InstanceUrl}}.
+ The app used was a well known multi-tenant app not owned or registered by the
+ organization.'
+version: 3.2.0
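Review bot: The threshold check `| where InstanceCount > environment_count_threshold` can never pass, because the preceding summarize groups `by UserId, ClientIp, InstanceUrl, AppDisplayName, AppId` and `dcount(InstanceUrl, 4)` inside a group keyed by InstanceUrl is always 1, so the rule never fires. Remove `InstanceUrl` from the `by` clause and carry the environments as a set: `| summarize InstanceCount = dcount(InstanceUrl, 4), InstanceUrls = make_set(InstanceUrl, 100), FirstSeen = min(FirstSeen) by UserId, ClientIp, AppDisplayName, AppId`, then project `InstanceUrls` and either map the `CloudApplication` entity's `InstanceName` to a representative value such as `tostring(InstanceUrls[0])` or drop that identifier. Consider also surfacing `InstanceCount` in the alert description so the analyst sees how far past the threshold the account went.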
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map IP to DataverseActivity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map IP to DataverseActivity.yaml
new file mode 100644
index 00000000000..1a150e5020e
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map IP to DataverseActivity.yaml
@@ -0,0 +1,121 @@
+id: 56d5aa0c-d871-4167-ba13-61c2f0fd17bf
+kind: Scheduled
+name: Dataverse - TI map IP to DataverseActivity
+description: Identifies a match in DataverseActivity from any IP IOC from Microsoft
+ Sentinel Threat Intelligence.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+ - LateralMovement
+ - Discovery
+relevantTechniques:
+ - T1078
+ - T1199
+ - T1133
+ - T0886
+ - T0859
+ - T1428
+ - T1021
+ - T1210
+ - T1526
+ - T1580
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ // Picking up only IOC's that contain the entities we want
+ | where isnotempty(NetworkIP)
+ or isnotempty(EmailSourceIpAddress)
+ or isnotempty(NetworkDestinationIP)
+ or isnotempty(NetworkSourceIP)
+ // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
+ // Taking the first non-empty value based on potential IOC match availability
+ | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
+ | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
+ | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(TI_ipEntity) == false
+ and TI_ipEntity !startswith "fe80"
+ and TI_ipEntity !startswith "::"
+ and TI_ipEntity !startswith "127."
+ // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
+ | join kind=innerunique (
+ DataverseActivity
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where isnotempty(ClientIp)
+ //Exclude local addresses, using the ipv4_is_private operator
+ | where ipv4_is_private(ClientIp) == false
+ and ClientIp !startswith "fe80"
+ and ClientIp !startswith "::"
+ and ClientIp !startswith "127."
+ // renaming time column so it is clear the log this came from
+ | extend DataverseActivity_TimeGenerated = TimeGenerated
+ )
+ on $left.TI_ipEntity == $right.ClientIp
+ | where DataverseActivity_TimeGenerated < ExpirationDateTime
+ | summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, ClientIp
+ | project DataverseActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
+ TI_ipEntity, ClientIp, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, InstanceUrl, UserId
+ | extend
+ timestamp = DataverseActivity_TimeGenerated,
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[0]),
+ CloudAppId = int(32780)
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Dataverse - TI map IP in {{InstanceUrl}} '
+ alertDescriptionFormat: Malicous IP {{ClientIp}} was found in {{InstanceUrl}} .
+ User affected is {{UserId}}
+version: 3.2.0
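Review bot: `UPNSuffix = tostring(split(UserId, '@')[0])` takes index 0, the same as `AccountName`, so the Account entity is built with the username as its UPN suffix and entity correlation with other rules and UEBA breaks; it should be `UPNSuffix = tostring(split(UserId, '@')[1])`, as every sibling rule in this solution does. The `requiredDataConnectors` list repeats the three threat-intelligence connectors twice; the duplicate entries should be removed. The description template's "Malicous IP" should be "Malicious IP".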
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml
new file mode 100644
index 00000000000..1e727e154a4
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml
@@ -0,0 +1,123 @@
+id: d88a0e22-3b6a-40c2-af28-c064b44d03b7
+kind: Scheduled
+name: Dataverse - TI map URL to DataverseActivity
+description: Identifies a match in DataverseActivity from any URL IOC from Microsoft
+ Sentinel Threat Intelligence.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+ - Execution
+ - Persistence
+relevantTechniques:
+ - T1566
+ - T1456
+ - T1474
+ - T0819
+ - T0865
+ - T0862
+ - T0863
+ - T1204
+ - T1574
+ - T0873
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true
+ | where isnotempty(Url)
+ | join kind=innerunique (
+ DataverseActivity
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where Message in ("Create", "Update")
+ | where isnotempty(Fields) and Fields has "http"
+ | extend
+ ExtractedUrls = extract_all("(http[s]?://(?:[a-zA-Z\\.-]|[0-9])+)", tostring(Fields)),
+ DataverseActivity_TimeGenerated = TimeGenerated
+ | mv-expand Url = ExtractedUrls
+ | project
+ DataverseActivity_TimeGenerated,
+ tostring(Url),
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ EntityName
+ )
+ on Url
+ | where DataverseActivity_TimeGenerated < ExpirationDateTime
+ | summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ DataverseActivity_TimeGenerated,
+ Description,
+ ActivityGroupNames,
+ IndicatorId,
+ ThreatType,
+ ExpirationDateTime,
+ ConfidenceScore,
+ UserId,
+ ClientIp,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix,
+ Url
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - TI match on URL in {{InstanceUrl}}
+ alertDescriptionFormat: Malicous IP {{Url}} was found in {{InstanceUrl}}. Associated
+ user is {{UserId}}
+version: 3.2.0
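Review bot: The description template reads `Malicous IP {{Url}}`, which is both misspelt and the wrong noun for a URL indicator; use `Malicious URL {{Url}}`. The extraction regex `(http[s]?://(?:[a-zA-Z\\.-]|[0-9])+)` captures only scheme and host (no port, path or query) while the join is an exact match `on Url`, so any indicator whose `Url` carries a path will never match; either capture the full URL or normalise both sides to the host before joining — I have not confirmed how the feed populates `Url`, so check against real indicators. The `requiredDataConnectors` block lists the three TI connectors twice; drop the duplicates.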
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration over email.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration over email.yaml
new file mode 100644
index 00000000000..923c91ff2b9
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration over email.yaml
@@ -0,0 +1,107 @@
+id: de039242-47e0-43fa-84d7-b6be24305349
+kind: Scheduled
+name: Dataverse - Terminated employee exfiltration over email
+description: This query identifies Dataverse exfiltration via email by terminated
+ employees.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - EmailEvents
+ - connectorId: AzureActiveDirectoryIdentityProtection
+ dataTypes:
+ - SecurityAlert
+ - connectorId: IdentityInfo
+ dataTypes:
+ - IdentityInfo
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1639
+ - T1567
+query: |
+ // Note this detection relies upon the user's UPN matching their email address.
+ // UEBA can provide more accurate data if enabled.
+ let query_frequency = 1h;
+ let allowed_destination_smtp_domains = dynamic([
+ // Specify a list of recipient domains to exclude from alerting.
+ // Example:
+ // "microsoft.com", "contoso.com"
+ ]);
+ let exfiltration_alert_users = SecurityAlert
+ | where Tactics has 'Exfiltration' and Entities has_all ('account', '32780')
+ | mv-expand DataverseEntities = todynamic(Entities)
+ | where DataverseEntities.AppId == 32780
+ | extend InstanceUrl = tostring(DataverseEntities.InstanceName)
+ | mv-expand AccountEntities = todynamic(Entities)
+ | where AccountEntities.Type == 'account'
+ | extend
+ AccountName = tostring(AccountEntities.Name),
+ UPNSuffix = tostring(AccountEntities.UPNSuffix)
+ | summarize InstanceUrls = make_set(InstanceUrl, 100) by AccountName, UPNSuffix
+ | extend UserId = tolower(strcat(AccountName, "@", UPNSuffix));
+ exfiltration_alert_users
+ | join kind=inner (
+ MSBizAppsTerminatedEmployees
+ | project UserId = tolower(UserPrincipalName), NotificationDate
+ | where startofday(NotificationDate) <= startofday(now()))
+ // Uncomment the below KQL if UEBA is available to gain more accurate
+ // email address data:
+ // | join kind=leftouter (_ASIM_IdentityInfo) on $left.UserId == $right.Username
+ // | extend UserId = iif(UserId == UserMailAddress or isempty(UserMailAddress), UserId, UserMailAddress))
+ on UserId
+ | join kind=inner (
+ EmailEvents
+ | where TimeGenerated >= ago (query_frequency)
+ | where EmailDirection == "Outbound" and AttachmentCount > 0
+ | extend RecipientDomain = tolower(split(RecipientEmailAddress, '@')[1])
+ | where RecipientDomain !in (allowed_destination_smtp_domains)
+ | summarize
+ RecipientAddresses = make_set(RecipientEmailAddress, 1000),
+ Subject = make_set(Subject, 1000)
+ by SenderAddress = tolower(SenderMailFromAddress), SenderIPv4)
+ on $left.UserId == $right.SenderAddress
+ | mv-expand InstanceUrl = InstanceUrls to typeof(string)
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, "@")[0]),
+ UPNSuffix = tostring(split(UserId, "@")[1])
+ | project
+ UserId,
+ InstanceUrl,
+ SenderIPv4,
+ RecipientAddresses,
+ Subject,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SenderIPv4
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Email attachment sent externally by terminated user following
+ Dataverse exfiltration alerts
+ alertDescriptionFormat: 'Departing or terminated user {{UserId}} was found to send
+ email to external domains not on the allowed list: {{RecipientAddresses}}'
+version: 3.2.0
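Review bot: The `IdentityInfo` entry under `requiredDataConnectors` is not backed by any live query text; the only reference to identity data is the commented-out `_ASIM_IdentityInfo` join inside the first `join kind=inner (...)` block, so the rule will be gated on a connector it does not actually read. Either drop that connector entry or keep it and state the dependency in the query header, e.g. `// IdentityInfo is optional: only needed if the UEBA join below is uncommented.`. The hard dependency on the `MSBizAppsTerminatedEmployees` parser is also undocumented; a line such as `// Requires the MSBizAppsTerminatedEmployees function (TerminatedEmployees watchlist) to be deployed.` next to the existing UPN note would make the prerequisite visible to whoever deploys this rule standalone. Minor consistency point: `RecipientDomain = tolower(split(RecipientEmailAddress, '@')[1])` relies on implicit dynamic-to-string conversion, whereas every other rule in this commit wraps the `split()` element in `tostring()` first.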
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration to USB drive.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration to USB drive.yaml
new file mode 100644
index 00000000000..c4fa805993c
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration to USB drive.yaml
@@ -0,0 +1,86 @@
+id: c5e75cb6-cea0-49c2-a998-da414035aac1
+kind: Scheduled
+name: Dataverse - Terminated employee exfiltration to USB drive
+description: Identifies files downloaded from Dataverse by departing or terminated
+ employees which are copied to USB mounted drives.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceInfo
+ - DeviceEvents
+ - DeviceFileEvents
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1052
+query: |
+ let drive_mount_lookback = 14d;
+ let query_frequency = 1h;
+ DataverseActivity
+ | distinct InstanceUrl
+ | join kind=inner (DeviceFileEvents
+ | where TimeGenerated >= ago(query_frequency))
+ on $left.InstanceUrl == $right.FileOriginUrl
+ | join kind=inner (MSBizAppsTerminatedEmployees()) on $left.InitiatingProcessAccountUpn == $right.UserPrincipalName
+ | join kind=inner (DeviceEvents
+ | where TimeGenerated >= ago(drive_mount_lookback)
+ | where ActionType == "UsbDriveMounted"
+ | extend DriveLetter = tostring(AdditionalFields.DriveLetter)
+ | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)
+ on DeviceId
+ | extend TargetDriveLetter = tostring(split(FolderPath, "\\")[0])
+ | where set_has_element(MountedDriveLetters, TargetDriveLetter)
+ | join kind=inner (DeviceInfo
+ | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)
+ on DeviceId
+ | project-rename
+ UserId = UserPrincipalName
+ | summarize LatestEvent = arg_max(TimeGenerated, *), Files = make_set(FileName, 100) by UserId, InstanceUrl
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ LatestEvent,
+ UserId,
+ PublicIP,
+ Files,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: PublicIP
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - terminated user copied files from {{InstanceUrl}}
+ to USB
+ alertDescriptionFormat: '{{UserId}} , on the TerminatedUsers watchlist, was found
+ to copy files to a USB mounted drive.'
+customDetails: {}
+version: 3.2.0
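Review bot: The first join, `on $left.InstanceUrl == $right.FileOriginUrl`, is an exact equality between the Dataverse instance URL and `DeviceFileEvents.FileOriginUrl`; if `FileOriginUrl` carries the full download URL (path and query included) rather than just the origin, this join will almost never match and the rule will be silent. If that is the case, normalise both sides before joining, for example `| extend OriginHost = tostring(parse_url(FileOriginUrl).Host)` on the right and the equivalent on `InstanceUrl`, and join on the host. The drive-letter comparison `set_has_element(MountedDriveLetters, TargetDriveLetter)` assumes `AdditionalFields.DriveLetter` and the first `split(FolderPath, "\\")` segment use the same format (e.g. both `E:`); a comment stating that assumption would help the next maintainer, as would a `// Requires the MSBizAppsTerminatedEmployees function (TerminatedEmployees watchlist).` header, since that dependency is not declared anywhere in the rule.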
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection.yaml
new file mode 100644
index 00000000000..c14e42c472f
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection.yaml
@@ -0,0 +1,108 @@
+id: d7c9549c-7246-4555-8e53-d7b0db546764
+kind: Scheduled
+name: Dataverse - Unusual sign-in following disabled IP address-based cookie binding
+ protection
+description: Identifies previously unseen IP and user agents in a Dataverse instance
+ following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+relevantTechniques:
+ - T1629
+query: |
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ let cookie_lifetime = 24h;
+ let cookie_binding_disabled_events = DataverseActivity
+ | where TimeGenerated >= ago(query_lookback)
+ | where Message == "Update" and EntityName == "organization"
+ | mv-expand Fields
+ | where Fields.Name == "enableipbasedcookiebinding" and Fields.Value == 'False'
+ | summarize CookieBindingDisabled = min(TimeGenerated) by CookieBindingDisabledBy = UserId, InstanceUrl;
+ let current_activity = cookie_binding_disabled_events
+ | join kind=inner(DataverseActivity
+ | where UserId !endswith "@onmicrosoft.com" and UserId !endswith "@microsoft.com"
+ | where isnotempty(ClientIp) and isnotempty(UserAgent)
+ | where TimeGenerated >= ago(query_frequency + cookie_lifetime)
+ | summarize LatestEvent = arg_max(TimeGenerated, *) by UserId, ClientIp, InstanceUrl)
+ on InstanceUrl;
+ let users_switched_ip = current_activity
+ | summarize IPCount = count() by UserId, InstanceUrl
+ | where IPCount > 1
+ | join kind=inner (current_activity) on UserId, InstanceUrl
+ | summarize arg_max(LatestEvent, *) by UserId, InstanceUrl;
+ users_switched_ip
+ | join kind = inner (DataverseActivity
+ | where TimeGenerated >= ago (query_lookback)
+ | where UserId !endswith "@onmicrosoft.com" and UserId !endswith "@microsoft.com"
+ | where isnotempty(ClientIp) and isnotempty(UserAgent)
+ | project-rename
+ HistoricalTime = TimeGenerated,
+ HistoricalIP = ClientIp,
+ HistoricalAgent = UserAgent)
+ on UserId, InstanceUrl
+ | where HistoricalTime >= ago(query_lookback) and HistoricalTime < LatestEvent
+ | summarize
+ HistoricalIPs = make_set(HistoricalIP, 100),
+ HistoricalAgents = make_set(HistoricalAgent, 100)
+ by
+ UserId,
+ UserAgent,
+ ClientIp,
+ InstanceUrl,
+ LatestEvent,
+ CookieBindingDisabled,
+ CookieBindingDisabledBy
+ | where (HistoricalIPs !has ClientIp) and (HistoricalAgents !has UserAgent)
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ LatestEvent,
+ UserId,
+ ClientIp,
+ UserAgent,
+ InstanceUrl,
+ HistoricalIPs,
+ HistoricalAgents,
+ CookieBindingDisabled,
+ CookieBindingDisabledBy,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ClientIp
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - Unusual sign-in after IP address-based cookie
+ binding disabled
+ alertDescriptionFormat: IP address-based cookie binding was disabled by in {{InstanceUrl}}.
+ Following this, sign-in events from new IP {{ClientIp}} for {{UserId}} were detected.
+customDetails: {}
+version: 3.2.0
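Review bot: `alertDescriptionFormat` reads "cookie binding was disabled by in {{InstanceUrl}}" — the actor placeholder is missing even though `CookieBindingDisabledBy` is projected; it should be `alertDescriptionFormat: IP address-based cookie binding was disabled by {{CookieBindingDisabledBy}} in {{InstanceUrl}}.`. The novelty test `(HistoricalIPs !has ClientIp) and (HistoricalAgents !has UserAgent)` runs a term search over the JSON text of the arrays; `not(set_has_element(HistoricalIPs, ClientIp))` would express the intended exact-membership check directly and avoid any term-tokenisation surprises with dotted IPs. The description also says "sign-in events", but the data source is `DataverseActivity`, so "activity" would be more accurate.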
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - User bulk retrieval outside normal activity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - User bulk retrieval outside normal activity.yaml
new file mode 100644
index 00000000000..d919825e1cd
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - User bulk retrieval outside normal activity.yaml
@@ -0,0 +1,97 @@
+id: 08cb7ffc-59c6-4e7d-88e0-327371c9431b
+kind: Scheduled
+name: Dataverse - User bulk retrieval outside normal activity
+description: Identifies users retrieving significantly more records from Dataverse
+ than they have previously in the past 2 weeks.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+queryFrequency: 1d
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1048
+query: |
+ let baseline_time = 14d;
+ let detection_time = 1d;
+ DataverseActivity
+ | where TimeGenerated between(ago(baseline_time) .. ago(detection_time - 1d))
+ | where Message == "RetrieveMultiple"
+ | extend numQueryCount = todouble(QueryResults)
+ | extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
+ | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))
+ | summarize sum(QueryCount) by UserId
+ | extend HistoricalBaseline = sum_QueryCount
+ | join kind=inner (
+ DataverseActivity
+ | where TimeGenerated > ago(detection_time)
+ | where Message == "RetrieveMultiple"
+ | extend numQueryCount = todouble(QueryResults)
+ | extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
+ | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))
+ | summarize sum(QueryCount) by UserId
+ | extend CurrentExportRate = sum_QueryCount)
+ on UserId
+ | where CurrentExportRate > HistoricalBaseline
+ | project UserId, HistoricalBaseline, CurrentExportRate
+ | join kind=inner(
+ DataverseActivity
+ | where TimeGenerated > ago(detection_time)
+ | where Message == "RetrieveMultiple"
+ | extend numQueryCount = todouble(QueryResults)
+ | extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
+ | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1)))
+ on UserId
+ | summarize
+ QuerySizes = make_set(QueryCount),
+ MostRecentQuery = max(TimeGenerated),
+ IPs = make_set(ClientIp),
+ UserAgents = make_set(UserAgent),
+ Entities = make_set(EntityName),
+ Queries = make_set(Query)
+ by UserId, InstanceUrl, HistoricalBaseline, CurrentExportRate
+ | extend
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1]),
+ CloudAppId = int(32780)
+ | project
+ MostRecentQuery,
+ UserId,
+ IPs,
+ UserAgents,
+ InstanceUrl,
+ Queries,
+ QuerySizes,
+ Entities,
+ HistoricalBaseline,
+ CurrentExportRate,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - identifier: InstanceName
+ columnName: InstanceUrl
+alertDetailsOverride:
+ alertDisplayNameFormat: Dataverse - Bulk record retrieval outside of normal activity
+ alertDescriptionFormat: '{{UserId}} exported {{CurrentExportRate}} records, far
+ beyond the historical baseline of {{{HistoricalBaseline}}.'
+customDetails: {}
+version: 3.2.0
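Review bot: The baseline window `between(ago(baseline_time) .. ago(detection_time - 1d))` evaluates to `ago(14d) .. ago(0)` with the `let` values given, so the baseline includes the detection day; as long as `QueryCount` is non-negative, `HistoricalBaseline` is always at least `CurrentExportRate` and the `where CurrentExportRate > HistoricalBaseline` filter can never pass, so the rule never fires. The intended bound is presumably `| where TimeGenerated between(ago(baseline_time) .. ago(detection_time))`. Separately, `alertDescriptionFormat` has a triple brace in `{{{HistoricalBaseline}}` which will not render as a placeholder; it should be `{{HistoricalBaseline}}`. As a style point, the three-step `QueryCount` derivation is copied verbatim into all three subqueries and would be clearer as a single `let retrieve_counts = DataverseActivity | where Message == "RetrieveMultiple" | extend ...;` reused by each.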
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml
new file mode 100644
index 00000000000..3fac3e7d616
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml
@@ -0,0 +1,87 @@
+id: dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64
+kind: Scheduled
+name: F&O - Bank account change following network alias reassignment
+description: Identifies changes to user accounts where the network alias was modified
+ to a new value. Shortly afterwards, the updated alias is used to update a bank account
+ number.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dynamics365Finance
+ dataTypes:
+ - FinanceOperationsActivity_CL
+queryFrequency: 15m
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - CredentialAccess
+ - LateralMovement
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1556
+ - T0859
+ - T1078
+query: |
+ let query_frequency = 15m;
+ FinanceOperationsActivity_CL
+ | where LogType == "Update" and TableName == "UserInfo"
+ | extend UserId = tostring(parse_json(tostring(FormattedData.["03::id"])).NewData)
+ | extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))
+ | extend
+ CurrentAlias = tostring(NetworkAlias.NewData),
+ PreviousAlias = tostring(NetworkAlias.OldData)
+ | where CurrentAlias != PreviousAlias
+ | extend
+ AliasUpdated = LogCreatedDateTime,
+ AliasChangedBy = Username
+ | join kind=inner(FinanceOperationsActivity_CL
+ | where TimeGenerated >= ago (query_frequency)
+ | where LogType == "Update" and TableName == "BankAccountTable"
+ | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
+ | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
+ | extend
+ CurrentAccountNum = tostring(AccountNum.NewData),
+ OldAccountNum = tostring(AccountNum.OldData)
+ | where CurrentAccountNum != OldAccountNum
+ | extend BankUpdated = LogCreatedDateTime)
+ on $left.UserId == $right.Username
+ | where BankUpdated > AliasUpdated
+ | extend
+ FinOpsAppId = 32780,
+ AccountName = tostring(split(CurrentAlias, "@")[0]),
+ UPNSuffix = tostring(split(CurrentAlias, "@")[1])
+ | project
+ AliasUpdated,
+ AliasChangedBy,
+ Username,
+ AccountId,
+ CurrentAccountNum,
+ OldAccountNum,
+ CurrentAlias,
+ PreviousAlias,
+ FinOpsAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: AliasChangedBy
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: Username
+alertDetailsOverride:
+ alertDisplayNameFormat: F&O - Suspicious bank account changes
+ alertDescriptionFormat: A user account alias was reassigned for {{Username}} by
+ {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.
+version: 3.2.0
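Review bot: `FinOpsAppId` is computed and projected but never surfaced as an entity — `entityMappings` lists three Account entities and no CloudApplication, unlike the "Mass update or deletion" and "Reverted bank account number" rules in this same commit, which map `AppId` to `FinOpsAppId`; adding a `CloudApplication` mapping with identifier `AppId` on column `FinOpsAppId` (or dropping the column) would keep the F&O rules consistent. The `where BankUpdated > AliasUpdated` correlation has no upper bound other than `queryPeriod: 1d`, so "shortly afterwards" in the description is really "within the 1d query period"; a `let` window such as `let correlation_window = 1d;` with `| where BankUpdated between (AliasUpdated .. AliasUpdated + correlation_window)` would make the intent explicit and robust to future `queryPeriod` changes.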
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Mass update or deletion of user records.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Mass update or deletion of user records.yaml
new file mode 100644
index 00000000000..0016f2e717b
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Mass update or deletion of user records.yaml
@@ -0,0 +1,50 @@
+id: 5ab00fbb-ba2c-44dc-b02e-f119639b9a11
+kind: Scheduled
+name: F&O - Mass update or deletion of user records
+description: Identifies large delete or update operations on Finance & Operations
+ user records based on predefined thresholds.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dynamics365Finance
+ dataTypes:
+ - FinanceOperationsActivity_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1485
+ - T1565
+ - T1491
+query: |
+ // Set threshold for number of updated or deleted records
+ let update_detection_threshold = 50;
+ let deleted_detection_threshold = 10;
+ FinanceOperationsActivity_CL
+ | where TableName == "UserInfo" and LogType in ("Update", "Delete")
+ | summarize
+ TotalEvents = count(),
+ StartTime = min(LogCreatedDateTime),
+ EndTime = max(LogCreatedDateTime)
+ by TableName, Username, LogType
+ | where (LogType == "Update" and TotalEvents > update_detection_threshold) or (LogType == "Delete" and TotalEvents > deleted_detection_threshold)
+ | extend FinOpsAppId = 32780
+ | project StartTime, EndTime, Username, LogType, TableName, TotalEvents, FinOpsAppId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: Username
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: FinOpsAppId
+alertDetailsOverride:
+ alertDisplayNameFormat: F&O - many user account records deleted
+ alertDescriptionFormat: '{{TotalEvents}} user records deleted in F&O by user {{Username}}'
+version: 3.2.0
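Review bot: The alert text describes only deletions, but the filter `(LogType == "Update" and TotalEvents > update_detection_threshold) or (LogType == "Delete" and ...)` also fires for mass updates, so an Update-triggered alert will be titled "many user account records deleted". Since `LogType` is already projected, use it in both formats, e.g. `alertDisplayNameFormat: F&O - mass {{LogType}} of user account records` and `alertDescriptionFormat: '{{TotalEvents}} user records affected by {{LogType}} operations in F&O by user {{Username}}'`. The inline comment `// Set threshold for number of updated or deleted records` would be more useful if it also stated the units (events per `queryPeriod: 1h` per user), since the thresholds only make sense relative to that window.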
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Non-interactive account mapped to self or sensitive privileged user.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Non-interactive account mapped to self or sensitive privileged user.yaml
new file mode 100644
index 00000000000..9fd74e61ebc
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Non-interactive account mapped to self or sensitive privileged user.yaml
@@ -0,0 +1,75 @@
+id: 5b7cc7f9-fe54-4138-9fb0-d650807345d3
+kind: Scheduled
+name: F&O - Non-interactive account mapped to self or sensitive privileged user
+description: Identifies changes to Microsoft Entra client apps registered for Finance
+ & Operations, specifically when a new client is mapped to a predefined list of sensitive
+ privileged user accounts, or when a user associates a client app with their own
+ account.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Dynamics365Finance
+ dataTypes:
+ - FinanceOperationsActivity_CL
+queryFrequency: 15m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - CredentialAccess
+ - Persistence
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1556
+ - T1098
+ - T1136
+ - T1078
+ - T0859
+query: |
+ // Add sensitive privilege accounts to the privileged_user_accounts variable.
+ // Example: let privileged_user_accounts = dynamic(["Admin1", "Admin"]);
+ let privileged_user_accounts = dynamic([]);
+ FinanceOperationsActivity_CL
+ | where TableName == "SysAADClientTable" and LogType in ("Insert", "Update")
+ | extend ClientId = tostring(parse_json(tostring(FormattedData.["03::AADClientId"])).NewData)
+ | extend User = parse_json(tostring(FormattedData.UserId))
+ | extend
+ MappedUser = tostring(User.NewData),
+ PreviousUserId = tostring(User.OldData),
+ TargetAppName = tostring(parse_json(tostring(FormattedData.Name)).NewData),
+ FinOpsAppId = 32780
+ | where MappedUser in (privileged_user_accounts) or LogCreatedBy == MappedUser
+ | project
+ LogCreatedDateTime,
+ LogCreatedBy,
+ LogType,
+ TargetAppName,
+ MappedUser,
+ PreviousUserId,
+ ClientId,
+ FinOpsAppId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: LogCreatedBy
+ - entityType: Account
+ fieldMappings:
+ - identifier: AadUserId
+ columnName: ClientId
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: FinOpsAppId
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: MappedUser
+alertDetailsOverride:
+ alertDisplayNameFormat: F&O - Sensitive non-interactive user mapping detected
+ alertDescriptionFormat: User account {{LogCreatedBy}} mapped an Azure AD App to
+ senstitive privileged user account {{MappedUser}}. The associated Azure AD client
+ ID is {{ClientId}}
+version: 3.2.0
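Review bot: The second Account mapping binds identifier `AadUserId` to `ClientId`, but `ClientId` is extracted from `FormattedData.["03::AADClientId"]` and, going by that name, appears to be an Entra application (client) ID rather than a user object ID; mapping it as an Account entity would create a bogus user entity per alert. Unless the field really holds a user object ID, drop that mapping (or keep the GUID in `customDetails`) and document the semantics with a comment such as `// ClientId is the Entra app registration's client ID, not a user object ID.`. Two wording issues in `alertDescriptionFormat`: "senstitive" should be "sensitive", and the text says "Azure AD" twice while the `description` field uses "Microsoft Entra" — pick one name.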
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml
new file mode 100644
index 00000000000..c74b2750cf7
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml
@@ -0,0 +1,67 @@
+id: 44b1021c-d517-4b7a-9ba6-a91eab94e632
+kind: Scheduled
+name: F&O - Reverted bank account number modifications
+description: Identifies changes to bank account numbers in Finance & Operations, whereby
+ a bank account number is modified but then subsequently reverted a short time later.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: Dynamics365Finance
+ dataTypes:
+ - FinanceOperationsActivity_CL
+queryFrequency: 15m
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1565
+ - T1496
+ - T0828
+ - T0831
+query: |
+ let detection_window = 24h;
+ let query_frequency = 15m;
+ let bank_changes = FinanceOperationsActivity_CL
+ | where LogType == "Update" and TableName == "BankAccountTable"
+ | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
+ | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
+ | extend
+ CurrentAccountNum = tostring(AccountNum.NewData),
+ OldAccountNum = tostring(AccountNum.OldData)
+ | where CurrentAccountNum != OldAccountNum;
+ bank_changes
+ | join kind=inner (bank_changes
+ | where TimeGenerated >= ago(query_frequency)
+ | project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)
+ on $left.OldAccountNum == $right.UpdatedAccount
+ | where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))
+ | extend FinOpsAppId = 32780
+ | project
+ TimeGenerated,
+ LogCreatedDateTime,
+ LogType,
+ TableName,
+ Username,
+ AccountId,
+ CurrentAccountNum,
+ OldAccountNum,
+ FinOpsAppId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: Username
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: FinOpsAppId
+alertDetailsOverride:
+ alertDisplayNameFormat: F&O - Suspicious bank account number changes
+ alertDescriptionFormat: A suspicous bank account change was made in F&O, the bank
+ account number was updated and then changed back to the orginal number a short
+ time later. {{AccountId}} was changed by {{Username}}
+version: 3.2.0
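Review bot: The self-join `on $left.OldAccountNum == $right.UpdatedAccount` does not constrain the two updates to the same bank account, so a change X→Y on account A followed by an unrelated change Z→X on account B within `detection_window` would be reported as a revert. Include the account in the join key, `on AccountId, $left.OldAccountNum == $right.UpdatedAccount`, so that only a genuine revert on the same `AccountId` matches. `alertDescriptionFormat` also has two typos: "suspicous" → "suspicious" and "orginal" → "original".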
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
new file mode 100644
index 00000000000..834dabf68cb
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
@@ -0,0 +1,79 @@
+id: 919e939f-95e2-4978-846e-13a721c89ea1
+kind: Scheduled
+name: F&O - Unusual sign-in activity using single factor authentication
+description: Identifies sucessful sign-in events to Finance & Operations and Lifecycle
+ Services using single factor/password authentication. Sign-in events from tenants
+ not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations
+ seen previously in the last 14 days are excluded.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - CredentialAccess
+ - InitialAccess
+relevantTechniques:
+ - T1552
+ - T1078
+query: |
+ // Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
+ // Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
+ let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ let historical_sign_in_activity = SigninLogs
+ | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
+ let historical_sign_in_locations = historical_sign_in_activity
+ | summarize by Location;
+ let multifactor_sign_in_count = toscalar(historical_sign_in_activity
+ | where AppId in (appid_list) and ResultType == 0
+ | where AuthenticationRequirement == "multiFactorAuthentication"
+ | summarize count());
+ SigninLogs
+ | where TimeGenerated >= ago(query_frequency)
+ | where AppId in (appid_list) and ResultType == 0
+ | where multifactor_sign_in_count > 0
+ | where Location !in (historical_sign_in_locations)
+ | where NetworkLocationDetails !has "trustedNamedLocation"
+ | summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
+ | extend
+ CloudAppId = 32780,
+ AccountName = tostring(split(UserPrincipalName, "@")[0]),
+ UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
+ | project
+ UserPrincipalName,
+ AppDisplayName,
+ IPAddress,
+ Location,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IPAddress
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+alertDetailsOverride:
+ alertDisplayNameFormat: Dynamics 365 F&O - Unusual sign-in without multi-factor
+ authentication
+ alertDescriptionFormat: Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}}
+ from location {{Location}} which has not been seen before in the last 14 days.
+version: 3.2.0
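Review bot: The current-period branch never restricts to single-factor sign-ins — the `SigninLogs | where TimeGenerated >= ago(query_frequency)` block filters on `AppId`, `ResultType == 0`, unseen `Location` and non-trusted network only, so an MFA-satisfied sign-in from a new location raises an alert titled "Unusual sign-in without multi-factor authentication". Add `| where AuthenticationRequirement == "singleFactorAuthentication"` alongside the `AppId in (appid_list)` filter, mirroring the `multiFactorAuthentication` check used to build `multifactor_sign_in_count`. Note that `historical_sign_in_locations` is derived from all of `SigninLogs` rather than the F&O/LCS `appid_list`, so a location previously seen for any application suppresses the alert; if that is intended, a one-line comment saying so would pre-empt the question. The `description` has a typo: "sucessful" → "successful".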
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
new file mode 100644
index 00000000000..9855f4b771d
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
@@ -0,0 +1,94 @@
+id: 7ec1e61d-f3b7-4f40-bb1a-357a63913c23
+kind: Scheduled
+name: Power Apps - App activity from unauthorized geo
+description: Identifies Power Apps activity from countries in a predefined list of
+ unauthorized countries.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1078
+query: |
+ let unauthorized_country_codes = dynamic([
+ // Specify the disallowed two letter country codes
+ // example: disallowed_country_codes = dynamic(["RU", "KP", "IR"])
+ ]);
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ let powerapps_events = dynamic(["LaunchPowerApp", "AppDlpEvaluationResultChange", "UpdatePowerApp", "PublishPowerApp", "RecordScopesConsent", "CreatePowerApp", "PowerAppPermissionEdited", "PowerAppPermissionDeleted", "ImportExistingCanvasApp", "DeletePowerApp", "ImportNewCanvasApp", "PromotePowerAppVersion", "RemoveHeroApp", "DeletePowerAppVersion", "PublishSolutionCanvasAppVersion", "AdminModifyAppPermissions", "AdminModifyAppOwner", "AdminQuarantineApp", "AdminDeleteApp", "AdminSetAppBypassConsent", "PatchPowerApp"]);
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where EventOriginalType in (powerapps_events)
+ | extend Properties = tostring(PropertyCollection)
+ | extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
+ | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)
+ | extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
+ | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
+ | extend
+ AppName = extract(@'"powerplatform.analytics.resource.power_app.display_name","Value":"([^"]+)"', 1, Properties),
+ EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties),
+ EnvironmentName = extract(@'"powerplatform.analytics.resource.environment.name","Value":"([^"]+)"', 1, Properties)
+ | summarize FirstEvent = min(TimeGenerated) by ActorName, SrcIpAddr, AppName, AppId, EnvironmentId, EnvironmentName
+ | join kind=inner (
+ SigninLogs
+ | where TimeGenerated >= ago(query_lookback)
+ | where Location in (unauthorized_country_codes)
+ | summarize by IPAddress, Location)
+ on $left.SrcIpAddr == $right.IPAddress
+ | extend
+ PowerAppsEntityId = 27593,
+ DataverseId = 32780,
+ AccountName = tostring(split(ActorName, '@')[0]),
+ UPNSuffix = tostring(split(ActorName, '@')[1])
+ | project
+ FirstEvent,
+ ActorName,
+ SrcIpAddr,
+ Location,
+ AppName,
+ AppId,
+ EnvironmentId,
+ EnvironmentName,
+ PowerAppsEntityId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SrcIpAddr
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: PowerAppsEntityId
+ - identifier: Name
+ columnName: AppName
+alertDetailsOverride:
+ alertDisplayNameFormat: Power Apps activity from an unauthorized location
+ alertDescriptionFormat: 'User {{ActorName}} activity associated with app {{AppName}}
+ from an unauthorized geolocation: {{Location}}'
+customDetails:
+ Environment: EnvironmentId
+ App: AppId
+ EnvironmentName: EnvironmentName
+version: 3.2.0
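Review bot: The inline example `// example: disallowed_country_codes = dynamic(["RU", "KP", "IR"])` names a variable that does not exist in this query; the list is `unauthorized_country_codes`, so a reader following the example would not actually configure the rule. Because the list is empty by default, `Location in (unauthorized_country_codes)` matches nothing and the rule is silent until customised, which is worth stating in a comment on the list such as `// The rule produces no results until at least one country code is added here`. `DataverseId = 32780` is extended but never projected or mapped, so it can be dropped.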
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml
new file mode 100644
index 00000000000..3ddcddb1459
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml
@@ -0,0 +1,113 @@
+id: 943acfa0-9285-4eb0-a9c0-42e36177ef19
+kind: Scheduled
+name: Power Apps - Bulk sharing of Power Apps to newly created guest users
+description: Identifies unusual bulk sharing, based on a predefined threshold in the
+ query, of Power Apps to newly created Microsoft Entra guest users.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - AuditLogs
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - ResourceDevelopment
+ - InitialAccess
+ - LateralMovement
+relevantTechniques:
+ - T1587
+ - T1566
+ - T1534
+query: |
+ ////////////
+ // threshold = If the number of unique accounts that a power app is shared with is greater than
+ // threshold than it'll trigger an alert. A threshold of 5 is good to start with.
+ // However, if this is giving too many false positives, please adjust the threshold.
+ ////////////
+ let threshold = 5;
+ ////////////
+ // Please replace the allowed_domains with a list of domains of your partners/sibling orgs
+ // with whom you generally share power apps with. This will allow us to filter
+ // legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.
+ ///////////
+ let allowed_domains = pack_array("contoso.com");
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where EventOriginalType == "PowerAppPermissionEdited"
+ | extend Properties = tostring(PropertyCollection)
+ | extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
+ | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
+ | extend TargetPrincipalId = extract(@'"targetuser.id","Value":"([^"]+)"', 1, Properties)
+ | join kind=leftouter (
+ AuditLogs
+ | where ActivityDateTime >= ago(query_lookback)
+ | where SourceSystem =~ "Azure AD" and OperationName == "Invite external user"
+ | where Result =~ "success"
+ | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])
+ | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, "@")[1])
+ | where not(InvitedOrgDomain has_any(allowed_domains))
+ | extend
+ InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),
+ InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),
+ InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),
+ InvitedId = tostring(parse_json(TargetResources[0])['id'])
+ | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)
+ on $left.TargetPrincipalId == $right.InvitedId
+ | where isnotempty(InvitedId)
+ | summarize
+ StartTime = min(TimeGenerated),
+ EndTime = max(TimeGenerated),
+ TargetedUsersCount=dcount(TargetPrincipalId),
+ TargetedObjectIds = make_set(TargetPrincipalId, 1000),
+ InvitedDomains = make_set(InvitedOrgDomain, 1000),
+ InvitedEmailAddresses = make_set(InvitedEmail, 1000)
+ by AppId, InvitedById, InvitedByUPN
+ | extend
+ PowerAppsEntityId = 27593,
+ AccountName = tostring(split(InvitedByUPN, '@')[0]),
+ UPNSuffix = tostring(split(InvitedByUPN, '@')[1])
+ | project
+ StartTime,
+ EndTime,
+ InvitedByUPN,
+ InvitedById,
+ InvitedDomains,
+ InvitedEmailAddresses,
+ TargetedUsersCount,
+ TargetedObjectIds,
+ AppId,
+ PowerAppsEntityId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: PowerAppsEntityId
+ - identifier: InstanceName
+ columnName: AppId
+alertDetailsOverride:
+ alertDisplayNameFormat: Power Apps - app shared with recently created external guest
+ accounts
+ alertDescriptionFormat: '{{InvitedByUPN}} shared an app with {{TargetedUsersCount}}
+ recently added guest user accounts that are not on the list of allowed partner
+ domains. List of domain s {{InvitedDomains}}'
+customDetails:
+ PowerAppsApp: AppId
+version: 3.2.0
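Review bot: `threshold` is declared at `let threshold = 5;` and described in the header comment and the rule description as the trigger condition, but it is never applied: nothing filters on `TargetedUsersCount` after the `summarize`, so a single share to one newly invited guest raises this Medium alert. Add `| where TargetedUsersCount > threshold` between the `summarize ... by AppId, InvitedById, InvitedByUPN` and the following `extend`. `tostring(parse_json(AdditionalDetails[5])['value'])` selects the invited address by array position, which will silently pick the wrong element if the audit payload ordering changes; selecting the entry by its key would be more robust, though the exact key is not visible here. The alert description also contains the typo `List of domain s`.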
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple apps deleted.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple apps deleted.yaml
new file mode 100644
index 00000000000..6119641b1b4
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple apps deleted.yaml
@@ -0,0 +1,82 @@
+id: ed88638d-8627-4c20-ba08-67c13807a9b1
+kind: Scheduled
+name: Power Apps - Multiple apps deleted
+description: Identifies mass delete activity where multiple Power Apps are deleted,
+ matching a predefined threshold of total apps deleted or app delete events across
+ multiple Power Platform environments.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1485
+ - T0826
+query: |
+ let total_app_mass_delete_threshold = 25;
+ let cross_environment_delete_threshold = 10;
+ let query_frequency = 1h;
+ let app_delete_events = materialize(
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago (query_frequency)
+ | where EventOriginalType == "DeletePowerApp"
+ | extend Properties = tostring(PropertyCollection)
+ | extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
+ | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
+ | extend EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties)
+ );
+ app_delete_events
+ | summarize AppCount = count(), EnvCount = dcount(EnvironmentId) by ActorName
+ | where AppCount >= total_app_mass_delete_threshold or EnvCount >= cross_environment_delete_threshold
+ | join kind=inner app_delete_events on ActorName
+ | summarize
+ Apps = make_set(AppId, 1000),
+ Environments = make_set(EnvironmentId, 1000),
+ StartTime = min(TimeGenerated)
+ by AppCount, EnvCount, ActorName
+ | extend
+ PowerAppsEntityId = 27593,
+ DataverseId = 32780,
+ AccountName = tostring(split(ActorName, '@')[0]),
+ UPNSuffix = tostring(split(ActorName, '@')[1])
+ | project
+ StartTime,
+ ActorName,
+ AppCount,
+ Apps,
+ EnvCount,
+ Environments,
+ PowerAppsEntityId,
+ DataverseId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: PowerAppsEntityId
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+alertDetailsOverride:
+ alertDisplayNameFormat: Power Apps - mass deletion of apps
+ alertDescriptionFormat: '{{AppCount}} apps were deleted in {{EnvCount}} environments
+ by {{ActorName}} , exceeding the mass delete threshold.'
+customDetails:
+ EnvironmentsImpacted: Environments
+ AppsDeleted: Apps
+ AppDeleteCount: AppCount
+ EnvironmentsCount: EnvCount
+version: 3.2.0
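Review bot: `AppCount = count()` counts DeletePowerApp events rather than distinct apps, while the threshold is named `total_app_mass_delete_threshold` and the alert text reads `{{AppCount}} apps were deleted`; `AppCount = dcount(AppId)` would match the stated semantics and stop repeated deletes of one app from inflating the count. If the event count is intended, a short comment on that line saying so would stop the next reader from changing it.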
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml
new file mode 100644
index 00000000000..f1ae8800002
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml
@@ -0,0 +1,203 @@
+id: 4bd7e93a-0646-4e02-8dcb-aa16d16618f4
+kind: Scheduled
+name: Power Apps - Multiple users access a malicious link after launching new app
+description: Identifies a chain of events, where a new Power App is created, followed
+ by mulitple users launching the app within the detection window and clicking on
+ the same malicious URL.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - UrlClickEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - UrlClickEvents
+ - connectorId: AzureActiveDirectoryIdentityProtection
+ dataTypes:
+ - SecurityAlert
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1189
+ - T1566
+query: |
+ // Define a threshold (distinct_user_launch_threshold) for
+ // the minimum number of users who launched an app
+ // to be in scope of this detection
+ let distinct_user_launch_threshold = 2;
+ // Define a threshold for the minumum number of users
+ // who clicked the same malicious link after launching the app
+ // to be in scope of this detection
+ let distinct_user_url_click_threshold = 2;
+ let query_frequency = 1h;
+ let query_lookback = 14d;
+ let new_app_creation_activity = materialize(
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago (query_lookback)
+ | where EventOriginalType == "CreatePowerApp"
+ | extend Properties = tostring(PropertyCollection)
+ | extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
+ | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)
+ | extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
+ | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
+ | extend
+ AppName = extract(@'"powerplatform.analytics.resource.power_app.display_name","Value":"([^"]+)"', 1, Properties),
+ EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties)
+ | project-rename
+ AppCreatedTime = TimeGenerated,
+ AppCreator = ActorName,
+ AppCreatorIpAddr = SrcIpAddr
+ );
+ let distinct_apps = new_app_creation_activity
+ | distinct AppName;
+ let new_app_launch_activity = materialize(
+ new_app_creation_activity
+ | join kind=inner (
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago (query_lookback)
+ | where EventOriginalType == "LaunchPowerApp"
+ | where PropertyCollection has_any (distinct_apps)
+ | extend Properties = tostring(PropertyCollection)
+ | extend AppName = extract(@'"powerplatform.analytics.resource.power_app.display_name","Value":"([^"]+)"', 1, Properties)
+ | summarize FirstAppLaunchTime = min(TimeGenerated) by ActorName, AppName)
+ on AppName
+ | where FirstAppLaunchTime > AppCreatedTime
+ );
+ let new_app_launch_users = new_app_launch_activity
+ | summarize LaunchCount = dcount(ActorName) by AppName
+ | where LaunchCount > distinct_user_launch_threshold
+ | join kind=inner new_app_launch_activity on AppName
+ | summarize
+ by
+ ActorName,
+ FirstAppLaunchTime,
+ AppName,
+ AppId,
+ EnvironmentId,
+ AppCreator,
+ AppCreatorIpAddr;
+ let detected_urls = union isfuzzy=true
+ (
+ SecurityAlert
+ | where TimeGenerated >= ago (query_lookback)
+ | where Entities has_cs '"Type":"url"'
+ | mv-expand todynamic(Entities)
+ | where tostring(Entities.Type) == "url"
+ | project Url = tostring(Entities.Url), Source = "SecurityAlert"
+ ),
+ (
+ ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(query_lookback)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where isnotempty(isnotempty(Url))
+ | project Url, Source = "ThreatIntelligence"
+ )
+ | summarize by Url, Source;
+ let url_click_events = materialize(
+ union isfuzzy=true
+ (
+ UrlClickEvents
+ | where TimeGenerated >= ago(query_frequency)
+ | where isnotempty(ThreatTypes)
+ | join kind=inner (new_app_launch_users) on $left.AccountUpn == $right.ActorName
+ | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))
+ | summarize by ActorName, Url, Source = "MicrosoftDefender"
+ ),
+ (
+ _Im_WebSession
+ | where TimeGenerated >= ago(query_frequency)
+ | join kind=inner (new_app_launch_users) on $left.SrcUsername == $right.ActorName
+ | join kind=inner (detected_urls) on Url
+ | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))
+ | summarize by ActorName, Url, Source
+ )
+ );
+ let distinct_url_click_events_count = toscalar(
+ url_click_events
+ | summarize DistinctUserCount = dcount(ActorName) by Url
+ | where DistinctUserCount > distinct_user_url_click_threshold
+ | summarize sum(DistinctUserCount)
+ );
+ url_click_events
+ | summarize DistinctUserCount = dcount(ActorName) by Url
+ | where DistinctUserCount >= distinct_user_url_click_threshold
+ | join kind=inner url_click_events on Url
+ | join kind=inner (new_app_launch_users) on ActorName
+ | extend
+ PowerAppsEntityId = 27593,
+ DataverseId = 32780,
+ AccountName = tostring(split(ActorName, '@')[0]),
+ UPNSuffix = tostring(split(ActorName, '@')[1])
+ | project
+ FirstAppLaunchTime,
+ AppCreator,
+ AppName,
+ AppId,
+ ImpactedUser = ActorName,
+ AccountName,
+ UPNSuffix,
+ EnvironmentId,
+ Url,
+ Source,
+ PowerAppsEntityId
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: PowerAppsEntityId
+ - identifier: InstanceName
+ columnName: AppName
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: AppCreator
+ - entityType: Account
+ fieldMappings:
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - identifier: Name
+ columnName: AccountName
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Possible malicious app detected - {{AppName}} '
+ alertDescriptionFormat: 'Multiple users opened a malicious link after launching
+ app {{AppName}}. Click here to navigate to the Power Apps Portal to examine the
+ app: https://make.powerapps.com/environments/{{EnvironmentId}}/apps'
+customDetails:
+ Environment: EnvironmentId
+ PowerAppsAppName: AppName
+ PowerAppsApp: AppId
+ AppCreator: AppCreator
+version: 3.2.0
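Review bot: `| where isnotempty(isnotempty(Url))` in the ThreatIntelligenceIndicator branch is a no-op, because the inner call yields a bool and `isnotempty` of a bool is always true, so indicators without a URL flow into `detected_urls`; it should read `| where isnotempty(Url)`. `requiredDataConnectors` lists ThreatIntelligence, ThreatIntelligenceTaxii, MicrosoftDefenderThreatIntelligence and MicrosoftThreatProtection twice each, while `_Im_WebSession`, which the second union branch queries, is not listed at all. `distinct_url_click_events_count` is computed with `toscalar` but never referenced, so it only adds query cost. The two thresholds are also applied inconsistently (`LaunchCount > distinct_user_launch_threshold` but `DistinctUserCount >= distinct_user_url_click_threshold`) although both comments describe a minimum.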
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
new file mode 100644
index 00000000000..afec33504a0
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
@@ -0,0 +1,71 @@
+id: b1e11b8c-545a-4dea-a912-0008e160d183
+kind: Scheduled
+name: Power Automate - Departing employee flow activity
+description: Identifies instances where an employee who has been notified or is already
+ terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate
+ flow.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerAutomate
+ dataTypes:
+ - PowerAutomateActivity
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Exfiltration
+ - Impact
+relevantTechniques:
+ - T1567
+ - T1485
+ - T1491
+ - T0813
+ - T0879
+ - T0826
+query: |
+ let query_frequency = 1h;
+ PowerAutomateActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where EventOriginalType in ("CreateFlow", "EditFlow")
+ | join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName
+ | extend path = parse_url(FlowDetailsUrl).Path
+ | extend EnvironmentId = tostring(split(path, "/")[2])
+ | extend FlowId = tostring(split(path, "/")[-2])
+ | extend
+ AccountName = tostring(split(ActorName, "@")[0]),
+ UPNSuffix = tostring(split(ActorName, "@")[1]),
+ PowerAutomateAppId = 27592,
+ CloudAppId = 32780
+ | project
+ TimeGenerated,
+ EventOriginalType,
+ ActorName,
+ EnvironmentId,
+ AccountName,
+ UPNSuffix,
+ PowerAutomateAppId,
+ CloudAppId,
+ FlowId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: PowerAutomateAppId
+alertDetailsOverride:
+ alertDisplayNameFormat: PowerAutomate - Terminated user {{EventOriginalType}} detected
+ alertDescriptionFormat: '{{ActorName}} is on the terminated employees watchlist
+ and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.'
+customDetails:
+ Environment: EnvironmentId
+ FlowDetails: FlowId
+version: 3.2.0
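Review bot: The join `on $left.ActorName == $right.UserPrincipalName` compares UPNs case-sensitively, so a watchlist entry whose casing differs from the `ActorName` recorded in PowerAutomateActivity will not match and the terminated user's flow change is missed; normalising both keys with `tolower()` before the join avoids that, assuming the watchlist function returns a `UserPrincipalName` column as this query expects. `EnvironmentId = tostring(split(path, "/")[2])` and `FlowId = tostring(split(path, "/")[-2])` assume a fixed `FlowDetailsUrl` path layout; a comment giving the expected URL shape would make those indices verifiable. `CloudAppId` is projected but not used by any entity mapping.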
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Unusual bulk deletion of flow resources.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Unusual bulk deletion of flow resources.yaml
new file mode 100644
index 00000000000..d4a27940232
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Unusual bulk deletion of flow resources.yaml
@@ -0,0 +1,88 @@
+id: 56cb646e-56a0-4f0e-8866-9bc1dd15da78
+kind: Scheduled
+name: Power Automate - Unusual bulk deletion of flow resources
+description: Identifies bulk deletion of Power Automate flows that exceed a predefined
+ threshold defined in the query and deviate from activity patterns observed in the
+ last 14 days.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerAutomate
+ dataTypes:
+ - PowerAutomateActivity
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+ - DefenseEvasion
+relevantTechniques:
+ - T1485
+ - T0828
+ - T1562
+query: |
+ // minThreshold: Minimum number of apps to be deleted to be considered an anomaly;
+ // This is to prevent one-off isolated delete flow to be considered outlier.
+ // The Min Threshold can be reduced or increased according to the traffic in the organization.
+ let minThreshold=10;
+ let interval = 1h;
+ let startTime = ago(14d);
+ let endTime = now();
+ let query_frequency = 1h;
+ let flow_deletion_events = PowerAutomateActivity
+ | where TimeGenerated >= startTime
+ | where EventOriginalType =~ "DeleteFlow"
+ | extend IngestionTimeGenerated = TimeGenerated;
+ flow_deletion_events
+ | make-series DeletedFlowCount=count() on IngestionTimeGenerated from startTime to endTime step interval by ActorName, UserUpn, ActorUserId
+ | extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(DeletedFlowCount)
+ | mv-expand
+ DeletedFlowCount to typeof(double),
+ IngestionTimeGenerated to typeof(datetime),
+ Anomalies to typeof(double),
+ AnomalyScore to typeof(double),
+ ExpectedUsage to typeof(long)
+ | where IngestionTimeGenerated >= ago(query_frequency)
+ | where Anomalies != 0 and DeletedFlowCount >= minThreshold
+ | lookup (flow_deletion_events
+ | where IngestionTimeGenerated >= ago(query_frequency))
+ on ActorName, UserUpn, ActorUserId
+ | extend
+ AccountName = tostring(split(ActorName, "@")[0]),
+ UPNSuffix = tostring(split(ActorName, "@")[1]),
+ PowerAutomateAppId = 27592
+ | project
+ TimeGenerated,
+ ActorName,
+ DeletedFlowCount,
+ ExpectedUsage,
+ Anomalies,
+ AnomalyScore,
+ AccountName,
+ UPNSuffix,
+ PowerAutomateAppId,
+ UserUpn,
+ ActorUserId
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: PowerAutomateAppId
+alertDetailsOverride:
+ alertDisplayNameFormat: Power Automate - unusual bulk deletion of {{DeletedFlowCount}}
+ flows
+ alertDescriptionFormat: User {{ActorName}} deleted {{DeletedFlowCount}} flows in
+ the last hour, surpassing the bulk delete threshold. This is anomalous compared
+ to the past 14 days.
+customDetails:
+ DeletedFlowCount: DeletedFlowCount
+version: 3.2.0
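Review bot: The header comment `// minThreshold: Minimum number of apps to be deleted to be considered an anomaly;` describes apps, but the series counts `DeleteFlow` events, so it should say flows. `ExpectedUsage to typeof(long)` appears to truncate the baseline produced by `series_decompose_anomalies` while the other series columns are expanded as `double`, so the alert shows a rounded-down expected value; `typeof(double)` keeps it comparable with `DeletedFlowCount`. The trailing `lookup` against the last hour of `flow_deletion_events` yields one output row per delete event for each anomalous actor, which is fine under `SingleAlert` but deserves a comment since it changes the row count from one per actor.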
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Account added to privileged Microsoft Entra roles.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Account added to privileged Microsoft Entra roles.yaml
new file mode 100644
index 00000000000..29b4fd5f8bd
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Account added to privileged Microsoft Entra roles.yaml
@@ -0,0 +1,79 @@
+id: 71d829d6-eb50-4a17-8a64-655fae8d71e1
+kind: Scheduled
+name: Power Platform - Account added to privileged Microsoft Entra roles
+description: |
+ Identifies changes to privileged directory roles impacting Power Platform:
+ - Dynamics 365 Admins
+ - Power Platform Admins
+ - Fabric Admins
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - AuditLogs
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1078
+ - T1068
+ - T1548
+query: |
+ // 44367163-eba1-44c3-98af-f5787879f96a = Dynamics 365 Administrator
+ // 11648597-926c-4cf3-9c36-bcebb0ba8dcc = Power Platform Administrator
+ // a9ea8996-122f-4c74-9520-8edcd192826c = Fabric Administrator
+ let query_frequency = 1h;
+ let role_template_ids = dynamic(["44367163-eba1-44c3-98af-f5787879f96a", "11648597-926c-4cf3-9c36-bcebb0ba8dcc", "a9ea8996-122f-4c74-9520-8edcd192826c"]);
+ let monitored_activities = dynamic(["Assign", "AssignGrantedRole", "AssignPermanentGrantedRole", "AssignPermanentEligibleRole", "RoleElevatedOutsidePimAlert"]);
+ AuditLogs
+ | where TimeGenerated >= ago(query_frequency)
+ | where Category == "RoleManagement"
+ and TargetResources has_any (role_template_ids)
+ and AADOperationType in (monitored_activities)
+ and Identity != "MS-PIM"
+ | extend
+ UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),
+ AadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id),
+ IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),
+ RoleName = tostring(TargetResources[0].displayName),
+ UserAdded = tostring(TargetResources[2].userPrincipalName)
+ | extend
+ RoleName = iif(isempty(RoleName), tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue), RoleName),
+ UserAdded = iif(isempty(UserAdded), tostring(parse_json(tostring(TargetResources[0].userPrincipalName))), UserAdded),
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserPrincipalName, '@')[0]),
+ UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
+ | project
+ TimeGenerated,
+ Identity,
+ UserPrincipalName,
+ AadUserId,
+ RoleName,
+ OperationName,
+ UserAdded,
+ TargetResources,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: CloudAppId
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+alertDetailsOverride:
+ alertDisplayNameFormat: Power Platform - Account added to privileged role {{RoleName}}
+ alertDescriptionFormat: 'A user {{UserAdded}} was added to one of the Power Platform
+ administrative roles: {{{RoleName}}'
+version: 3.2.0
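Review bot: `administrative roles: {{{RoleName}}'` has three opening braces, so the placeholder is not `{{RoleName}}` and the description will render literal text instead of the role name; change it to `administrative roles: {{RoleName}}'`. The filter `Identity != "MS-PIM"` also drops every role change initiated through PIM, which likely includes the `AssignPermanentGrantedRole` and `AssignPermanentEligibleRole` operation types the query lists in `monitored_activities`; if permanent PIM assignments should still alert, that exclusion needs narrowing, and either way a comment stating why PIM-initiated events are excluded would help.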
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
new file mode 100644
index 00000000000..0517fadda95
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
@@ -0,0 +1,71 @@
+id: 886a5655-3d12-42f1-8927-4095789c575e
+kind: Scheduled
+name: Power Platform - Connector added to a sensitive environment
+description: Identifies occurrences of new API connector creations within Power Platform,
+ specifically targeting a predefined list of sensitive environments.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Execution
+ - Exfiltration
+relevantTechniques:
+ - T0871
+ - T1567
+ - T1537
+query: |
+ let sensitive_environment_id = dynamic([
+ // Specify the list of sensitive power platform environment ID's to monitor here.
+ // Example: "10e72012-8886-41ec-b973-250286419b38", "183c7056-7ed0-426f-8ae6-69819cf72259"
+ ]);
+ let query_frequency = 11h;
+ PowerPlatformAdminActivity
+ | where TimeGenerated >= ago (query_frequency)
+ | where EventOriginalType == "PutConnection"
+ | extend Properties = tostring(PropertyCollection)
+ | extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
+ | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)
+ | extend
+ EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties),
+ ConnectionId = extract(@'"powerplatform.analytics.resource.connection.id","Value":"([^"]+)"', 1, Properties)
+ | where EnvironmentId in~ (sensitive_environment_id)
+ | extend
+ AccountName = tostring(split(ActorName, "@")[0]),
+ UPNSuffix = tostring(split(ActorName, "@")[1])
+ | project
+ TimeGenerated,
+ EventOriginalType,
+ ActorName,
+ SrcIpAddr,
+ ConnectionId,
+ EnvironmentId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SrcIpAddr
+alertDetailsOverride:
+ alertDisplayNameFormat: New Power Platform connector added in a sensitive environment
+ alertDescriptionFormat: '{{ActorName}} added a new API connector in environment
+ id {{EnvironmentId}}. This environment has been listed as sensitive.'
+customDetails:
+ Environment: EnvironmentId
+ Connection: ConnectionId
+version: 3.2.0
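Review bot: `let query_frequency = 11h;` does not match `queryFrequency: 1h`, so each hourly run re-examines eleven hours of PutConnection events and the same connector creation can alert up to eleven times; the sibling rules use `let query_frequency = 1h;`. `replace_string('::ffff:', '', SrcIpAddr)` has its arguments in the wrong order — the other rules in this change call `replace_string(SrcIpAddr, '::ffff:', '')` — so IPv4-mapped addresses are not stripped and the IP entity receives a wrong value. The default `sensitive_environment_id` list is empty, which makes the `in~` filter match nothing until it is populated; the description should say the rule needs customisation before it produces results.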
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
new file mode 100644
index 00000000000..3428a45258e
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
@@ -0,0 +1,87 @@
+id: 1b2e6172-85c5-417a-90c3-7cc80cb787f5
+kind: Scheduled
+name: Power Platform - DLP policy updated or removed
+description: Identifies changes to DLP policy, specifically policies which are updated
+ or removed.
+severity: Low
+status: Available
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+relevantTechniques:
+ - T1480
+query: |
+ let create_policy_ignore_time_window = 10m;
+ let query_frequency = 1h;
+ let dlp_policy_events = PowerPlatformAdminActivity
+ | where TimeGenerated >= ago(query_frequency)
+ | where EventOriginalType == "GovernanceApiPolicyOperation"
+ | where PropertyCollection has_any ("DeleteDlpPolicy", "UpdateDlpPolicy", "CreateDlpPolicy")
+ | mv-expand PropertyCollection
+ | extend
+ Name = tostring(PropertyCollection.Name),
+ Value = tostring(PropertyCollection.Value)
+ | summarize Properties = make_bag(bag_pack(Name, Value))
+ by
+ TimeGenerated,
+ EventOriginalUid
+ | extend
+ PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),
+ EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),
+ ActorName = tostring(Properties['enduser.principal_name']),
+ PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),
+ AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];
+ let delete_events = dlp_policy_events
+ | where EventType == "DeleteDlpPolicy";
+ let update_events = dlp_policy_events
+ | where EventType == "UpdateDlpPolicy";
+ let create_events = dlp_policy_events
+ | where EventType == "CreateDlpPolicy"
+ | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;
+ union
+ delete_events,
+ (update_events
+ | join kind=leftouter (
+ create_events
+ | project-away TimeGenerated
+ )
+ on PolicyId
+ | where isempty(ignore_time) or TimeGenerated > ignore_time
+ | project-away ignore_time)
+ | where TimeGenerated >= ago(query_frequency)
+ | extend
+ AccountName = tostring(split(ActorName, "@")[0]),
+ UPNSuffix = tostring(split(ActorName, "@")[1])
+ | project
+ TimeGenerated,
+ ActorName,
+ EventType,
+ PolicyName,
+ PolicyId,
+ AccountName,
+ UPNSuffix,
+ AdditionalInfo
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+alertDetailsOverride:
+ alertDisplayNameFormat: PowerPlatform - DLP policy {{EventType}} event detected.
+ alertDescriptionFormat: A DLP policy {{PolicyName}} was as modfiied or deleted.
+ Event type {{EventType}}
+customDetails:
+ Policy: PolicyId
+ PolicyName: PolicyName
+version: 3.2.0
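Review bot: The alertDescriptionFormat reads `A DLP policy {{PolicyName}} was as modfiied or deleted.`, which puts a doubled word and a typo into every alert; change it to `A DLP policy {{PolicyName}} was modified or deleted. Event type {{EventType}}`. The `join kind=leftouter` on PolicyId in the update branch produces one output row per matching create event, so an update that follows several creates of the same PolicyId within the window is emitted several times; a deduplication step before the final project (for example `| summarize arg_max(TimeGenerated, *) by EventOriginalUid`, if that column survives the join as expected) would keep one row per update. Both create_events and update_events are cut at `ago(query_frequency)`, so a create that happened up to ten minutes before the window start is not suppressed even though queryPeriod is 1d; if that is intended, a short comment in the query would save the next reader the question. relevantTechniques lists T1480 (Execution Guardrails); weakening or removing a DLP policy maps more naturally to T1562 (Impair Defenses), which also fits the DefenseEvasion tactic already listed.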
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
new file mode 100644
index 00000000000..0687ac55bb5
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
@@ -0,0 +1,89 @@
+id: 54d48840-1c64-4399-afee-ad39a069118d
+kind: Scheduled
+name: Power Platform - Possibly compromised user accesses Power Platform services
+description: Identifies user accounts flagged at risk in Microsoft Entra Identity
+ Protection and correlates these users with sign-in activity in Power Platform, including
+ Power Apps, Power Automate and Power Platform Admin Center.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+ - LateralMovement
+relevantTechniques:
+ - T1078
+ - T1210
+query: |
+ let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
+ let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
+ let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
+ let query_frequency = 1h;
+ SigninLogs
+ | where ingestion_time() >= ago(query_frequency)
+ | where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
+ | where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
+ | extend AffectedPlatform = case(
+ AppId == ppac_appid,
+ "Power Platform Admin Center",
+ AppId == power_apps_appid,
+ "Power Apps",
+ AppId == power_automate_appid,
+ "Power Automate",
+ "Unknown"
+ )
+ | extend
+ Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
+ CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
+ AccountName = tostring(split(UserPrincipalName, '@')[0]),
+ UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ UniqueTokenIdentifier,
+ Identity,
+ RiskEventTypes,
+ RiskEventTypes_V2,
+ UserPrincipalName,
+ AppId,
+ AppDisplayName,
+ AffectedPlatform,
+ IPAddress,
+ Severity,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IPAddress
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: AffectedPlatform
+ - identifier: AppId
+ columnName: AppId
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Risky user sign-in activity in {{{AffectedPlatform}} '
+ alertDescriptionFormat: The user {{UserPrincipalName}} has sign-in risk events associated
+ and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}
+ alertSeverityColumnName: Severity
+customDetails:
+ RiskEventTypes: RiskEventTypes
+ RiskEventTypes_V2: RiskEventTypes_V2
+version: 3.0.0
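Review bot: The query never filters on sign-in outcome, yet alertDescriptionFormat states the user "successfully signed in"; a risky sign-in that failed or was interrupted fires the same alert. Add `| where ResultType == 0` after the RiskEventTypes filter, or drop "successfully" from the description, so the alert text matches what the query asserts. Both alertDisplayNameFormat and alertDescriptionFormat use a triple brace `{{{AffectedPlatform}}`, which is most likely not recognised as a placeholder and will leave a literal `{` in the alert; it should be `{{AffectedPlatform}}`. The derived `Severity` column downgrades Power Apps and Power Automate sign-ins to Medium while the rule's top-level severity is High; that is deliberate via alertSeverityColumnName, but a one-line comment in the query explaining the rationale would help.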
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsFunctionApp/azuredeploy_FinanceOperations_API_FunctionApp.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsFunctionApp/azuredeploy_FinanceOperations_API_FunctionApp.json
new file mode 100644
index 00000000000..36dc850df9e
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsFunctionApp/azuredeploy_FinanceOperations_API_FunctionApp.json
@@ -0,0 +1,465 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "functionAppName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Function App"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location of Microsoft Sentinel workspace"
+ }
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of Microsoft Sentinel workspace"
+ }
+ },
+ "financeOperationsApiHost": {
+ "type": "string",
+ "metadata": {
+ "description": "Organization URL for Finance & Operations OData API endpoint. In the format https://yourdomain.dynamics.com (do not include trailing slash '/')"
+ }
+ },
+ "roleNameGuid": {
+ "defaultValue": "[newGuid()]",
+ "type": "string",
+ "metadata": {
+ "description": "A new GUID to identify the DCR role assignment to managed identity"
+ }
+ },
+ "logAnalyticWorkspaceResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'"
+ }
+ }
+ },
+ "variables": {
+ "storageAccountName": "[concat(replace(toLower(parameters('functionAppName')),'-',''),'sa')]",
+ "storageSuffix": "[environment().suffixes.storage]",
+ "serverFarmName": "[concat('serverfarm_', parameters('functionAppName'))]",
+ "appInsightsLogName": "[concat(parameters('functionAppName'),'Logs')]",
+ "clv2TableName": "FinanceOperationsActivity_CL",
+ "dataCollectionEndpointName": "Microsoft-Sentinel-FinanceOperations-DCE",
+ "dataCollectionRuleName": "Microsoft-Sentinel-FinanceOperations-DCR",
+ "dCRStreamName": "[concat('Custom-', variables('clv2TableName'))]",
+ "monitoringMetricsPublisherRoleId": "3913510d-42f4-4e42-8a64-420c390055eb"
+ },
+ "resources": [
+ {
+ "type": "microsoft.insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('appInsightsLogName')]",
+ "location": "[parameters('location')]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[parameters('functionAppName')]",
+ "WorkspaceResourceId": "[parameters('logAnalyticWorkspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2022-03-01",
+ "name": "[variables('serverFarmName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Y1",
+ "tier": "Dynamic",
+ "size": "Y1",
+ "family": "Y",
+ "capacity": 0
+ },
+ "kind": "functionapp",
+ "properties": {
+ "perSiteScaling": false,
+ "elasticScaleEnabled": false,
+ "maximumElasticWorkerCount": 1,
+ "isSpot": false,
+ "reserved": true,
+ "isXenon": false,
+ "hyperV": false,
+ "targetWorkerCount": 0,
+ "targetWorkerSizeId": 0,
+ "zoneRedundant": false
+ }
+ },
+ {
+ "name": "[variables('storageAccountName')]",
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "location": "[parameters('location')]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ }
+ },
+ {
+ "name": "[parameters('functionAppName')]",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2022-03-01",
+ "location": "[parameters('location')]",
+ "kind": "functionapp,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Insights/components', variables('appInsightsLogName'))]",
+ "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dataCollectionRuleName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "httpsOnly": true,
+ "publicNetworkAccess": "Disabled",
+ "keyVaultReferenceIdentity": "SystemAssigned",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]",
+ "siteProperties": {
+ "properties": [
+ {
+ "name": "LinuxFxVersion",
+ "value": "Python|3.10"
+ }
+ ]
+ },
+ "siteConfig": {
+ "linuxFxVersion": "Python|3.10",
+ "ftpsState": "Disabled",
+ "appSettings": [
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('storageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('storageAccountName'))), '2021-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('storageSuffix')))]"
+ },
+ {
+ "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('storageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('storageAccountName'))), '2021-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('storageSuffix')))]"
+ },
+ {
+ "name": "WEBSITE_CONTENTSHARE",
+ "value": "[toLower(parameters('functionAppName'))]"
+ },
+ {
+ "name": "FUNCTIONS_EXTENSION_VERSION",
+ "value": "~4"
+ },
+ {
+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
+ "value": "[reference(resourceId('Microsoft.insights/components', variables('appInsightsLogName'))).InstrumentationKey]"
+ },
+ {
+ "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
+ "value": "[reference(resourceId('microsoft.insights/components', variables('appInsightsLogName'))).ConnectionString]"
+ },
+ {
+ "name": "FUNCTIONS_WORKER_RUNTIME",
+ "value": "python"
+ },
+ {
+ "name": "AzureWebJobsFeatureFlags",
+ "value": "EnableWorkerIndexing",
+ "slotSetting": false
+ },
+ {
+ "name": "ODATA_API_HOST",
+ "value": "[parameters('financeOperationsApiHost')]",
+ "slotSetting": false
+ },
+ {
+ "name": "ODATA_API_TIMEOUT_SECONDS",
+ "value": "180",
+ "slotSetting": false
+ },
+ {
+ "name": "ODATA_API_MAX_PAGE_SIZE",
+ "value": "10000",
+ "slotSetting": false
+ },
+ {
+ "name": "ODATA_API_MAX_CONCURRENCY",
+ "value": "50",
+ "slotSetting": false
+ },
+ {
+ "name": "DCR_DCE_URL",
+ "value": "[reference(variables('dataCollectionEndpointName')).logsIngestion.endpoint]",
+ "slotSetting": false
+ },
+ {
+ "name": "DCR_IMMUTABLE_ID",
+ "value": "[reference(variables('dataCollectionRuleName')).immutableId]",
+ "slotSetting": false
+ },
+ {
+ "name": "DCR_STREAM_NAME",
+ "value": "[variables('dCRStreamName')]",
+ "slotSetting": false
+ },
+ {
+ "name": "FUNCTION_SHUTDOWN_TIMEOUT_MINS",
+ "value": "5",
+ "slotSetting": false
+ },
+ {
+ "name": "TIMER_SCHEDULE_MINS",
+ "value": "10",
+ "slotSetting": false
+ },
+ {
+ "name": "MAX_LOOKBACK_DURATION_HOURS",
+ "value": "8",
+ "slotSetting": false
+ },
+ {
+ "name": "QUERY_WINDOW_OFFSET_MINS",
+ "value": "1",
+ "slotSetting": false
+ },
+ {
+ "name": "QUERY_WINDOW_CHUNK_DURATION_SEC",
+ "value": "60",
+ "slotSetting": false
+ },
+ {
+ "name": "CROSS_COMPANY_QUERY",
+ "value": "true",
+ "slotSetting": false
+ },
+ {
+ "name": "WEBSITE_RUN_FROM_PACKAGE",
+ "value": "https://aka.ms/sentinel-financeoperations-functionapp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "[variables('dataCollectionRuleName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dataCollectionEndpointName'))]"
+ ],
+ "properties": {
+ "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints',variables('dataCollectionEndpointName'))]",
+ "streamDeclarations": {
+ "[variables('dCRStreamName')]": {
+ "columns": [
+ {
+ "name": "dataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "dynamic"
+ },
+ {
+ "name": "NewData",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+ }
+ },
+ "dataSources": {},
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "[variables('dCRStreamName')]"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = now()\n| project-away dataAreaId,NewData\n",
+ "outputStream": "[variables('dCRStreamName')]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "apiVersion": "2021-09-01-preview",
+ "name": "[variables('dataCollectionEndpointName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), variables('clv2TableName'))]"
+ ],
+ "properties": {
+ "networkAcls": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-12-01-preview",
+ "name": "[concat(parameters('workspaceName'), '/', variables('clv2TableName'))]",
+ "properties": {
+ "schema": {
+ "name": "[variables('clv2TableName')]",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "dynamic"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[parameters('roleNameGuid')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
+ "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dataCollectionRuleName'))]"
+ ],
+ "properties": {
+ "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', variables('monitoringMetricsPublisherRoleId') )]",
+ "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2022-03-01', 'full').identity.principalId]",
+ "principalType": "ServicePrincipal"
+ },
+ "scope": "[concat('Microsoft.Insights/dataCollectionRules', '/', variables('dataCollectionRuleName'))]"
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
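Review bot: The `Microsoft.Storage/storageAccounts` resource has no `properties` block, so `supportsHttpsTrafficOnly`, `minimumTlsVersion` and `allowBlobPublicAccess` are left at provider defaults even though this account holds the function's content share and job state and its key is materialised into the `AzureWebJobsStorage` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` app settings. Pin those three explicitly so the posture does not depend on the defaults of the 2021-04-01 API. Separately, `WEBSITE_RUN_FROM_PACKAGE` points at an `aka.ms` short link with no version or digest, so what gets deployed is whatever that link resolves to at deploy time; documenting the release it is expected to resolve to would make the deployment reproducible. `keyVaultReferenceIdentity` is set but no app setting uses a Key Vault reference, so it is currently a no-op.
```json
  "kind": "StorageV2",
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "properties": {
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": false
  }
```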
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsFunctionApp/finopsfunction.zip b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsFunctionApp/finopsfunction.zip
new file mode 100644
index 00000000000..d4c705d0043
Binary files /dev/null and b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsFunctionApp/finopsfunction.zip differ
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DCR.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DCR.json
new file mode 100644
index 00000000000..42868ce96ab
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DCR.json
@@ -0,0 +1,115 @@
+[
+ {
+ "name": "FinOps-DCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "kind": null,
+ "properties": {
+ "streamDeclarations": {
+ "Custom-FinanceOperationsActivity_CL": {
+ "columns": [
+ {
+ "name": "dataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "InstanceName",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "string"
+ },
+ {
+ "name": "NewData",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+ }
+ },
+ "dataSources": {},
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-FinanceOperationsActivity_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = now() | project-away dataAreaId, NewData",
+ "outputStream": "Custom-FinanceOperationsActivity_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+ }
+ }
+]
\ No newline at end of file
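Review bot: In the `Custom-FinanceOperationsActivity_CL` stream declaration `FormattedData` is typed `string`, but the destination table in DynamicsFinOps_Tables.json (and the DCR embedded in the FunctionApp ARM template) declares the same column as `dynamic`; a stream/table type mismatch may cause the column to be dropped or the ingestion to be rejected. Change it to `"type": "dynamic"` so all three definitions agree. `"kind": null` is also unusual for this resource; omitting the key is the conventional form and avoids a null reaching the resource provider.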
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DataConnectorDefinition.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DataConnectorDefinition.json
new file mode 100644
index 00000000000..73031b05ec5
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DataConnectorDefinition.json
@@ -0,0 +1,176 @@
+{
+ "name": "Dynamics365Finance",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "Dynamics365Finance",
+ "title": "Dynamics 365 Finance and Operations",
+ "publisher": "Microsoft",
+ "logo": "Dynamics365.svg",
+ "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.",
+ "graphQueriesTableName": "FinanceOperationsActivity_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "{{graphQueriesTableName}}",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Finance and Operations Audited Tables",
+ "query": "{{graphQueriesTableName}}\n | summarize by TableName"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft Entra app registration",
+ "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL."
+ },
+ {
+ "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:"
+ },
+ {
+ "title": "Step 1 - Microsoft Entra app registration",
+ "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use."
+ },
+ {
+ "title": "Step 2 - Create a role for data collection in Finance and Operations",
+ "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role."
+ },
+ {
+ "title": "Step 3 - Create a user for data collection in Finance and Operations",
+ "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user."
+ },
+ {
+ "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations",
+ "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step."
+ },
+ {
+ "description": "Connect using client credentials",
+ "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add environment",
+ "isPrimary": true,
+ "title": "Dynamics 365 Finance and Operations connection",
+ "instructionSteps": [
+ {
+ "title": "Environment details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Microsoft Entra tenant ID.",
+ "placeholder": "Tenant ID (GUID)",
+ "type": "text",
+ "name": "tenantId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "App registration client ID",
+ "placeholder": "Finance and Operations client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "App registration client secret",
+ "placeholder": "Finance and Operations client secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Finance and Operations organization URL",
+ "placeholder": "https://dynamics-dev.axcloud.dynamics.com",
+ "type": "text",
+ "name": "auditHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "Organizations",
+ "description": "Each row represents an Finance and Operations connection",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Environment URL",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
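Review bot: The `auditHost` textbox gives no guidance on form, yet DynamicsFinOps_PollingConfig.json concatenates it straight into the OAuth `Scope` (`auditHost` + `/.default`) and the `apiEndpoint` (`auditHost` + `/data/DatabaseLogs`), so a value entered with a trailing slash yields `//.default` and a malformed request URL. Change the label to `Finance and Operations organization URL (https://..., no trailing slash)` to match the wording already used for `financeOperationsApiHost` in the FunctionApp template. There are also user-visible typos: `Dyanmics` in the connect step title, `and than **Add references**` (then) in step 2, and `an Finance and Operations connection` in the Organizations description. The `Microsoft.OperationalInsights/workspaces/sharedKeys` permission entry reads as carried over from an agent-based connector; a RestApiPoller connector writing through a DCR does not obviously need workspace shared keys, so confirm it before shipping it as a required permission.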
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json
new file mode 100644
index 00000000000..7a83e5c9010
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json
@@ -0,0 +1,58 @@
+[
+ {
+ "name": "{{innerWorkspace}}/Microsoft.SecurityInsights/D365_{{instanceName}}",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "Dynamics365Finance",
+ "dcrConfig": {
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+ "streamName": "Custom-FinanceOperationsActivity_CL"
+ },
+ "dataType": "FinanceOperationsActivity_CL",
+ "addOnAttributes": {
+ "InstanceName": "[[parameters('auditHost')]"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "ClientSecret": "[[parameters('clientSecret')]",
+ "ClientId": "[[parameters('clientId')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "TokenEndpointQueryParameters": {},
+ "Scope": "[[concat(parameters('auditHost'), '/.default')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('auditHost'), '/data/DatabaseLogs')]",
+ "queryWindowInMin": 10,
+ "httpMethod": "Get",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "$filter": "LogCreatedDateTime gt {_QueryWindowStartTime} and LogCreatedDateTime le {_QueryWindowEndTime}",
+ "cross-company": "true"
+ },
+ "headers": {
+ "Accept": "application/json;odata.metadata=none",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.value"
+ ]
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+ }
+ }
+ }
+]
\ No newline at end of file
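Review bot: `linkHeaderTokenJsonPath` is `$.['@odata.nextLink']`; the dot before the bracket is non-standard JSONPath that some evaluators reject, and the conventional form is `$['@odata.nextLink']`, so verify this against the poller's JSONPath engine before merging. `pagingType` is `LinkHeader` while the path clearly addresses the response body, where OData returns `@odata.nextLink`; confirm this pairing is the documented way to express body-based next-link paging for RestApiPoller rather than a header-based one. The `TokenEndpoint` expression splits the authority into `'https://login.'` and `'microsoftonline.com/'` for no visible reason; a single literal reads more clearly, and if the split works around a validator, a note in the PR description would help the next reader.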
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_Tables.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_Tables.json
new file mode 100644
index 00000000000..1f7c0bcfc97
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_Tables.json
@@ -0,0 +1,87 @@
+[
+ {
+ "name": "FinanceOperationsActivity_CL",
+ "apiVersion": "2021-03-01-privatepreview",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "FinanceOperationsActivity_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "InstanceName",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "dynamic"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+ }
+ }
+ }
+]
\ No newline at end of file
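Review bot: `apiVersion` is `2021-03-01-privatepreview` while the same `FinanceOperationsActivity_CL` table in the FunctionApp ARM template is created with `2021-12-01-preview`; a private-preview API version in shipped solution content may be unavailable in some clouds or withdrawn later, so align on `"apiVersion": "2021-12-01-preview"`. The column set otherwise matches the template's table schema plus `InstanceName`, which keeps the two ingestion paths compatible.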
diff --git a/Solutions/Microsoft Business Applications/Data/Solution_PowerPlatform.json b/Solutions/Microsoft Business Applications/Data/Solution_PowerPlatform.json
new file mode 100644
index 00000000000..c177b74f1f7
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Data/Solution_PowerPlatform.json
@@ -0,0 +1,98 @@
+{
+ "Name": "Microsoft Business Applications",
+ "Author": "Microsoft",
+ "Logo": " ",
+ "Description": "Microsoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.\n\nThe Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.\n\nIt collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.\n\nDue to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.\n\n**Important**\n\n- The Microsoft Sentinel Solution for Power Platform is currently in PREVIEW. 
The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.\n\n- This solution is a premium offering. Pricing information will be available before the solution becomes generally available.\n\nPlease review the solution [documentation](https://learn.microsoft.com/azure/sentinel/business-applications/power-platform-solution-overview) to learn more about deploying, configuring and using this solution.",
+ "Data Connectors": [
+ "/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_DataConnectorDefinition.json"
+ ],
+ "Workbooks": [
+ "/Workbooks/Dynamics365Activity.json"
+ ],
+ "Analytic Rules": [
+ "/Analytic Rules/Dataverse - Anomalous application user activity.yaml",
+ "/Analytic Rules/Dataverse - Audit log data deletion.yaml",
+ "/Analytic Rules/Dataverse - Audit logging disabled.yaml",
+ "/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml",
+ "/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml",
+ "/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml",
+ "/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml",
+ "/Analytic Rules/Dataverse - Hierarchy security manipulation.yaml",
+ "/Analytic Rules/Dataverse - Honeypot instance activity.yaml",
+ "/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml",
+ "/Analytic Rules/Dataverse - Login from IP in the block list.yaml",
+ "/Analytic Rules/Dataverse - Login from IP not in the allow list.yaml",
+ "/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml",
+ "/Analytic Rules/Dataverse - Mass deletion of records.yaml",
+ "/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml",
+ "/Analytic Rules/Dataverse - Mass export of records to Excel.yaml",
+ "/Analytic Rules/Dataverse - Mass record updates.yaml",
+ "/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml",
+ "/Analytic Rules/Dataverse - New non-interactive identity granted access.yaml",
+ "/Analytic Rules/Dataverse - New sign-in from an unauthorized domain.yaml",
+ "/Analytic Rules/Dataverse - New user agent type that was not used before.yaml",
+ "/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml",
+ "/Analytic Rules/Dataverse - Organization settings modified.yaml",
+ "/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml",
+ "/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml",
+ "/Analytic Rules/Dataverse - Suspicious security role modifications.yaml",
+ "/Analytic Rules/Dataverse - Suspicious use of TDS endpoint.yaml",
+ "/Analytic Rules/Dataverse - Suspicious use of Web API.yaml",
+ "/Analytic Rules/Dataverse - TI map IP to DataverseActivity.yaml",
+ "/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml",
+ "/Analytic Rules/Dataverse - Terminated employee exfiltration over email.yaml",
+ "/Analytic Rules/Dataverse - Terminated employee exfiltration to USB drive.yaml",
+ "/Analytic Rules/Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection.yaml",
+ "/Analytic Rules/Dataverse - User bulk retrieval outside normal activity.yaml",
+ "/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml",
+ "/Analytic Rules/F&O - Mass update or deletion of user records.yaml",
+ "/Analytic Rules/F&O - Non-interactive account mapped to self or sensitive privileged user.yaml",
+ "/Analytic Rules/F&O - Reverted bank account number modifications.yaml",
+ "/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml",
+ "/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml",
+ "/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml",
+ "/Analytic Rules/Power Apps - Multiple apps deleted.yaml",
+ "/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml",
+ "/Analytic Rules/Power Automate - Departing employee flow activity.yaml",
+ "/Analytic Rules/Power Automate - Unusual bulk deletion of flow resources.yaml",
+ "/Analytic Rules/Power Platform - Account added to privileged Microsoft Entra roles.yaml",
+ "/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml",
+ "/Analytic Rules/Power Platform - DLP policy updated or removed.yaml",
+ "/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml"
+ ],
+ "Hunting Queries": [
+ "/Hunting Queries/Dataverse - Activity after Microsoft Entra alerts.yaml",
+ "/Hunting Queries/Dataverse - Activity after failed logons.yaml",
+ "/Hunting Queries/Dataverse - Cross-environment data export activity.yaml",
+ "/Hunting Queries/Dataverse - Dataverse export copied to USB devices.yaml",
+ "/Hunting Queries/Dataverse - Generic client app used to access production environments.yaml",
+ "/Hunting Queries/Dataverse - Identity management activity outside of privileged directory role membership.yaml",
+ "/Hunting Queries/Dataverse - Identity management changes without MFA.yaml",
+ "/Hunting Queries/Power Apps - Anomalous bulk sharing of Power App to newly created guest users.yaml"
+ ],
+ "Playbooks": [
+ "/Playbooks/Dataverse-Add-SharePoint-Site/azuredeploy.json",
+ "/Playbooks/Dataverse-Blocklist-Add-User-AlertTrigger/azuredeploy.json",
+ "/Playbooks/Dataverse-Blocklist-Add-User-Via-Outlook/azuredeploy.json",
+ "/Playbooks/Dataverse-Blocklist-Add-User-Via-Teams/azuredeploy.json",
+ "/Playbooks/Dataverse-Blocklist-Add-User/azuredeploy.json",
+ "/Playbooks/Dataverse-Blocklist-Remove-User-AlertTrigger/azuredeploy.json",
+ "/Playbooks/Dataverse-Send-Manager-Notification/azuredeploy.json",
+ "/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json"
+ ],
+ "Parsers": [
+ "/Parsers/DataverseSharePointSites.yaml",
+ "/Parsers/MSBizAppsNetworkAddresses.yaml",
+ "/Parsers/MSBizAppsOrgSettings.yaml",
+ "/Parsers/MSBizAppsTerminatedEmployees.yaml",
+ "/Parsers/MSBizAppsVIPUsers.yaml"
+ ],
+ "Watchlists": [
+ "/Watchlists/MSBizApps-Configuration.json"
+ ],
+ "BasePath": "/__w/1/s/Artifacts/Power Platform",
+ "Version": "3.2.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
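Review bot: `"BasePath": "/__w/1/s/Artifacts/Power Platform"` near the end of the hunk is an absolute path on a hosted build agent, so this data file only packages on that specific pipeline layout, and the directory name ("Power Platform") does not match this solution's folder ("Microsoft Business Applications"); if the packaging tool requires a BasePath, a repo-relative value or a documented placeholder is easier to reproduce. Separately, the Description text contains the typo "connectors added to the an environment", and the same sentence is duplicated into createUiDefinition.json later in the diff, so both copies need the fix. `"Logo": " "` is a single space rather than an image reference, which presumably renders as no logo — confirm that is intended.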
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after Microsoft Entra alerts.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after Microsoft Entra alerts.yaml
new file mode 100644
index 00000000000..414f1c36434
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after Microsoft Entra alerts.yaml
@@ -0,0 +1,46 @@
+id: 428c3d41-e441-4244-994e-b059d6316bc4
+name: Dataverse - Activity after Microsoft Entra alerts
+description: This hunting query looks for users conducting Dataverse/Dynamics 365
+ activity shortly after a Microsoft Entra Identity Protection alert for that user.
+ The query only looks for users not seen before or conducting Dynamics activity not
+ previously seen.
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectoryIdentityProtection
+ dataTypes:
+ - SecurityAlert
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1078
+query: |
+ let match_window = 1h;
+ let analysis_window = 1d;
+ let lookback_window = 7d;
+ SecurityAlert
+ | where TimeGenerated > ago(analysis_window)
+ | where ProviderName == 'IPC'
+ | extend UserName = tostring(parse_json(ExtendedProperties).["User Account"])
+ | extend UserName = tolower(UserName)
+ | extend TimeKey = bin(TimeGenerated, match_window)
+ | join kind=inner(DataverseActivity
+ | where TimeGenerated > ago(analysis_window)
+ | extend UserName = tolower(UserId)
+ | extend TimeKey = bin(TimeGenerated, match_window))
+ on UserName, TimeKey
+ | join kind=leftanti(DataverseActivity
+ | where TimeGenerated between(ago(lookback_window) .. ago(analysis_window))
+ | extend UserName = tolower(UserId))
+ on UserName, OriginalObjectId
+ | summarize
+ Actions = make_set(OriginalObjectId),
+ MostRecentAction = max(TimeGenerated1),
+ IPs = make_set(split(tostring(ClientIp), ':')[0]),
+ AADAlerts=make_set(Description),
+ MostRecentAlert = max(TimeGenerated)
+ by UserName
+ | extend timestamp = MostRecentAction, AccountCustomEntity = UserName
+entityMappings: []
+version: 3.2.0
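Review bot: `entityMappings: []` at the bottom of the hunk leaves the query with no entity mapping even though it emits `AccountCustomEntity`, a legacy custom-entity column that none of the other hunting queries in this diff use; the siblings derive `AccountName`/`UPNSuffix` and map them to an `Account` entity, and this query should follow the same pattern for consistency. The IP extraction `make_set(split(tostring(ClientIp), ':')[0])` also truncates IPv6 client addresses to their first hextet, because the split character is the same one that separates hextets; the same pattern appears in `Dataverse - Activity after failed logons`, where it is used as the join key against `SigninLogs.IPAddress`, so IPv6 sign-ins can never match there. The exact ClientIp format (address with trailing port, bracketed IPv6, or both) is not visible in the diff, so confirm against sample rows and strip only a trailing port rather than splitting on every colon.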
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after failed logons.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after failed logons.yaml
new file mode 100644
index 00000000000..997b818736c
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Activity after failed logons.yaml
@@ -0,0 +1,48 @@
+id: dafcc598-2987-4aa0-947e-7d0449677689
+name: Dataverse - Activity after failed logons
+description: This hunting query looks for users conducting Dataverse/Dynamics 365
+ activity shortly after a number of failed logons. Use this to look for potential
+ post brute force activity. Adjust the threshold figure based on false positive rate.
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1078
+ - T0819
+ - T1078.004
+query: |
+ let threshold = 10;
+ SigninLogs
+ | where ResultType in ("50125", "50140", "70043", "70044")
+ | summarize FailedSignInCount = count() by IPAddress
+ | where FailedSignInCount >= threshold
+ | join kind=inner (
+ DataverseActivity
+ | extend IPAddress = tostring(split(ClientIp, ":")[0]))
+ on IPAddress
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - columnName: IPAddress
+ identifier: Address
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: CloudAppId
+ identifier: AppId
+version: 3.2.0
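Review bot: The description promises activity "shortly after" failed logons, but the query joins `SigninLogs` and `DataverseActivity` on `IPAddress` alone with no time window on either side, so any Dataverse event from an IP that accumulated ten failures anywhere in the query range is returned regardless of order. Binning both sides (as `Dataverse - Activity after Microsoft Entra alerts` does with `TimeKey = bin(TimeGenerated, match_window)`) or keeping the failure timestamps and filtering `TimeGenerated > LastFailure` would make the result match the description; `Dataverse - Identity management changes without MFA` has the same unbounded correlation between its sign-in set and the change events. `relevantTechniques` also lists `T0819`, which is an ATT&CK for ICS identifier, next to enterprise `T1078`; for a brute-force follow-on query `T1110` is presumably what was meant — confirm, and the same entry appears in the MFA query.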
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Cross-environment data export activity.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Cross-environment data export activity.yaml
new file mode 100644
index 00000000000..cbd8d5b8be6
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Cross-environment data export activity.yaml
@@ -0,0 +1,54 @@
+id: 74a48db8-dc1d-414e-9709-39fa3f8a2246
+name: Dataverse - Cross-environment data export activity
+description: This query searches for data export activity across a predetermined number
+ of Dataverse instances. Data export activity across multiple environments could
+ indicate suspicious activity as users typically work on a small number of environments.
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+tactics:
+ - Exfiltration
+ - Collection
+relevantTechniques:
+ - T1567
+ - T1409
+query: |
+ //Modify environment_count_threshold to scale number of Dataverse instances to omit before including in results
+ let environment_count_threshold = 2;
+ let export_events = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);
+ DataverseActivity
+ | where Message in (export_events)
+ | summarize InstanceCount = dcount(InstanceUrl) by UserId
+ | where InstanceCount > environment_count_threshold
+ | join kind=inner (DataverseActivity
+ | where Message in (export_events))
+ on UserId
+ | summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, InstanceCount, InstanceUrl, Message, ClientIp
+ | extend CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ FirstEvent,
+ LastEvent,
+ UserId,
+ Message,
+ ClientIp,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: InstanceUrl
+ identifier: InstanceName
+ - columnName: CloudAppId
+ identifier: AppId
+version: 3.2.0
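Review bot: The leading comment `//Modify environment_count_threshold to scale number of Dataverse instances to omit before including in results` does not describe the filter below it, which is `InstanceCount > environment_count_threshold`, i.e. a user is reported once they export from more than the threshold number of distinct instances (three or more with the default of 2). Suggested wording: `// Users exporting from more than environment_count_threshold distinct Dataverse instances are reported; raise it to reduce noise`. The second `DataverseActivity` scan re-applies the same `Message in (export_events)` filter; materializing the filtered set once with a `let` would avoid the double scan, though that is a readability preference rather than a defect.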
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Dataverse export copied to USB devices.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Dataverse export copied to USB devices.yaml
new file mode 100644
index 00000000000..dff82c1198c
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Dataverse export copied to USB devices.yaml
@@ -0,0 +1,61 @@
+id: f9658e11-e277-4a65-8f91-2cb94cf7497c
+name: Dataverse - Dataverse export copied to USB devices
+description: This query uses XDR data from M365 Defender to detect files downloaded
+ from a Dataverse instance and copied to USB drive.
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceInfo
+ - DeviceEvents
+ - DeviceFileEvents
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1052
+ - T1052.001
+query: |
+ DataverseActivity
+ | distinct InstanceUrl
+ | join kind=inner (DeviceFileEvents)
+ on $left.InstanceUrl == $right.FileOriginUrl
+ | join kind=inner (DeviceEvents
+ | where ActionType == "UsbDriveMounted"
+ | extend DriveLetter = tostring(AdditionalFields.DriveLetter)
+ | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)
+ on DeviceId
+ | extend TargetDriveLetter = tostring(split(FolderPath, "\\")[0])
+ | where set_has_element(MountedDriveLetters, TargetDriveLetter)
+ | join kind=inner (DeviceInfo
+ | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)
+ on DeviceId
+ | summarize LatestEvent = arg_max(TimeGenerated, *) by FileName, UserId = InitiatingProcessAccountUpn, InstanceUrl
+ | extend
+ CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ LatestEvent,
+ UserId,
+ PublicIP,
+ FolderPath,
+ InstanceUrl,
+ AccountName,
+ UPNSuffix,
+ CloudAppId
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: InstanceUrl
+ identifier: InstanceName
+ - columnName: CloudAppId
+ identifier: AppId
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+version: 3.2.0
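Review bot: The first join `on $left.InstanceUrl == $right.FileOriginUrl` requires the Dataverse instance URL to equal the file's origin URL exactly, but `FileOriginUrl` in DeviceFileEvents presumably carries the full download URL (path and query included) rather than only the instance origin, in which case the equality never matches and the query returns nothing; confirm against real rows and, if so, compare with a prefix or `has` condition instead. The drive-letter comparison also depends on `tostring(split(FolderPath, "\\")[0])` producing the same string form as `AdditionalFields.DriveLetter` from `UsbDriveMounted` (for example both `E:`), which the diff does not show — worth an inline comment once verified. Mapping `PublicIP` to an `IP` entity would also align this query with `Dataverse - Activity after failed logons`, which maps its `IPAddress` column.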
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Generic client app used to access production environments.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Generic client app used to access production environments.yaml
new file mode 100644
index 00000000000..eafc9ddcd3d
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Generic client app used to access production environments.yaml
@@ -0,0 +1,56 @@
+id: 90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a
+name: Dataverse - Generic client app used to access production environments
+description: This query detects the use of the built-in "Dynamics 365 Example Application"
+ to access production environments. This generic app can not be restricted by Azure
+ AD authorization controls and could be abused to gain unauthorized access via Web
+ API.
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+tactics:
+ - Execution
+relevantTechniques:
+ - T1106
+ - T0834
+query: |
+ SigninLogs
+ | where AppId == "51f81489-12ee-4a9e-aaae-a2591f45987d"
+ | where ResourceIdentity == "00000007-0000-0000-c000-000000000000"
+ | project-rename SigninTime = TimeGenerated
+ | where ResultType == 0
+ | join kind=inner(DataverseActivity
+ | where Message == "UserSignIn")
+ on $left.UserPrincipalName == $right.UserId
+ | where TimeGenerated between (SigninTime .. (SigninTime + 1h))
+ | summarize D365SigninTime = arg_min(TimeGenerated, *) by SigninTime, UserPrincipalName, IPAddress, UserAgent
+ | extend CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ SigninTime,
+ D365SigninTime,
+ UserPrincipalName,
+ IPAddress,
+ UserAgent,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: InstanceUrl
+ identifier: InstanceName
+ - columnName: CloudAppId
+ identifier: AppId
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+version: 3.2.0
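Review bot: The two GUID literals in the `where` clauses (`AppId == "51f81489-12ee-4a9e-aaae-a2591f45987d"` and `ResourceIdentity == "00000007-0000-0000-c000-000000000000"`) are undocumented in the query body; a reader has to cross-reference the description to learn that the first is the built-in "Dynamics 365 Example Application", and nothing on the page says what the second identifies. Suggested inline comments: `// 51f81489-...: built-in "Dynamics 365 Example Application" client` and `// 00000007-...: Dataverse resource - confirm`. The description also still says "Azure AD authorization controls" while the rest of this diff uses the Microsoft Entra naming.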
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management activity outside of privileged directory role membership.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management activity outside of privileged directory role membership.yaml
new file mode 100644
index 00000000000..89f878c6bba
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management activity outside of privileged directory role membership.yaml
@@ -0,0 +1,59 @@
+id: c7e6e48a-0514-4989-bc90-4a3c9207ede1
+name: Dataverse - Identity management activity outside of privileged directory role
+ membership
+description: This query detects identity administration events in Dataverse/Dynamics
+ 365 made by accounts which are not members of privileged directory roles 'Dynamics
+ 365 Admins', 'Power Platform Admins' or 'Global Admins
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: IdentityInfo
+ dataTypes:
+ - IdentityInfo
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1078
+ - T1078.004
+query: |
+ let admin_role_names = dynamic(['Dynamics 365 Administrator', 'Power Platform Administrator', 'Global Administrator']);
+ let event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);
+ let excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);
+ IdentityInfo
+ | where TimeGenerated > ago(14d)
+ | where array_length(AssignedRoles) > 0
+ | mv-expand AssignedRoles
+ | where AssignedRoles in (admin_role_names)
+ | summarize by UserId = tolower(AccountUPN)
+ | join kind=rightanti (DataverseActivity
+ | where EntityName =~ 'systemuser' and Message in (event_types)
+ | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId
+ | where UserId !in (excluded_accounts))
+ on UserId
+ | extend CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ OriginalObjectId,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: InstanceUrl
+ identifier: InstanceName
+ - columnName: CloudAppId
+ identifier: AppId
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+version: 3.2.0
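Review bot: The description's role list (`'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins`) does not match the names the query actually checks in `admin_role_names` (`'Dynamics 365 Administrator'`, `'Power Platform Administrator'`, `'Global Administrator'`), and the closing quote on the last role is missing. Suggested text: `... made by accounts which are not members of the privileged directory roles 'Dynamics 365 Administrator', 'Power Platform Administrator' or 'Global Administrator'.` The `IdentityInfo | where TimeGenerated > ago(14d)` window also has to be at least as long as the IdentityInfo refresh interval, otherwise admins whose record was not re-emitted inside the window drop out of the exclusion set and are reported as unprivileged; that interval is not visible here, so a comment stating the assumption would help.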
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management changes without MFA.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management changes without MFA.yaml
new file mode 100644
index 00000000000..f8b3bc11bba
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Dataverse - Identity management changes without MFA.yaml
@@ -0,0 +1,54 @@
+id: 385234b7-d96c-4dc3-9c0e-ceb46048d487
+name: Dataverse - Identity management changes without MFA
+description: This query is used to show privileged identity administration operations
+ in Dataverse made by accounts that signed in without using MFA
+requiredDataConnectors:
+ - connectorId: Dataverse
+ dataTypes:
+ - DataverseActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - SigninLogs
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1078
+ - T0819
+ - T1078.004
+query: |
+ let event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);
+ let excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);
+ SigninLogs
+ | where AuthenticationRequirement == "singleFactorAuthentication"
+ | where ResourceIdentity == "00000007-0000-0000-c000-000000000000" or AppId == "00000007-0000-0000-c000-000000000000"
+ | where ResultType == 0
+ | summarize by UserId = tolower(UserPrincipalName)
+ | join kind=inner (DataverseActivity
+ | where EntityName =~ 'systemuser' and Message in (event_types)
+ | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId
+ | where UserId !in (excluded_accounts))
+ on UserId
+ | extend CloudAppId = int(32780),
+ AccountName = tostring(split(UserId, '@')[0]),
+ UPNSuffix = tostring(split(UserId, '@')[1])
+ | project
+ TimeGenerated,
+ UserId,
+ ClientIp,
+ OriginalObjectId,
+ InstanceUrl,
+ CloudAppId,
+ AccountName,
+ UPNSuffix
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: CloudAppId
+ identifier: AppId
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+version: 3.2.0
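Review bot: `entityMappings` omits `InstanceUrl` even though the query projects it and the sibling queries in this diff (`Dataverse - Identity management activity outside of privileged directory role membership`, `Dataverse - Cross-environment data export activity`) map it to `CloudApplication`/`InstanceName`; adding `- columnName: InstanceUrl` / `identifier: InstanceName` under the `CloudApplication` entity keeps the entity surface consistent. The sign-in filter `ResourceIdentity == "00000007-0000-0000-c000-000000000000" or AppId == "00000007-0000-0000-c000-000000000000"` uses the same GUID for both sides without saying which application it identifies; a comment such as `// 00000007-...: Dataverse resource/app id - confirm` would help the next reader.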
diff --git a/Solutions/Microsoft Business Applications/Hunting Queries/Power Apps - Anomalous bulk sharing of Power App to newly created guest users.yaml b/Solutions/Microsoft Business Applications/Hunting Queries/Power Apps - Anomalous bulk sharing of Power App to newly created guest users.yaml
new file mode 100644
index 00000000000..431e79b2ea2
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Hunting Queries/Power Apps - Anomalous bulk sharing of Power App to newly created guest users.yaml
@@ -0,0 +1,89 @@
+id: 169428be-5ed0-4230-9103-c83df89c789a
+name: Power Apps - Anomalous bulk sharing of Power App to newly created guest users
+description: The query detects anomalous attempts to perform bulk sharing of Power
+ App to newly created guest users.
+requiredDataConnectors:
+ - connectorId: PowerPlatformAdmin
+ dataTypes:
+ - PowerPlatformAdminActivity
+ - connectorId: AzureActiveDirectory
+ dataTypes:
+ - AuditLogs
+tactics:
+ - InitialAccess
+ - LateralMovement
+ - ResourceDevelopment
+relevantTechniques:
+ - T1566
+ - T1534
+ - T1587
+query: |
+ ////////////
+ // Please replace the allowed_domains with a list of domains of your partners/sibling orgs
+ // with whom you generally share power apps with. This will allow us to filter
+ // legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.
+ ///////////
+ let allowed_domains = pack_array("contoso.com");
+ let start = ago(14d);
+ let end = now();
+ let interval = 1h;
+ PowerPlatformAdminActivity
+ | where EventOriginalType == "PowerAppPermissionEdited"
+ | extend Properties = tostring(PropertyCollection)
+ | extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
+ | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
+ | extend TargetPrincipalId = extract(@'"targetuser.id","Value":"([^"]+)"', 1, Properties)
+ | extend
+ PowerAppsAppId = AppId
+ | join kind=leftouter (AuditLogs
+ | where ActivityDateTime >= ago(14d)
+ | where SourceSystem =~ "Azure AD" and OperationName == "Invite external user"
+ | where Result =~ "success"
+ | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])
+ | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, "@")[1])
+ | where not(InvitedOrgDomain has_any(allowed_domains))
+ | extend
+ InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),
+ InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),
+ InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),
+ InvitedId = tostring(parse_json(TargetResources[0])['id'])
+ | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)
+ on $left.TargetPrincipalId == $right.InvitedId
+ | where isnotempty(InvitedId)
+ | make-series counter=dcount(TargetPrincipalId) default=0 on TimeGenerated in range(start, end, interval) by PowerAppsAppId, InvitedById, InvitedByUPN
+ | extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(counter)
+ | mv-expand
+ counter to typeof(double),
+ TimeGenerated to typeof(datetime),
+ Anomalies to typeof(double),
+ AnomalyScore to typeof(double),
+ ExpectedUsage to typeof(long)
+ | where Anomalies != 0
+ | extend
+ PowerAppsEntityId = 27593,
+ AccountName = tostring(split(InvitedByUPN, '@')[0]),
+ UPNSuffix = tostring(split(InvitedByUPN, '@')[1])
+ | project
+ TimeGenerated,
+ ActualUsage=counter,
+ ExpectedUsage,
+ AnomalyScore,
+ Anomalies,
+ PowerAppsAppId,
+ InvitedById,
+ InvitedByUPN,
+ PowerAppsEntityId,
+ AccountName,
+ UPNSuffix
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - columnName: PowerAppsEntityId
+ identifier: AppId
+ - entityType: Account
+ fieldMappings:
+ - columnName: UPNSuffix
+ identifier: UPNSuffix
+ - columnName: AccountName
+ identifier: Name
+version: 3.2.0
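Review bot: `InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])` selects the invited address by array position in `AuditLogs.AdditionalDetails`, a key/value list whose ordering is not guaranteed; if the service adds or reorders an entry, the domain check silently filters on the wrong field. Looking the entry up by its `key` (for example with `mv-apply` over `AdditionalDetails` and a `where` on the key name, which is not visible in this diff) is more robust. `PowerAppsEntityId = 27593` is also an unexplained magic number where the other queries use `CloudAppId = int(32780)`, and `has_any(allowed_domains)` is a term match rather than an exact domain comparison, so `contoso.com` would also allow `contoso.com.example`; an `!in~` or `endswith` style check against the list is presumably what was intended — confirm.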
diff --git a/Solutions/Microsoft Business Applications/Package/3.2.0.zip b/Solutions/Microsoft Business Applications/Package/3.2.0.zip
new file mode 100644
index 00000000000..84fbdbfc395
Binary files /dev/null and b/Solutions/Microsoft Business Applications/Package/3.2.0.zip differ
diff --git a/Solutions/Microsoft Business Applications/Package/createUiDefinition.json b/Solutions/Microsoft Business Applications/Package/createUiDefinition.json
new file mode 100644
index 00000000000..e8cfd840669
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Package/createUiDefinition.json
@@ -0,0 +1,1041 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Business%20Applications/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.\n\nThe Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.\n\nIt collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.\n\nDue to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand 
for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.\n\n**Important**\n\n- The Microsoft Sentinel Solution for Power Platform is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.\n\n- This solution is a premium offering. Pricing information will be available before the solution becomes generally available.\n\nPlease review the solution [documentation](https://learn.microsoft.com/azure/sentinel/business-applications/power-platform-solution-overview) to learn more about deploying, configuring and using this solution.\n\n**Data Connectors:** 4, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 49, **Hunting Queries:** 8, **Watchlists:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Business Applications. You can get Microsoft Business Applications data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Dynamics 365 Activity",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data."
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Anomalous application user activity",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Audit log data deletion",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies audit log data deletion activity in Dataverse."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Audit logging disabled",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a change in system audit configuration whereby audit logging is turned off."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Bulk record ownership re-assignment or sharing",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Executable uploaded to SharePoint document management site",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic6",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Export activity from terminated or notified employee",
+ "elements": [
+ {
+ "name": "analytic6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic7",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Guest user exfiltration following Power Platform defense impairment",
+ "elements": [
+ {
+ "name": "analytic7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic8",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Hierarchy security manipulation",
+ "elements": [
+ {
+ "name": "analytic8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies suspicious behaviors in hierarchy security including:\n- Hierarchy security disabled.\n- User assigns themselves as a manager.\n- User assigns themselves to a monitored position."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic9",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Honeypot instance activity",
+ "elements": [
+ {
+ "name": "analytic9-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.\n\nNote: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic10",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Login by a sensitive privileged user",
+ "elements": [
+ {
+ "name": "analytic10-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies Dataverse and Dynamics 365 logons by sensitive users."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic11",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Login from IP in the block list",
+ "elements": [
+ {
+ "name": "analytic11-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic12",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Login from IP not in the allow list",
+ "elements": [
+ {
+ "name": "analytic12-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic13",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Malware found in SharePoint document management site",
+ "elements": [
+ {
+ "name": "analytic13-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic14",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Mass deletion of records",
+ "elements": [
+ {
+ "name": "analytic14-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies large scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic15",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Mass download from SharePoint document management",
+ "elements": [
+ {
+ "name": "analytic15-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic16",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Mass export of records to Excel",
+ "elements": [
+ {
+ "name": "analytic16-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies users exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic17",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Mass record updates",
+ "elements": [
+ {
+ "name": "analytic17-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic18",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - New Dataverse application user activity type",
+ "elements": [
+ {
+ "name": "analytic18-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic19",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - New non-interactive identity granted access",
+ "elements": [
+ {
+ "name": "analytic19-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies API level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic20",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - New sign-in from an unauthorized domain",
+ "elements": [
+ {
+ "name": "analytic20-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic21",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - New user agent type that was not used before",
+ "elements": [
+ {
+ "name": "analytic21-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies users accessing Dataverse from a User Agent that has not been seen in any Dataverse instance in the last 14 days."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic22",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - New user agent type that was not used with Office 365",
+ "elements": [
+ {
+ "name": "analytic22-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic23",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Organization settings modified",
+ "elements": [
+ {
+ "name": "analytic23-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies changes made at organization level in the Dataverse environment."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic24",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Removal of blocked file extensions",
+ "elements": [
+ {
+ "name": "analytic24-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic25",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - SharePoint document management site added or updated",
+ "elements": [
+ {
+ "name": "analytic25-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic26",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Suspicious security role modifications",
+ "elements": [
+ {
+ "name": "analytic26-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies an unusual pattern of events whereby a new role is created followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time period."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic27",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Suspicious use of TDS endpoint",
+ "elements": [
+ {
+ "name": "analytic27-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic28",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Suspicious use of Web API",
+ "elements": [
+ {
+ "name": "analytic28-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies sign-in across multiple Dataverse environments, breaching a predefined threshold, originating from a user with IP address that was used to sign-into the well known Microsoft Entra app registration."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic29",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - TI map IP to DataverseActivity",
+ "elements": [
+ {
+ "name": "analytic29-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic30",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - TI map URL to DataverseActivity",
+ "elements": [
+ {
+ "name": "analytic30-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic31",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Terminated employee exfiltration over email",
+ "elements": [
+ {
+ "name": "analytic31-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies Dataverse exfiltration via email by terminated employees."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic32",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Terminated employee exfiltration to USB drive",
+ "elements": [
+ {
+ "name": "analytic32-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic33",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection",
+ "elements": [
+ {
+ "name": "analytic33-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies previously unseen IP and user agents in a Dataverse instance following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic34",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - User bulk retrieval outside normal activity",
+ "elements": [
+ {
+ "name": "analytic34-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic35",
+ "type": "Microsoft.Common.Section",
+ "label": "F&O - Bank account change following network alias reassignment",
+ "elements": [
+ {
+ "name": "analytic35-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic36",
+ "type": "Microsoft.Common.Section",
+ "label": "F&O - Mass update or deletion of user records",
+ "elements": [
+ {
+ "name": "analytic36-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic37",
+ "type": "Microsoft.Common.Section",
+ "label": "F&O - Non-interactive account mapped to self or sensitive privileged user",
+ "elements": [
+ {
+ "name": "analytic37-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic38",
+ "type": "Microsoft.Common.Section",
+ "label": "F&O - Reverted bank account number modifications",
+ "elements": [
+ {
+ "name": "analytic38-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic39",
+ "type": "Microsoft.Common.Section",
+ "label": "F&O - Unusual sign-in activity using single factor authentication",
+ "elements": [
+ {
+ "name": "analytic39-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies sucessful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic40",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Apps - App activity from unauthorized geo",
+ "elements": [
+ {
+ "name": "analytic40-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies Power Apps activity from countries in a predefined list of unauthorized countries."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic41",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Apps - Bulk sharing of Power Apps to newly created guest users",
+ "elements": [
+ {
+ "name": "analytic41-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic42",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Apps - Multiple apps deleted",
+ "elements": [
+ {
+ "name": "analytic42-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic43",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Apps - Multiple users access a malicious link after launching new app",
+ "elements": [
+ {
+ "name": "analytic43-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a chain of events, where a new Power App is created, followed by mulitple users launching the app within the detection window and clicking on the same malicious URL."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic44",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Automate - Departing employee flow activity",
+ "elements": [
+ {
+ "name": "analytic44-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic45",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Automate - Unusual bulk deletion of flow resources",
+ "elements": [
+ {
+ "name": "analytic45-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic46",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Platform - Account added to privileged Microsoft Entra roles",
+ "elements": [
+ {
+ "name": "analytic46-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies changes to privileged directory roles impacting Power Platform:\n- Dynamics 365 Admins\n- Power Platform Admins\n- Fabric Admins"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic47",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Platform - Connector added to a sensitive environment",
+ "elements": [
+ {
+ "name": "analytic47-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic48",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Platform - DLP policy updated or removed",
+ "elements": [
+ {
+ "name": "analytic48-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies changes to DLP policy, specifically policies which are updated or removed."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic49",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Platform - Possibly compromised user accesses Power Platform services",
+ "elements": [
+ {
+ "name": "analytic49-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center."
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "huntingqueries",
+ "label": "Hunting Queries",
+ "bladeTitle": "Hunting Queries",
+ "elements": [
+ {
+ "name": "huntingqueries-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
+ }
+ },
+ {
+ "name": "huntingqueries-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/hunting"
+ }
+ }
+ },
+ {
+ "name": "huntingquery1",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Activity after Microsoft Entra alerts",
+ "elements": [
+ {
+ "name": "huntingquery1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen. This hunting query depends on Dataverse AzureActiveDirectoryIdentityProtection data connector (DataverseActivity SecurityAlert Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery2",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Activity after failed logons",
+ "elements": [
+ {
+ "name": "huntingquery2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate. This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery3",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Cross-environment data export activity",
+ "elements": [
+ {
+ "name": "huntingquery3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity as users typically work on a small number of environments. This hunting query depends on Dataverse data connector (DataverseActivity Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery4",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Dataverse export copied to USB devices",
+ "elements": [
+ {
+ "name": "huntingquery4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to USB drive. This hunting query depends on Dataverse MicrosoftThreatProtection data connector (DataverseActivity DeviceInfo DeviceEvents DeviceFileEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery5",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Generic client app used to access production environments",
+ "elements": [
+ {
+ "name": "huntingquery5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query detects the use of the built-in \"Dynamics 365 Example Application\" to access production environments. This generic app can not be restricted by Azure AD authorization controls and could be abused to gain unauthorized access via Web API. This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery6",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Identity management activity outside of privileged directory role membership",
+ "elements": [
+ {
+ "name": "huntingquery6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins This hunting query depends on Dataverse IdentityInfo data connector (DataverseActivity IdentityInfo Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery7",
+ "type": "Microsoft.Common.Section",
+ "label": "Dataverse - Identity management changes without MFA",
+ "elements": [
+ {
+ "name": "huntingquery7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query is used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery8",
+ "type": "Microsoft.Common.Section",
+ "label": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users",
+ "elements": [
+ {
+ "name": "huntingquery8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The query detects anomalous attempts to perform bulk sharing of Power App to newly created guest users. This hunting query depends on PowerPlatformAdmin AzureActiveDirectory data connector (PowerPlatformAdminActivity AuditLogs Parser or Table)"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "watchlists",
+ "label": "Watchlists",
+ "subLabel": {
+ "preValidation": "Configure the watchlists",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Watchlists",
+ "elements": [
+ {
+ "name": "watchlists-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Microsoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. Once deployment is successful, the installed watchlists will be available in the Watchlists blade under 'My Watchlists'.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://aka.ms/sentinelwatchlists"
+ }
+ }
+ },
+ {
+ "name": "watchlist1",
+ "type": "Microsoft.Common.Section",
+ "label": "MSBizApps-Configuration",
+ "elements": [
+ {
+ "name": "watchlist1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Configuration for Microsoft Business Applications solution"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "playbooks",
+ "label": "Playbooks",
+ "subLabel": {
+ "preValidation": "Configure the playbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Playbooks",
+ "elements": [
+ {
+ "name": "playbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ }
+ },
+ {
+ "name": "playbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Business Applications/Package/mainTemplate.json b/Solutions/Microsoft Business Applications/Package/mainTemplate.json
new file mode 100644
index 00000000000..2d61fea23b4
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Package/mainTemplate.json
@@ -0,0 +1,14620 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Microsoft",
+ "comments": "Solution template for Microsoft Business Applications"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "defaultValue": "[resourceGroup().name]",
+ "type": "String",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "type": "String",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Dynamics 365 Activity",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "watchlist1-id": {
+ "type": "string",
+ "defaultValue": "MSBizApps-Configuration",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the watchlist"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "Microsoft Business Applications",
+ "_solutionVersion": "3.2.0",
+ "solutionId": "sentinel4dynamics365.powerplatform",
+ "_solutionId": "[variables('solutionId')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "Dynamics365Finance",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "Dynamics365FinanceConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "TemplateEmptyObject": "[json('{}')]",
+ "workbookVersion1": "1.0.4",
+ "workbookContentId1": "Dynamics365Activity",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "3.2.0",
+ "_analyticRulecontentId1": "0820da12-e895-417f-9175-7c256fcfb33e",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0820da12-e895-417f-9175-7c256fcfb33e')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0820da12-e895-417f-9175-7c256fcfb33e')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0820da12-e895-417f-9175-7c256fcfb33e','-', '3.2.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "3.2.0",
+ "_analyticRulecontentId2": "f1634822-b7e9-44f5-95ac-fa4a04f14513",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f1634822-b7e9-44f5-95ac-fa4a04f14513')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f1634822-b7e9-44f5-95ac-fa4a04f14513')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f1634822-b7e9-44f5-95ac-fa4a04f14513','-', '3.2.0')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "3.2.0",
+ "_analyticRulecontentId3": "ea07523b-e6b8-469b-9e25-cdef1ae6fb45",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ea07523b-e6b8-469b-9e25-cdef1ae6fb45')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ea07523b-e6b8-469b-9e25-cdef1ae6fb45')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ea07523b-e6b8-469b-9e25-cdef1ae6fb45','-', '3.2.0')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "3.2.0",
+ "_analyticRulecontentId4": "6e480329-84bc-409a-b97b-22e8102af3ca",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6e480329-84bc-409a-b97b-22e8102af3ca')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6e480329-84bc-409a-b97b-22e8102af3ca')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6e480329-84bc-409a-b97b-22e8102af3ca','-', '3.2.0')))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "3.2.0",
+ "_analyticRulecontentId5": "ba5e608f-7879-4927-8b0d-a9948b4fe6f3",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ba5e608f-7879-4927-8b0d-a9948b4fe6f3')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba5e608f-7879-4927-8b0d-a9948b4fe6f3','-', '3.2.0')))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "3.2.0",
+ "_analyticRulecontentId6": "0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b','-', '3.2.0')))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "3.2.0",
+ "_analyticRulecontentId7": "39efbf4b-b347-4cc7-895e-99a868bf29ea",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39efbf4b-b347-4cc7-895e-99a868bf29ea')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39efbf4b-b347-4cc7-895e-99a868bf29ea')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39efbf4b-b347-4cc7-895e-99a868bf29ea','-', '3.2.0')))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "3.2.0",
+ "_analyticRulecontentId8": "2df0adf5-92a8-4ee0-a123-3eb5be1eed02",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2df0adf5-92a8-4ee0-a123-3eb5be1eed02')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2df0adf5-92a8-4ee0-a123-3eb5be1eed02')))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2df0adf5-92a8-4ee0-a123-3eb5be1eed02','-', '3.2.0')))]"
+ },
+ "analyticRuleObject9": {
+ "analyticRuleVersion9": "3.2.0",
+ "_analyticRulecontentId9": "11650b85-d8cc-49c4-8c04-a8a739635983",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '11650b85-d8cc-49c4-8c04-a8a739635983')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('11650b85-d8cc-49c4-8c04-a8a739635983')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','11650b85-d8cc-49c4-8c04-a8a739635983','-', '3.2.0')))]"
+ },
+ "analyticRuleObject10": {
+ "analyticRuleVersion10": "3.2.0",
+ "_analyticRulecontentId10": "f327816b-9328-4b17-9290-a02adc2f4928",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f327816b-9328-4b17-9290-a02adc2f4928')]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f327816b-9328-4b17-9290-a02adc2f4928')))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f327816b-9328-4b17-9290-a02adc2f4928','-', '3.2.0')))]"
+ },
+ "analyticRuleObject11": {
+ "analyticRuleVersion11": "3.2.0",
+ "_analyticRulecontentId11": "666fef96-1bb8-4abf-ad72-e5cb49561381",
+ "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '666fef96-1bb8-4abf-ad72-e5cb49561381')]",
+ "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('666fef96-1bb8-4abf-ad72-e5cb49561381')))]",
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','666fef96-1bb8-4abf-ad72-e5cb49561381','-', '3.2.0')))]"
+ },
+ "analyticRuleObject12": {
+ "analyticRuleVersion12": "3.2.0",
+ "_analyticRulecontentId12": "81c693fe-f6c4-4352-bc10-3526f6e22637",
+ "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '81c693fe-f6c4-4352-bc10-3526f6e22637')]",
+ "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('81c693fe-f6c4-4352-bc10-3526f6e22637')))]",
+ "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','81c693fe-f6c4-4352-bc10-3526f6e22637','-', '3.2.0')))]"
+ },
+ "analyticRuleObject13": {
+ "analyticRuleVersion13": "3.2.0",
+ "_analyticRulecontentId13": "2e3878bb-d519-43aa-9992-ea069df099e4",
+ "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2e3878bb-d519-43aa-9992-ea069df099e4')]",
+ "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2e3878bb-d519-43aa-9992-ea069df099e4')))]",
+ "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e3878bb-d519-43aa-9992-ea069df099e4','-', '3.2.0')))]"
+ },
+ "analyticRuleObject14": {
+ "analyticRuleVersion14": "3.2.0",
+ "_analyticRulecontentId14": "716cf6d4-97ad-407b-923e-6790083acb58",
+ "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '716cf6d4-97ad-407b-923e-6790083acb58')]",
+ "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('716cf6d4-97ad-407b-923e-6790083acb58')))]",
+ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','716cf6d4-97ad-407b-923e-6790083acb58','-', '3.2.0')))]"
+ },
+ "analyticRuleObject15": {
+ "analyticRuleVersion15": "3.2.0",
+ "_analyticRulecontentId15": "95e02f1b-5886-4043-8f0e-a42e6e23330f",
+ "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95e02f1b-5886-4043-8f0e-a42e6e23330f')]",
+ "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95e02f1b-5886-4043-8f0e-a42e6e23330f')))]",
+ "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95e02f1b-5886-4043-8f0e-a42e6e23330f','-', '3.2.0')))]"
+ },
+ "analyticRuleObject16": {
+ "analyticRuleVersion16": "3.2.0",
+ "_analyticRulecontentId16": "57000f0d-ff5d-4166-94b6-aa5fb62b16ec",
+ "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57000f0d-ff5d-4166-94b6-aa5fb62b16ec')]",
+ "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57000f0d-ff5d-4166-94b6-aa5fb62b16ec')))]",
+ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57000f0d-ff5d-4166-94b6-aa5fb62b16ec','-', '3.2.0')))]"
+ },
+ "analyticRuleObject17": {
+ "analyticRuleVersion17": "3.2.0",
+ "_analyticRulecontentId17": "df577f0f-1d8a-4420-9057-a07f0edb15c8",
+ "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'df577f0f-1d8a-4420-9057-a07f0edb15c8')]",
+ "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('df577f0f-1d8a-4420-9057-a07f0edb15c8')))]",
+ "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df577f0f-1d8a-4420-9057-a07f0edb15c8','-', '3.2.0')))]"
+ },
+ "analyticRuleObject18": {
+ "analyticRuleVersion18": "3.2.0",
+ "_analyticRulecontentId18": "5c768e7d-7e5e-4d57-80d4-3f50c96fbf70",
+ "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]",
+ "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')))]",
+ "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5c768e7d-7e5e-4d57-80d4-3f50c96fbf70','-', '3.2.0')))]"
+ },
+ "analyticRuleObject19": {
+ "analyticRuleVersion19": "3.2.0",
+ "_analyticRulecontentId19": "682e230c-e5da-4085-8666-701d1f1be7de",
+ "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '682e230c-e5da-4085-8666-701d1f1be7de')]",
+ "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('682e230c-e5da-4085-8666-701d1f1be7de')))]",
+ "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','682e230c-e5da-4085-8666-701d1f1be7de','-', '3.2.0')))]"
+ },
+ "analyticRuleObject20": {
+ "analyticRuleVersion20": "3.2.0",
+ "_analyticRulecontentId20": "4c1c9aee-8e44-4bb9-bd53-f3e7d6761282",
+ "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c1c9aee-8e44-4bb9-bd53-f3e7d6761282')]",
+ "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c1c9aee-8e44-4bb9-bd53-f3e7d6761282')))]",
+ "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c1c9aee-8e44-4bb9-bd53-f3e7d6761282','-', '3.2.0')))]"
+ },
+ "analyticRuleObject21": {
+ "analyticRuleVersion21": "3.2.0",
+ "_analyticRulecontentId21": "34a5d79b-8f9a-420c-aa64-7f4d262ac29a",
+ "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34a5d79b-8f9a-420c-aa64-7f4d262ac29a')]",
+ "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34a5d79b-8f9a-420c-aa64-7f4d262ac29a')))]",
+ "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34a5d79b-8f9a-420c-aa64-7f4d262ac29a','-', '3.2.0')))]"
+ },
+ "analyticRuleObject22": {
+ "analyticRuleVersion22": "3.2.0",
+ "_analyticRulecontentId22": "094b3c0a-1f63-42f7-9535-c8c7b7198328",
+ "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '094b3c0a-1f63-42f7-9535-c8c7b7198328')]",
+ "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('094b3c0a-1f63-42f7-9535-c8c7b7198328')))]",
+ "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','094b3c0a-1f63-42f7-9535-c8c7b7198328','-', '3.2.0')))]"
+ },
+ "analyticRuleObject23": {
+ "analyticRuleVersion23": "3.2.0",
+ "_analyticRulecontentId23": "a6f6b734-3db8-4259-a988-69e0b8eac0c2",
+ "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a6f6b734-3db8-4259-a988-69e0b8eac0c2')]",
+ "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a6f6b734-3db8-4259-a988-69e0b8eac0c2')))]",
+ "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a6f6b734-3db8-4259-a988-69e0b8eac0c2','-', '3.2.0')))]"
+ },
+ "analyticRuleObject24": {
+ "analyticRuleVersion24": "3.2.0",
+ "_analyticRulecontentId24": "1b1061be-2595-4492-af6d-1c8a5fc9576d",
+ "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
+ "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b1061be-2595-4492-af6d-1c8a5fc9576d')))]",
+ "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b1061be-2595-4492-af6d-1c8a5fc9576d','-', '3.2.0')))]"
+ },
+ "analyticRuleObject25": {
+ "analyticRuleVersion25": "3.2.0",
+ "_analyticRulecontentId25": "c4c3510a-0ee0-4561-9835-47882ffa7f46",
+ "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c4c3510a-0ee0-4561-9835-47882ffa7f46')]",
+ "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c4c3510a-0ee0-4561-9835-47882ffa7f46')))]",
+ "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c4c3510a-0ee0-4561-9835-47882ffa7f46','-', '3.2.0')))]"
+ },
+ "analyticRuleObject26": {
+ "analyticRuleVersion26": "3.2.0",
+ "_analyticRulecontentId26": "e44a58b2-b63a-4eb9-92da-85660d73495c",
+ "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e44a58b2-b63a-4eb9-92da-85660d73495c')]",
+ "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e44a58b2-b63a-4eb9-92da-85660d73495c')))]",
+ "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e44a58b2-b63a-4eb9-92da-85660d73495c','-', '3.2.0')))]"
+ },
+ "analyticRuleObject27": {
+ "analyticRuleVersion27": "3.2.0",
+ "_analyticRulecontentId27": "d875af10-6bb9-4d6a-a6e4-78439a98bf4b",
+ "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd875af10-6bb9-4d6a-a6e4-78439a98bf4b')]",
+ "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d875af10-6bb9-4d6a-a6e4-78439a98bf4b')))]",
+ "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d875af10-6bb9-4d6a-a6e4-78439a98bf4b','-', '3.2.0')))]"
+ },
+ "analyticRuleObject28": {
+ "analyticRuleVersion28": "3.2.0",
+ "_analyticRulecontentId28": "8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86",
+ "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')]",
+ "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')))]",
+ "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86','-', '3.2.0')))]"
+ },
+ "analyticRuleObject29": {
+ "analyticRuleVersion29": "3.2.0",
+ "_analyticRulecontentId29": "56d5aa0c-d871-4167-ba13-61c2f0fd17bf",
+ "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '56d5aa0c-d871-4167-ba13-61c2f0fd17bf')]",
+ "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('56d5aa0c-d871-4167-ba13-61c2f0fd17bf')))]",
+ "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','56d5aa0c-d871-4167-ba13-61c2f0fd17bf','-', '3.2.0')))]"
+ },
+ "analyticRuleObject30": {
+ "analyticRuleVersion30": "3.2.0",
+ "_analyticRulecontentId30": "d88a0e22-3b6a-40c2-af28-c064b44d03b7",
+ "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd88a0e22-3b6a-40c2-af28-c064b44d03b7')]",
+ "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d88a0e22-3b6a-40c2-af28-c064b44d03b7')))]",
+ "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d88a0e22-3b6a-40c2-af28-c064b44d03b7','-', '3.2.0')))]"
+ },
+ "analyticRuleObject31": {
+ "analyticRuleVersion31": "3.2.0",
+ "_analyticRulecontentId31": "de039242-47e0-43fa-84d7-b6be24305349",
+ "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'de039242-47e0-43fa-84d7-b6be24305349')]",
+ "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('de039242-47e0-43fa-84d7-b6be24305349')))]",
+ "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','de039242-47e0-43fa-84d7-b6be24305349','-', '3.2.0')))]"
+ },
+ "analyticRuleObject32": {
+ "analyticRuleVersion32": "3.2.0",
+ "_analyticRulecontentId32": "c5e75cb6-cea0-49c2-a998-da414035aac1",
+ "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c5e75cb6-cea0-49c2-a998-da414035aac1')]",
+ "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c5e75cb6-cea0-49c2-a998-da414035aac1')))]",
+ "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c5e75cb6-cea0-49c2-a998-da414035aac1','-', '3.2.0')))]"
+ },
+ "analyticRuleObject33": {
+ "analyticRuleVersion33": "3.2.0",
+ "_analyticRulecontentId33": "d7c9549c-7246-4555-8e53-d7b0db546764",
+ "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd7c9549c-7246-4555-8e53-d7b0db546764')]",
+ "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d7c9549c-7246-4555-8e53-d7b0db546764')))]",
+ "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d7c9549c-7246-4555-8e53-d7b0db546764','-', '3.2.0')))]"
+ },
+ "analyticRuleObject34": {
+ "analyticRuleVersion34": "3.2.0",
+ "_analyticRulecontentId34": "08cb7ffc-59c6-4e7d-88e0-327371c9431b",
+ "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '08cb7ffc-59c6-4e7d-88e0-327371c9431b')]",
+ "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('08cb7ffc-59c6-4e7d-88e0-327371c9431b')))]",
+ "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','08cb7ffc-59c6-4e7d-88e0-327371c9431b','-', '3.2.0')))]"
+ },
+ "analyticRuleObject35": {
+ "analyticRuleVersion35": "3.2.0",
+ "_analyticRulecontentId35": "dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64",
+ "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')]",
+ "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')))]",
+ "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64','-', '3.2.0')))]"
+ },
+ "analyticRuleObject36": {
+ "analyticRuleVersion36": "3.2.0",
+ "_analyticRulecontentId36": "5ab00fbb-ba2c-44dc-b02e-f119639b9a11",
+ "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5ab00fbb-ba2c-44dc-b02e-f119639b9a11')]",
+ "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5ab00fbb-ba2c-44dc-b02e-f119639b9a11')))]",
+ "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5ab00fbb-ba2c-44dc-b02e-f119639b9a11','-', '3.2.0')))]"
+ },
+ "analyticRuleObject37": {
+ "analyticRuleVersion37": "3.2.0",
+ "_analyticRulecontentId37": "5b7cc7f9-fe54-4138-9fb0-d650807345d3",
+ "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b7cc7f9-fe54-4138-9fb0-d650807345d3')]",
+ "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b7cc7f9-fe54-4138-9fb0-d650807345d3')))]",
+ "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b7cc7f9-fe54-4138-9fb0-d650807345d3','-', '3.2.0')))]"
+ },
+ "analyticRuleObject38": {
+ "analyticRuleVersion38": "3.2.0",
+ "_analyticRulecontentId38": "44b1021c-d517-4b7a-9ba6-a91eab94e632",
+ "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44b1021c-d517-4b7a-9ba6-a91eab94e632')]",
+ "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44b1021c-d517-4b7a-9ba6-a91eab94e632')))]",
+ "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44b1021c-d517-4b7a-9ba6-a91eab94e632','-', '3.2.0')))]"
+ },
+ "analyticRuleObject39": {
+ "analyticRuleVersion39": "3.2.0",
+ "_analyticRulecontentId39": "919e939f-95e2-4978-846e-13a721c89ea1",
+ "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '919e939f-95e2-4978-846e-13a721c89ea1')]",
+ "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('919e939f-95e2-4978-846e-13a721c89ea1')))]",
+ "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','919e939f-95e2-4978-846e-13a721c89ea1','-', '3.2.0')))]"
+ },
+ "analyticRuleObject40": {
+ "analyticRuleVersion40": "3.2.0",
+ "_analyticRulecontentId40": "7ec1e61d-f3b7-4f40-bb1a-357a63913c23",
+ "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7ec1e61d-f3b7-4f40-bb1a-357a63913c23')]",
+ "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7ec1e61d-f3b7-4f40-bb1a-357a63913c23')))]",
+ "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7ec1e61d-f3b7-4f40-bb1a-357a63913c23','-', '3.2.0')))]"
+ },
+ "analyticRuleObject41": {
+ "analyticRuleVersion41": "3.2.0",
+ "_analyticRulecontentId41": "943acfa0-9285-4eb0-a9c0-42e36177ef19",
+ "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '943acfa0-9285-4eb0-a9c0-42e36177ef19')]",
+ "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('943acfa0-9285-4eb0-a9c0-42e36177ef19')))]",
+ "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.2.0')))]"
+ },
+ "analyticRuleObject42": {
+ "analyticRuleVersion42": "3.2.0",
+ "_analyticRulecontentId42": "ed88638d-8627-4c20-ba08-67c13807a9b1",
+ "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ed88638d-8627-4c20-ba08-67c13807a9b1')]",
+ "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ed88638d-8627-4c20-ba08-67c13807a9b1')))]",
+ "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ed88638d-8627-4c20-ba08-67c13807a9b1','-', '3.2.0')))]"
+ },
+ "analyticRuleObject43": {
+ "analyticRuleVersion43": "3.2.0",
+ "_analyticRulecontentId43": "4bd7e93a-0646-4e02-8dcb-aa16d16618f4",
+ "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4bd7e93a-0646-4e02-8dcb-aa16d16618f4')]",
+ "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4bd7e93a-0646-4e02-8dcb-aa16d16618f4')))]",
+ "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4bd7e93a-0646-4e02-8dcb-aa16d16618f4','-', '3.2.0')))]"
+ },
+ "analyticRuleObject44": {
+ "analyticRuleVersion44": "3.2.0",
+ "_analyticRulecontentId44": "b1e11b8c-545a-4dea-a912-0008e160d183",
+ "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b1e11b8c-545a-4dea-a912-0008e160d183')]",
+ "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b1e11b8c-545a-4dea-a912-0008e160d183')))]",
+ "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b1e11b8c-545a-4dea-a912-0008e160d183','-', '3.2.0')))]"
+ },
+ "analyticRuleObject45": {
+ "analyticRuleVersion45": "3.2.0",
+ "_analyticRulecontentId45": "56cb646e-56a0-4f0e-8866-9bc1dd15da78",
+ "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '56cb646e-56a0-4f0e-8866-9bc1dd15da78')]",
+ "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('56cb646e-56a0-4f0e-8866-9bc1dd15da78')))]",
+ "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','56cb646e-56a0-4f0e-8866-9bc1dd15da78','-', '3.2.0')))]"
+ },
+ "analyticRuleObject46": {
+ "analyticRuleVersion46": "3.2.0",
+ "_analyticRulecontentId46": "71d829d6-eb50-4a17-8a64-655fae8d71e1",
+ "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '71d829d6-eb50-4a17-8a64-655fae8d71e1')]",
+ "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('71d829d6-eb50-4a17-8a64-655fae8d71e1')))]",
+ "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','71d829d6-eb50-4a17-8a64-655fae8d71e1','-', '3.2.0')))]"
+ },
+ "analyticRuleObject47": {
+ "analyticRuleVersion47": "3.2.0",
+ "_analyticRulecontentId47": "886a5655-3d12-42f1-8927-4095789c575e",
+ "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '886a5655-3d12-42f1-8927-4095789c575e')]",
+ "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('886a5655-3d12-42f1-8927-4095789c575e')))]",
+ "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','886a5655-3d12-42f1-8927-4095789c575e','-', '3.2.0')))]"
+ },
+ "analyticRuleObject48": {
+ "analyticRuleVersion48": "3.2.0",
+ "_analyticRulecontentId48": "1b2e6172-85c5-417a-90c3-7cc80cb787f5",
+ "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b2e6172-85c5-417a-90c3-7cc80cb787f5')]",
+ "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b2e6172-85c5-417a-90c3-7cc80cb787f5')))]",
+ "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.2.0')))]"
+ },
+ "analyticRuleObject49": {
+ "analyticRuleVersion49": "3.0.0",
+ "_analyticRulecontentId49": "54d48840-1c64-4399-afee-ad39a069118d",
+ "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54d48840-1c64-4399-afee-ad39a069118d')]",
+ "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54d48840-1c64-4399-afee-ad39a069118d')))]",
+ "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54d48840-1c64-4399-afee-ad39a069118d','-', '3.0.0')))]"
+ },
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "3.2.0",
+ "_huntingQuerycontentId1": "428c3d41-e441-4244-994e-b059d6316bc4",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('428c3d41-e441-4244-994e-b059d6316bc4')))]"
+ },
+ "huntingQueryObject2": {
+ "huntingQueryVersion2": "3.2.0",
+ "_huntingQuerycontentId2": "dafcc598-2987-4aa0-947e-7d0449677689",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('dafcc598-2987-4aa0-947e-7d0449677689')))]"
+ },
+ "huntingQueryObject3": {
+ "huntingQueryVersion3": "3.2.0",
+ "_huntingQuerycontentId3": "74a48db8-dc1d-414e-9709-39fa3f8a2246",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('74a48db8-dc1d-414e-9709-39fa3f8a2246')))]"
+ },
+ "huntingQueryObject4": {
+ "huntingQueryVersion4": "3.2.0",
+ "_huntingQuerycontentId4": "f9658e11-e277-4a65-8f91-2cb94cf7497c",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f9658e11-e277-4a65-8f91-2cb94cf7497c')))]"
+ },
+ "huntingQueryObject5": {
+ "huntingQueryVersion5": "3.2.0",
+ "_huntingQuerycontentId5": "90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a')))]"
+ },
+ "huntingQueryObject6": {
+ "huntingQueryVersion6": "3.2.0",
+ "_huntingQuerycontentId6": "c7e6e48a-0514-4989-bc90-4a3c9207ede1",
+ "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c7e6e48a-0514-4989-bc90-4a3c9207ede1')))]"
+ },
+ "huntingQueryObject7": {
+ "huntingQueryVersion7": "3.2.0",
+ "_huntingQuerycontentId7": "385234b7-d96c-4dc3-9c0e-ceb46048d487",
+ "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('385234b7-d96c-4dc3-9c0e-ceb46048d487')))]"
+ },
+ "huntingQueryObject8": {
+ "huntingQueryVersion8": "3.2.0",
+ "_huntingQuerycontentId8": "169428be-5ed0-4230-9103-c83df89c789a",
+ "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('169428be-5ed0-4230-9103-c83df89c789a')))]"
+ },
+ "Dataverse-Add-SharePoint-Site": "Dataverse-Add-SharePoint-Site",
+ "_Dataverse-Add-SharePoint-Site": "[variables('Dataverse-Add-SharePoint-Site')]",
+ "playbookVersion1": "1.0",
+ "playbookContentId1": "Dataverse-Add-SharePoint-Site",
+ "_playbookContentId1": "[variables('playbookContentId1')]",
+ "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
+ "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
+ "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
+ "Dataverse-Blocklist-Add-User-AlertTrigger": "Dataverse-Blocklist-Add-User-AlertTrigger",
+ "_Dataverse-Blocklist-Add-User-AlertTrigger": "[variables('Dataverse-Blocklist-Add-User-AlertTrigger')]",
+ "playbookVersion2": "1.0",
+ "playbookContentId2": "Dataverse-Blocklist-Add-User-AlertTrigger",
+ "_playbookContentId2": "[variables('playbookContentId2')]",
+ "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
+ "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
+ "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
+ "Dataverse-Blocklist-Add-User-Via-Outlook": "Dataverse-Blocklist-Add-User-Via-Outlook",
+ "_Dataverse-Blocklist-Add-User-Via-Outlook": "[variables('Dataverse-Blocklist-Add-User-Via-Outlook')]",
+ "playbookVersion3": "1.0",
+ "playbookContentId3": "Dataverse-Blocklist-Add-User-Via-Outlook",
+ "_playbookContentId3": "[variables('playbookContentId3')]",
+ "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
+ "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
+ "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
+ "Dataverse-Blocklist-Add-User-Via-Teams": "Dataverse-Blocklist-Add-User-Via-Teams",
+ "_Dataverse-Blocklist-Add-User-Via-Teams": "[variables('Dataverse-Blocklist-Add-User-Via-Teams')]",
+ "playbookVersion4": "1.0",
+ "playbookContentId4": "Dataverse-Blocklist-Add-User-Via-Teams",
+ "_playbookContentId4": "[variables('playbookContentId4')]",
+ "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
+ "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
+ "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
+ "Dataverse-Blocklist-Add-User": "Dataverse-Blocklist-Add-User",
+ "_Dataverse-Blocklist-Add-User": "[variables('Dataverse-Blocklist-Add-User')]",
+ "playbookVersion5": "1.0",
+ "playbookContentId5": "Dataverse-Blocklist-Add-User",
+ "_playbookContentId5": "[variables('playbookContentId5')]",
+ "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
+ "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
+ "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
+ "Dataverse-Blocklist-Remove-User-AlertTrigger": "Dataverse-Blocklist-Remove-User-AlertTrigger",
+ "_Dataverse-Blocklist-Remove-User-AlertTrigger": "[variables('Dataverse-Blocklist-Remove-User-AlertTrigger')]",
+ "playbookVersion6": "1.0",
+ "playbookContentId6": "Dataverse-Blocklist-Remove-User-AlertTrigger",
+ "_playbookContentId6": "[variables('playbookContentId6')]",
+ "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
+ "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
+ "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
+ "Dataverse-Send-Manager-Notification": "Dataverse-Send-Manager-Notification",
+ "_Dataverse-Send-Manager-Notification": "[variables('Dataverse-Send-Manager-Notification')]",
+ "playbookVersion7": "1.0",
+ "playbookContentId7": "Dataverse-Send-Manager-Notification",
+ "_playbookContentId7": "[variables('playbookContentId7')]",
+ "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
+ "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
+ "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
+ "MSBizApps-Incident-From-Alert-Teams": "MSBizApps-Incident-From-Alert-Teams",
+ "_MSBizApps-Incident-From-Alert-Teams": "[variables('MSBizApps-Incident-From-Alert-Teams')]",
+ "playbookVersion8": "1.0",
+ "playbookContentId8": "MSBizApps-Incident-From-Alert-Teams",
+ "_playbookContentId8": "[variables('playbookContentId8')]",
+ "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
+ "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
+ "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
+ "parserObject1": {
+ "_parserName1": "[concat(parameters('workspace'),'/','DataverseSharePointSites')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DataverseSharePointSites-Parser')))]",
+ "parserVersion1": "3.2.0",
+ "parserContentId1": "DataverseSharePointSites-Parser"
+ },
+ "parserObject2": {
+ "_parserName2": "[concat(parameters('workspace'),'/','MSBizAppsNetworkAddresses')]",
+ "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]",
+ "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsNetworkAddresses-Parser')))]",
+ "parserVersion2": "3.2.0",
+ "parserContentId2": "MSBizAppsNetworkAddresses-Parser"
+ },
+ "parserObject3": {
+ "_parserName3": "[concat(parameters('workspace'),'/','MSBizAppsOrgSettings')]",
+ "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]",
+ "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsOrgSettings-Parser')))]",
+ "parserVersion3": "3.2.0",
+ "parserContentId3": "MSBizAppsOrgSettings-Parser"
+ },
+ "parserObject4": {
+ "_parserName4": "[concat(parameters('workspace'),'/','MSBizAppsTerminatedEmployees')]",
+ "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]",
+ "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsTerminatedEmployees-Parser')))]",
+ "parserVersion4": "3.0.1",
+ "parserContentId4": "MSBizAppsTerminatedEmployees-Parser"
+ },
+ "parserObject5": {
+ "_parserName5": "[concat(parameters('workspace'),'/','MSBizAppsVIPUsers')]",
+ "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]",
+ "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsVIPUsers-Parser')))]",
+ "parserVersion5": "3.2.0",
+ "parserContentId5": "MSBizAppsVIPUsers-Parser"
+ },
+ "MSBizApps-Configuration": "MSBizApps-Configuration",
+ "_MSBizApps-Configuration": "[variables('MSBizApps-Configuration')]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
+ "dataConnectorVersion10": "1.0.0",
+ "dataConnectorVersionConnections10": "1.0.0",
+ "_uiConfigId10": "PowerAutomate",
+ "_dataConnectorContentId10": "PowerAutomate",
+ "dataConnectorTemplateNameConnectorDefinition10": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId10')))]",
+ "_dataConnectorContentIdConnections10": "PowerAutomateTemplateConnections",
+ "dataConnectorTemplateNameConnections10": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections10')))]",
+ "_dataConnectorcontentProductId10": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId10'),'-', variables('dataConnectorVersion10'))))]",
+ "dataConnectorDataCollectionRulePrefix10": "PP-Automate",
+ "_dataConnectorDataCollectionRulePrefix10": "[variables('dataConnectorDataCollectionRulePrefix10')]",
+ "dataConnectorVersion14": "1.0.0",
+ "dataConnectorVersionConnections14": "1.0.0",
+ "_uiConfigId14": "Dataverse",
+ "_dataConnectorContentId14": "Dataverse",
+ "dataConnectorTemplateNameConnectorDefinition14": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId14')))]",
+ "_dataConnectorContentIdConnections14": "DataverseTemplateConnections",
+ "dataConnectorTemplateNameConnections14": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections14')))]",
+ "_dataConnectorcontentProductId14": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId14'),'-', variables('dataConnectorVersion14'))))]",
+ "dataConnectorDataCollectionRulePrefix14": "PP-Dataverse",
+ "_dataConnectorDataCollectionRulePrefix14": "[variables('dataConnectorDataCollectionRulePrefix14')]",
+ "dataConnectorVersion15": "1.0.0",
+ "dataConnectorVersionConnections15": "1.0.0",
+ "_uiConfigId15": "PowerPlatformAdmin",
+ "_dataConnectorContentId15": "PowerPlatformAdmin",
+ "dataConnectorTemplateNameConnectorDefinition15": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId15')))]",
+ "_dataConnectorContentIdConnections15": "PowerPlatformAdminTemplateConnections",
+ "dataConnectorTemplateNameConnections15": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections15')))]",
+ "_dataConnectorcontentProductId15": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId15'),'-', variables('dataConnectorVersion15'))))]",
+ "dataConnectorDataCollectionRulePrefix15": "PP-Admin",
+ "_dataConnectorDataCollectionRulePrefix15": "[variables('dataConnectorDataCollectionRulePrefix15')]",
+ "destinationName": "clv2ws1",
+ "_destinationName": "[variables('destinationName')]",
+ "_workspaceResourceId": "[variables('workspaceResourceId')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "Dynamics 365 Finance and Operations",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "Dynamics365Finance",
+ "title": "Dynamics 365 Finance and Operations",
+ "publisher": "Microsoft",
+ "logo": "Dynamics365.svg",
+ "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.",
+ "graphQueriesTableName": "FinanceOperationsActivity_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "{{graphQueriesTableName}}",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Finance and Operations Audited Tables",
+ "query": "{{graphQueriesTableName}}\n | summarize by TableName"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft Entra app registration",
+ "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL."
+ },
+ {
+ "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:"
+ },
+ {
+ "title": "Step 1 - Microsoft Entra app registration",
+ "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use."
+ },
+ {
+ "title": "Step 2 - Create a role for data collection in Finance and Operations",
+ "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role."
+ },
+ {
+ "title": "Step 3 - Create a user for data collection in Finance and Operations",
+ "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user."
+ },
+ {
+ "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations",
+ "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step."
+ },
+ {
+ "description": "Connect using client credentials",
+ "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add environment",
+ "isPrimary": true,
+ "title": "Dynamics 365 Finance and Operations connection",
+ "instructionSteps": [
+ {
+ "title": "Environment details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Microsoft Entra tenant ID.",
+ "placeholder": "Tenant ID (GUID)",
+ "type": "text",
+ "name": "tenantId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "App registration client ID",
+ "placeholder": "Finance and Operations client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "App registration client secret",
+ "placeholder": "Finance and Operations client secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Finance and Operations organization URL",
+ "placeholder": "https://dynamics-dev.axcloud.dynamics.com",
+ "type": "text",
+ "name": "auditHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "Organizations",
+ "description": "Each row represents an Finance and Operations connection",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Environment URL",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "FinOps-DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-FinanceOperationsActivity_CL": {
+ "columns": [
+ {
+ "name": "dataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "InstanceName",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "string"
+ },
+ {
+ "name": "NewData",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+ }
+ },
+ "dataSources": "[variables('TemplateEmptyObject')]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-FinanceOperationsActivity_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = now() | project-away dataAreaId, NewData",
+ "outputStream": "Custom-FinanceOperationsActivity_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]"
+ }
+ },
+ {
+ "name": "FinanceOperationsActivity_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "FinanceOperationsActivity_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "InstanceName",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedDateTime",
+ "type": "datetime"
+ },
+ {
+ "name": "LogType",
+ "type": "string"
+ },
+ {
+ "name": "TableName",
+ "type": "string"
+ },
+ {
+ "name": "Username",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Data",
+ "type": "dynamic"
+ },
+ {
+ "name": "FormattedData",
+ "type": "dynamic"
+ },
+ {
+ "name": "LogCreatedBy",
+ "type": "string"
+ },
+ {
+ "name": "LogCreatedTransactionId",
+ "type": "string"
+ },
+ {
+ "name": "LogDataAreaId",
+ "type": "string"
+ },
+ {
+ "name": "LogPartition",
+ "type": "long"
+ },
+ {
+ "name": "LogRecId",
+ "type": "long"
+ },
+ {
+ "name": "SequenceNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableIdNumber",
+ "type": "int"
+ },
+ {
+ "name": "TableRecId",
+ "type": "long"
+ },
+ {
+ "name": "TableRecVersion",
+ "type": "int"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "Dynamics365Finance",
+ "title": "Dynamics 365 Finance and Operations",
+ "publisher": "Microsoft",
+ "logo": "Dynamics365.svg",
+ "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.",
+ "graphQueriesTableName": "FinanceOperationsActivity_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "{{graphQueriesTableName}}",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Finance and Operations Audited Tables",
+ "query": "{{graphQueriesTableName}}\n | summarize by TableName"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft Entra app registration",
+ "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL."
+ },
+ {
+ "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:"
+ },
+ {
+ "title": "Step 1 - Microsoft Entra app registration",
+ "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use."
+ },
+ {
+ "title": "Step 2 - Create a role for data collection in Finance and Operations",
+ "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role."
+ },
+ {
+ "title": "Step 3 - Create a user for data collection in Finance and Operations",
+ "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user."
+ },
+ {
+ "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations",
+ "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step."
+ },
+ {
+ "description": "Connect using client credentials",
+ "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add environment",
+ "isPrimary": true,
+ "title": "Dynamics 365 Finance and Operations connection",
+ "instructionSteps": [
+ {
+ "title": "Environment details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Microsoft Entra tenant ID.",
+ "placeholder": "Tenant ID (GUID)",
+ "type": "text",
+ "name": "tenantId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "App registration client ID",
+ "placeholder": "Finance and Operations client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "App registration client secret",
+ "placeholder": "Finance and Operations client secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Finance and Operations organization URL",
+ "placeholder": "https://dynamics-dev.axcloud.dynamics.com",
+ "type": "text",
+ "name": "auditHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "Organizations",
+ "description": "Each row represents an Finance and Operations connection",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Environment URL",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "Dynamics 365 Finance and Operations",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "Dynamics 365 Finance and Operations",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "tenantId": {
+ "defaultValue": "tenantId",
+ "type": "string",
+ "minLength": 1
+ },
+ "clientId": {
+ "defaultValue": "clientId",
+ "type": "string",
+ "minLength": 1
+ },
+ "clientSecret": {
+ "defaultValue": "clientSecret",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "auditHost": {
+ "defaultValue": "auditHost",
+ "type": "string",
+ "minLength": 1
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]",
+ "connectorName": "[[concat('D365_', guid(parameters('auditHost')))]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/',variables('connectorName'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "Dynamics365Finance",
+ "dcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-FinanceOperationsActivity_CL"
+ },
+ "dataType": "FinanceOperationsActivity_CL",
+ "addOnAttributes": {
+ "InstanceName": "[[parameters('auditHost')]"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "ClientSecret": "[[parameters('clientSecret')]",
+ "ClientId": "[[parameters('clientId')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "TokenEndpointQueryParameters": {},
+ "Scope": "[[concat(parameters('auditHost'), '/.default')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('auditHost'), '/data/DatabaseLogs')]",
+ "queryWindowInMin": 10,
+ "httpMethod": "Get",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "$filter": "LogCreatedDateTime gt {_QueryWindowStartTime} and LogCreatedDateTime le {_QueryWindowEndTime}",
+ "cross-company": "true"
+ },
+ "headers": {
+ "Accept": "application/json;odata.metadata=none",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.value"
+ ]
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dynamics365Activity Workbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Dynamics 365 Workbook\\n---\\n\\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. This workbook is separated into 5 distinct sections and within each section there are several queries and visualizations. Many of the queries build on data from previous queries so may not appear if no data is present.\\n\\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of Dynamics 365 data queries may timeout with a large time range, if this is the case simply select a smaller time range.: \"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"412a09a0-64ae-4614-aec6-cbfc9273b82b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 32\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ae90d1dc-20da-4948-80da-127b210bf152\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Retrieval 
Events\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"a1862467-36e9-4191-89ee-0a7479ec6114\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Deletion Events\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"06df36ec-4c5b-456d-b5d3-45fcd4662c6b\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Export Events\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"5bb7d870-a9d8-4905-a7c5-41b94c89edf4\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Events\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"fa9a364b-0ffc-4023-a7cc-087345da4ba8\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Other Events\",\"subTarget\":\"5\",\"style\":\"link\"}]},\"name\":\"links - 34\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Retrieval Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\n| extend Message = split(OriginalObjectId, ' ')[0]\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| union (\\n DataverseActivity\\n | extend Message = split(OriginalObjectId, ' ')[0]\\n | where Message =~ \\\"Retrieve\\\" \\n | extend QueryCount = double(1))\\n| make-series TotalRetrieves=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\n| extend (baseline) = series_decompose(TotalRetrieves)\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalRetrieves, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total record retrievals by users - 
{TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"RetTime\"},{\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"This timeline shows a break down of anomolies in data retrieval sizes by all users. Look for spikes that might indicate suspicious activity by users in terms of accessing records.\\r\\n\\r\\n \\r\\nThe table below shows the 10 users with the largest number of data retrievals in the timeframe. This may help indicate which users are the cause of the anomolies. To filter subcequent views by a particular user simply select a user from the list. If no user is selected queries will show data from all users.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n| extend Message = split(OriginalObjectId, ' ')[0]\\r\\n| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n| extend numQueryCount = todouble(QueryResults)\\r\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n| union (\\r\\n DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| summarize TotalRecords = sum(QueryCount) by UserId\\r\\n| sort by TotalRecords desc\\r\\n| take 10\",\"size\":4,\"title\":\"Users with largest total record retrievals - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"RetUser\",\"exportDefaultValue\":\"all 
users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n | where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\"\\r\\n | where UserId =~ '{RetUser}' \\r\\n \\t | extend QueryCount = double(1))\\r\\n\\t| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retrievals by {RetUser:label}\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n| where Message contains \\\"Retrieve\\\"\\r\\n| where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\",\"size\":1,\"title\":\"Retrievals by 
{RetUser}\",\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"TimeBrush\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 23 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n| summarize TotalRecords = sum(QueryCount) by IPAddress\\r\\n| sort by TotalRecords desc\\r\\n| take 10\\r\\n| project IPAddress, TotalRecords\",\"size\":1,\"title\":\"Total record retrievals by IP address - {TimeRange:label} - Top 10\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"RetIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"As with the user retrieval events previously this section shows 
the top 10 IP addresses with the largest number of record retrievals. \\r\\n\\r\\nSelect an IP address in oder to filter subcequent fields by that IP.\",\"style\":\"info\"},\"customWidth\":\"30\",\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n| where IPAddress == '{RetIP}' or '{RetIP}' == \\\"all IP addresses\\\"\\r\\n| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retreivals by {RetIP:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 24\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Retrieval Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Deletions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section include details on users deleting records within Dynamics 365. \\r\\n\\r\\nThe first timeline show anomalies within the total number of records deleted by users. Subcequent sections highlight the User and IP addresses associated with the largest number of record deletions. 
Selecting records in these results will show additional results filtered to that user or IP address.\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n\\t| make-series TotalDeletes=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalDeletes)\\r\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalDeletes, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Record deletions - {TimeRange:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n\",\"size\":4,\"title\":\"Users with most record deletions - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"DeleteUserId\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | where UserId =~ '{DeleteUserId}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Deletes by {DeleteUserId:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteUserId\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by tostring(split(ClientIp, ':')[0])\\r\\n | extend IPAddress = tostring(ClientIp_0)\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n \\r\\n\",\"size\":4,\"title\":\"Record deletions by IP address - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"DeleteIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\"},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"categorical\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n | where IPAddress == '{DeleteIP}' or '{DeleteIP}' == \\\"all IP addresses\\\"\\r\\n | summarize 
count() by bin(TimeGenerated, 1h)\\r\\n\\r\\n\",\"size\":1,\"title\":\"Deletions by {DeleteIP:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteIP\",\"comparison\":\"isNotEqualTo\",\"value\":\"all IP addresses\"},\"name\":\"query - 22\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Record Deletions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Export Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at records export from Dynamics 365. The first graph represents a timeseries of anomolies in the number of recrods being exported by all users.\\r\\n\\r\\nSubcequent sections look at the users exporting the largest number of records as well as the largest single export events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n\\t| where TimeGenerated > ago(30d)\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n | make-series TotalExports=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalExports)\\r\\n\\t| extend (anomalies, baseline) = series_decompose_anomalies(TotalExports, 3, -1, 
'linefit')\\r\\n\",\"size\":0,\"title\":\"Count of records exported to Excel - {TimeRange:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | summarize TotalRecords = sum(QueryCount) by UserId\\r\\n | sort by TotalRecords desc\\r\\n | take 10\\r\\n\",\"size\":1,\"title\":\"Users with most record exports - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"ExportUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DataverseActivity\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | extend IPAddress=split(ClientIp, 
':')[0]\\r\\n | summarize by UserId, tostring(IPAddress), QueryCount\\r\\n | sort by QueryCount desc\\r\\n | take 10\\r\\n\",\"size\":0,\"title\":\"Largest exports - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where UserId =~ '{ExportUser}'\\r\\n | summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Exports by {ExportUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"ExportUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"Export Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Email Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at emails sent by user via Dynamics 365, as with the other sections it starts be looking at anomolies in the total number of emails sent and then allows for drill downs into specific users to identify anomalous events.\",\"style\":\"info\"},\"name\":\"text - 
4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | make-series TotalEmails=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n | extend (baseline) = series_decompose(TotalEmails)\\r\\n | extend (anomalies, baseline) = series_decompose_anomalies(TotalEmails, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total emails sent - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 7\"},{\"type\":1,\"content\":{\"json\":\"Use this graph to look for spikes in email sent activity that occur outside the regular weekly pattern or occur outside expected working hours. You can then pivot on this data using query similar to:\\r\\n\\r\\n\\tDataverseActivity\\r\\n \\t| where TimeGenerated between(datetime(SPIKETIME)..(datetime(SPIKETIME)+1h))\\r\\n \\t| where Message =~ \\\"SendEmail\\\"\"},\"name\":\"text - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\",\"size\":4,\"title\":\"Users with most sent emails - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"EmailUser\",\"exportDefaultValue\":\"all 
users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"75\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"Select a user to see specific events related to that user.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t | where TimeGenerated > ago(30d)\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | where UserId =~ '{EmailUser}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Emails by {EmailUser:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"EmailUser\",\"comparison\":\"isEqualTo\"},\"name\":\"query - 27\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"Email Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Other Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section contains a number of other areas of interest from a threat hunting perspective. 
Selecting events in the queries shows additional data of interest.\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\"\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n\\t| join kind=leftanti (DataverseActivity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\")\\r\\non UserId\\r\\n| summarize by UserId\",\"size\":0,\"title\":\"New users observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"NewUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"33\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | summarize count() by UserAgent\\r\\n | sort by count_ asc\\r\\n | take 10\\r\\n | project UserAgent\",\"size\":0,\"title\":\"10 rarest user agents in the {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserAgent\",\"exportParameterName\":\"RareUA\",\"exportDefaultValue\":\"all user agents\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserAgent\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 
17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message)\\r\\n\\t| join kind=leftanti (DataverseActivity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message))\\r\\non Message\\r\\n| summarize by Message\",\"size\":0,\"title\":\"New actions observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Message\",\"exportParameterName\":\"NewAction\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | where UserId =~ '{NewUser}'\\r\\n | project TimeGenerated, Message, ClientIp, UserAgent\",\"size\":0,\"title\":\"Activity by {NewUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"showPin\":false,\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | where UserAgent =~ '{RareUA}'\\r\\n\",\"size\":0,\"title\":\"Activity by {RareUA:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"RareUA\",\"comparison\":\"isNotEqualTo\",\"value\":\"all user 
agents\"},\"showPin\":false,\"name\":\"query - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | where Message =~ '{NewAction}'\",\"size\":0,\"title\":\"{NewAction:label} activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewAction\",\"comparison\":\"isNotEqualTo\",\"value\":\"All\"},\"name\":\"query - 31\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"Other Events\"}],\"isLocked\":false,\"fromTemplateId\":\"sentinel-Dynamics365Activity\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=Dynamics365Activity; logoFileName=DynamicsLogo.svg; description=This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.4; title=Dynamics 365 Activity; templateRelativePath=Dynamics365Activity.json; subtitle=; provider=Microsoft}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "DataverseActivity",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "Dataverse",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Anomalous application user activity_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use.",
+ "displayName": "Dataverse - Anomalous application user activity",
+ "enabled": false,
+ "query": "let query_lookback = 14d;\nlet query_frequency = 5h;\nlet anomaly_threshold = 2.5;\nlet seasonality = -1;\nlet trend = 'linefit';\nlet step_duration = 5h;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nDataverseActivity\n| where TimeGenerated >= startofday(ago(query_lookback))\n| where UserId in (application_users)\n| where isnotempty(OriginalObjectId)\n| make-series TotalEvents = count() default=0 on TimeGenerated from startofday(ago(query_lookback)) to now() step step_duration by UserId, InstanceUrl, OriginalObjectId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TotalEvents, anomaly_threshold, seasonality, trend)\n| mv-expand\n TotalEvents to typeof(double),\n AnomalyTimeGenerated = TimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n Score to typeof(double),\n Baseline to typeof(long)\n| where Anomalies > 0\n| extend Details = bag_pack(\n \"TotalEvents\",\n TotalEvents,\n \"Anomalies\",\n Anomalies,\n \"Baseline\",\n Baseline,\n \"Score\",\n Score,\n \"OriginalObjectId\",\n OriginalObjectId\n )\n| summarize Details = make_set(Details, 100) by UserId, InstanceUrl, AnomalyTimeGenerated\n| extend\n CloudAppId = int(32780),\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0]))\n| project\n AnomalyTimeGenerated,\n UserId,\n AadUserId,\n InstanceUrl,\n Details,\n CloudAppId\n",
+ "queryFrequency": "PT5H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": [
+ "T1528",
+ "T1569",
+ "T0871",
+ "T0834",
+ "T0859"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AadUserId",
+ "identifier": "AadUserId"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "InstranceUrl": "InstanceUrl"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Anomaly detected on {{UserId}} in {{InstanceUrl}}. Details: {{Details}}",
+ "alertDisplayNameFormat": "Dataverse - Non-interactive account anomaly detected in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Anomalous application user activity",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Audit log data deletion_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies audit log data deletion activity in Dataverse.",
+ "displayName": "Dataverse - Audit log data deletion",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message =~ 'DeleteRecordChangeHistory' or Message =~ 'DeleteAuditData'\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, \"@\")[0])\n| extend UPNSuffix = tostring(split(UserId, \"@\")[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n UserAgent,\n Message,\n EntityName,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1070"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User {{UserId}} deleted audit log data in {{InstanceUrl}}. The message type is {{Message}}.",
+ "alertDisplayNameFormat": "Dataverse - Audit logs deleted in {{InstanceUrl}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Audit log data deletion",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Audit logging disabled_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a change in system audit configuration whereby audit logging is turned off.",
+ "displayName": "Dataverse - Audit logging disabled",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message =~ 'UpdateAuditSettings'\n| mv-expand Fields\n| extend AuditValue = Fields.Name, AuditEnabled = tobool(Fields.Value)\n| where not (AuditEnabled)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n AuditValue,\n AuditEnabled,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1562"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Audit settings changes were detected in {{InstanceUrl}}. {{AuditValue}} enabled: was set to {{AuditEnabled}}.",
+ "alertDisplayNameFormat": "Dataverse - Audit logging was disabled in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 3",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Audit logging disabled",
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Bulk record ownership re-assignment or sharing_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.",
+ "displayName": "Dataverse - Bulk record ownership re-assignment or sharing",
+ "enabled": false,
+ "query": "// Set threshold for number of shared/assigned records\nlet detection_threshold = 100;\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"ModifyAccess\", \"Assign\", \"GrantAccess\")\n| summarize\n FirstEvent = min(TimeGenerated),\n LastEvent = max(TimeGenerated),\n Events = count()\n by UserId, Message, InstanceUrl, ClientIp\n| where Events > detection_threshold\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n Message,\n Events,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1548"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{Events}} events of type {{Message}} detected in {{InstanceUrl}} could indicate suspicious or malicious activity.",
+ "alertDisplayNameFormat": "Dataverse - High number of record access modification events detected"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 4",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Bulk record ownership re-assignment or sharing",
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Executable uploaded to SharePoint document management site_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.",
+ "displayName": "Dataverse - Executable uploaded to SharePoint document management site",
+ "enabled": false,
+ "query": "let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n OfficeActivity\n | where TimeGenerated >= ago(query_frequency)\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\")\n on $left.SharePointUrl == $right.Site_Url\n| where SourceFileExtension in (file_extensions)\n| extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIP,\n InstanceUrl,\n SourceFileName,\n SharePointUrl,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Office365",
+ "dataTypes": [
+ "OfficeActivity (SharePoint)"
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": [
+ "T0863",
+ "T0873"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIP",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "File",
+ "fieldMappings": [
+ {
+ "columnName": "SourceFileName",
+ "identifier": "Name"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "SharePointId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "SharePointUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}",
+ "alertDisplayNameFormat": "Dataverse - Executable files uploaded in document management for {{InstanceUrl}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 5",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Executable uploaded to SharePoint document management site",
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Export activity from terminated or notified employee_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.",
+ "displayName": "Dataverse - Export activity from terminated or notified employee",
+ "enabled": false,
+ "query": "// Set a time period before employee terminatation date to search for export events\nlet termination_watch_period = 7d;\nlet query_frequency = 1h;\nlet exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nMSBizAppsTerminatedEmployees\n| where (UserState =~ \"Terminated\") or (UserState =~ \"Notified\" and TerminationDate <= startofday(now()) + termination_watch_period)\n| join kind=inner (DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message in (exportEvents))\n on $left.UserPrincipalName == $right.UserId\n| summarize\n FirstEvent = min(TimeGenerated),\n LastEvent = max(TimeGenerated),\n Event = make_set(Message, 4)\n by UserId, InstanceUrl, ClientIp, UserState\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n UserId,\n ClientIp,\n UserState,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1567",
+ "T1048"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Export events where employee state found matching {{UserState}} found in {{InstanceUrl}}.",
+ "alertDisplayNameFormat": "Dataverse - Export events detected from a terminated employee in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 6",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Export activity from terminated or notified employee",
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Guest user exfiltration following Power Platform defense impairment_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.",
+ "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment",
+ "enabled": false,
+ "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | where StartTime 
> TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack(\"AlertName\", AlertName, \"SystemAlertId\", SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n DataverseId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "AuditLogs"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectoryIdentityProtection",
+ "dataTypes": [
+ "SecurityAlert"
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion",
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1629",
+ "T1567"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "GuestAccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "GuestUPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "DataverseId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "Environment": "EnvironmentId"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{SecurityDisablingUser}} disabled Power Platform tenant isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}",
+ "alertDisplayNameFormat": "Dataverse - exfiltration alerts following defense impairment in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 7",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment",
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Hierarchy security manipulation_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies suspicious behaviors in hierarchy security including:\n- Hierarchy security disabled.\n- User assigns themselves as a manager.\n- User assigns themselves to a monitored position.",
+ "displayName": "Dataverse - Hierarchy security manipulation",
+ "enabled": false,
+ "query": "let monitored_position_ids = dynamic([\n // Enter a list of monitored position ID (guids)\n //\"79380ac5-da2a-ed11-9db1-000d3a58d546\"\n ]);\nlet query_frequency = 1h;\nlet security_disabled_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"organization\"\n | mv-expand Fields\n | where Fields.Name == \"ishierarchicalsecuritymodelenabled\"\n | where Fields.Value == \"False\"\n | extend Message = \"Hierarchy security has been disabled\"\n | project TimeGenerated, UserId, ClientIp, InstanceUrl, Message;\nlet assign_self_as_manager_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"systemuser\"\n | mv-expand Fields\n | where Fields.Name == \"parentsystemuserid\"\n | extend ModifiedManager = tostring(Fields.Value)\n | where SystemUserId == ModifiedManager\n | extend Message = \"User added self as manager of another user\";\nlet assign_self_to_position_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"systemuser\"\n | mv-expand Position = Fields\n | where Position.Name == \"positionid\" and tostring(Position.Value) in (monitored_position_ids)\n | mv-expand Target = Fields\n | where Target.Name == \"systemuserid\"\n | extend UserAssigned = tostring(Target.Value)\n | where SystemUserId == UserAssigned\n | extend\n Message = \"User assigned self to a monitored position\",\n PositionId = tostring(Position.Value);\nunion\n security_disabled_events,\n assign_self_as_manager_events,\n assign_self_to_position_events\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n Message,\n PositionId,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1548",
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{Message}}. Events detected for user {{UserId}}.",
+ "alertDisplayNameFormat": "Dataverse - Suspicious hierarchy security modifications in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 8",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Hierarchy security manipulation",
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Honeypot instance activity_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.\n\nNote: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled.",
+ "displayName": "Dataverse - Honeypot instance activity",
+ "enabled": false,
+ "query": "let honeypot_dataverse_instances = dynamic([\"https://myinstance.crm.dynamics.com/\"]);\nlet honeypot_authorized_users = dynamic([\"scanner@mydomain.com\"]);\nlet monitored_dataverse_entities = dynamic([\"contact\", \"account\", \"opportunity\", \"lead\", \"competitor\"]);\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where InstanceUrl in (honeypot_dataverse_instances)\n| where UserId !in (honeypot_authorized_users)\n| where UserId !endswith \"@onmicrosoft.com\"\n and UserId != \"Unknown\"\n and isnotempty(ClientIp)\n| where Message in (\"UserSignIn\") or EntityName in (monitored_dataverse_entities)\n| summarize\n TimeStart = min(TimeGenerated),\n TimeEnd = max(TimeGenerated),\n Entities = make_set(EntityName, 10),\n Messages = make_set(Message, 10)\n by UserId, ClientIp, InstanceUrl\n| extend Severity = iif(array_length(set_difference(Messages, dynamic([\"UserSignIn\"]))) > 0, \"Medium\", \"Low\")\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, '@')[0])\n| extend UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeStart,\n TimeEnd,\n UserId,\n ClientIp,\n InstanceUrl,\n Messages,\n Entities,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1538",
+ "T1526",
+ "T1567"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} from {{ClientIp}} was detected in the Dataverse honeypot instance: {{InstanceUrl}}",
+ "alertDisplayNameFormat": "Dataverse - Honeytoken activity detected in {{InstanceUrl}} ",
+ "alertSeverityColumnName": "Severity"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 9",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Honeypot instance activity",
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Login by a sensitive privileged user_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies Dataverse and Dynamics 365 logons by sensitive users.",
+ "displayName": "Dataverse - Login by a sensitive privileged user",
+ "enabled": false,
+ "query": "# Sensitive users are marked in the VIP Users watchlist using the Tags field.\n# Enter the tags values to monitor\nlet monitored_tags = dynamic([\"DataverseSensitive\"]);\nlet query_frequency = 1h;\nlet sensitive_users = MSBizAppsVIPUsers()\n | where Tags in (monitored_tags);\nsensitive_users\n| join kind=inner (DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId\n| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstSeen,\n UserId,\n ClientIp,\n UserAgent,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1133",
+ "T1190",
+ "T1078",
+ "T1212"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.",
+ "alertDisplayNameFormat": "Dataverse - Sensitive user logged in in at {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 10",
+ "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Login by a sensitive privileged user",
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Login from IP in the block list_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.",
+ "displayName": "Dataverse - Login from IP in the block list",
+ "enabled": false,
+ "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist (from watchlist template)\n// with tag \"BlockDataverse\"\nlet query_frequency = 1h;\nlet blocked_networks = MSBizAppsNetworkAddresses()\n | where Tags has \"BlockDataverse\"\n | summarize by IPSubnet;\nlet watchlist_entries_count = toscalar (blocked_networks\n | summarize count());\nDataverseActivity\n| where watchlist_entries_count > 0\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"UserSignIn\" and isnotempty(ClientIp)\n| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n Message,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133",
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.",
+ "alertDisplayNameFormat": "Dataverse - Login from IP in the block list at {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 11",
+ "parentId": "[variables('analyticRuleObject11').analyticRuleId11]",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Login from IP in the block list",
+ "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
+ "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Login from IP not in the allow list_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template.",
+ "displayName": "Dataverse - Login from IP not in the allow list",
+ "enabled": false,
+ "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist template with tag \"AllowDataverse\"\nlet allowed_networks = MSBizAppsNetworkAddresses()\n | where Tags has \"AllowDataverse\"\n | summarize by IPSubnet;\nlet query_frequency = 1h;\nlet watchlist_entries_count = toscalar (allowed_networks\n | summarize count());\nlet dataverse_signin_activity = materialize(\n DataverseActivity\n | where watchlist_entries_count > 0\n | where TimeGenerated >= ago (query_frequency)\n | where Message == \"UserSignIn\" and isnotempty(ClientIp)\n | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n );\nlet authorized_ip_addresses = dataverse_signin_activity\n | evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet);\ndataverse_signin_activity\n| join kind=leftanti(authorized_ip_addresses) on ClientIp\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078",
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Sign-in activity detected in {{InstanceUrl}} from an IP {{ClientIp}} not on the allow list.",
+ "alertDisplayNameFormat": "Dataverse - Login from IP not on the allow list in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 12",
+ "parentId": "[variables('analyticRuleObject12').analyticRuleId12]",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Login from IP not in the allow list",
+ "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Malware found in SharePoint document management site_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.",
+ "displayName": "Dataverse - Malware found in SharePoint document management site",
+ "enabled": false,
+ "query": "let query_frequency = 15m;\n let malware_events = OfficeActivity\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileMalwareDetected\"\n | summarize by MalwareUserId = UserId, SourceFileName, Site_Url\n | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;\n let file_upload_events = OfficeActivity\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\"\n | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;\n let d365_upload_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UploadDocument\"\n | summarize by UserId, D365ClientIp = ClientIp;\n malware_events\n | join kind=inner (file_upload_events) on SourceFileName, Site_Url\n | lookup (d365_upload_events) on UserId\n | extend ClientIp = iif(ApplicationId == \"00000007-0000-0000-c000-000000000000\", D365ClientIp, ClientIP)\n | extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n | project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n SharePointUrl,\n SourceFileName,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "Office365",
+ "dataTypes": [
+ "OfficeActivity (SharePoint)"
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1204"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "File",
+ "fieldMappings": [
+ {
+ "columnName": "SourceFileName",
+ "identifier": "Name"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "SharePointId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "SharePointUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}",
+ "alertDisplayNameFormat": "Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 13",
+ "parentId": "[variables('analyticRuleObject13').analyticRuleId13]",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Malware found in SharePoint document management site",
+ "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
+ "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Mass deletion of records_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies large scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs.",
+ "displayName": "Dataverse - Mass deletion of records",
+ "enabled": false,
+ "query": "let mass_delete_threshold = 10000;\nlet query_frequency = 1d;\nlet delete_activities = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Delete\";\nunion\n (\n delete_activities\n | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl\n | where TotalEvents > mass_delete_threshold\n | join kind=inner (\n delete_activities\n | summarize DeleteCount = count() by UserId, InstanceUrl, ClientIp, EntityName)\n on UserId, InstanceUrl\n | extend Entities = bag_pack(\"Entity\", EntityName, \"Count\", DeleteCount)\n | summarize Details = make_set(Entities, 100), FirstEvent = min(FirstEvent) by UserId, InstanceUrl, ClientIp, TotalEvents\n ),\n (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"BulkDelete\"\n | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl, ClientIp\n | extend Details = todynamic(\"Bulk delete scheduled\")\n )\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n TotalEvents,\n Details,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1485"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} triggered the mass deletion detection with the following information: {{Details}}",
+ "alertDisplayNameFormat": "Dataverse - mass deletion or bulk deletion job detected in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 14",
+ "parentId": "[variables('analyticRuleObject14').analyticRuleId14]",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Mass deletion of records",
+ "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
+ "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Mass download from SharePoint document management_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.",
+ "displayName": "Dataverse - Mass download from SharePoint document management",
+ "enabled": false,
+ "query": "// Set threshold for number of downloaded files\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n OfficeActivity\n | where TimeGenerated >= ago(query_frequency)\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileDownloaded\")\n on $left.SharePointUrl == $right.Site_Url\n| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP\n| where FileDownloadCount > detection_threshold\n| extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n UserId,\n ClientIP,\n FileDownloadCount,\n SharePointUrl,\n InstanceUrl,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Office365",
+ "dataTypes": [
+ "OfficeActivity (SharePoint)"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1567"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIP",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "SharePointId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "SharePointUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by {{{UserId}}.",
+ "alertDisplayNameFormat": "Dataverse - Mass download detected from document management in {{{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 15",
+ "parentId": "[variables('analyticRuleObject15').analyticRuleId15]",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Mass download from SharePoint document management",
+ "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
+ "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Mass export of records to Excel_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies users exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold.",
+ "displayName": "Dataverse - Mass export of records to Excel",
+ "enabled": false,
+ "query": "// Set a mass export threshold for users who have no historical activity.\nlet mass_export_threshold = 10000;\nlet query_lookback = 14d;\nlet query_frequency = 1h;\nlet export_activity = DataverseActivity\n | where Message == \"ExportToExcel\"\n | extend QueryCount = iif(QueryResults has \",\", todouble(countof(tostring(QueryResults), ',') + 1), double(1));\nlet current_activity = export_activity\n | where TimeGenerated > ago(query_frequency)\n | extend RecordId = split(QueryResults, \",\")\n | summarize\n FirstEvent = min(TimeGenerated),\n CurrentExportRate = sum(QueryCount),\n SampleRecordIds = make_set(RecordId, 1000)\n by UserId, InstanceUrl;\nlet historical_activity = export_activity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize HistoricalBaseline = sum(QueryCount) by HistoricalUserId = UserId, InstanceUrl;\ncurrent_activity\n| join kind=leftouter(historical_activity) on $left.UserId == $right.HistoricalUserId, InstanceUrl\n| extend BaselineThreshold = iif(isnotnull(HistoricalBaseline), HistoricalBaseline, todouble(mass_export_threshold))\n| where CurrentExportRate > BaselineThreshold\n| join kind=inner(export_activity\n | where TimeGenerated > ago(query_frequency)\n | summarize EntityCount = sum(QueryCount) by UserId, ClientIp, InstanceUrl, EntityName\n | extend Details = bag_pack(\"EntityName\", EntityName, \"EntityCount\", EntityCount)\n | summarize Details = make_set(Details, 100) by UserId, ClientIp, InstanceUrl)\n on UserId, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n BaselineThreshold,\n CurrentExportRate,\n Details,\n SampleRecordIds,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1567"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User {{UserId}} exported {{{CurrentExportRate}} records using the ExportToExcel function in Dataverse.",
+ "alertDisplayNameFormat": "Dataverse - mass export to Excel activity in {{{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 16",
+ "parentId": "[variables('analyticRuleObject16').analyticRuleId16]",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Mass export of records to Excel",
+ "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Mass record updates_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold.",
+ "displayName": "Dataverse - Mass record updates",
+ "enabled": false,
+ "query": "// Set threshold for number of updated records\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\"\n| summarize EventCount = count() by InstanceUrl, UserId, ClientIp, Message\n| where EventCount > detection_threshold\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency))\n on InstanceUrl, UserId, ClientIp, Message\n| mv-expand Fields\n| summarize\n UpdatedFields = make_set(Fields.Name, 100),\n FirstEvent = min(TimeGenerated)\n by UserId, ClientIp, InstanceUrl, EventCount, EntityName\n| extend Details = bag_pack(\"Entity\", EntityName, \"Count\", EventCount, \"FieldsUpdated\", UpdatedFields)\n| summarize\n TotalEvents = sum(EventCount),\n FirstEvent = min(FirstEvent),\n Details = make_list(Details, 100)\n by UserId, ClientIp, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n TotalEvents,\n Details,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1641",
+ "T1485",
+ "T1565"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "Details": "Details"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A total of {{TotalEvents}} records were updated by {{UserId}} , breaching the mass update threshold in {{InstanceUrl}} .",
+ "alertDisplayNameFormat": "Dataverse - Mass record changes detected in {{{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 17",
+ "parentId": "[variables('analyticRuleObject17').analyticRuleId17]",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Mass record updates",
+ "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
+ "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - New Dataverse application user activity type_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.",
+ "displayName": "Dataverse - New Dataverse application user activity type",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nlet historical_app_activity = application_users\n | join kind = inner (\n DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\nlet current_activity = application_users\n | join kind= inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\ncurrent_activity\n| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl\n| summarize NewActivities = make_set(strcat(Message, \" \", EntityName), 1000) by UserId, InstanceUrl\n| extend\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0])),\n CloudAppId = int(32780)\n| project\n UserId,\n NewActivities,\n InstanceUrl,\n AadUserId,\n CloudAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Execution",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1635",
+ "T0871",
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AadUserId",
+ "identifier": "AadUserId"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.",
+ "alertDisplayNameFormat": "Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 18",
+ "parentId": "[variables('analyticRuleObject18').analyticRuleId18]",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - New Dataverse application user activity type",
+ "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
+ "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - New non-interactive identity granted access_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies API level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user.",
+ "displayName": "Dataverse - New non-interactive identity granted access",
+ "enabled": false,
+ "query": "let dataverse_app_id = \"00000007-0000-0000-c000-000000000000\";\nlet query_frequency = 1h;\nlet azure_ad_changes = AuditLogs\n | where TimeGenerated >= ago(query_frequency)\n | where OperationName =~ 'Update application'\n | where TargetResources has dataverse_app_id\n | extend TargetAppName = tostring(TargetResources[0].displayName)\n | extend TargetAppId = tostring(TargetResources[0].id)\n | extend UserId = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ClientIp = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n | extend NewData = tostring(parse_json(tostring(parse_json(TargetResources)[0].modifiedProperties))[0].newValue)\n | where NewData has dataverse_app_id;\nlet dataverse_changes = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where (Message == \"Create\" and EntityName == \"systemuser\" and parse_json(Fields)[0].Name == \"applicationid\")\n | extend TargetAppId = tostring(Fields[0].Value);\nunion azure_ad_changes, dataverse_changes\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n TargetAppName,\n TargetAppId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "AuditLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "LateralMovement",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1098",
+ "T0859",
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "TargetAppId",
+ "identifier": "AadUserId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} granted access to an Azure AD app {{{TargetAppName}}. Check to validate this access was authorized.",
+ "alertDisplayNameFormat": "Dataverse - new non-interactive access granted"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 19",
+ "parentId": "[variables('analyticRuleObject19').analyticRuleId19]",
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - New non-interactive identity granted access",
+ "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
+ "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - New sign-in from an unauthorized domain_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default.",
+ "displayName": "Dataverse - New sign-in from an unauthorized domain",
+ "enabled": false,
+ "query": "// Allow list of UPN suffixes allowed by the organization.\nlet allowed_domains = dynamic([\n 'onmicrosoft.com',\n 'microsoft.com'\n ]);\n// All list of users allowed by the organization\nlet allowed_users = dynamic([\n 'user1@mydomain.com',\n 'user2@mydomain.com'\n ]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_users = DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | where Message == 'UserSignIn'\n | summarize by UserId;\nDataverseActivity\n| where TimeGenerated >= ago (query_frequency)\n| where Message == 'UserSignIn'\n| join kind=leftanti (historical_users) on UserId\n| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, ClientIp, InstanceUrl\n| where isnotempty(ClientIp)\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, '@')[0])\n| extend UPNSuffix = tostring(split(UserId, '@')[1])\n| where UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)\n| project\n FirstEvent,\n LastEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078",
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "New user sign-in activity was detected in {{InstanceUrl}} originating from user {{UserId}}. This user's UPN suffix is not on the authorized list of domains.",
+ "alertDisplayNameFormat": "Dataverse - Unauthorized sign-in activity"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 20",
+ "parentId": "[variables('analyticRuleObject20').analyticRuleId20]",
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - New sign-in from an unauthorized domain",
+ "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]",
+ "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - New user agent type that was not used before_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies users accessing Dataverse from a User Agent that has not been seen in any Dataverse instance in the last 14 days.",
+ "displayName": "Dataverse - New user agent type that was not used before",
+ "enabled": false,
+ "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n // Enter known user agents to exclude.\n // example:\n // \"Agent1\", \"Agent2\", \"Agent3\"\n ]);\nDataverseActivity\n| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n| where isnotempty(UserAgent)\n| summarize by UserAgent\n| join kind = rightanti (DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n | where isnotempty(UserAgent)\n | where UserAgent !in~ (known_useragents)\n | where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\")\n on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n on UserAgent\n| summarize\n FirstSeen = min(TimeGenerated),\n LatestIP = arg_max(ClientIp, TimeGenerated)\n by UserAgent, UserId, InstanceUrl\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n FirstSeen,\n UserId,\n UserAgent,\n LatestIP,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1078",
+ "T0866",
+ "T0819",
+ "T1036"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "LatestIP",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} with new agent not seen previously in the Dataverse activity log.\nAgent: {{UserAgent}}\nLatest IP: {{LatestIP}}\n",
+ "alertDisplayNameFormat": "Dataverse - new user agent detected in {{{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 21",
+ "parentId": "[variables('analyticRuleObject21').analyticRuleId21]",
+ "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject21').analyticRuleVersion21]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - New user agent type that was not used before",
+ "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]",
+ "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]",
+ "version": "[variables('analyticRuleObject21').analyticRuleVersion21]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - New user agent type that was not used with Office 365_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days.",
+ "displayName": "Dataverse - New user agent type that was not used with Office 365",
+ "enabled": false,
+ "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n // Enter known user agents to exclude.\n // example:\n // \"Agent1\", \"Agent2\", \"Agent3\"\n ]);\nDataverseActivity\n| where TimeGenerated > ago(query_frequency)\n| where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n| where isnotempty(UserAgent)\n| where UserAgent !in~ (known_useragents)\n| where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\"\n| join kind = leftanti (\n OfficeActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | where isnotempty(UserAgent)\n | summarize by UserAgent)\n on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n on UserAgent\n| summarize\n FirstSeen = min(TimeGenerated),\n LatestIP = arg_max(ClientIp, TimeGenerated)\n by UserAgent, UserId, InstanceUrl\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n FirstSeen,\n UserId,\n UserAgent,\n LatestIP,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "LatestIP",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 22",
+ "parentId": "[variables('analyticRuleObject22').analyticRuleId22]",
+ "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject22').analyticRuleVersion22]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - New user agent type that was not used with Office 365",
+ "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]",
+ "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]",
+ "version": "[variables('analyticRuleObject22').analyticRuleVersion22]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Organization settings modified_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies changes made at organization level in the Dataverse environment.",
+ "displayName": "Dataverse - Organization settings modified",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName == \"organization\"\n| mv-expand Fields\n| extend FieldName = tostring(Fields.Name)\n| extend Value = tostring(Fields.Value)\n| where FieldName != \"organizationid\"\n| lookup MSBizAppsOrgSettings on FieldName\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n FieldName,\n Value,\n DisplayName,\n Description,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Organization setting {{DisplayName}} : {{Description}} changed by {{UserId}}",
+ "alertDisplayNameFormat": "Dataverse - {{DisplayName}} changed in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 23",
+ "parentId": "[variables('analyticRuleObject23').analyticRuleId23]",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Organization settings modified",
+ "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
+ "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Removal of blocked file extensions_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension.",
+ "displayName": "Dataverse - Removal of blocked file extensions",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nlet default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', \";\");\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName =~ 'organization'\n| mv-expand Fields\n| where Fields.Name == \"blockedattachments\"\n| extend\n UpdatedAttachments = split(tostring(Fields.Value), \";\"),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n RemovedAttachments,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1629"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.",
+ "alertDisplayNameFormat": "Dataverse - Blocked file extension removed in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 24",
+ "parentId": "[variables('analyticRuleObject24').analyticRuleId24]",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Removal of blocked file extensions",
+ "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]",
+ "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - SharePoint document management site added or updated_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.",
+ "displayName": "Dataverse - SharePoint document management site added or updated",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"Create\", \"Update\") and EntityName == \"sharepointsite\"\n| mv-expand Fields\n| where Fields.Name == \"absoluteurl\"\n| extend\n SharePointAppId = int(20892),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n SharePointUrl = tostring(Fields.Value)\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n Message,\n SharePointUrl,\n InstanceUrl,\n CloudAppId,\n SharePointAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1567",
+ "T1537"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "SharePointAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "SharePointUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} made changes to document management in {{{InstanceUrl}}. Sharepoint site {{{SharePointUrl}} was added.",
+ "alertDisplayNameFormat": "Dataverse - Document management enabled or modified in {{{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 25",
+ "parentId": "[variables('analyticRuleObject25').analyticRuleId25]",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - SharePoint document management site added or updated",
+ "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]",
+ "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Suspicious security role modifications_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies an unusual pattern of events whereby a new role is created followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time period.",
+ "displayName": "Dataverse - Suspicious security role modifications",
+ "enabled": false,
+ "query": "let role_create_watch_period = 2d;\nlet query_frequency = 1h;\nlet role_create_add_events= DataverseActivity\n | where Message == \"Create\" and EntityName == \"role\"\n | mv-expand Role = Fields\n | extend RoleName = Role.Value\n | where Role.Name == \"name\"\n | mv-expand Role = Fields\n | extend RoleCreateTime = TimeGenerated, RoleId = tostring(Role.Value)\n | where Role.Name == \"roleid\"\n | join kind=inner (\n DataverseActivity\n | where Message == \"Associate\" and EntityName == \"systemuser\"\n | mv-expand Role = Fields\n | where Role.Name == \"role\"\n | extend RoleMemberAddedTime = TimeGenerated, MemberAddedRoleId = tostring(Role.Value))\n on $left.RoleId == $right.MemberAddedRoleId, InstanceUrl, UserId\n | where RoleMemberAddedTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));\nlet remove_role_member_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Disassociate\" and EntityName == \"systemuser\"\n | mv-expand Role = Fields\n | where Role.Name == \"role\"\n | extend ActionTime = TimeGenerated, MemberRemovedRoleId = tostring(Role.Value);\nlet role_delete_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Delete\" and EntityName == \"role\"\n | extend DeletedRoleID = EntityId, Action = \"Role deleted within defined time window\"\n | project Action, ActionTime = TimeGenerated, UserId, ClientIp, DeletedRoleID, InstanceUrl;\nlet role_member_removals = role_create_add_events\n | join kind=inner (remove_role_member_events) on $left.RoleId == $right.MemberRemovedRoleId\n | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period))\n | extend Action = \"Role membership removed within defined time window\";\nlet role_deletions = role_create_add_events\n | join kind=inner (role_delete_events) on $left.RoleId == $right.DeletedRoleID\n | where ActionTime between (RoleCreateTime .. 
(RoleCreateTime + role_create_watch_period));\nunion isfuzzy=true role_member_removals, role_deletions\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n UserId,\n InstanceUrl,\n ClientIp,\n Action,\n RoleCreateTime,\n RoleName,\n ActionTime,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1404",
+ "T1626",
+ "T1548"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "The following action ocurred following role modifications changes in {{InstanceUrl}}: {{Action}}.",
+ "alertDisplayNameFormat": "Dataverse - suspicious role modifications in {{InstanceUrl}}",
+ "alertSeverityColumnName": "Severity"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 26",
+ "parentId": "[variables('analyticRuleObject26').analyticRuleId26]",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Suspicious security role modifications",
+ "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]",
+ "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Suspicious use of TDS endpoint_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment.",
+ "displayName": "Dataverse - Suspicious use of TDS endpoint",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == 'ExecutePowerBISql'\n| summarize FirstEvent = min(TimeGenerated) by UserId, ClientIp, InstanceUrl\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated >= ago(query_lookback)\n | where Message == 'ExecutePowerBISql'\n | summarize UniqueUsers = dcount(UserId, 4) by InstanceUrl)\n on InstanceUrl\n| where UniqueUsers == 1\n| join kind=inner (\n SecurityAlert\n | where Entities has ('\"Type\":\"ip\"')\n | project AlertName, SystemAlertId, Entities\n | mv-expand todynamic(Entities)\n | where Entities.Type == \"ip\"\n | extend IPAddress = tostring(Entities.Address)\n | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by IPAddress)\n on $left.ClientIp == $right.IPAddress\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| join kind = inner (\n SecurityAlert\n | where Entities has ('Type\":\"account\"')\n | project AlertName, SystemAlertId, Entities\n | mv-expand todynamic(Entities)\n | where Entities.Type == \"account\"\n | extend\n UPNSuffix = tostring(Entities.UPNSuffix),\n AccountName = tostring(Entities.Name)\n | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by AccountName, UPNSuffix\n | where isnotempty(AccountName) and isnotempty(UPNSuffix))\n on AccountName, UPNSuffix\n| summarize SystemAlerts = make_set(SystemAlerts, 100), Alerts = make_set(Alerts, 100) by FirstEvent, UserId, ClientIp, InstanceUrl, AccountName, UPNSuffix\n| extend CloudAppId = int(32780)\n| project\n FirstEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n Alerts,\n SystemAlerts,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectoryIdentityProtection",
+ "dataTypes": [
+ "SecurityAlert"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration",
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1048",
+ "T1190"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "The TDS endpoint was used to query Dataverse instance {{InstanceUrl}} . The use of this protocol was not seen previously and the following alerts were associated with the caller: {{Alerts}}",
+ "alertDisplayNameFormat": "Dataverse - Suspicious use of TDS endpoint in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 27",
+ "parentId": "[variables('analyticRuleObject27').analyticRuleId27]",
+ "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject27').analyticRuleVersion27]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Suspicious use of TDS endpoint",
+ "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]",
+ "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]",
+ "version": "[variables('analyticRuleObject27').analyticRuleVersion27]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Suspicious use of Web API_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies sign-in across multiple Dataverse environments, breaching a predefined threshold, originating from a user with IP address that was used to sign-into the well known Microsoft Entra app registration.",
+ "displayName": "Dataverse - Suspicious use of Web API",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nlet query_lookback = 24h;\n// AppID of the multi-tenant Dynamics 365 Example Client Application\nlet well_known_app_id = \"51f81489-12ee-4a9e-aaae-a2591f45987d\";\nlet environment_count_threshold = 10;\nSigninLogs\n| where TimeGenerated >= ago(query_lookback)\n// Comment out the line below to monitor activity from all Azure AD apps\n| where AppId == well_known_app_id\n| where ResourceIdentity == '00000007-0000-0000-c000-000000000000'\n| summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName\n| join kind=inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp\n| where TimeGenerated between (FirstSeen .. (FirstSeen + 2h))\n| summarize InstanceCount = dcount(InstanceUrl, 4), FirstSeen = min(FirstSeen) by UserId, ClientIp, InstanceUrl, AppDisplayName, AppId\n| where InstanceCount > environment_count_threshold\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstSeen,\n UserId,\n ClientIp,\n AppDisplayName,\n AppId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "SigninLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Exfiltration",
+ "Reconnaissance",
+ "Discovery"
+ ],
+ "techniques": [
+ "T1106",
+ "T1567",
+ "T1595",
+ "T1526",
+ "T1580"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} sign-in activity generated in {{InstanceUrl}}. The app used was a well known multi-tenant app not owned or registered by the organization.",
+ "alertDisplayNameFormat": "Dataverse - Suspicious Web API sign-in activity"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 28",
+ "parentId": "[variables('analyticRuleObject28').analyticRuleId28]",
+ "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject28').analyticRuleVersion28]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Suspicious use of Web API",
+ "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]",
+ "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]",
+ "version": "[variables('analyticRuleObject28').analyticRuleVersion28]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - TI map IP to DataverseActivity_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence.",
+ "displayName": "Dataverse - TI map IP to DataverseActivity",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP)\n or isnotempty(EmailSourceIpAddress)\n or isnotempty(NetworkDestinationIP)\n or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false\n and TI_ipEntity !startswith \"fe80\"\n and TI_ipEntity !startswith \"::\"\n and TI_ipEntity !startswith \"127.\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DataverseActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIp)\n //Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(ClientIp) == false\n and ClientIp !startswith \"fe80\"\n and ClientIp !startswith \"::\"\n and ClientIp !startswith \"127.\"\n // renaming time column so it is clear the log this came from\n | extend DataverseActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.ClientIp\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated = 
arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, ClientIp\n| project DataverseActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIp, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, InstanceUrl, UserId\n| extend\n timestamp = DataverseActivity_TimeGenerated,\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[0]),\n CloudAppId = int(32780)\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligenceTaxii",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftDefenderThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligenceTaxii",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftDefenderThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "LateralMovement",
+ "Discovery"
+ ],
+ "techniques": [
+ "T1078",
+ "T1199",
+ "T1133",
+ "T0886",
+ "T0859",
+ "T1428",
+ "T1021",
+ "T1210",
+ "T1526",
+ "T1580"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "Url",
+ "identifier": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Malicous IP {{ClientIp}} was found in {{InstanceUrl}} . User affected is {{UserId}}",
+ "alertDisplayNameFormat": "Dataverse - TI map IP in {{InstanceUrl}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 29",
+ "parentId": "[variables('analyticRuleObject29').analyticRuleId29]",
+ "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject29').analyticRuleVersion29]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - TI map IP to DataverseActivity",
+ "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]",
+ "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]",
+ "version": "[variables('analyticRuleObject29').analyticRuleVersion29]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - TI map URL to DataverseActivity_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.",
+ "displayName": "Dataverse - TI map URL to DataverseActivity",
+ "enabled": false,
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(Url)\n| join kind=innerunique (\n DataverseActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where Message in (\"Create\", \"Update\")\n | where isnotempty(Fields) and Fields has \"http\"\n | extend\n ExtractedUrls = extract_all(\"(http[s]?://(?:[a-zA-Z\\\\.-]|[0-9])+)\", tostring(Fields)),\n DataverseActivity_TimeGenerated = TimeGenerated\n | mv-expand Url = ExtractedUrls\n | project\n DataverseActivity_TimeGenerated,\n tostring(Url),\n UserId,\n ClientIp,\n InstanceUrl,\n EntityName\n )\n on Url\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n DataverseActivity_TimeGenerated,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n ExpirationDateTime,\n ConfidenceScore,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix,\n Url\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligenceTaxii",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftDefenderThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligenceTaxii",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftDefenderThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": [
+ "T1566",
+ "T1456",
+ "T1474",
+ "T0819",
+ "T0865",
+ "T0862",
+ "T0863",
+ "T1204",
+ "T1574",
+ "T0873"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "Url",
+ "identifier": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Malicous IP {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}",
+ "alertDisplayNameFormat": "Dataverse - TI match on URL in {{InstanceUrl}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 30",
+ "parentId": "[variables('analyticRuleObject30').analyticRuleId30]",
+ "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject30').analyticRuleVersion30]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - TI map URL to DataverseActivity",
+ "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]",
+ "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]",
+ "version": "[variables('analyticRuleObject30').analyticRuleVersion30]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Terminated employee exfiltration over email_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This query identifies Dataverse exfiltration via email by terminated employees.",
+ "displayName": "Dataverse - Terminated employee exfiltration over email",
+ "enabled": false,
+ "query": "// Note this detection relies upon the user's UPN matching their email address.\n// UEBA can provide more accurate data if enabled.\nlet query_frequency = 1h;\nlet allowed_destination_smtp_domains = dynamic([\n// Specify a list of recipient domains to exclude from alerting.\n// Example:\n// \"microsoft.com\", \"contoso.com\"\n ]);\nlet exfiltration_alert_users = SecurityAlert\n | where Tactics has 'Exfiltration' and Entities has_all ('account', '32780')\n | mv-expand DataverseEntities = todynamic(Entities)\n | where DataverseEntities.AppId == 32780\n | extend InstanceUrl = tostring(DataverseEntities.InstanceName)\n | mv-expand AccountEntities = todynamic(Entities)\n | where AccountEntities.Type == 'account'\n | extend\n AccountName = tostring(AccountEntities.Name),\n UPNSuffix = tostring(AccountEntities.UPNSuffix)\n | summarize InstanceUrls = make_set(InstanceUrl, 100) by AccountName, UPNSuffix\n | extend UserId = tolower(strcat(AccountName, \"@\", UPNSuffix));\nexfiltration_alert_users\n| join kind=inner (\n MSBizAppsTerminatedEmployees\n | project UserId = tolower(UserPrincipalName), NotificationDate\n | where startofday(NotificationDate) <= startofday(now()))\n // Uncomment the below KQL if UEBA is available to gain more accurate\n // email address data:\n // | join kind=leftouter (_ASIM_IdentityInfo) on $left.UserId == $right.Username\n // | extend UserId = iif(UserId == UserMailAddress or isempty(UserMailAddress), UserId, UserMailAddress))\n on UserId\n| join kind=inner (\n EmailEvents\n | where TimeGenerated >= ago (query_frequency)\n | where EmailDirection == \"Outbound\" and AttachmentCount > 0\n | extend RecipientDomain = tolower(split(RecipientEmailAddress, '@')[1])\n | where RecipientDomain !in (allowed_destination_smtp_domains)\n | summarize\n RecipientAddresses = make_set(RecipientEmailAddress, 1000),\n Subject = make_set(Subject, 1000)\n by SenderAddress = tolower(SenderMailFromAddress), SenderIPv4)\n on $left.UserId == 
$right.SenderAddress\n| mv-expand InstanceUrl = InstanceUrls to typeof(string)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, \"@\")[0]),\n UPNSuffix = tostring(split(UserId, \"@\")[1])\n| project\n UserId,\n InstanceUrl,\n SenderIPv4,\n RecipientAddresses,\n Subject,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "MicrosoftThreatProtection",
+ "dataTypes": [
+ "EmailEvents"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectoryIdentityProtection",
+ "dataTypes": [
+ "SecurityAlert"
+ ]
+ },
+ {
+ "connectorId": "IdentityInfo",
+ "dataTypes": [
+ "IdentityInfo"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1639",
+ "T1567"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "SenderIPv4",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Departing or terminated user {{UserId}} was found to send email to external domains not on the allowed list: {{RecipientAddresses}}",
+ "alertDisplayNameFormat": "Email attachment sent externally by terminated user following Dataverse exfiltration alerts"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 31",
+ "parentId": "[variables('analyticRuleObject31').analyticRuleId31]",
+ "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject31').analyticRuleVersion31]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Terminated employee exfiltration over email",
+ "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]",
+ "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]",
+ "version": "[variables('analyticRuleObject31').analyticRuleVersion31]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Terminated employee exfiltration to USB drive_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives.",
+ "displayName": "Dataverse - Terminated employee exfiltration to USB drive",
+ "enabled": false,
+ "query": "let drive_mount_lookback = 14d;\nlet query_frequency = 1h;\nDataverseActivity\n| distinct InstanceUrl\n| join kind=inner (DeviceFileEvents\n | where TimeGenerated >= ago(query_frequency))\n on $left.InstanceUrl == $right.FileOriginUrl\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.InitiatingProcessAccountUpn == $right.UserPrincipalName\n| join kind=inner (DeviceEvents\n | where TimeGenerated >= ago(drive_mount_lookback)\n | where ActionType == \"UsbDriveMounted\"\n | extend DriveLetter = tostring(AdditionalFields.DriveLetter)\n | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)\n on DeviceId\n| extend TargetDriveLetter = tostring(split(FolderPath, \"\\\\\")[0])\n| where set_has_element(MountedDriveLetters, TargetDriveLetter)\n| join kind=inner (DeviceInfo\n | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)\n on DeviceId\n| project-rename\n UserId = UserPrincipalName\n| summarize LatestEvent = arg_max(TimeGenerated, *), Files = make_set(FileName, 100) by UserId, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n PublicIP,\n Files,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftThreatProtection",
+ "dataTypes": [
+ "DeviceInfo",
+ "DeviceEvents",
+ "DeviceFileEvents"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1052"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "PublicIP",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {},
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} , on the TerminatedUsers watchlist, was found to copy files to a USB mounted drive.",
+ "alertDisplayNameFormat": "Dataverse - terminated user copied files from {{InstanceUrl}} to USB"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 32",
+ "parentId": "[variables('analyticRuleObject32').analyticRuleId32]",
+ "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject32').analyticRuleVersion32]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Terminated employee exfiltration to USB drive",
+ "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]",
+ "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]",
+ "version": "[variables('analyticRuleObject32').analyticRuleVersion32]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies previously unseen IP and user agents in a Dataverse instance following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack",
+ "displayName": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet cookie_lifetime = 24h;\nlet cookie_binding_disabled_events = DataverseActivity\n | where TimeGenerated >= ago(query_lookback)\n | where Message == \"Update\" and EntityName == \"organization\"\n | mv-expand Fields\n | where Fields.Name == \"enableipbasedcookiebinding\" and Fields.Value == 'False'\n | summarize CookieBindingDisabled = min(TimeGenerated) by CookieBindingDisabledBy = UserId, InstanceUrl;\nlet current_activity = cookie_binding_disabled_events\n | join kind=inner(DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId !endswith \"@microsoft.com\"\n | where isnotempty(ClientIp) and isnotempty(UserAgent)\n | where TimeGenerated >= ago(query_frequency + cookie_lifetime)\n | summarize LatestEvent = arg_max(TimeGenerated, *) by UserId, ClientIp, InstanceUrl)\n on InstanceUrl;\nlet users_switched_ip = current_activity\n | summarize IPCount = count() by UserId, InstanceUrl\n | where IPCount > 1\n | join kind=inner (current_activity) on UserId, InstanceUrl\n | summarize arg_max(LatestEvent, *) by UserId, InstanceUrl;\nusers_switched_ip\n| join kind = inner (DataverseActivity\n | where TimeGenerated >= ago (query_lookback)\n | where UserId !endswith \"@onmicrosoft.com\" and UserId !endswith \"@microsoft.com\"\n | where isnotempty(ClientIp) and isnotempty(UserAgent)\n | project-rename\n HistoricalTime = TimeGenerated,\n HistoricalIP = ClientIp,\n HistoricalAgent = UserAgent)\n on UserId, InstanceUrl\n| where HistoricalTime >= ago(query_lookback) and HistoricalTime < LatestEvent\n| summarize\n HistoricalIPs = make_set(HistoricalIP, 100),\n HistoricalAgents = make_set(HistoricalAgent, 100)\n by\n UserId,\n UserAgent,\n ClientIp,\n InstanceUrl,\n LatestEvent,\n CookieBindingDisabled,\n CookieBindingDisabledBy\n| where (HistoricalIPs !has ClientIp) and (HistoricalAgents !has UserAgent)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n 
UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n ClientIp,\n UserAgent,\n InstanceUrl,\n HistoricalIPs,\n HistoricalAgents,\n CookieBindingDisabled,\n CookieBindingDisabledBy,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1629"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "ClientIp",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {},
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "IP address-based cookie binding was disabled by in {{InstanceUrl}}. Following this, sign-in events from new IP {{ClientIp}} for {{UserId}} were detected.",
+ "alertDisplayNameFormat": "Dataverse - Unusual sign-in after IP address-based cookie binding disabled"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 33",
+ "parentId": "[variables('analyticRuleObject33').analyticRuleId33]",
+ "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject33').analyticRuleVersion33]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection",
+ "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]",
+ "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]",
+ "version": "[variables('analyticRuleObject33').analyticRuleVersion33]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - User bulk retrieval outside normal activity_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks.",
+ "displayName": "Dataverse - User bulk retrieval outside normal activity",
+ "enabled": false,
+ "query": "let baseline_time = 14d;\nlet detection_time = 1d;\nDataverseActivity\n| where TimeGenerated between(ago(baseline_time) .. ago(detection_time - 1d))\n| where Message == \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend HistoricalBaseline = sum_QueryCount\n| join kind=inner (\n DataverseActivity\n | where TimeGenerated > ago(detection_time)\n | where Message == \"RetrieveMultiple\"\n | extend numQueryCount = todouble(QueryResults)\n | extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n | summarize sum(QueryCount) by UserId\n | extend CurrentExportRate = sum_QueryCount)\n on UserId\n| where CurrentExportRate > HistoricalBaseline\n| project UserId, HistoricalBaseline, CurrentExportRate\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated > ago(detection_time)\n | where Message == \"RetrieveMultiple\"\n | extend numQueryCount = todouble(QueryResults)\n | extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1)))\n on UserId\n| summarize\n QuerySizes = make_set(QueryCount),\n MostRecentQuery = max(TimeGenerated),\n IPs = make_set(ClientIp),\n UserAgents = make_set(UserAgent),\n Entities = make_set(EntityName),\n Queries = make_set(Query)\n by UserId, InstanceUrl, HistoricalBaseline, CurrentExportRate\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n MostRecentQuery,\n UserId,\n IPs,\n UserAgents,\n InstanceUrl,\n 
Queries,\n QuerySizes,\n Entities,\n HistoricalBaseline,\n CurrentExportRate,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dataverse",
+ "dataTypes": [
+ "DataverseActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T1048"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "InstanceUrl",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {},
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{UserId}} exported {{CurrentExportRate}} records, far beyond the historical baseline of {{{HistoricalBaseline}}.",
+ "alertDisplayNameFormat": "Dataverse - Bulk record retrieval outside of normal activity"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 34",
+ "parentId": "[variables('analyticRuleObject34').analyticRuleId34]",
+ "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject34').analyticRuleVersion34]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Dataverse - User bulk retrieval outside normal activity",
+ "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]",
+ "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]",
+ "version": "[variables('analyticRuleObject34').analyticRuleVersion34]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "F&O - Bank account change following network alias reassignment_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number.",
+ "displayName": "F&O - Bank account change following network alias reassignment",
+ "enabled": false,
+ "query": "let query_frequency = 15m;\nFinanceOperationsActivity_CL\n| where LogType == \"Update\" and TableName == \"UserInfo\"\n| extend UserId = tostring(parse_json(tostring(FormattedData.[\"03::id\"])).NewData)\n| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))\n| extend\n CurrentAlias = tostring(NetworkAlias.NewData),\n PreviousAlias = tostring(NetworkAlias.OldData)\n| where CurrentAlias != PreviousAlias\n| extend\n AliasUpdated = LogCreatedDateTime,\n AliasChangedBy = Username\n| join kind=inner(FinanceOperationsActivity_CL\n | where TimeGenerated >= ago (query_frequency)\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum\n | extend BankUpdated = LogCreatedDateTime)\n on $left.UserId == $right.Username\n| where BankUpdated > AliasUpdated\n| extend\n FinOpsAppId = 32780,\n AccountName = tostring(split(CurrentAlias, \"@\")[0]),\n UPNSuffix = tostring(split(CurrentAlias, \"@\")[1])\n| project\n AliasUpdated,\n AliasChangedBy,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n CurrentAlias,\n PreviousAlias,\n FinOpsAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT15M",
+ "queryPeriod": "P1D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dynamics365Finance",
+ "dataTypes": [
+ "FinanceOperationsActivity_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "LateralMovement",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1556",
+ "T0859",
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AliasChangedBy",
+ "identifier": "FullName"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "Username",
+ "identifier": "FullName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A user account alias was reassigned for {{Username}} by {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.",
+ "alertDisplayNameFormat": "F&O - Suspicious bank account changes"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 35",
+ "parentId": "[variables('analyticRuleObject35').analyticRuleId35]",
+ "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject35').analyticRuleVersion35]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "F&O - Bank account change following network alias reassignment",
+ "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]",
+ "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]",
+ "version": "[variables('analyticRuleObject35').analyticRuleVersion35]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "F&O - Mass update or deletion of user records_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds.",
+ "displayName": "F&O - Mass update or deletion of user records",
+ "enabled": false,
+ "query": "// Set threshold for number of updated or deleted records\nlet update_detection_threshold = 50;\nlet deleted_detection_threshold = 10;\nFinanceOperationsActivity_CL\n| where TableName == \"UserInfo\" and LogType in (\"Update\", \"Delete\")\n| summarize\n TotalEvents = count(),\n StartTime = min(LogCreatedDateTime),\n EndTime = max(LogCreatedDateTime)\n by TableName, Username, LogType\n| where (LogType == \"Update\" and TotalEvents > update_detection_threshold) or (LogType == \"Delete\" and TotalEvents > deleted_detection_threshold)\n| extend FinOpsAppId = 32780\n| project StartTime, EndTime, Username, LogType, TableName, TotalEvents, FinOpsAppId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dynamics365Finance",
+ "dataTypes": [
+ "FinanceOperationsActivity_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1485",
+ "T1565",
+ "T1491"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "Username",
+ "identifier": "FullName"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "FinOpsAppId",
+ "identifier": "AppId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{TotalEvents}} user records deleted in F&O by user {{Username}}",
+ "alertDisplayNameFormat": "F&O - many user account records deleted"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 36",
+ "parentId": "[variables('analyticRuleObject36').analyticRuleId36]",
+ "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject36').analyticRuleVersion36]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "F&O - Mass update or deletion of user records",
+ "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]",
+ "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]",
+ "version": "[variables('analyticRuleObject36').analyticRuleVersion36]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "F&O - Non-interactive account mapped to self or sensitive privileged user_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account.",
+ "displayName": "F&O - Non-interactive account mapped to self or sensitive privileged user",
+ "enabled": false,
+ "query": "// Add sensitive privilege accounts to the privileged_user_accounts variable.\n// Example: let privileged_user_accounts = dynamic([\"Admin1\", \"Admin\"]);\nlet privileged_user_accounts = dynamic([]);\nFinanceOperationsActivity_CL\n| where TableName == \"SysAADClientTable\" and LogType in (\"Insert\", \"Update\")\n| extend ClientId = tostring(parse_json(tostring(FormattedData.[\"03::AADClientId\"])).NewData)\n| extend User = parse_json(tostring(FormattedData.UserId))\n| extend\n MappedUser = tostring(User.NewData),\n PreviousUserId = tostring(User.OldData),\n TargetAppName = tostring(parse_json(tostring(FormattedData.Name)).NewData),\n FinOpsAppId = 32780\n| where MappedUser in (privileged_user_accounts) or LogCreatedBy == MappedUser\n| project\n LogCreatedDateTime,\n LogCreatedBy,\n LogType,\n TargetAppName,\n MappedUser,\n PreviousUserId,\n ClientId,\n FinOpsAppId\n",
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dynamics365Finance",
+ "dataTypes": [
+ "FinanceOperationsActivity_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1556",
+ "T1098",
+ "T1136",
+ "T1078",
+ "T0859"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "LogCreatedBy",
+ "identifier": "FullName"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "ClientId",
+ "identifier": "AadUserId"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "FinOpsAppId",
+ "identifier": "AppId"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "MappedUser",
+ "identifier": "FullName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User account {{LogCreatedBy}} mapped an Azure AD App to senstitive privileged user account {{MappedUser}}. The associated Azure AD client ID is {{ClientId}}",
+ "alertDisplayNameFormat": "F&O - Sensitive non-interactive user mapping detected"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 37",
+ "parentId": "[variables('analyticRuleObject37').analyticRuleId37]",
+ "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject37').analyticRuleVersion37]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "F&O - Non-interactive account mapped to self or sensitive privileged user",
+ "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]",
+ "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]",
+ "version": "[variables('analyticRuleObject37').analyticRuleVersion37]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "F&O - Reverted bank account number modifications_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later.",
+ "displayName": "F&O - Reverted bank account number modifications",
+ "enabled": false,
+ "query": "let detection_window = 24h;\nlet query_frequency = 15m;\nlet bank_changes = FinanceOperationsActivity_CL\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum;\nbank_changes\n| join kind=inner (bank_changes\n | where TimeGenerated >= ago(query_frequency)\n | project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)\n on $left.OldAccountNum == $right.UpdatedAccount\n| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))\n| extend FinOpsAppId = 32780\n| project\n TimeGenerated,\n LogCreatedDateTime,\n LogType,\n TableName,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n FinOpsAppId\n",
+ "queryFrequency": "PT15M",
+ "queryPeriod": "P1D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Dynamics365Finance",
+ "dataTypes": [
+ "FinanceOperationsActivity_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1565",
+ "T1496",
+ "T0828",
+ "T0831"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "Username",
+ "identifier": "FullName"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "FinOpsAppId",
+ "identifier": "AppId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A suspicous bank account change was made in F&O, the bank account number was updated and then changed back to the orginal number a short time later. {{AccountId}} was changed by {{Username}}",
+ "alertDisplayNameFormat": "F&O - Suspicious bank account number changes"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 38",
+ "parentId": "[variables('analyticRuleObject38').analyticRuleId38]",
+ "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject38').analyticRuleVersion38]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "F&O - Reverted bank account number modifications",
+ "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
+ "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]",
+ "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "F&O - Unusual sign-in activity using single factor authentication_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies sucessful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.",
+ "displayName": "F&O - Unusual sign-in activity using single factor authentication",
+ "enabled": false,
+ "query": "// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\n// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000\nlet appid_list = dynamic([\"913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\", \"00000015-0000-0000-c000-000000000000\"]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_sign_in_activity = SigninLogs\n | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));\nlet historical_sign_in_locations = historical_sign_in_activity\n | summarize by Location;\nlet multifactor_sign_in_count = toscalar(historical_sign_in_activity\n | where AppId in (appid_list) and ResultType == 0\n | where AuthenticationRequirement == \"multiFactorAuthentication\"\n | summarize count());\nSigninLogs\n| where TimeGenerated >= ago(query_frequency)\n| where AppId in (appid_list) and ResultType == 0\n| where multifactor_sign_in_count > 0\n| where Location !in (historical_sign_in_locations)\n| where NetworkLocationDetails !has \"trustedNamedLocation\"\n| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location\n| extend\n CloudAppId = 32780,\n AccountName = tostring(split(UserPrincipalName, \"@\")[0]),\n UPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n| project\n UserPrincipalName,\n AppDisplayName,\n IPAddress,\n Location,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "SigninLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1552",
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPAddress",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.",
+ "alertDisplayNameFormat": "Dynamics 365 F&O - Unusual sign-in without multi-factor authentication"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 39",
+ "parentId": "[variables('analyticRuleObject39').analyticRuleId39]",
+ "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject39').analyticRuleVersion39]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "F&O - Unusual sign-in activity using single factor authentication",
+ "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
+ "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]",
+ "version": "[variables('analyticRuleObject39').analyticRuleVersion39]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Apps - App activity from unauthorized geo_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies Power Apps activity from countries in a predefined list of unauthorized countries.",
+ "displayName": "Power Apps - App activity from unauthorized geo",
+ "enabled": false,
+ "query": "let unauthorized_country_codes = dynamic([\n // Specify the disallowed two letter country codes\n // example: disallowed_country_codes = dynamic([\"RU\", \"KP\", \"IR\"])\n ]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet powerapps_events = dynamic([\"LaunchPowerApp\", \"AppDlpEvaluationResultChange\", \"UpdatePowerApp\", \"PublishPowerApp\", \"RecordScopesConsent\", \"CreatePowerApp\", \"PowerAppPermissionEdited\", \"PowerAppPermissionDeleted\", \"ImportExistingCanvasApp\", \"DeletePowerApp\", \"ImportNewCanvasApp\", \"PromotePowerAppVersion\", \"RemoveHeroApp\", \"DeletePowerAppVersion\", \"PublishSolutionCanvasAppVersion\", \"AdminModifyAppPermissions\", \"AdminModifyAppOwner\", \"AdminQuarantineApp\", \"AdminDeleteApp\", \"AdminSetAppBypassConsent\", \"PatchPowerApp\"]);\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (powerapps_events)\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend\n AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentName = extract(@'\"powerplatform.analytics.resource.environment.name\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| summarize FirstEvent = min(TimeGenerated) by ActorName, SrcIpAddr, AppName, AppId, EnvironmentId, EnvironmentName\n| join kind=inner (\n SigninLogs\n | where TimeGenerated >= ago(query_lookback)\n | where Location 
in (unauthorized_country_codes)\n | summarize by IPAddress, Location)\n on $left.SrcIpAddr == $right.IPAddress\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n FirstEvent,\n ActorName,\n SrcIpAddr,\n Location,\n AppName,\n AppId,\n EnvironmentId,\n EnvironmentName,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "SigninLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "PowerAppsEntityId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "AppName",
+ "identifier": "Name"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "App": "AppId",
+ "Environment": "EnvironmentId",
+ "EnvironmentName": "EnvironmentName"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}",
+ "alertDisplayNameFormat": "Power Apps activity from an unauthorized location"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 40",
+ "parentId": "[variables('analyticRuleObject40').analyticRuleId40]",
+ "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject40').analyticRuleVersion40]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Apps - App activity from unauthorized geo",
+ "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
+ "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]",
+ "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Apps - Bulk sharing of Power Apps to newly created guest users_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users.",
+ "displayName": "Power Apps - Bulk sharing of Power Apps to newly created guest users",
+ "enabled": false,
+ "query": "////////////\n// threshold = If the number of unique accounts that a power app is shared with is greater than\n// threshold than it'll trigger an alert. A threshold of 5 is good to start with.\n// However, if this is giving too many false positives, please adjust the threshold.\n////////////\nlet threshold = 5;\n////////////\n// Please replace the allowed_domains with a list of domains of your partners/sibling orgs\n// with whom you generally share power apps with. This will allow us to filter\n// legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.\n///////////\nlet allowed_domains = pack_array(\"contoso.com\");\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType == \"PowerAppPermissionEdited\"\n| extend Properties = tostring(PropertyCollection)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend TargetPrincipalId = extract(@'\"targetuser.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| join kind=leftouter (\n AuditLogs\n | where ActivityDateTime >= ago(query_lookback)\n | where SourceSystem =~ \"Azure AD\" and OperationName == \"Invite external user\"\n | where Result =~ \"success\"\n | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])\n | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, \"@\")[1])\n | where not(InvitedOrgDomain has_any(allowed_domains))\n | extend\n InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),\n InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),\n InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),\n InvitedId = tostring(parse_json(TargetResources[0])['id'])\n | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, 
InvitedOrgDomain)\n on $left.TargetPrincipalId == $right.InvitedId\n| where isnotempty(InvitedId)\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n TargetedUsersCount=dcount(TargetPrincipalId),\n TargetedObjectIds = make_set(TargetPrincipalId, 1000),\n InvitedDomains = make_set(InvitedOrgDomain, 1000),\n InvitedEmailAddresses = make_set(InvitedEmail, 1000)\n by AppId, InvitedById, InvitedByUPN\n| extend\n PowerAppsEntityId = 27593,\n AccountName = tostring(split(InvitedByUPN, '@')[0]),\n UPNSuffix = tostring(split(InvitedByUPN, '@')[1])\n| project\n StartTime,\n EndTime,\n InvitedByUPN,\n InvitedById,\n InvitedDomains,\n InvitedEmailAddresses,\n TargetedUsersCount,\n TargetedObjectIds,\n AppId,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "AuditLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "ResourceDevelopment",
+ "InitialAccess",
+ "LateralMovement"
+ ],
+ "techniques": [
+ "T1587",
+ "T1566",
+ "T1534"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "PowerAppsEntityId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "AppId",
+ "identifier": "InstanceName"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "PowerAppsApp": "AppId"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{InvitedByUPN}} shared an app with {{TargetedUsersCount}} recently added guest user accounts that are not on the list of allowed partner domains. List of domain s {{InvitedDomains}}",
+ "alertDisplayNameFormat": "Power Apps - app shared with recently created external guest accounts"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 41",
+ "parentId": "[variables('analyticRuleObject41').analyticRuleId41]",
+ "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject41').analyticRuleVersion41]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Apps - Bulk sharing of Power Apps to newly created guest users",
+ "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
+ "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]",
+ "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Apps - Multiple apps deleted_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments.",
+ "displayName": "Power Apps - Multiple apps deleted",
+ "enabled": false,
+ "query": "let total_app_mass_delete_threshold = 25;\nlet cross_environment_delete_threshold = 10;\nlet query_frequency = 1h;\nlet app_delete_events = materialize(\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_frequency)\n | where EventOriginalType == \"DeletePowerApp\"\n | extend Properties = tostring(PropertyCollection)\n | extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n | extend EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n );\napp_delete_events\n| summarize AppCount = count(), EnvCount = dcount(EnvironmentId) by ActorName\n| where AppCount >= total_app_mass_delete_threshold or EnvCount >= cross_environment_delete_threshold\n| join kind=inner app_delete_events on ActorName\n| summarize\n Apps = make_set(AppId, 1000),\n Environments = make_set(EnvironmentId, 1000),\n StartTime = min(TimeGenerated)\n by AppCount, EnvCount, ActorName\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n StartTime,\n ActorName,\n AppCount,\n Apps,\n EnvCount,\n Environments,\n PowerAppsEntityId,\n DataverseId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P7D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1485",
+ "T0826"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "PowerAppsEntityId",
+ "identifier": "AppId"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "AppDeleteCount": "AppCount",
+ "AppsDeleted": "Apps",
+ "EnvironmentsCount": "EnvCount",
+ "EnvironmentsImpacted": "Environments"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{AppCount}} apps were deleted in {{EnvCount}} environments by {{ActorName}} , exceeding the mass delete threshold.",
+ "alertDisplayNameFormat": "Power Apps - mass deletion of apps"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 42",
+ "parentId": "[variables('analyticRuleObject42').analyticRuleId42]",
+ "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject42').analyticRuleVersion42]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Apps - Multiple apps deleted",
+ "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
+ "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]",
+ "version": "[variables('analyticRuleObject42').analyticRuleVersion42]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Apps - Multiple users access a malicious link after launching new app_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a chain of events, where a new Power App is created, followed by mulitple users launching the app within the detection window and clicking on the same malicious URL.",
+ "displayName": "Power Apps - Multiple users access a malicious link after launching new app",
+ "enabled": false,
+ "query": "// Define a threshold (distinct_user_launch_threshold) for\n// the minimum number of users who launched an app\n// to be in scope of this detection\nlet distinct_user_launch_threshold = 2;\n// Define a threshold for the minumum number of users\n// who clicked the same malicious link after launching the app\n// to be in scope of this detection\nlet distinct_user_url_click_threshold = 2;\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet new_app_creation_activity = materialize(\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_lookback)\n | where EventOriginalType == \"CreatePowerApp\"\n | extend Properties = tostring(PropertyCollection)\n | extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)\n | extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n | extend\n AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | project-rename\n AppCreatedTime = TimeGenerated,\n AppCreator = ActorName,\n AppCreatorIpAddr = SrcIpAddr\n );\nlet distinct_apps = new_app_creation_activity\n | distinct AppName;\nlet new_app_launch_activity = materialize(\n new_app_creation_activity\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_lookback)\n | where EventOriginalType == \"LaunchPowerApp\"\n | where PropertyCollection has_any (distinct_apps)\n | extend Properties = tostring(PropertyCollection)\n | extend AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties)\n 
| summarize FirstAppLaunchTime = min(TimeGenerated) by ActorName, AppName)\n on AppName\n | where FirstAppLaunchTime > AppCreatedTime\n );\nlet new_app_launch_users = new_app_launch_activity\n | summarize LaunchCount = dcount(ActorName) by AppName\n | where LaunchCount > distinct_user_launch_threshold\n | join kind=inner new_app_launch_activity on AppName\n | summarize\n by\n ActorName,\n FirstAppLaunchTime,\n AppName,\n AppId,\n EnvironmentId,\n AppCreator,\n AppCreatorIpAddr;\nlet detected_urls = union isfuzzy=true\n (\n SecurityAlert\n | where TimeGenerated >= ago (query_lookback)\n | where Entities has_cs '\"Type\":\"url\"'\n | mv-expand todynamic(Entities)\n | where tostring(Entities.Type) == \"url\"\n | project Url = tostring(Entities.Url), Source = \"SecurityAlert\"\n ),\n (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(query_lookback)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(isnotempty(Url))\n | project Url, Source = \"ThreatIntelligence\"\n )\n | summarize by Url, Source;\nlet url_click_events = materialize(\n union isfuzzy=true\n (\n UrlClickEvents\n | where TimeGenerated >= ago(query_frequency)\n | where isnotempty(ThreatTypes)\n | join kind=inner (new_app_launch_users) on $left.AccountUpn == $right.ActorName\n | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))\n | summarize by ActorName, Url, Source = \"MicrosoftDefender\"\n ),\n (\n _Im_WebSession\n | where TimeGenerated >= ago(query_frequency)\n | join kind=inner (new_app_launch_users) on $left.SrcUsername == $right.ActorName\n | join kind=inner (detected_urls) on Url\n | where TimeGenerated between (FirstAppLaunchTime .. 
(FirstAppLaunchTime + 1h))\n | summarize by ActorName, Url, Source\n )\n );\nlet distinct_url_click_events_count = toscalar(\n url_click_events\n | summarize DistinctUserCount = dcount(ActorName) by Url\n | where DistinctUserCount > distinct_user_url_click_threshold\n | summarize sum(DistinctUserCount)\n );\nurl_click_events\n| summarize DistinctUserCount = dcount(ActorName) by Url\n| where DistinctUserCount >= distinct_user_url_click_threshold\n| join kind=inner url_click_events on Url\n| join kind=inner (new_app_launch_users) on ActorName\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n FirstAppLaunchTime,\n AppCreator,\n AppName,\n AppId,\n ImpactedUser = ActorName,\n AccountName,\n UPNSuffix,\n EnvironmentId,\n Url,\n Source,\n PowerAppsEntityId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftThreatProtection",
+ "dataTypes": [
+ "UrlClickEvents"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligenceTaxii",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftDefenderThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "ThreatIntelligenceTaxii",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftDefenderThreatIntelligence",
+ "dataTypes": [
+ "ThreatIntelligenceIndicator"
+ ]
+ },
+ {
+ "connectorId": "MicrosoftThreatProtection",
+ "dataTypes": [
+ "UrlClickEvents"
+ ]
+ },
+ {
+ "connectorId": "AzureActiveDirectoryIdentityProtection",
+ "dataTypes": [
+ "SecurityAlert"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1189",
+ "T1566"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "PowerAppsEntityId",
+ "identifier": "AppId"
+ },
+ {
+ "columnName": "AppName",
+ "identifier": "InstanceName"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "Url",
+ "identifier": "Url"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AppCreator",
+ "identifier": "FullName"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ },
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "AppCreator": "AppCreator",
+ "Environment": "EnvironmentId",
+ "PowerAppsApp": "AppId",
+ "PowerAppsAppName": "AppName"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Multiple users opened a malicious link after launching app {{AppName}}. Click here to navigate to the Power Apps Portal to examine the app: https://make.powerapps.com/environments/{{EnvironmentId}}/apps",
+ "alertDisplayNameFormat": "Possible malicious app detected - {{AppName}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 43",
+ "parentId": "[variables('analyticRuleObject43').analyticRuleId43]",
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Apps - Multiple users access a malicious link after launching new app",
+ "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
+ "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Automate - Departing employee flow activity_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.",
+ "displayName": "Power Automate - Departing employee flow activity",
+ "enabled": false,
+ "query": "let query_frequency = 1h;\nPowerAutomateActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (\"CreateFlow\", \"EditFlow\")\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName\n| extend path = parse_url(FlowDetailsUrl).Path\n| extend EnvironmentId = tostring(split(path, \"/\")[2])\n| extend FlowId = tostring(split(path, \"/\")[-2])\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n PowerAutomateAppId = 27592,\n CloudAppId = 32780\n| project\n TimeGenerated,\n EventOriginalType,\n ActorName,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n PowerAutomateAppId,\n CloudAppId,\n FlowId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P7D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerAutomate",
+ "dataTypes": [
+ "PowerAutomateActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": [
+ "T1567",
+ "T1485",
+ "T1491",
+ "T0813",
+ "T0879",
+ "T0826"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "PowerAutomateAppId",
+ "identifier": "AppId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "Environment": "EnvironmentId",
+ "FlowDetails": "FlowId"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.",
+ "alertDisplayNameFormat": "PowerAutomate - Terminated user {{EventOriginalType}} detected"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 44",
+ "parentId": "[variables('analyticRuleObject44').analyticRuleId44]",
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Automate - Departing employee flow activity",
+ "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]",
+ "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Automate - Unusual bulk deletion of flow resources_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days.",
+ "displayName": "Power Automate - Unusual bulk deletion of flow resources",
+ "enabled": false,
+ "query": "// minThreshold: Minimum number of apps to be deleted to be considered an anomaly;\n// This is to prevent one-off isolated delete flow to be considered outlier.\n// The Min Threshold can be reduced or increased according to the traffic in the organization.\nlet minThreshold=10;\nlet interval = 1h;\nlet startTime = ago(14d);\nlet endTime = now();\nlet query_frequency = 1h;\nlet flow_deletion_events = PowerAutomateActivity\n | where TimeGenerated >= startTime\n | where EventOriginalType =~ \"DeleteFlow\"\n | extend IngestionTimeGenerated = TimeGenerated;\nflow_deletion_events\n| make-series DeletedFlowCount=count() on IngestionTimeGenerated from startTime to endTime step interval by ActorName, UserUpn, ActorUserId\n| extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(DeletedFlowCount)\n| mv-expand\n DeletedFlowCount to typeof(double),\n IngestionTimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n AnomalyScore to typeof(double),\n ExpectedUsage to typeof(long)\n| where IngestionTimeGenerated >= ago(query_frequency)\n| where Anomalies != 0 and DeletedFlowCount >= minThreshold\n| lookup (flow_deletion_events\n | where IngestionTimeGenerated >= ago(query_frequency))\n on ActorName, UserUpn, ActorUserId\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n PowerAutomateAppId = 27592\n| project\n TimeGenerated,\n ActorName,\n DeletedFlowCount,\n ExpectedUsage,\n Anomalies,\n AnomalyScore,\n AccountName,\n UPNSuffix,\n PowerAutomateAppId,\n UserUpn,\n ActorUserId\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerAutomate",
+ "dataTypes": [
+ "PowerAutomateActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact",
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1485",
+ "T0828",
+ "T1562"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "PowerAutomateAppId",
+ "identifier": "AppId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "DeletedFlowCount": "DeletedFlowCount"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User {{ActorName}} deleted {{DeletedFlowCount}} flows in the last hour, surpassing the bulk delete threshold. This is anomalous compared to the past 14 days.",
+ "alertDisplayNameFormat": "Power Automate - unusual bulk deletion of {{DeletedFlowCount}} flows"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 45",
+ "parentId": "[variables('analyticRuleObject45').analyticRuleId45]",
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Automate - Unusual bulk deletion of flow resources",
+ "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]",
+ "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Platform - Account added to privileged Microsoft Entra roles_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies changes to privileged directory roles impacting Power Platform:\n- Dynamics 365 Admins\n- Power Platform Admins\n- Fabric Admins",
+ "displayName": "Power Platform - Account added to privileged Microsoft Entra roles",
+ "enabled": false,
+ "query": "// 44367163-eba1-44c3-98af-f5787879f96a = Dynamics 365 Administrator\n// 11648597-926c-4cf3-9c36-bcebb0ba8dcc = Power Platform Administrator\n// a9ea8996-122f-4c74-9520-8edcd192826c = Fabric Administrator\nlet query_frequency = 1h;\nlet role_template_ids = dynamic([\"44367163-eba1-44c3-98af-f5787879f96a\", \"11648597-926c-4cf3-9c36-bcebb0ba8dcc\", \"a9ea8996-122f-4c74-9520-8edcd192826c\"]);\nlet monitored_activities = dynamic([\"Assign\", \"AssignGrantedRole\", \"AssignPermanentGrantedRole\", \"AssignPermanentEligibleRole\", \"RoleElevatedOutsidePimAlert\"]);\nAuditLogs\n| where TimeGenerated >= ago(query_frequency)\n| where Category == \"RoleManagement\"\n and TargetResources has_any (role_template_ids)\n and AADOperationType in (monitored_activities)\n and Identity != \"MS-PIM\"\n| extend\n UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),\n AadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id),\n IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),\n RoleName = tostring(TargetResources[0].displayName),\n UserAdded = tostring(TargetResources[2].userPrincipalName)\n| extend\n RoleName = iif(isempty(RoleName), tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue), RoleName),\n UserAdded = iif(isempty(UserAdded), tostring(parse_json(tostring(TargetResources[0].userPrincipalName))), UserAdded),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n Identity,\n UserPrincipalName,\n AadUserId,\n RoleName,\n OperationName,\n UserAdded,\n TargetResources,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "AuditLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1078",
+ "T1068",
+ "T1548"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "CloudAppId",
+ "identifier": "AppId"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A user {{UserAdded}} was added to one of the Power Platform administrative roles: {{{RoleName}}",
+ "alertDisplayNameFormat": "Power Platform - Account added to privileged role {{RoleName}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 46",
+ "parentId": "[variables('analyticRuleObject46').analyticRuleId46]",
+ "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject46').analyticRuleVersion46]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Platform - Account added to privileged Microsoft Entra roles",
+ "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]",
+ "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]",
+ "version": "[variables('analyticRuleObject46').analyticRuleVersion46]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Platform - Connector added to a sensitive environment_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.",
+ "displayName": "Power Platform - Connector added to a sensitive environment",
+ "enabled": false,
+ "query": "let sensitive_environment_id = dynamic([\n // Specify the list of sensitive power platform environment ID's to monitor here.\n // Example: \"10e72012-8886-41ec-b973-250286419b38\", \"183c7056-7ed0-426f-8ae6-69819cf72259\"\n ]);\nlet query_frequency = 11h;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago (query_frequency)\n| where EventOriginalType == \"PutConnection\"\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)\n| extend\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n ConnectionId = extract(@'\"powerplatform.analytics.resource.connection.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| where EnvironmentId in~ (sensitive_environment_id)\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n TimeGenerated,\n EventOriginalType,\n ActorName,\n SrcIpAddr,\n ConnectionId,\n EnvironmentId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P7D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Exfiltration"
+ ],
+ "techniques": [
+ "T0871",
+ "T1567",
+ "T1537"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "Connection": "ConnectionId",
+ "Environment": "EnvironmentId"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.",
+ "alertDisplayNameFormat": "New Power Platform connector added in a sensitive environment"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 47",
+ "parentId": "[variables('analyticRuleObject47').analyticRuleId47]",
+ "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject47').analyticRuleVersion47]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Platform - Connector added to a sensitive environment",
+ "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]",
+ "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]",
+ "version": "[variables('analyticRuleObject47').analyticRuleVersion47]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Platform - DLP policy updated or removed_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies changes to DLP policy, specifically policies which are updated or removed.",
+ "displayName": "Power Platform - DLP policy updated or removed",
+ "enabled": false,
+ "query": "let create_policy_ignore_time_window = 10m;\nlet query_frequency = 1h;\nlet dlp_policy_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_frequency)\n | where EventOriginalType == \"GovernanceApiPolicyOperation\"\n | where PropertyCollection has_any (\"DeleteDlpPolicy\", \"UpdateDlpPolicy\", \"CreateDlpPolicy\")\n | mv-expand PropertyCollection\n | extend\n Name = tostring(PropertyCollection.Name),\n Value = tostring(PropertyCollection.Value)\n | summarize Properties = make_bag(bag_pack(Name, Value))\n by\n TimeGenerated,\n EventOriginalUid\n | extend\n PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),\n EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),\n ActorName = tostring(Properties['enduser.principal_name']),\n PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),\n AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];\nlet delete_events = dlp_policy_events\n | where EventType == \"DeleteDlpPolicy\";\nlet update_events = dlp_policy_events\n | where EventType == \"UpdateDlpPolicy\";\nlet create_events = dlp_policy_events\n | where EventType == \"CreateDlpPolicy\"\n | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;\nunion\n delete_events,\n (update_events\n | join kind=leftouter (\n create_events\n | project-away TimeGenerated\n )\n on PolicyId\n | where isempty(ignore_time) or TimeGenerated > ignore_time\n | project-away ignore_time)\n| where TimeGenerated >= ago(query_frequency)\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n TimeGenerated,\n ActorName,\n EventType,\n PolicyName,\n PolicyId,\n AccountName,\n UPNSuffix,\n AdditionalInfo\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "PowerPlatformAdmin",
+ "dataTypes": [
+ "PowerPlatformAdminActivity"
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1480"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "Policy": "PolicyId",
+ "PolicyName": "PolicyName"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}",
+ "alertDisplayNameFormat": "PowerPlatform - DLP policy {{EventType}} event detected."
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 48",
+ "parentId": "[variables('analyticRuleObject48').analyticRuleId48]",
+ "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject48').analyticRuleVersion48]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Platform - DLP policy updated or removed",
+ "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]",
+ "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]",
+ "version": "[variables('analyticRuleObject48').analyticRuleVersion48]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Platform - Possibly compromised user accesses Power Platform services_AnalyticalRules Analytics Rule with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.",
+ "displayName": "Power Platform - Possibly compromised user accesses Power Platform services",
+ "enabled": false,
+ "query": "let power_automate_appid = \"6204c1d1-4712-4c46-a7d9-3ed63d992682\";\nlet power_apps_appid = \"a8f7a65c-f5ba-4859-b2d6-df772c264e9d\";\nlet ppac_appid = \"065d9450-1e87-434e-ac2f-69af271549ed\";\nlet query_frequency = 1h;\nSigninLogs\n| where ingestion_time() >= ago(query_frequency)\n| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0\n| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)\n| extend AffectedPlatform = case(\n AppId == ppac_appid,\n \"Power Platform Admin Center\",\n AppId == power_apps_appid,\n \"Power Apps\",\n AppId == power_automate_appid,\n \"Power Automate\",\n \"Unknown\"\n )\n| extend\n Severity = iif(AffectedPlatform in (\"Power Apps\", \"Power Automate\"), \"Medium\", \"High\"),\n CloudAppId = case(AffectedPlatform == \"Power Apps\", int(27593), AffectedPlatform == \"Power Automate\", int(27592), 0),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n UserId,\n UniqueTokenIdentifier,\n Identity,\n RiskEventTypes,\n RiskEventTypes_V2,\n UserPrincipalName,\n AppId,\n AppDisplayName,\n AffectedPlatform,\n IPAddress,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "AzureActiveDirectory",
+ "dataTypes": [
+ "SigninLogs"
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "LateralMovement"
+ ],
+ "techniques": [
+ "T1078",
+ "T1210"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountName",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPAddress",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "columnName": "AffectedPlatform",
+ "identifier": "Name"
+ },
+ {
+ "columnName": "AppId",
+ "identifier": "AppId"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "RiskEventTypes": "RiskEventTypes",
+ "RiskEventTypes_V2": "RiskEventTypes_V2"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}",
+ "alertDisplayNameFormat": "Risky user sign-in activity in {{{AffectedPlatform}} ",
+ "alertSeverityColumnName": "Severity"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Analytics Rule 49",
+ "parentId": "[variables('analyticRuleObject49').analyticRuleId49]",
+ "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject49').analyticRuleVersion49]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Power Platform - Possibly compromised user accesses Power Platform services",
+ "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]",
+ "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]",
+ "version": "[variables('analyticRuleObject49').analyticRuleVersion49]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Activity after Microsoft Entra alerts_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Activity after Microsoft Entra alerts",
+ "category": "Hunting Queries",
+ "query": "let match_window = 1h;\nlet analysis_window = 1d;\nlet lookback_window = 7d;\nSecurityAlert\n| where TimeGenerated > ago(analysis_window)\n| where ProviderName == 'IPC'\n| extend UserName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend UserName = tolower(UserName)\n| extend TimeKey = bin(TimeGenerated, match_window)\n| join kind=inner(DataverseActivity\n | where TimeGenerated > ago(analysis_window)\n | extend UserName = tolower(UserId)\n | extend TimeKey = bin(TimeGenerated, match_window))\n on UserName, TimeKey\n| join kind=leftanti(DataverseActivity\n | where TimeGenerated between(ago(lookback_window) .. ago(analysis_window))\n | extend UserName = tolower(UserId))\n on UserName, OriginalObjectId\n| summarize\n Actions = make_set(OriginalObjectId),\n MostRecentAction = max(TimeGenerated1),\n IPs = make_set(split(tostring(ClientIp), ':')[0]),\n AADAlerts=make_set(Description),\n MostRecentAlert = max(TimeGenerated)\n by UserName\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserName\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1078"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 1",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Activity after Microsoft Entra alerts",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Activity after failed logons_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_2",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Activity after failed logons",
+ "category": "Hunting Queries",
+ "query": "let threshold = 10;\nSigninLogs\n| where ResultType in (\"50125\", \"50140\", \"70043\", \"70044\")\n| summarize FailedSignInCount = count() by IPAddress\n| where FailedSignInCount >= threshold\n| join kind=inner (\n DataverseActivity\n | extend IPAddress = tostring(split(ClientIp, \":\")[0]))\n on IPAddress\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1078,T0819,T1078.004"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 2",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Activity after failed logons",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Cross-environment data export activity_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_3",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Cross-environment data export activity",
+ "category": "Hunting Queries",
+ "query": "//Modify environment_count_threshold to scale number of Dataverse instances to omit before including in results\nlet environment_count_threshold = 2;\nlet export_events = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nDataverseActivity\n| where Message in (export_events)\n| summarize InstanceCount = dcount(InstanceUrl) by UserId\n| where InstanceCount > environment_count_threshold\n| join kind=inner (DataverseActivity\n | where Message in (export_events))\n on UserId\n| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, InstanceCount, InstanceUrl, Message, ClientIp\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n UserId,\n Message,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity as users typically work on a small number of environments."
+ },
+ {
+ "name": "tactics",
+ "value": "Exfiltration,Collection"
+ },
+ {
+ "name": "techniques",
+ "value": "T1567,T1409"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 3",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Cross-environment data export activity",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Dataverse export copied to USB devices_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_4",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Dataverse export copied to USB devices",
+ "category": "Hunting Queries",
+ "query": "DataverseActivity\n| distinct InstanceUrl\n| join kind=inner (DeviceFileEvents)\n on $left.InstanceUrl == $right.FileOriginUrl\n| join kind=inner (DeviceEvents\n | where ActionType == \"UsbDriveMounted\"\n | extend DriveLetter = tostring(AdditionalFields.DriveLetter)\n | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)\n on DeviceId\n| extend TargetDriveLetter = tostring(split(FolderPath, \"\\\\\")[0])\n| where set_has_element(MountedDriveLetters, TargetDriveLetter)\n| join kind=inner (DeviceInfo\n | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)\n on DeviceId\n| summarize LatestEvent = arg_max(TimeGenerated, *) by FileName, UserId = InitiatingProcessAccountUpn, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n PublicIP,\n FolderPath,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to USB drive."
+ },
+ {
+ "name": "tactics",
+ "value": "Exfiltration"
+ },
+ {
+ "name": "techniques",
+ "value": "T1052,T1052.001"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 4",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Dataverse export copied to USB devices",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Generic client app used to access production environments_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_5",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Generic client app used to access production environments",
+ "category": "Hunting Queries",
+ "query": "SigninLogs\n| where AppId == \"51f81489-12ee-4a9e-aaae-a2591f45987d\"\n| where ResourceIdentity == \"00000007-0000-0000-c000-000000000000\"\n| project-rename SigninTime = TimeGenerated\n| where ResultType == 0\n| join kind=inner(DataverseActivity\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId\n| where TimeGenerated between (SigninTime .. (SigninTime + 1h))\n| summarize D365SigninTime = arg_min(TimeGenerated, *) by SigninTime, UserPrincipalName, IPAddress, UserAgent\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n SigninTime,\n D365SigninTime,\n UserPrincipalName,\n IPAddress,\n UserAgent,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This query detects the use of the built-in \"Dynamics 365 Example Application\" to access production environments. This generic app can not be restricted by Azure AD authorization controls and could be abused to gain unauthorized access via Web API."
+ },
+ {
+ "name": "tactics",
+ "value": "Execution"
+ },
+ {
+ "name": "techniques",
+ "value": "T1106,T0834"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 5",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Generic client app used to access production environments",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Identity management activity outside of privileged directory role membership_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_6",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Identity management activity outside of privileged directory role membership",
+ "category": "Hunting Queries",
+ "query": "let admin_role_names = dynamic(['Dynamics 365 Administrator', 'Power Platform Administrator', 'Global Administrator']);\nlet event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);\nlet excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);\nIdentityInfo\n| where TimeGenerated > ago(14d)\n| where array_length(AssignedRoles) > 0\n| mv-expand AssignedRoles\n| where AssignedRoles in (admin_role_names)\n| summarize by UserId = tolower(AccountUPN)\n| join kind=rightanti (DataverseActivity\n | where EntityName =~ 'systemuser' and Message in (event_types)\n | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId\n | where UserId !in (excluded_accounts))\n on UserId\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins"
+ },
+ {
+ "name": "tactics",
+ "value": "PrivilegeEscalation"
+ },
+ {
+ "name": "techniques",
+ "value": "T1078,T1078.004"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 6",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Identity management activity outside of privileged directory role membership",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse - Identity management changes without MFA_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_7",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Dataverse - Identity management changes without MFA",
+ "category": "Hunting Queries",
+ "query": "let event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);\nlet excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);\nSigninLogs\n| where AuthenticationRequirement == \"singleFactorAuthentication\"\n| where ResourceIdentity == \"00000007-0000-0000-c000-000000000000\" or AppId == \"00000007-0000-0000-c000-000000000000\"\n| where ResultType == 0\n| summarize by UserId = tolower(UserPrincipalName)\n| join kind=inner (DataverseActivity\n | where EntityName =~ 'systemuser' and Message in (event_types)\n | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId\n | where UserId !in (excluded_accounts))\n on UserId\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This query is used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA"
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1078,T0819,T1078.004"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 7",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Dataverse - Identity management changes without MFA",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users_HuntingQueries Hunting Query with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Microsoft_Business_Applications_Hunting_Query_8",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users",
+ "category": "Hunting Queries",
+ "query": "////////////\n// Please replace the allowed_domains with a list of domains of your partners/sibling orgs\n// with whom you generally share power apps with. This will allow us to filter\n// legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.\n///////////\nlet allowed_domains = pack_array(\"contoso.com\");\nlet start = ago(14d);\nlet end = now();\nlet interval = 1h;\nPowerPlatformAdminActivity\n| where EventOriginalType == \"PowerAppPermissionEdited\"\n| extend Properties = tostring(PropertyCollection)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend TargetPrincipalId = extract(@'\"targetuser.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend\n PowerAppsAppId = AppId\n| join kind=leftouter (AuditLogs\n | where ActivityDateTime >= ago(14d)\n | where SourceSystem =~ \"Azure AD\" and OperationName == \"Invite external user\"\n | where Result =~ \"success\"\n | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])\n | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, \"@\")[1])\n | where not(InvitedOrgDomain has_any(allowed_domains))\n | extend\n InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),\n InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),\n InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),\n InvitedId = tostring(parse_json(TargetResources[0])['id'])\n | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)\n on $left.TargetPrincipalId == $right.InvitedId\n| where isnotempty(InvitedId)\n| make-series counter=dcount(TargetPrincipalId) default=0 on TimeGenerated in range(start, end, interval) by PowerAppsAppId, InvitedById, InvitedByUPN\n| extend(Anomalies, AnomalyScore, ExpectedUsage) = 
series_decompose_anomalies(counter)\n| mv-expand\n counter to typeof(double),\n TimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n AnomalyScore to typeof(double),\n ExpectedUsage to typeof(long)\n| where Anomalies != 0\n| extend\n PowerAppsEntityId = 27593,\n AccountName = tostring(split(InvitedByUPN, '@')[0]),\n UPNSuffix = tostring(split(InvitedByUPN, '@')[1])\n| project\n TimeGenerated,\n ActualUsage=counter,\n ExpectedUsage,\n AnomalyScore,\n Anomalies,\n PowerAppsAppId,\n InvitedById,\n InvitedByUPN,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "The query detects anomalous attempts to perform bulk sharing of Power App to newly created guest users."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess,LateralMovement,ResourceDevelopment"
+ },
+ {
+ "name": "techniques",
+ "value": "T1566,T1534,T1587"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]",
+ "properties": {
+ "description": "Microsoft Business Applications Hunting Query 8",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '3.2.0')))]",
+ "version": "3.2.0"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Add-SharePoint-Site Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Add-SharePoint-Site",
+ "type": "string"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for resourceGroupName"
+ }
+ },
+ "subscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for subscriptionId"
+ }
+ },
+ "watchlistAlias": {
+ "type": "string",
+ "defaultValue": "MSBizApps-Configuration",
+ "metadata": {
+ "description": "Enter value for watchlistAlias"
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for workspaceId"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[[parameters('resourceGroupName')]"
+ },
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "[[parameters('subscriptionId')]"
+ },
+ "watchlistAlias": {
+ "type": "string",
+ "defaultValue": "[[parameters('watchlistAlias')]"
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "[[parameters('workspaceId')]"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Compose_Data": {
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "type": "Compose",
+ "inputs": {
+ "InstanceUrl": "@variables('InstanceUrl')",
+ "SharePointUrl": "@variables('SharePointSiteUrl')"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Terminate": {
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "TooManyEntities",
+ "message": "Found more than 2 entities in a single alert. Please ensure the Analytics Rule Event Grouping is set to: Trigger an alert for each event"
+ },
+ "runStatus": "Failed"
+ }
+ }
+ },
+ "runAfter": {
+ "Initialize_InstanceUrl": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(triggerBody()?['Entities'])",
+ 2
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each": {
+ "foreach": "@triggerBody()?['Entities']",
+ "actions": {
+ "Switch": {
+ "cases": {
+ "Case_Dataverse": {
+ "case": 32780,
+ "actions": {
+ "Set_SharePointSiteUrl": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "InstanceUrl",
+ "value": "@{items('For_each')?['InstanceName']}"
+ }
+ }
+ }
+ },
+ "Case_SharePoint": {
+ "case": 20892,
+ "actions": {
+ "Set_InstanceUrl": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "SharePointSiteUrl",
+ "value": "@{items('For_each')?['InstanceName']}"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@items('For_each')['AppId']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Condition": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_InstanceUrl": {
+ "runAfter": {
+ "Initialize_SharePointSiteUrl": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "InstanceUrl",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_SharePointSiteUrl": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "SharePointSiteUrl",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Watchlists_-_Add_a_new_Watchlist_Item": {
+ "runAfter": {
+ "Compose_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Category": "SharePoint",
+ "Data": "@string(outputs('Compose_Data'))"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent(parameters('watchlistAlias'))}/watchlistItem"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateName": "MS-BizApps-Add-SharePoint-Site",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Add SharePoint sites to watchlist",
+ "description": "This playbook is used to add new or updated SharePoint document management sites into the configuration watchlist. When combined with a scheduled analytics rule monitoring the Dataverse activity log, this Playbook will trigger when a new SharePoint document management site mapping is added. The site will be added to a watchlist to extend monitoring coverage.",
+ "prerequisites": [
+ "1. Collect the subscription ID, resource group name and workspace ID of the Sentinel workspace."
+ ],
+ "postDeployment": [
+ "1. Create a Sentinel automation rule to trigger this Playbook for the the Analytics Rule **Dataverse - SharePoint document management site added or updated**.",
+ "2. Configure Event Grouping settings for the Analytics rule to **Trigger an alert for each event**."
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId1')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Add-SharePoint-Site",
+ "contentProductId": "[variables('_playbookcontentProductId1')]",
+ "id": "[variables('_playbookcontentProductId1')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Blocklist-Add-User-AlertTrigger Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion2')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User-AlertTrigger",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[[parameters('GroupId')]"
+ }
+ },
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['Entities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Get_user": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "azuread": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[[variables('AzureadConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-AlertTrigger",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureadConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureadConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId2')]",
+ "contentId": "[variables('_playbookContentId2')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist (alert trigger)",
+ "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "2. Create a Conditional Access policy in Microsoft Entra.",
+ "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId2')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Blocklist-Add-User-AlertTrigger",
+ "contentProductId": "[variables('_playbookcontentProductId2')]",
+ "id": "[variables('_playbookcontentProductId2')]",
+ "version": "[variables('playbookVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Blocklist-Add-User-Via-Outlook Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion3')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User-Via-Outlook",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ },
+ "ToAlias": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for ToAlias"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]",
+ "_connection-4": "[[variables('connection-4')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[[parameters('GroupId')]"
+ },
+ "ToAlias": {
+ "type": "string",
+ "defaultValue": "[[parameters('ToAlias')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Condition_to_check_the_SOC_selected_option": {
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "User was added to CA block group in AAD: @{items('For_each')?['Name']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Add_user_to_group": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_4": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nError: @{body('Add_user_to_group')['error']['message']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@int(actionOutputs('Add_user_to_group').statusCode)",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the execution result of function"
+ },
+ "Get_user": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Send_email_with_options": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_3": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nSOC Action: Ignore
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Send_email_with_options')?['SelectedOption']",
+ "Approve"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Send_email_with_options": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "Message": {
+ "Body": " Incident Url: @{triggerBody()?['object']?['properties']?['incidentUrl']}
\n Incident#: @{triggerBody()?['object']?['properties']?['incidentNumber']}
\nUser Id: @{items('For_each')?['Name']}
\nThe account will be added to the CA block group in AAD.
\n",
+ "HideHTMLMessage": false,
+ "Importance": "High",
+ "Options": "Approve, Deny",
+ "ShowHTMLConfirmationDialog": false,
+ "Subject": "Dynamics 365 block user in Conditional Access",
+ "To": "@parameters('ToAlias')",
+ "UseOnlyHTMLMessage": true
+ },
+ "NotificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "path": "/mailwithoptions/$subscriptions"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[[variables('Office365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]"
+ },
+ "azuread": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[[variables('AzureadConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Outlook",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('Office365ConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('Office365ConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureadConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureadConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId3')]",
+ "contentId": "[variables('_playbookContentId3')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist using Outlook approval workflow",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using an Outlook based approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. An email address for SOC to receieve approval requests.",
+ "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "3. Create a Conditional Access policy in Microsoft Entra.",
+ "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playbook managed identity.",
+ "2. Authorize connection for Microsoft Entra.",
+ "3. Authorize connection for Microsoft Outlook."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId3')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Blocklist-Add-User-Via-Outlook",
+ "contentProductId": "[variables('_playbookcontentProductId3')]",
+ "id": "[variables('_playbookcontentProductId3')]",
+ "version": "[variables('playbookVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Blocklist-Add-User-Via-Teams Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion4')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User-Via-Teams",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ },
+ "TeamsChannelId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TeamsChannelId"
+ }
+ },
+ "TeamsGroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TeamsGroupId"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]",
+ "_connection-4": "[[variables('connection-4')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[[parameters('GroupId')]"
+ },
+ "TeamsChannelId": {
+ "type": "string",
+ "defaultValue": "[[parameters('TeamsChannelId')]"
+ },
+ "TeamsGroupId": {
+ "type": "string",
+ "defaultValue": "[[parameters('TeamsGroupId')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Condition_to_check_the_SOC_selected_option": {
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "User was added to CA block group in AAD: @{items('For_each')?['Name']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Add_user_to_group": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_3": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nError: @{body('Add_user_to_group')['error']['message']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@int(actionOutputs('Add_user_to_group').statusCode)",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the execution result of function"
+ },
+ "Get_user": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nSOC Action: Ignore
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']",
+ "Block user"
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the SOC action to remove the SkuIds"
+ },
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "body": {
+ "messageBody": " {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious Account - Azure Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible Comprised User detected by the provider\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Graph API Information:\",\n \"wrap\": true\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://1.bp.blogspot.com/-XRTHPrt7nR4/Xu9koskiFWI/AAAAAAAAGcY/SRKJLzVYSekWRZqd1Adyrg66-1eaghZmwCK4BGAsYHg/s191/graph-icon-1.png\",\n \"size\": \"Small\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Do you want to add the following account to the D365 Conditional Access Block list: @{items('For_each')?['Name']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n{\n \"type\": \"TextBlock\",\n \"text\": \"Click approve to authorize adding user to block list.\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": 
\"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Block user\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "recipient": {
+ "channelId": "@parameters('TeamsChannelId')"
+ },
+ "shouldUpdateCard": true
+ },
+ "notificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams']['connectionId']"
+ }
+ },
+ "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
+ "queries": {
+ "groupId": "@parameters('TeamsGroupId')"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "teams": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[[variables('TeamsConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]"
+ },
+ "azuread": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[[variables('AzureadConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Teams",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('TeamsConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('TeamsConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureadConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureadConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist using Teams approval workflow",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using a Teams adaptive card approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Teams group and channel ID to receive approval requests.",
+ "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "3. Create a Conditional Access policy in Microsoft Entra.",
+ "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra.",
+ "3. Authorize connection for Microsoft Teams."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId4')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Blocklist-Add-User-Via-Teams",
+ "contentProductId": "[variables('_playbookcontentProductId4')]",
+ "id": "[variables('_playbookcontentProductId4')]",
+ "version": "[variables('playbookVersion4')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Blocklist-Add-User Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion5')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[[parameters('GroupId')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "User was added to CA block group in AAD: @{items('For_each')?['Name']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Add_user_to_group": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nError: @{body('Add_user_to_group')['error']['message']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@int(actionOutputs('Add_user_to_group').statusCode)",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the execution result of function"
+ },
+ "Get_user": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "azuread": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[[variables('AzureadConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureadConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureadConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId5')]",
+ "contentId": "[variables('_playbookContentId5')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist (incident trigger)",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "2. Create a Conditional Access policy in Microsoft Entra.",
+ "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId5')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Blocklist-Add-User",
+ "contentProductId": "[variables('_playbookcontentProductId5')]",
+ "id": "[variables('_playbookcontentProductId5')]",
+ "version": "[variables('playbookVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Blocklist-Remove-User-AlertTrigger Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion6')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Remove-User-AlertTrigger",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[[parameters('GroupId')]"
+ }
+ },
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['Entities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Get_user": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ },
+ "Remove_Member_From_Group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "delete",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/@{encodeURIComponent(body('Get_user')?['id'])}/$ref"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "azuread": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[[variables('AzureadConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Remove-User-AlertTrigger",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureadConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureadConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId6')]",
+ "contentId": "[variables('_playbookContentId6')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Remove user from blocklist",
+ "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to remove affected user entitites from a pre-defined Microsoft Entra group used to block access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Object ID of the Microsoft Entra security group used to block access."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId6')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Blocklist-Remove-User-AlertTrigger",
+ "contentProductId": "[variables('_playbookcontentProductId6')]",
+ "id": "[variables('_playbookcontentProductId6')]",
+ "version": "[variables('playbookVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Dataverse-Send-Manager-Notification Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion7')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Send-Manager-Notification",
+ "type": "string"
+ },
+ "FallbackMailbox": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter email address for fallback mailbox"
+ }
+ },
+ "ManagerTypeIsD365": {
+ "type": "string",
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Leave as true to use Dynamics 365 manager or set to false for Office 365 manager"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]",
+ "Office365usersConnectionName": "[[concat('Office365users-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365users')]",
+ "_connection-4": "[[variables('connection-4')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "FallbackMailbox": {
+ "defaultValue": "[[parameters('FallbackMailbox')]",
+ "type": "string"
+ },
+ "ManagerTypeIsD365": {
+ "defaultValue": "[[parameters('ManagerTypeIsD365')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "For_each": {
+ "foreach": "@body('Parse_JSON')",
+ "actions": {
+ "Condition": {
+ "actions": {
+ "Set_variable": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "InstanceUrl",
+ "value": "@items('For_each')?['properties']?['instanceName']"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_each')['kind']",
+ "CloudApplication"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_variable": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "InstanceUrl",
+ "type": "string",
+ "value": "@{null}"
+ }
+ ]
+ }
+ },
+ "InstanceUrl_Exists": {
+ "actions": {
+ "ManagerTypeIsD365": {
+ "actions": {
+ "Entities_-_Get_D365_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each_D365_account": {
+ "foreach": "@body('Entities_-_Get_D365_Accounts')?['Accounts']",
+ "actions": {
+ "Get_D365_User": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@variables('InstanceUrl')",
+ "type": "ManagedServiceIdentity"
+ },
+ "headers": {
+ "OData-MaxVersion": "4.0",
+ "OData-Version": "4.0",
+ "accept": "application/json"
+ },
+ "method": "GET",
+ "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$select=_parentsystemuserid_value,windowsliveid&$filter=windowsliveid eq '@{concat(items('For_each_D365_account')?['accountName'],'@',items('For_each_D365_account')?['upnSuffix'])}'"
+ }
+ },
+ "User_Has_Manager_D365": {
+ "actions": {
+ "Get_Manager": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@variables('InstanceUrl')",
+ "type": "ManagedServiceIdentity"
+ },
+ "headers": {
+ "OData-MaxVersion": "4.0",
+ "OData-Version": "4.0",
+ "accept": "application/json"
+ },
+ "method": "GET",
+ "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$filter=_parentsystemuserid_value eq @{body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']}&$select=firstname,lastname,internalemailaddress"
+ }
+ },
+ "Send_email_to_D365_manager": {
+ "runAfter": {
+ "Get_Manager": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below: \n \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_D365_account')?['Name']}
",
+ "Importance": "High",
+ "Subject": "@triggerBody()?['object']?['properties']?['title']",
+ "To": "@{body('Get_Manager')['value'][0]?['internalemailaddress']}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_D365_User": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Send_email_to_fallback_mailbox_(D365)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Title: @{triggerBody()?['object']?['properties']?['title']} \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_D365_account')?['Name']} \n \nAlert generated for user . However, this user has no manager assignment in Dynamics 365.
",
+ "Importance": "High",
+ "Subject": "Manager notification rule was triggered but no manager assigned in Dynamics 365",
+ "To": "@parameters('FallbackMailbox')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_D365_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ },
+ "else": {
+ "actions": {
+ "Entities_-_Get_O365_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each_O365_account": {
+ "foreach": "@body('Entities_-_Get_O365_Accounts')?['Accounts']",
+ "actions": {
+ "Get_manager_(V2)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365users']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each_O365_account')?['accountName'],'@',items('For_each_O365_account')?['upnSuffix']))}/manager"
+ }
+ },
+ "User_Has_Manager_O365": {
+ "actions": {
+ "Send_email_to_O365_manager": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below: \n \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_O365_account')?['Name']}
",
+ "Importance": "High",
+ "Subject": "@triggerBody()?['object']?['properties']?['title']",
+ "To": "@body('Get_manager_(V2)')?['mail']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_manager_(V2)": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Send_email_to_fallback_mailbox_(O365)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Title: @{triggerBody()?['object']?['properties']?['title']} \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_O365_account')?['Name']} \n \nAlert generated for user . However, this user has no manager assignment in Office 365.
",
+ "Importance": "High",
+ "Subject": "Manager notification rule was triggered but no manager assigned in Office 365",
+ "To": "@parameters('FallbackMailbox')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@body('Get_manager_(V2)')?['mail']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_O365_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@parameters('ManagerTypeIsD365')",
+ true
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Entities_-_Get_Missing_Instance_Accounts": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each_account_(Missing_Instance)": {
+ "foreach": "@body('Entities_-_Get_Missing_Instance_Accounts')?['Accounts']",
+ "actions": {
+ "Send_email_to_fallback_mailbox_(Missing_Instance)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Title: @{triggerBody()?['object']?['properties']?['title']} \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_account_(Missing_Instance)')?['Name']} \n \nPlease ensure incidents triggering this playbook contain Cloud App type entity mappings with the InstanceUrl set in the InstanceName property of the entity mapping.
",
+ "Importance": "High",
+ "Subject": "Manager notification Playbook was triggered but Dynamics 365 instance URL was not found",
+ "To": "@parameters('FallbackMailbox')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Missing_Instance_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ }
+ },
+ "expression": {
+ "or": [
+ {
+ "equals": [
+ "@parameters('ManagerTypeIsD365')",
+ "@false"
+ ]
+ },
+ {
+ "startsWith": [
+ "@tolower(variables('InstanceUrl'))",
+ "https://"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Initialize_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "schema": {
+ "items": {
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "properties": {
+ "properties": {
+ "appId": {
+ "type": "integer"
+ },
+ "appName": {
+ "type": "string"
+ },
+ "friendlyName": {
+ "type": "string"
+ },
+ "instanceName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "type",
+ "kind",
+ "properties"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365_1": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[[variables('Office365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]"
+ },
+ "office365users": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]",
+ "connectionName": "[[variables('Office365usersConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365users')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Send-Manager-Notification",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('Office365ConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('Office365ConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('Office365usersConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('Office365usersConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId7')]",
+ "contentId": "[variables('_playbookContentId7')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Dataverse: Send notification to manager",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically send an email notificiation to the manager of the affected user entitites. The Playbook can be configured to send either to the Dynamics 365 manager, or using the manager in Office 365.",
+ "prerequisites": [
+ "1. Ensure user accounts have a manager assigned in either Dynamics 365 or Office 365."
+ ],
+ "postDeployment": [
+ "1. Set the ManagerTypeIsD365 Playbook parameter to false if using Office 365 manager.",
+ "2. Configure an email address for the FallbackMailbox Playbook parameter. This inbox will be used for any user entity without a manager assigned."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Notification"
+ ],
+ "lastUpdateTime": "2022-11-01T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId7')]",
+ "contentKind": "Playbook",
+ "displayName": "Dataverse-Send-Manager-Notification",
+ "contentProductId": "[variables('_playbookcontentProductId7')]",
+ "id": "[variables('_playbookcontentProductId7')]",
+ "version": "[variables('playbookVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MSBizApps-Incident-From-Alert-Teams Playbook with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion8')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "MSBizApps-Incident-From-Alert-Teams",
+ "type": "string"
+ },
+ "WorkloadOwnersAddress": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for WorkloadOwnersAddress"
+ }
+ },
+ "EscalationsAddress": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for EscalationsAddress"
+ }
+ },
+ "OriginatorId": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for OriginatorId"
+ }
+ },
+ "SharedMailboxAddress": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for SharedMailboxAddress"
+ }
+ },
+ "TeamsChannelLink": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for TeamsChannelLink"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]",
+ "_connection-4": "[[variables('connection-4')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "WorkloadOwnersAddress": {
+ "defaultValue": "[[parameters('WorkloadOwnersAddress')]",
+ "type": "String"
+ },
+ "EscalationsAddress": {
+ "defaultValue": "[[parameters('EscalationsAddress')]",
+ "type": "String"
+ },
+ "OriginatorId": {
+ "defaultValue": "[[parameters('OriginatorId')]",
+ "type": "String"
+ },
+ "SharedMailboxAddress": {
+ "defaultValue": "[[parameters('SharedMailboxAddress')]",
+ "type": "String"
+ },
+ "TeamsChannelLink": {
+ "defaultValue": "[[parameters('TeamsChannelLink')]",
+ "type": "String"
+ },
+ "_PlaybookName": {
+ "defaultValue": "[[parameters('PlaybookName')]",
+ "type": "String"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Condition": {
+ "actions": {
+ "Add_alert_to_incident": {
+ "runAfter": {
+ "Create_incident": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@body('Create_incident')?['id']",
+ "relatedResourceId": "@triggerBody()?['SystemAlertId']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Relation/Create"
+ }
+ },
+ "Create_incident": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "description": "This alert was flagged as suspicious by the BizApps team:\n\n@{triggerBody()?['Description']}\n",
+ "severity": "@triggerBody()?['Severity']",
+ "status": "New",
+ "title": "@triggerBody()?['AlertDisplayName']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents/subscriptions/@{triggerBody()?['workspaceInfo']?['SubscriptionId']}/resourceGroups/@{triggerBody()?['workspaceInfo']?['ResourceGroupName']}/workspaces/@{triggerBody()?['workspaceInfo']?['WorkspaceName']}"
+ }
+ }
+ },
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@outputs('Post_adaptive_card_and_wait_for_a_response')?['body']?['submitActionId']",
+ "Yes, this was authorized"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Initialize_OutlookMessage": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "OutlookMessage",
+ "type": "string",
+ "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n"
+ }
+ ]
+ }
+ },
+ "Post_adaptive_card_and_wait_for_a_response": {
+ "runAfter": {
+ "Send_an_email_from_a_shared_mailbox_(V2)": [
+ "Succeeded"
+ ]
+ },
+ "limit": {
+ "timeout": "PT24H"
+ },
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "body": {
+ "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"ColumnSet\",\n\"width\": \"auto\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"small\"\n }\n ]\n },\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"@{triggerBody()?['AlertDisplayName']}\",\n \"wrap\": true,\n \"horizontalAlignment\": \"left\"\n }\n ]\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Microsoft Sentinel alert was created: @{triggerBody()?['Description']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Is this activity legitmate?\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Yes, this was authorized\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"No, create an incident\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "recipient": {
+ "channelId": "[variables('blanks')]",
+ "groupId": "[variables('blanks')]"
+ },
+ "updateMessage": "Thanks for your response!"
+ },
+ "notificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams_1']['connectionId']"
+ }
+ },
+ "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions"
+ }
+ },
+ "Send_an_email_escalation_due_to_timeout": {
+ "runAfter": {
+ "Set_Escalation_Message": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "@{variables('OutlookMessage')}
",
+ "Importance": "High",
+ "MailboxAddress": "@parameters('SharedMailboxAddress')",
+ "Subject": "ESCALATION: Security Process Impaired Due to Lack of Response",
+ "To": "@parameters('EscalationsAddress')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/SharedMailbox/Mail"
+ }
+ },
+ "Send_an_email_from_a_shared_mailbox_(V2)": {
+ "runAfter": {
+ "Initialize_OutlookMessage": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "@{variables('OutlookMessage')}
",
+ "Importance": "High",
+ "MailboxAddress": "@parameters('SharedMailboxAddress')",
+ "Subject": "ACTION REQUIRED: Microsoft Sentinel Security Alert",
+ "To": "@parameters('WorkloadOwnersAddress')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/SharedMailbox/Mail"
+ }
+ },
+ "Send_an_email_notification_of_failure": {
+ "runAfter": {
+ "Set_Failure_Message": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "@{variables('OutlookMessage')}
",
+ "Importance": "High",
+ "MailboxAddress": "@parameters('SharedMailboxAddress')",
+ "Subject": "FAILURE: Security Process Impaired Due to Playbook Failure",
+ "To": "@parameters('SharedMailboxAddress')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/SharedMailbox/Mail"
+ }
+ },
+ "Set_Escalation_Message": {
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "TimedOut"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "OutlookMessage",
+ "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n"
+ }
+ },
+ "Set_Failure_Message": {
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "Skipped",
+ "Failed"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "OutlookMessage",
+ "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n"
+ }
+ },
+ "Terminate_Failed": {
+ "runAfter": {
+ "Send_an_email_notification_of_failure": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "PlaybookFailed",
+ "message": "Playbook failed to post a message in Teams"
+ },
+ "runStatus": "Failed"
+ }
+ },
+ "Terminate_Succeeded": {
+ "runAfter": {
+ "Send_an_email_escalation_due_to_timeout": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel_1": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[[variables('Office365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]"
+ },
+ "teams_1": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[[variables('TeamsConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateName": "MSBizApps-Admin-Teams-Approval-AlertTrigger",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('Office365ConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('Office365ConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('TeamsConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('TeamsConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId8')]",
+ "contentId": "[variables('_playbookContentId8')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Security workflow: alert verification with workload owners",
+ "description": "This playbook can reduce burden on the SOC by offloading alert verification to IT admins for specific analytics rules. It is triggered when a Microsoft Sentinel alert is generated, creates a message (and associated notification email) in the workload owner's Microsoft Teams channel containing details of the alert. If the workload owner responds that the activity is not authorized, the alert will be converted to an incident in Microsoft Sentinel for the SOC to handle.",
+ "prerequisites": [
+ "1. Take note of the Microsoft Teams channel URL (right click channel and 'Get link to channel').",
+ "2. An Exchange Online shared mailbox for the SOC.",
+ "3. Email address for the workload owners to send alert notifications.",
+ "4. Email address to send escalation notifications if workload owners do not respond.",
+ "5. Register a new provider at the [Actionable Email Developer Dashboard](https://aka.ms/publishoam) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)."
+ ],
+ "postDeployment": [
+ "1. In Logic Apps designer view, edit the 'Post adaptive card and wait for a reponse' action.",
+ "2. In the 'Team' and 'Channel' boxes, click on the 'X' to reveal the dropdown selector menu.",
+ "3. Select the appropriate Teams channel to receive notifications.",
+ "4. Assign Microsoft Sentinel Responder role to the playbook's managed identity on the Microsoft Sentinel workspace resource group."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Notification"
+ ],
+ "lastUpdateTime": "2022-11-01T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId8')]",
+ "contentKind": "Playbook",
+ "displayName": "MSBizApps-Incident-From-Alert-Teams",
+ "contentProductId": "[variables('_playbookcontentProductId8')]",
+ "id": "[variables('_playbookcontentProductId8')]",
+ "version": "[variables('playbookVersion8')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject1').parserTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "DataverseSharePointSites Data Parser with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject1').parserVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject1')._parserName1]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "DataverseSharePointSites",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "DataverseSharePointSites",
+ "query": "let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];\nlet DataverseSharepointSites_data = (\n _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)\n | where SearchKey == \"SharePoint\"\n | extend Data = todynamic(column_ifexists('Data', dynamic({\"InstanceUrl\": \"_\", \"SharePointUrl\": \"_\"})))\n | project\n InstanceUrl = tostring(Data.InstanceUrl),\n SharePointUrl = tostring(Data.SharePointUrl)\n );\nDataverseSharepointSites_data\n| union isfuzzy = true (DataverseSharepointSites_definition)\n| where InstanceUrl != '_'\n| extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))\n| extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))\n| project InstanceUrl, SharePointUrl\n",
+ "functionParameters": "MSBizAppsConfigurationWatchlistAlias:string='MSBizApps-Configuration'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "DataverseSharePointSites"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject1')._parserId1]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "kind": "Parser",
+ "version": "[variables('parserObject1').parserVersion1]",
+ "source": {
+ "name": "Microsoft Business Applications",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "contentKind": "Parser",
+ "displayName": "DataverseSharePointSites",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]",
+ "version": "[variables('parserObject1').parserVersion1]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject1')._parserName1]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "DataverseSharePointSites",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "DataverseSharePointSites",
+ "query": "let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];\nlet DataverseSharepointSites_data = (\n _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)\n | where SearchKey == \"SharePoint\"\n | extend Data = todynamic(column_ifexists('Data', dynamic({\"InstanceUrl\": \"_\", \"SharePointUrl\": \"_\"})))\n | project\n InstanceUrl = tostring(Data.InstanceUrl),\n SharePointUrl = tostring(Data.SharePointUrl)\n );\nDataverseSharepointSites_data\n| union isfuzzy = true (DataverseSharepointSites_definition)\n| where InstanceUrl != '_'\n| extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))\n| extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))\n| project InstanceUrl, SharePointUrl\n",
+ "functionParameters": "MSBizAppsConfigurationWatchlistAlias:string='MSBizApps-Configuration'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "DataverseSharePointSites"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject1')._parserId1]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "kind": "Parser",
+ "version": "[variables('parserObject1').parserVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject2').parserTemplateSpecName2]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MSBizAppsNetworkAddresses Data Parser with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject2').parserVersion2]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject2')._parserName2]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsNetworkAddresses",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsNetworkAddresses",
+ "query": "let MsBizAppsNetworkAddresses_definition = datatable (\n IPSubnet: string,\n RangeName: string,\n Tags: string\n) [\n '_', '_', '_'\n];\nlet MsBizAppsNetworkAddresses_data = (\n _GetWatchlist(NetworkAddressesWatchlistAlias)\n | project\n IPSubnet = tostring(column_ifexists('IP Subnet', '_')),\n RangeName = tostring(column_ifexists('Range Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMsBizAppsNetworkAddresses_data\n| union isfuzzy = true (MsBizAppsNetworkAddresses_definition)\n| where IPSubnet != '_'\n| project IPSubnet, RangeName, Tags\n",
+ "functionParameters": "NetworkAddressesWatchlistAlias:string='NetworkAddresses'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsNetworkAddresses"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject2')._parserId2]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]",
+ "contentId": "[variables('parserObject2').parserContentId2]",
+ "kind": "Parser",
+ "version": "[variables('parserObject2').parserVersion2]",
+ "source": {
+ "name": "Microsoft Business Applications",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject2').parserContentId2]",
+ "contentKind": "Parser",
+ "displayName": "MSBizAppsNetworkAddresses",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '3.2.0')))]",
+ "version": "[variables('parserObject2').parserVersion2]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject2')._parserName2]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsNetworkAddresses",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsNetworkAddresses",
+ "query": "let MsBizAppsNetworkAddresses_definition = datatable (\n IPSubnet: string,\n RangeName: string,\n Tags: string\n) [\n '_', '_', '_'\n];\nlet MsBizAppsNetworkAddresses_data = (\n _GetWatchlist(NetworkAddressesWatchlistAlias)\n | project\n IPSubnet = tostring(column_ifexists('IP Subnet', '_')),\n RangeName = tostring(column_ifexists('Range Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMsBizAppsNetworkAddresses_data\n| union isfuzzy = true (MsBizAppsNetworkAddresses_definition)\n| where IPSubnet != '_'\n| project IPSubnet, RangeName, Tags\n",
+ "functionParameters": "NetworkAddressesWatchlistAlias:string='NetworkAddresses'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsNetworkAddresses"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject2')._parserId2]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]",
+ "contentId": "[variables('parserObject2').parserContentId2]",
+ "kind": "Parser",
+ "version": "[variables('parserObject2').parserVersion2]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject3').parserTemplateSpecName3]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MSBizAppsOrgSettings Data Parser with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject3').parserVersion3]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject3')._parserName3]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsOrgSettings",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsOrgSettings",
+ "query": "datatable (Field: string, DisplayName: string, Description: string)[\n \"ACIWebEndpointUrl\", \"ACI Tenant URL.\", \"ACI Web Endpoint URL.\",\n \"AcknowledgementTemplateId\", \"Acknowledgement Template\", \"Unique identifier of the template to be used for acknowledgement when a user unsubscribes.\",\n \"ActivityTypeFilter\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether filtering activity based on entity in app.\",\n \"ActivityTypeFilterV2\", \"Show only activities configured in the app when accessing 'New activity' button\", \"Whether to show only activities configured in this app or all activities in the 'New activity' button.\",\n \"AdvancedColumnEditorEnabled\", \"Advanced column editor enabled\", \"Flag to indicate if the display column options on a view in model-driven apps is enabled\",\n \"AdvancedColumnFilteringEnabled\", \"Advanced column filtering enabled\", \"Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled\",\n \"AdvancedFilteringEnabled\", \"Advanced filtering enabled\", \"Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled\",\n \"AdvancedLookupEnabled\", \"Advanced lookup enabled\", \"Flag to indicate if the Advanced Lookup feature is enabled for lookup controls\",\n \"AdvancedLookupInEditFilter\", \"Enable Advanced Lookup In Edit Filter\", \"Enables advanced lookup in grid edit filter panel\",\n \"AllowAddressBookSyncs\", \"Allow Address Book Synchronization\", \"Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowApplicationUserAccess\", \"Allow All Application Users Access.\", \"Information that specifies whether all application users are allowed to access the environment\",\n \"AllowAutoResponseCreation\", \"Allow Automatic Response Creation\", \"Indicates whether automatic response creation is allowed.\",\n \"AllowAutoUnsubscribe\", \"Allow Automatic Unsubscribe\", 
\"Indicates whether automatic unsubscribe is allowed.\",\n \"AllowAutoUnsubscribeAcknowledgement\", \"Allow Automatic Unsubscribe Acknowledgement\", \"Indicates whether automatic unsubscribe acknowledgement email is allowed to send.\",\n \"AllowClientMessageBarAd\", \"Allow Outlook Client Message Bar Advertisement\", \"Indicates whether Outlook Client message bar advertisement is allowed.\",\n \"AllowConnectorsOnPowerFXActions\", \"Enable connectors on power fx actions.\", \"Information on whether connectors on power fx actions is enabled.\",\n \"AllowedIpRangeForFirewall\", \"List of IP Ranges to be allowed by the firewall rule\", \"Information that specifies the range of IP addresses that are in allow list for the firewall.\",\n \"AllowedIpRangeForStorageAccessSignatures\", \"List of IP Ranges to be allowed for generating the SAS URIs.\", \"Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.\",\n \"AllowedMimeTypes\", \"List of allowed mime types.\", \"Allow upload or download of certain mime types.\",\n \"AllowedServiceTagsForFirewall\", \"List of Service Tags to be allowed by the firewall rule\", \"Information that specifies the List of Service Tags that should be allowed by the firewall.\",\n \"AllowEntityOnlyAudit\", \"Allow Entity Level Auditing\", \"Indicates whether auditing of changes to entity is allowed when no attributes have changed.\",\n \"AllowLeadingWildcardsInGridSearch\", \"Allow Leading Wildcards In Grid Search\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLeadingWildcardsInQuickFind\", \"Allow Leading Wildcards In Quick Find\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLegacyClientExperience\", \"Enable access to legacy web client UI\", \"Enable access to legacy web client UI\",\n \"AllowLegacyDialogsEmbedding\", \"Enable embedding of certain 
legacy dialogs in Unified Interface browser client\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\",\n \"AllowMarketingEmailExecution\", \"Allow Marketing Email Execution\", \"Indicates whether marketing emails execution is allowed.\",\n \"AllowMicrosoftTrustedServiceTags\", \"Allow Microsoft Trusted Service Tags\", \"Information that specifies whether Microsoft Trusted Service Tags are allowed\",\n \"AllowOfflineScheduledSyncs\", \"Allow Offline Scheduled Synchronization\", \"Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowOutlookScheduledSyncs\", \"Allow Scheduled Synchronization\", \"Indicates whether scheduled synchronizations to Outlook are allowed.\",\n \"AllowRedirectAdminSettingsToModernUI\", \"Allow Redirect Legacy Admin Settings To Modern UI\", \"Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI\",\n \"AllowUnresolvedPartiesOnEmailSend\", \"Allow Unresolved Address Email Send\", \"Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).\",\n \"AllowUserFormModePreference\", \"Allow User Form Mode Preference\", \"Indicates whether individuals can select their form mode preference in their personal options.\",\n \"AllowUsersHidingSystemViews\", \"Allow users hiding system views\", \"Flag to indicate if allow end users to hide system views in model-driven apps is enabled\",\n \"AllowUsersSeeAppdownloadMessage\", \"Allow the showing tablet application notification bars in a browser.\", \"Indicates whether the showing tablet application notification bars in a browser is allowed.\",\n \"AllowWebExcelExport\", \"Allow Export to Excel\", \"Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.\",\n \"AMDesignator\", \"AM Designator\", \"AM designator to use throughout Microsoft Dynamics CRM.\",\n \"AppDesignerExperienceEnabled\", \"Enable App Designer 
Experience for this Organization\", \"Indicates whether the appDesignerExperience is enabled for the organization.\",\n \"AppointmentRichEditorExperience\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether rich editing experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeeting\", \"Enable teams Meeting experience for appointment\", \"Information on whether Teams meeting experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeetingV2\", \"Enable Teams meetings for appointments\", \"Whether Teams meetings experience for appointments is enabled.\",\n \"AuditRetentionPeriod\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AuditRetentionPeriodV2\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AutoApplyDefaultonCaseCreate\", \"Auto Apply Default Entitlement on Case Create\", \"Select whether to auto apply the default customer entitlement on case creation.\",\n \"AutoApplyDefaultonCaseUpdate\", \"Auto Apply Default Entitlement on Case Update\", \"Select whether to auto apply the default customer entitlement on case update.\",\n \"AutoApplySLA\", \"Is Auto-apply SLA After Manually Over-riding\", \"Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.\",\n \"AzureSchedulerJobCollectionName\", \"For internal use only.\", \"For internal use only.\",\n \"BaseCurrencyId\", \"Currency\", \"Unique identifier of the base currency of the organization.\",\n \"BingMapsApiKey\", \"Bing Maps API Key\", \"Api Key to be used in requests to Bing Maps services.\",\n \"BlockedAttachments\", \"Block Attachments\", \"Prevent upload or download of certain attachment types that are considered dangerous.\",\n \"BlockedMimeTypes\", \"List of blocked mime types.\", \"Prevent upload or download of certain mime types that are considered dangerous.\",\n 
\"BoundDashboardDefaultCardExpanded\", \"Display cards in expanded state for Interactive Dashboard\", \"Display cards in expanded state for interactive dashboard\",\n \"BulkOperationPrefix\", \"Bulk Operation Prefix\", \"Prefix used for bulk operation numbering.\",\n \"BusinessCardOptions\", \"Enable New BusinessCardOptions\", \"BusinessCardOptions\",\n \"BusinessClosureCalendarId\", \"Business Closure Calendar\", \"Unique identifier of the business closure calendar of organization.\",\n \"CalendarType\", \"Calendar Type\", \"Calendar type for the system. Set to Gregorian US by default.\",\n \"CampaignPrefix\", \"Campaign Prefix\", \"Prefix used for campaign numbering.\",\n \"CanOptOutNewSearchExperience\", \"Can disable Oct 2020 Search\", \"Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)\",\n \"CascadeStatusUpdate\", \"Cascade Status Update\", \"Flag to cascade Update on incident.\",\n \"CasePrefix\", \"Case Prefix\", \"Prefix to use for all cases throughout Microsoft Dynamics 365.\",\n \"CategoryPrefix\", \"Category Prefix\", \"Type the prefix to use for all categories in Microsoft Dynamics 365.\",\n \"ClientFeatureSet\", \"Client Feature Set\", \"Client Features to be enabled as an XML BLOB.\",\n \"ContentSecurityPolicyConfiguration\", \"Content Security Policy Configuration\", \"Policy configuration for CSP\",\n \"ContentSecurityPolicyConfigurationForCanvas\", \"Content Security Policy Configuration for Canvas apps\", \"Content Security Policy configuration for Canvas apps.\",\n \"ContentSecurityPolicyOptions\", \"Content Security Policy Options\", \"Content Security Policy Options.\",\n \"ContentSecurityPolicyReportUri\", \"Content Security Policy Report Uri\", \"Content Security Policy Report Uri.\",\n \"ContractPrefix\", \"Contract Prefix\", \"Prefix to use for all contracts throughout Microsoft Dynamics 365.\",\n \"CopresenceRefreshRate\", \"CopresenceRefreshRate\", \"Refresh rate for copresence 
data in seconds.\",\n \"CortanaProactiveExperienceEnabled\", \"Enable Cortana Proactive Experience Flow processes for this Organization\", \"Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.\",\n \"CreateProductsWithoutParentInActiveState\", \"Enable Active Initial Product State\", \"Enable Initial state of newly created products to be Active instead of Draft\",\n \"CurrencyDecimalPrecision\", \"Currency Decimal Precision\", \"Number of decimal places that can be used for currency.\",\n \"CurrencyDisplayOption\", \"Display Currencies Using\", \"Indicates whether to display money fields with currency code or currency symbol.\",\n \"CurrencyFormatCode\", \"Currency Format Code\", \"Information about how currency symbols are placed throughout Microsoft Dynamics CRM.\",\n \"CurrencySymbol\", \"Currency Symbol\", \"Symbol used for currency throughout Microsoft Dynamics 365.\",\n \"CurrentBulkOperationNumber\", \"Current Bulk Operation Number\", \"Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCampaignNumber\", \"Current Campaign Number\", \"Current campaign number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCaseNumber\", \"Current Case Number\", \"First case number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCategoryNumber\", \"Current Category Number\", \"Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentContractNumber\", \"Current Contract Number\", \"First contract number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentInvoiceNumber\", \"Current Invoice Number\", \"First invoice number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKaNumber\", \"Current Knowledge Article Number\", \"Enter the first number to use for knowledge articles. Deprecated. 
Use SetAutoNumberSeed message.\",\n \"CurrentKbNumber\", \"Current Article Number\", \"First article number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentOrderNumber\", \"Current Order Number\", \"First order number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentQuoteNumber\", \"Current Quote Number\", \"First quote number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"DateFormatCode\", \"Date Format Code\", \"Information about how the date is displayed throughout Microsoft CRM.\",\n \"DateFormatString\", \"Date Format String\", \"String showing how the date is displayed throughout Microsoft CRM.\",\n \"DateSeparator\", \"Date Separator\", \"Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.\",\n \"DaysBeforeEmailDescriptionIsMigrated\", \"Number of days before we migrate email description to blob.\", \"Number of days before we migrate email description to blob.\",\n \"DaysBeforeInactiveTeamsChatSyncDisabled\", \"Days Before Inactive Teams Chat Sync Disabled\", \"Days of inactivity before sync is disabled for a Teams Chat.\",\n \"DecimalSymbol\", \"Decimal Symbol\", \"Symbol used for decimal in Microsoft Dynamics 365.\",\n \"DefaultCountryCode\", \"Default Country Code\", \"Text area to enter default country code.\",\n \"DefaultCrmCustomName\", \"Name of the default app\", \"Name of the default crm custom.\",\n \"DefaultEmailServerProfileId\", \"Email Server Profile\", \"Unique identifier of the default email server profile.\",\n \"DefaultEmailSettings\", \"Default Email Settings\", \"XML string containing the default email settings that are applied when a user or queue is created.\",\n \"DefaultMobileOfflineProfileId\", \"Default Mobile Offline Profile\", \"Unique identifier of the default mobile offline profile.\",\n \"DefaultRecurrenceEndRangeType\", \"Default Recurrence End Range Type\", \"Type of default recurrence end range date.\",\n \"DefaultThemeData\", 
\"Default Theme Data\", \"Default theme data for the organization.\",\n \"DelegatedAdminUserId\", \"Delegated Admin\", \"Unique identifier of the delegated admin user for the organization.\",\n \"DisableSocialCare\", \"Is Social Care disabled\", \"Indicates whether Social Care is disabled.\",\n \"DiscountCalculationMethod\", \"Discount calculation method\", \"Discount calculation method for the QOOI product.\",\n \"DisplayNavigationTour\", \"Display Navigation Tour\", \"Indicates whether or not navigation tour is displayed.\",\n \"EmailConnectionChannel\", \"Email Connection Channel\", \"Select if you want to use the Email Router or server-side synchronization for email processing.\",\n \"EmailCorrelationEnabled\", \"Use Email Correlation\", \"Flag to turn email correlation on or off.\",\n \"EmailSendPollingPeriod\", \"Email Send Polling Frequency\", \"Normal polling frequency used for sending email in Microsoft Office Outlook.\",\n \"EnableAsyncMergeAPIForUCI\", \"Asynchronous merge enabled for UCI\", \"Determines whether records merged through the merge dialog in UCI are merged asynchronously\",\n \"EnableBingMapsIntegration\", \"Enable Integration with Bing Maps\", \"Enable Integration with Bing Maps\",\n \"EnableCanvasAppsInSolutionsByDefault\", \"Enable the creation of Canvas apps in Dataverse / Solution by default\", \"Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.\",\n \"EnableFlowsInSolutionByDefault\", \"Enable the creation of flows within a solution by default.\", \"Indicates whether the creation of flows is within a solution by default for this organization.\",\n \"EnableFlowsInSolutionByDefaultGracePeriod\", \"Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.\", \"Organizations with this attribute set to true will be granted a grace period and excluded from the 
initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.\",\n \"EnableImmersiveSkypeIntegration\", \"Enable Integration with Immersive Skype\", \"Enable Integration with Immersive Skype\",\n \"EnableIpBasedCookieBinding\", \"Enable IP Address Based Cookie Binding\", \"Information that specifies whether IP based cookie binding is enabled\",\n \"EnableIpBasedFirewallRule\", \"Enable IP Range based Firewall\", \"Information that specifies whether IP based firewall rule is enabled\",\n \"EnableIpBasedFirewallRuleInAuditMode\", \"Enable IP Range based Firewall In Audit Only Mode\", \"Information that specifies whether IP based firewall rule is enabled in Audit Only Mode\",\n \"EnableIpBasedStorageAccessSignatureRule\", \"Enable IP SAS URI generation rule\", \"Information that specifies whether IP based SAS URI generation rule is enabled\",\n \"EnableLivePersonaCardUCI\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\",\n \"EnableLivePersonCardIntegrationInOffice\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\",\n \"EnableLPAuthoring\", \"Enable Learning Path Authoring\", \"Select to enable learning path auhtoring.\",\n \"EnableMakerSwitchToClassic\", \"Switch Maker Portal to Classic\", \"Control whether the organization Switch Maker Portal to Classic\",\n \"EnableMicrosoftFlowIntegration\", \"Enable Integration with Microsoft Flow\", \"Enable Integration with Microsoft Flow\",\n \"EnablePricingOnCreate\", \"Enable Pricing On Create\", \"Enable pricing calculations on a Create call.\",\n \"EnableSmartMatching\", \"Enable Smart Matching\", \"Use Smart Matching.\",\n 
\"EnableUnifiedClientCDN\", \"Enable UCI CDN for organization\", \"Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.\",\n \"EnableUnifiedInterfaceShellRefresh\", \"Enable site map and commanding update\", \"Enable site map and commanding update\",\n \"EnforceReadOnlyPlugins\", \"Organization setting to enforce read only plugins.\", \"Organization setting to enforce read only plugins.\",\n \"EntityImage\", \"Entity Image\", \"The default image for the entity.\",\n \"ExpireChangeTrackingInDays\", \"Days to Expire Change Tracking Deleted Records\", \"Maximum number of days to keep change tracking deleted records\",\n \"ExpireSubscriptionsInDays\", \"Days to Expire Subscriptions\", \"Maximum number of days before deleting inactive subscriptions.\",\n \"ExternalBaseUrl\", \"External Base URL\", \"Specify the base URL to use to look for external document suggestions.\",\n \"ExternalPartyCorrelationKeys\", \"ExternalPartyEnabled Entities correlation Keys\", \"XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only\",\n \"ExternalPartyEntitySettings\", \"ExternalPartyEnabled Entities Settings.For internal use only\", \"XML string containing the ExternalPartyEnabled entities settings.\",\n \"FeatureSet\", \"Feature Set\", \"Features to be enabled as an XML BLOB.\",\n \"FiscalCalendarStart\", \"Fiscal Calendar Start\", \"Start date for the fiscal period that is to be used throughout Microsoft CRM.\",\n \"FiscalPeriodFormat\", \"Fiscal Period Format\", \"Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.\",\n \"FiscalPeriodFormatPeriod\", \"Format for Fiscal Period\", \"Format in which the fiscal period will be displayed.\",\n \"FiscalPeriodType\", \"Fiscal Period Type\", \"Type of fiscal period used throughout Microsoft CRM.\",\n 
\"FiscalYearDisplayCode\", \"Fiscal Year Display\", \"Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.\",\n \"FiscalYearFormat\", \"Fiscal Year Format\", \"Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.\",\n \"FiscalYearFormatPrefix\", \"Prefix for Fiscal Year\", \"Prefix for the display of the fiscal year.\",\n \"FiscalYearFormatSuffix\", \"Suffix for Fiscal Year\", \"Suffix for the display of the fiscal year.\",\n \"FiscalYearFormatYear\", \"Fiscal Year Format Year\", \"Format for the year.\",\n \"FiscalYearPeriodConnect\", \"Fiscal Year Period Connector\", \"Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.\",\n \"FullNameConventionCode\", \"Full Name Display Order\", \"Order in which names are to be displayed throughout Microsoft CRM.\",\n \"FutureExpansionWindow\", \"Future Expansion Window\", \"Specifies the maximum number of months in future for which the recurring activities can be created.\",\n \"GenerateAlertsForErrors\", \"Generate Alerts For Errors\", \"Indicates whether alerts will be generated for errors.\",\n \"GenerateAlertsForInformation\", \"Generate Alerts For Information\", \"Indicates whether alerts will be generated for information.\",\n \"GenerateAlertsForWarnings\", \"Generate Alerts For Warnings\", \"Indicates whether alerts will be generated for warnings.\",\n \"GetStartedPaneContentEnabled\", \"Is Get Started Pane Content Enabled\", \"Indicates whether Get Started content is enabled for this organization.\",\n \"GlobalAppendUrlParametersEnabled\", \"Is AppendUrl Parameters enabled\", \"Indicates whether the append URL parameters is enabled.\",\n \"GlobalHelpUrl\", \"Global Help URL.\", \"URL for the web page global help.\",\n \"GlobalHelpUrlEnabled\", \"Is Customizable Global Help enabled\", \"Indicates whether the customizable 
global help is enabled.\",\n \"GoalRollupExpiryTime\", \"Rollup Expiration Time for Goal\", \"Number of days after the goal's end date after which the rollup of the goal stops automatically.\",\n \"GoalRollupFrequency\", \"Automatic Rollup Frequency for Goal\", \"Number of hours between automatic rollup jobs .\",\n \"GrantAccessToNetworkService\", \"Grant Access To Network Service\", \"For internal use only.\",\n \"HashDeltaSubjectCount\", \"Hash Delta Subject Count\", \"Maximum difference allowed between subject keywords count of the email messaged to be correlated\",\n \"HashFilterKeywords\", \"Hash Filter Keywords\", \"Filter Subject Keywords\",\n \"HashMaxCount\", \"Hash Max Count\", \"Maximum number of subject keywords or recipients used for correlation\",\n \"HashMinAddressCount\", \"Hash Min Address Count\", \"Minimum number of recipients required to match for email messaged to be correlated\",\n \"HighContrastThemeData\", \"High contrast Theme Data\", \"High contrast theme data for the organization.\",\n \"IgnoreInternalEmail\", \"Ignore Internal Email\", \"Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.\",\n \"ImproveSearchLoggingEnabled\", \"Share search query data\", \"Indicates whether an organization has consented to sharing search query data to help improve search results\",\n \"InactivityTimeoutEnabled\", \"Inactivity timeout enabled\", \"Information that specifies whether Inactivity timeout is enabled\",\n \"InactivityTimeoutInMins\", \"Inactivity timeout in minutes\", \"Inactivity timeout in minutes\",\n \"InactivityTimeoutReminderInMins\", \"Inactivity timeout reminder in minutes\", \"Inactivity timeout reminder in minutes\",\n \"IncomingEmailExchangeEmailRetrievalBatchSize\", \"Exchange Email Retrieval Batch Size\", \"Setting for the Async Service Mailbox Queue. 
Defines the retrieval batch size of exchange server.\",\n \"InitialVersion\", \"Initial Version\", \"Initial version of the organization.\",\n \"IntegrationUserId\", \"Integration User\", \"Unique identifier of the integration user for the organization.\",\n \"InvoicePrefix\", \"Invoice Prefix\", \"Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.\",\n \"IpBasedStorageAccessSignatureMode\", \"IP Based SAS mode\", \"IP Based SAS mode.\",\n \"IsActionCardEnabled\", \"Enable Action Card for this Organization\", \"Indicates whether the feature Action Card should be enabled for the organization.\",\n \"IsActionSupportFeatureEnabled\", \"Action Support Feature enabled\", \"Information that specifies whether Action Support Feature is enabled\",\n \"IsActivityAnalysisEnabled\", \"Enable Relationship Analytics for this Organization\", \"Indicates whether the feature Relationship Analytics should be enabled for the organization.\",\n \"IsAppMode\", \"Is Application Mode Enabled\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsAppointmentAttachmentSyncEnabled\", \"Is Attachment Sync Enabled\", \"Enable or disable attachments sync for outlook and exchange.\",\n \"IsAssignedTasksSyncEnabled\", \"Is Assigned Tasks Sync Enabled\", \"Enable or disable assigned tasks sync for outlook and exchange.\",\n \"IsAuditEnabled\", \"Is Auditing Enabled\", \"Enable or disable auditing of changes.\",\n \"IsAutoDataCaptureEnabled\", \"Enable Auto Capture for this Organization\", \"Indicates whether the feature Auto Capture should be enabled for the organization.\",\n \"IsAutoDataCaptureV2Enabled\", \"Enable Auto Capture V2 for this Organization\", \"Indicates whether the V2 feature of Auto Capture should be enabled for the organization.\",\n \"IsAutoInstallAppForD365InTeamsEnabled\", \"IsAutoInstallAppForD365InTeamsEnabled\", \"\",\n \"IsAutoSaveEnabled\", \"Auto Save 
Enabled\", \"Information on whether auto save is enabled.\",\n \"IsBaseCardStaticFieldDataEnabled\", \"IsBaseCardStaticFieldDataEnabled\", \"\",\n \"IsBasicGeospatialIntegrationEnabled\", \"Enable the basic Geospatial features in Canvas Apps\", \"Determines whether users can make use of basic Geospatial featuers in Canvas apps.\",\n \"IsBPFEntityCustomizationFeatureEnabled\", \"BPF Entity Customization Feature enabled\", \"Information that specifies whether BPF Entity Customization Feature is enabled\",\n \"IsCollaborationExperienceEnabled\", \"IsCollaborationExperienceEnabled\", \"\",\n \"IsConflictDetectionEnabledForMobileClient\", \"Is Conflict Detection for Mobile Client enabled\", \"Information that specifies whether conflict detection for mobile client is enabled.\",\n \"IsContactMailingAddressSyncEnabled\", \"Is Mailing Address Sync Enabled\", \"Enable or disable mailing address sync for outlook and exchange.\",\n \"IsContentSecurityPolicyEnabled\", \"Enable Content Security Policy for this organization\", \"Indicates whether Content Security Policy has been enabled for the organization.\",\n \"IsContentSecurityPolicyEnabledForCanvas\", \"Enable Content Security Policy for this organization's Canvas apps\", \"Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.\",\n \"IsContextualEmailEnabled\", \"Indicates whether Contextual email experience is enabled on this organization\", \"Indicates whether Contextual email experience is enabled on this organization\",\n \"IsContextualHelpEnabled\", \"Enables Contextual Help in UCI\", \"Select to enable Contextual Help in UCI.\",\n \"IsCopilotFeedbackEnabled\", \"Allow users to provide feedback for App Copilot\", \"Determines whether users can provide feedback for App Copilot.\",\n \"IsCustomControlsInCanvasAppsEnabled\", \"Enable Custom Controls in canvas PowerApps feature for this organization\", \"Indicates whether Custom Controls in canvas PowerApps feature has been 
enabled for the organization.\",\n \"IsDefaultCountryCodeCheckEnabled\", \"Enable or disable country code selection\", \"Enable or disable country code selection.\",\n \"IsDelegateAccessEnabled\", \"Is Delegation Access Enabled\", \"Enable Delegation Access content\",\n \"IsDelveActionHubIntegrationEnabled\", \"Enable Action Hub for this Organization\", \"Indicates whether the feature Action Hub should be enabled for the organization.\",\n \"IsDesktopFlowSchemaV2Enabled\", \"Enable v2 schema for Desktop Flows in this organization.\", \"Indicates whether v2 schema for Desktop Flows is enabled in this organization.\",\n \"IsDuplicateDetectionEnabled\", \"Is Duplicate Detection Enabled\", \"Indicates whether duplicate detection of records is enabled.\",\n \"IsDuplicateDetectionEnabledForImport\", \"Is Duplicate Detection Enabled For Import\", \"Indicates whether duplicate detection of records during import is enabled.\",\n \"IsDuplicateDetectionEnabledForOfflineSync\", \"Is Duplicate Detection Enabled For Offline Synchronization\", \"Indicates whether duplicate detection of records during offline synchronization is enabled.\",\n \"IsDuplicateDetectionEnabledForOnlineCreateUpdate\", \"Is Duplicate Detection Enabled for Online Create/Update\", \"Indicates whether duplicate detection during online create or update is enabled.\",\n \"IsEmailAddressValidationEnabled\", \"Enable Smart Email Address Validation.\", \"Information on whether Smart Email Address Validation is enabled.\",\n \"IsEmailMonitoringAllowed\", \"Allow tracking recipient activity on sent emails\", \"Allow tracking recipient activity on sent emails.\",\n \"IsEmailServerProfileContentFilteringEnabled\", \"Is Email Server Profile Content Filtering Enabled\", \"Enable Email Server Profile content filtering\",\n \"IsEnabledForAllRoles\", \"option set values for isenabledforallroles\", \"Indicates whether appmodule is enabled for all roles\",\n \"IsExternalFileStorageEnabled\", \"Enable external file 
storage\", \"Indicates whether the organization's files are being stored in Azure.\",\n \"IsExternalSearchIndexEnabled\", \"Enable external search data syncing\", \"Select whether data can be synchronized with an external search index.\",\n \"IsFiscalPeriodMonthBased\", \"Is Fiscal Period Monthly\", \"Indicates whether the fiscal period is displayed as the month number.\",\n \"IsFolderAutoCreatedonSP\", \"Automatically create folders\", \"Select whether folders should be automatically created on SharePoint.\",\n \"IsFolderBasedTrackingEnabled\", \"Is Folder Based Tracking Enabled\", \"Enable or disable folder based tracking for Server Side Sync.\",\n \"IsFullTextSearchEnabled\", \"Enable Full-text search for Quick Find\", \"Indicates whether full-text search for Quick Find entities should be enabled for the organization.\",\n \"IsGeospatialAzureMapsIntegrationEnabled\", \"Enable geospatial Azure Maps integration.\", \"Indicates whether geospatial capabilities leveraging Azure Maps are enabled.\",\n \"IsHierarchicalSecurityModelEnabled\", \"Enable Hierarchical Security Model\", \"Enable Hierarchical Security Model\",\n \"IsIdeasDataCollectionEnabled\", \"Enable Ideas data collection.\", \"Indicates whether data collection for ideas in canvas PowerApps has been enabled.\",\n \"IsLUISEnabledforD365Bot\", \"LUIS Consent for Dynamics 365 Bot\", \"Give Consent to use LUIS in Dynamics 365 Bot\",\n \"IsMailboxForcedUnlockingEnabled\", \"Is Mailbox Forced Unlocking Enabled\", \"Enable or disable forced unlocking for Server Side Sync mailboxes.\",\n \"IsMailboxInactiveBackoffEnabled\", \"Is Mailbox Keep Alive Enabled\", \"Enable or disable mailbox keep alive for Server Side Sync.\",\n \"IsManualSalesForecastingEnabled\", \"Enable Manual Sales Forecasting feature for this organization\", \"Indicates whether Manual Sales Forecasting feature has been enabled for the organization.\",\n \"IsMobileClientOnDemandSyncEnabled\", \"Is Mobile Client On Demand Sync enabled\", 
\"Information that specifies whether mobile client on demand sync is enabled.\",\n \"IsMobileOfflineEnabled\", \"Enable MobileOffline for this Organization\", \"Indicates whether the feature MobileOffline should be enabled for the organization.\",\n \"IsModelDrivenAppsInMSTeamsEnabled\", \"Enable embedding Model Apps in Microsoft Teams\", \"Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.\",\n \"IsMSTeamsCollaborationEnabled\", \"Enable Microsoft Teams Collaboration for this organization\", \"Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.\",\n \"IsMSTeamsEnabled\", \"Enable Microsoft Teams integration\", \"Indicates whether Microsoft Teams integration has been enabled for the organization.\",\n \"IsMSTeamsSettingChangedByUser\", \"Microsoft Teams integration changed by user\", \"Indicates whether the user has enabled or disabled Microsoft Teams integration.\",\n \"IsMSTeamsUserSyncEnabled\", \"Enable Microsoft Teams User Sync for this organization\", \"Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.\",\n \"IsNewAddProductExperienceEnabled\", \"Indicates whether new add product experience is enabled in opportunity form\", \"Indicates whether new add product experience is enabled.\",\n \"IsNotesAnalysisEnabled\", \"Enable Notes Analysis for this Organization\", \"Indicates whether the feature Notes Analysis should be enabled for the organization.\",\n \"IsNotificationForD365InTeamsEnabled\", \"IsNotificationForD365InTeamsEnabled\", \"\",\n \"IsOfficeGraphEnabled\", \"Enable OfficeGraph for this Organization\", \"Indicates whether the feature OfficeGraph should be enabled for the organization.\",\n \"IsOneDriveEnabled\", \"Enable One Drive for this Organization\", \"Indicates whether the feature One Drive should be enabled for the organization.\",\n \"IsPAIEnabled\", \"Enable PAI feature for this 
organization\", \"Indicates whether PAI feature has been enabled for the organization.\",\n \"IsPDFGenerationEnabled\", \"Enable PDF Generation feature for this organization\", \"Indicates whether PDF Generation feature has been enabled for the organization.\",\n \"IsPlaybookEnabled\", \"Enable playbook feature for this organization\", \"Indicates whether playbook feature has been enabled for the organization.\",\n \"IsPresenceEnabled\", \"Presence Enabled\", \"Information on whether IM presence is enabled.\",\n \"IsPreviewEnabledForActionCard\", \"Enable Preview Action Card feature for this Organization\", \"Indicates whether the Preview feature for Action Card should be enabled for the organization.\",\n \"IsPreviewForAutoCaptureEnabled\", \"Enable Auto Capture for this Organization at Preview Settings\", \"Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.\",\n \"IsPreviewForEmailMonitoringAllowed\", \"Allows Preview For Email Monitoring\", \"Is Preview For Email Monitoring Allowed.\",\n \"IsPriceListMandatory\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities.\",\n \"IsQuickCreateEnabledForOpportunityClose\", \"Enable quick create form for opportunity close feature for this organization\", \"Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.\",\n \"IsReadAuditEnabled\", \"Is Read Auditing Enabled\", \"Enable or disable auditing of read operations.\",\n \"IsRelationshipInsightsEnabled\", \"Enable Relationship Insights for this Organization\", \"Indicates whether the feature Relationship Insights should be enabled for the organization.\",\n \"IsResourceBookingExchangeSyncEnabled\", \"Resource booking synchronization enabled\", \"Indicates if the synchronization of user resource booking with Exchange is enabled at 
organization level.\",\n \"IsRichTextNotesEnabled\", \"Indicates whether rich text editor for notes experience is enabled on this organization\", \"Indicates whether rich text editor for notes experience is enabled on this organization\",\n \"IsRpaAutoscaleAadJoinEnabled\", \"Enable AAD Join for RPA Autoscale feature for this organization.\", \"Indicates whether AAD Join for RPA Autoscale is enabled in this organization..\",\n \"IsRpaAutoscaleEnabled\", \"Enable RPA Autoscale feature for this organization\", \"Indicates whether Autoscale feature for RPA is enabled in this organization.\",\n \"IsRpaBoxCrossGeoEnabled\", \"Enable RPA Box cross geo feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.\",\n \"IsRpaBoxEnabled\", \"Enable RPA Box feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization.\",\n \"IsRpaUnattendedEnabled\", \"Enable RPA Unattended feature for this organization\", \"Indicates whether Unattended runs feature for RPA is enabled in this organization.\",\n \"IsSalesAssistantEnabled\", \"Enable Sales Assistant mobile app\", \"Indicates whether Sales Assistant mobile app has been enabled for the organization.\",\n \"IsSharingInOrgAllowed\", \"IsSharingInOrgAllowed\", \"\",\n \"IsSOPIntegrationEnabled\", \"Is Sales Order Integration Enabled\", \"Enable sales order processing integration.\",\n \"IsTextWrapEnabled\", \"Enable Text Wrap\", \"Information on whether text wrap is enabled.\",\n \"IsUserAccessAuditEnabled\", \"Is User Access Auditing Enabled\", \"Enable or disable auditing of user access.\",\n \"ISVIntegrationCode\", \"ISV Integration Mode\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsWriteInProductsAllowed\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or 
not\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.\",\n \"KaPrefix\", \"Knowledge Article Prefix\", \"Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.\",\n \"KbPrefix\", \"Article Prefix\", \"Prefix to use for all articles in Microsoft Dynamics 365.\",\n \"KMSettings\", \"Knowledge Management Settings\", \"XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.\",\n \"LanguageCode\", \"Language\", \"Preferred language for the organization.\",\n \"LocaleId\", \"Locale\", \"Unique identifier of the locale of the organization.\",\n \"LongDateFormatCode\", \"Long Date Format\", \"Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.\",\n \"LookupCharacterCountBeforeResolve\", \"Minimum number of characters before resolving suggestions in lookup\", \"Minimum number of characters that should be entered in the lookup control before resolving for suggestions\",\n \"LookupResolveDelayMS\", \"Minimum delay (in milliseconds) for debouncing lookup control input\", \"Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions\",\n \"MailboxIntermittentIssueMinRange\", \"Lower Threshold For Mailbox Intermittent Issue\", \"Lower Threshold For Mailbox Intermittent Issue.\",\n \"MailboxPermanentIssueMinRange\", \"Lower Threshold For Mailbox Permanent Issue.\", \"Lower Threshold For Mailbox Permanent Issue.\",\n \"MaxActionStepsInBPF\", \"Maximum number of actionsteps allowed in a BPF\", \"Maximum number of actionsteps allowed in a BPF\",\n \"MaxAllowedPendingRollupJobCount\", \"MaxAllowedPendingRollupJobCount\", \"Maximum Allowed Pending Rollup Job Count\",\n \"MaxAllowedPendingRollupJobPercentage\", \"MaxAllowedPendingRollupJobPercentage\", \"Percentage Of Entity Table Size For Kicking Off Bootstrap Job\",\n \"MaxAppointmentDurationDays\", \"Max Appointment 
Duration\", \"Maximum number of days an appointment can last.\",\n \"MaxConditionsForMobileOfflineFilters\", \"Maximum number of conditions allowed for mobile offline filters\", \"Maximum number of conditions allowed for mobile offline filters\",\n \"MaxDepthForHierarchicalSecurityModel\", \"Maximum depth for hierarchy security propagation.\", \"Maximum depth for hierarchy security propagation.\",\n \"MaxFolderBasedTrackingMappings\", \"Max Folder Based Tracking Mappings\", \"Maximum number of Folder Based Tracking mappings user can add\",\n \"MaximumActiveBusinessProcessFlowsAllowedPerEntity\", \"Maximum active business process flows per entity\", \"Maximum number of active business process flows allowed per entity\",\n \"MaximumDynamicPropertiesAllowed\", \"Product Properties Item Limit\", \"Restrict the maximum number of product properties for a product family/bundle\",\n \"MaximumEntitiesWithActiveSLA\", \"Maximum number of active SLA allowed per entity in online\", \"Maximum number of active SLA allowed per entity in online\",\n \"MaximumSLAKPIPerEntityWithActiveSLA\", \"Maximum number of active SLA KPI allowed per entity in online\", \"Maximum number of SLA KPI per active SLA allowed for entity in online\",\n \"MaximumTrackingNumber\", \"Max Tracking Number\", \"Maximum tracking number before recycling takes place.\",\n \"MaxProductsInBundle\", \"Bundle Item Limit\", \"Restrict the maximum no of items in a bundle\",\n \"MaxRecordsForExportToExcel\", \"Max Records For Excel Export\", \"Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.\",\n \"MaxRecordsForLookupFilters\", \"Max Records Filter Selection\", \"Maximum number of lookup and picklist records that can be selected by user for filtering.\",\n \"MaxRollupFieldsPerEntity\", \"MaxRollupFieldsPerEntity\", \"Maximum Rollup Fields Per Entity\",\n \"MaxRollupFieldsPerOrg\", \"MaxRollupFieldsPerOrg\", \"Maximum Rollup Fields Per 
Organization\",\n \"MaxSLAItemsPerSLA\", \"Max SLA Items Per SLA\", \"\",\n \"MaxUploadFileSize\", \"Max Upload File Size\", \"Maximum allowed size of an attachment.\",\n \"MicrosoftFlowEnvironment\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\",\n \"MinAddressBookSyncInterval\", \"Min Address Synchronization Frequency\", \"Normal polling frequency used for address book synchronization in Microsoft Office Outlook.\",\n \"MinOfflineSyncInterval\", \"Min Offline Synchronization Frequency\", \"Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.\",\n \"MinOutlookSyncInterval\", \"Min Synchronization Frequency\", \"Minimum allowed time between scheduled Outlook synchronizations.\",\n \"MobileOfflineSyncInterval\", \"Sync interval for mobile offline.\", \"Sync interval for mobile offline.\",\n \"ModernAdvancedFindFiltering\", \"Modern advanced find filtering\", \"Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled\",\n \"ModernAppDesignerCoauthoringEnabled\", \"Coauthoring in Modern App Designer Enabled\", \"Indicates whether coauthoring is enabled in modern app designer\",\n \"MultiColumnSortEnabled\", \"Enable Multi Column Sort Editor In Views\", \"Show the sort by button on views\",\n \"Name\", \"Organization Name\", \"Name of the organization. 
The name is set when Microsoft CRM is installed and should not be changed.\",\n \"NaturalLanguageAssistFilter\", \"Natural Language Assist\", \"Enables Natural Language Assist Filter.\",\n \"NegativeCurrencyFormatCode\", \"Negative Currency Format\", \"Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.\",\n \"NegativeFormatCode\", \"Negative Format\", \"Information that specifies how negative numbers are displayed throughout Microsoft CRM.\",\n \"NewSearchExperienceEnabled\", \"Oct 2020 Search enabled\", \"Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization\",\n \"NextTrackingNumber\", \"Next Tracking Number\", \"Next token to be placed on the subject line of an email message.\",\n \"NotifyMailboxOwnerOfEmailServerLevelAlerts\", \"Notify Mailbox Owner Of Email Server Level Alerts\", \"Indicates whether mailbox owners will be notified of email server profile level alerts.\",\n \"NumberFormat\", \"Number Format\", \"Specification of how numbers are displayed throughout Microsoft CRM.\",\n \"NumberGroupFormat\", \"Number Grouping Format\", \"Specifies how numbers are grouped in Microsoft Dynamics 365.\",\n \"NumberSeparator\", \"Number Separator\", \"Symbol used for number separation in Microsoft Dynamics 365.\",\n \"OfficeAppsAutoDeploymentEnabled\", \"Enable Office Apps Auto Deployment for this Organization\", \"Indicates whether the Office Apps auto deployment is enabled for the organization.\",\n \"OfficeGraphDelveUrl\", \"The url to open the Delve\", \"The url to open the Delve for the organization.\",\n \"OOBPriceCalculationEnabled\", \"Enable OOB Price calculation\", \"Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.\",\n \"OptOutSchemaV2EnabledByDefault\", \"Opt-out of schema v2 being automatically enabled for this organization.\", \"Indicates if this organization will opt-out from 
automatically enabling schema v2 on the organization.\",\n \"OrderPrefix\", \"Order Prefix\", \"Prefix to use for all orders throughout Microsoft Dynamics 365.\",\n \"OrgDbOrgSettings\", \"Organization Database Organization Settings\", \"Organization settings stored in Organization Database.\",\n \"OrgInsightsEnabled\", \"Enable OrgInsights for this Organization\", \"Select whether to turn on OrgInsights for the organization.\",\n \"PaiPreviewScenarioEnabled\", \"Display Preview Feature for this organization\", \"Indicates whether Preview feature has been enabled for the organization.\",\n \"PastExpansionWindow\", \"Past Expansion Window\", \"Specifies the maximum number of months in past for which the recurring activities can be created.\",\n \"PcfDatasetGridEnabled\", \"Enable modern grids in model-driven apps\", \"Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.\",\n \"PerformACTSyncAfter\", \"PerformACTSyncAfter\", \"This setting contains the date time before an ACT sync can execute.\",\n \"Picture\", \"Picture\", \"For internal use only.\",\n \"PinpointLanguageCode\", \"\", \"\",\n \"PluginTraceLogSetting\", \"Plug-in Trace Log Setting\", \"Plug-in Trace Log Setting for the Organization.\",\n \"PMDesignator\", \"PM Designator\", \"PM designator to use throughout Microsoft Dynamics 365.\",\n \"PostMessageWhitelistDomains\", \"For internal use only.\", \"For internal use only.\",\n \"PowerAppsMakerBotEnabled\", \"Enable bot for makers.\", \"Indicates whether bot for makers is enabled.\",\n \"PowerBIAllowCrossRegionOperations\", \"Power BI allow cross region operations\", \"Indicates whether cross region operations are allowed for the organization\",\n \"PowerBIAutomaticPermissionsAssignment\", \"Power BI automatic permissions assignment\", \"Indicates whether automatic permissions assignment to Power BI has been enabled for the organization\",\n \"PowerBIComponentsCreate\", 
\"Power BI components creation\", \"Indicates whether creation of Power BI components has been enabled for the organization\",\n \"PowerBiFeatureEnabled\", \"Enable Power BI feature for this Organization\", \"Indicates whether the Power BI feature should be enabled for the organization.\",\n \"PricingDecimalPrecision\", \"Pricing Decimal Precision\", \"Number of decimal places that can be used for prices.\",\n \"PrivacyStatementUrl\", \"Privacy Statement URL\", \"Privacy Statement URL\",\n \"PrivilegeUserGroupId\", \"Privilege User Group\", \"Unique identifier of the default privilege for users in the organization.\",\n \"PrivReportingGroupId\", \"Privilege Reporting Group\", \"For internal use only.\",\n \"PrivReportingGroupName\", \"Privilege Reporting Group Name\", \"For internal use only.\",\n \"ProductRecommendationsEnabled\", \"Enable Product Recommendations for this Organization\", \"Select whether to turn on product recommendations for the organization.\",\n \"QualifyLeadAdditionalOptions\", \"Enable New Qualify Lead Experience with configuration MDD\", \"Indicates whether prompt should be shown for new Qualify Lead Experience\",\n \"QuickActionToOpenRecordsInSidePaneEnabled\", \"Enable quick actions to open records in search side pane\", \"Flag to indicate if the feature to use quick action to open records in search side pane is enabled\",\n \"QuickFindRecordLimitEnabled\", \"Quick Find Record Limit Enabled\", \"Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).\",\n \"QuotePrefix\", \"Quote Prefix\", \"Prefix to use for all quotes throughout Microsoft Dynamics 365.\",\n \"RecalculateSLA\", \"Indicates whether SLA Recalculation has been enabled for the organization\", \"Indicates whether SLA Recalculation has been enabled for the organization\",\n \"RecurrenceDefaultNumberOfOccurrences\", \"Recurrence Default Number of Occurrences\", \"Specifies the 
default value for number of occurrences field in the recurrence dialog.\",\n \"RecurrenceExpansionJobBatchInterval\", \"Recurrence Expansion Job Batch Interval\", \"Specifies the interval (in seconds) for pausing expansion job.\",\n \"RecurrenceExpansionJobBatchSize\", \"Recurrence Expansion On Demand Job Batch Size\", \"Specifies the value for number of instances created in on demand job in one shot.\",\n \"RecurrenceExpansionSynchCreateMax\", \"Recurrence Expansion Synchronization Create Maximum\", \"Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.\",\n \"ReferenceSiteMapXml\", \"Reference SiteMap XML\", \"XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.\",\n \"ReleaseCadence\", \"Current orgnization release cadence value\", \"Current orgnization release cadence value\",\n \"ReleaseChannel\", \"Model app refresh channel\", \"Model app refresh channel\",\n \"ReleaseWaveName\", \"Release Wave\", \"Release Wave Applied to Environment.\",\n \"RelevanceSearchEnabledByPlatform\", \"Relevance search enabled automatically by Dataverse\", \"Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep\",\n \"RelevanceSearchModifiedOn\", \"RelevanceSearchModifiedOnDate\", \"This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.\",\n \"RenderSecureIFrameForEmail\", \"Render Secure Frame For Email\", \"Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. 
This is additional security but can cause a credentials prompt.\",\n \"ReportingGroupId\", \"Reporting Group\", \"For internal use only.\",\n \"ReportingGroupName\", \"Reporting Group Name\", \"For internal use only.\",\n \"ReportScriptErrors\", \"Report Script Errors\", \"Picklist for selecting the organization preference for reporting scripting errors.\",\n \"RequireApprovalForQueueEmail\", \"Is Approval For Queue Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"RequireApprovalForUserEmail\", \"Is Approval For User Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"ResolveSimilarUnresolvedEmailAddress\", \"Apply same email address to all unresolved matches when you manually resolve it for one\", \"Apply same email address to all unresolved matches when you manually resolve it for one\",\n \"RestrictStatusUpdate\", \"Restrict Status Update\", \"Flag to restrict Update on incident.\",\n \"ReverseProxyIpAddresses\", \"List of reverse proxy IP addresses to be allowed.\", \"Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.\",\n \"RiErrorStatus\", \"Error status of Relationship Insights provisioning.\", \"Error status of Relationship Insights provisioning.\",\n \"SampleDataImportId\", \"Sample Data Import\", \"Unique identifier of the sample data import job.\",\n \"SchemaNamePrefix\", \"Customization Name Prefix\", \"Prefix used for custom entities and attributes.\",\n \"SendBulkEmailInUCI\", \"Send Bulk Email in UCI\", \"Indicates whether Send Bulk Email in UCI is enabled for the org.\",\n \"ServeStaticResourcesFromAzureCDN\", \"Serve Static Content From CDN\", \"Serve Static Content From CDN\",\n \"SessionRecordingEnabled\", \"Enable the session recording feature\", \"Enable the session recording feature to record user sessions in UCI\",\n \"SessionTimeoutEnabled\", \"Session timeout enabled\", \"Information that specifies whether session timeout is 
enabled\",\n \"SessionTimeoutInMins\", \"Session timeout in minutes\", \"Session timeout in minutes\",\n \"SessionTimeoutReminderInMins\", \"Session timeout reminder in minutes\", \"Session timeout reminder in minutes\",\n \"SharePointDeploymentType\", \"Choose SharePoint Deployment Type\", \"Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)\",\n \"ShareToPreviousOwnerOnAssign\", \"Share To Previous Owner On Assign\", \"Information that specifies whether to share to previous owner on assign.\",\n \"ShowKBArticleDeprecationNotification\", \"Show KBArticle deprecation message to user\", \"Select whether to display a KB article deprecation notification to the user.\",\n \"ShowWeekNumber\", \"Show Week Number\", \"Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.\",\n \"SignupOutlookDownloadFWLink\", \"CRMForOutlookDownloadURL\", \"CRM for Outlook Download URL\",\n \"SiteMapXml\", \"SiteMap XML\", \"XML string that defines the navigation structure for the application.\",\n \"SlaPauseStates\", \"SLA pause states\", \"Contains the on hold case status values.\",\n \"SocialInsightsEnabled\", \"Social Insights Enabled\", \"Flag for whether the organization is using Social Insights.\",\n \"SocialInsightsInstance\", \"Social Insights instance identifier\", \"Identifier for the Social Insights instance for the organization.\",\n \"SocialInsightsTermsAccepted\", \"Social Insights Terms of Use\", \"Flag for whether the organization has accepted the Social Insights terms of use.\",\n \"SortId\", \"Sort\", \"For internal use only.\",\n \"SqlAccessGroupId\", \"SQL Access Group\", \"For internal use only.\",\n \"SqlAccessGroupName\", \"SQL Access Group Name\", \"For internal use only.\",\n \"SQMEnabled\", \"Is SQM Enabled\", \"Setting for SQM data collection, 0 no, 1 yes enabled\",\n \"SupportUserId\", \"Support User\", \"Unique identifier of the support user for the 
organization.\",\n \"SuppressSLA\", \"Is SLA suppressed\", \"Indicates whether SLA is suppressed.\",\n \"SuppressValidationEmails\", \"Whether Admin emails are sent when Solution Checker validation fails\", \"Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.\",\n \"SyncBulkOperationBatchSize\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\",\n \"SyncBulkOperationMaxLimit\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\",\n \"SyncOptInSelection\", \"Enable dynamics 365 azure sync framework for this organization.\", \"Indicates the selection to use the dynamics 365 azure sync framework or server side sync.\",\n \"SyncOptInSelectionStatus\", \"Status of opt-in or opt-out operation for dynamics 365 azure sync.\", \"Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.\",\n \"SystemUserId\", \"System User\", \"Unique identifier of the system user for the organization.\",\n \"TableScopedDVSearchInApps\", \"Table Scoped Dataverse Search In Apps\", \"Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.\",\n \"TagMaxAggressiveCycles\", \"Auto-Tag Max Cycles\", \"Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.\",\n \"TagPollingPeriod\", \"Auto-Tag Interval\", \"Normal polling frequency used for email receive auto-tagging in outlook.\",\n \"TaskBasedFlowEnabled\", \"Enable Task Flow processes for this Organization\", \"Select whether to turn on task flows for the organization.\",\n \"TeamsChatDataSync\", \"Enable Teams Chat Data Sync.\", \"Information on whether Teams Chat Data Sync is enabled.\",\n 
\"TelemetryInstrumentationKey\", \"Telemetry Instrumentation Key\", \"Instrumentation key for Application Insights used to log plugins telemetry.\",\n \"TextAnalyticsEnabled\", \"Enable Text Analytics for this Organization\", \"Select whether to turn on text analytics for the organization.\",\n \"TimeFormatCode\", \"Time Format Code\", \"Information that specifies how the time is displayed throughout Microsoft CRM.\",\n \"TimeFormatString\", \"Time Format String\", \"Text for how time is displayed in Microsoft Dynamics 365.\",\n \"TimeSeparator\", \"Time Separator\", \"Text for how the time separator is displayed throughout Microsoft Dynamics 365.\",\n \"TimeZoneRuleVersionNumber\", \"Time Zone Rule Version Number\", \"For internal use only.\",\n \"TokenExpiry\", \"Token Expiration Duration\", \"Duration used for token expiration.\",\n \"TokenKey\", \"Token Key\", \"Token key.\",\n \"TraceLogMaximumAgeInDays\", \"Tracelog record maximum age in days\", \"Tracelog record maximum age in days\",\n \"TrackingPrefix\", \"Tracking Prefix\", \"History list of tracking token prefixes.\",\n \"TrackingTokenIdBase\", \"Tracking Token Base\", \"Base number used to provide separate tracking token identifiers to users belonging to different deployments.\",\n \"TrackingTokenIdDigits\", \"Tracking Token Digits\", \"Number of digits used to represent a tracking token identifier.\",\n \"UniqueSpecifierLength\", \"Unique String Length\", \"Number of characters appended to invoice, quote, and order numbers.\",\n \"UnresolveEmailAddressIfMultipleMatch\", \"Set To,cc,bcc fields as unresolved if multiple matches are found\", \"Indicates whether email address should be unresolved if multiple matches are found\",\n \"UseInbuiltRuleForDefaultPricelistSelection\", \"Use Inbuilt Rule For Default Pricelist Selection\", \"Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.\",\n \"UseLegacyRendering\", \"Legacy Form Rendering\", \"Select whether to use legacy form rendering.\",\n 
\"UsePositionHierarchy\", \"Use position hierarchy\", \"Use position hierarchy\",\n \"UseQuickFindViewForGridSearch\", \"Use Quick Find view when searching in grids\", \"Indicates whether searching in a grid should use the Quick Find view for the entity.\",\n \"UserAccessAuditingInterval\", \"User Authentication Auditing Interval\", \"The interval at which user access is checked for auditing.\",\n \"UseReadForm\", \"Use Read-Optimized Form\", \"Indicates whether the read-optimized form should be enabled for this organization.\",\n \"UserGroupId\", \"User Group\", \"Unique identifier of the default group of users in the organization.\",\n \"UserRatingEnabled\", \"Enable the user rating feature\", \"Enable the user rating feature to show the NSAT score and comment to maker\",\n \"UseSkypeProtocol\", \"User Skype Protocol\", \"Indicates default protocol selected for organization.\",\n \"UTCConversionTimeZoneCode\", \"UTC Conversion Time Zone Code\", \"Time zone code that was in use when the record was created.\",\n \"ValidationMode\", \"Validation mode for apps in this environment\", \"Validation mode for apps in this environment\",\n \"WebResourceHash\", \"Web resource hash\", \"Hash value of web resources.\",\n \"WeekStartDayCode\", \"Week Start Day Code\", \"Designated first day of the week throughout Microsoft Dynamics 365.\",\n \"WidgetProperties\", \"For Internal use only.\", \"For Internal use only.\",\n \"YammerGroupId\", \"Yammer Group Id\", \"Denotes the Yammer group ID\",\n \"YammerNetworkPermalink\", \"Yammer Network Permalink\", \"Denotes the Yammer network permalink\",\n \"YammerOAuthAccessTokenExpired\", \"Yammer OAuth Access Token Expired\", \"Denotes whether the OAuth access token for Yammer network has expired\",\n \"YammerPostMethod\", \"Internal Use Only\", \"Internal Use Only\",\n \"YearStartWeekCode\", \"Year Start Week Code\", \"Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.\",\n 
\"AcknowledgementTemplateIdName\", \"\", \"Name of the template to be used for unsubscription acknowledgement.\",\n \"BaseCurrencyIdName\", \"\", \"\",\n \"BaseCurrencyPrecision\", \"Base Currency Precision\", \"Number of decimal places that can be used for the base currency.\",\n \"BaseCurrencySymbol\", \"Base Currency Symbol\", \"Symbol used for the base currency.\",\n \"BaseISOCurrencyCode\", \"Base ISO Currency Code\", \"\",\n \"CreatedBy\", \"Created By\", \"Unique identifier of the user who created the organization.\",\n \"CreatedByName\", \"\", \"\",\n \"CreatedByYomiName\", \"\", \"\",\n \"CreatedOn\", \"Created On\", \"Date and time when the organization was created.\",\n \"CreatedOnBehalfBy\", \"Created By (Delegate)\", \"Unique identifier of the delegate user who created the organization.\",\n \"CreatedOnBehalfByName\", \"\", \"\",\n \"CreatedOnBehalfByYomiName\", \"\", \"\",\n \"CurrentImportSequenceNumber\", \"Current Import Sequence Number\", \"Import sequence to use.\",\n \"CurrentParsedTableNumber\", \"Current Parsed Table Number\", \"First parsed table number to use.\",\n \"DaysSinceRecordLastModifiedMaxValue\", \"Max value of Days since record last modified\", \"The maximum value for the Mobile Offline setting Days since record last modified\",\n \"DefaultEmailServerProfileIdName\", \"\", \"Name of the email server profile to be used as default profile for the mailboxes.\",\n \"DefaultMobileOfflineProfileIdName\", \"\", \"Name of the default mobile offline profile to be used as default profile for mobile offline.\",\n \"DisabledReason\", \"Disabled Reason\", \"Reason for disabling the organization.\",\n \"EntityImage_Timestamp\", \"\", \"\",\n \"EntityImage_URL\", \"\", \"\",\n \"EntityImageId\", \"Entity Image Id\", \"For internal use only.\",\n \"FiscalSettingsUpdated\", \"Is Fiscal Settings Updated\", \"Information that specifies whether the fiscal settings have been updated.\",\n \"IsAllMoneyDecimal\", \"Set if all money attributes are 
converted to decimal\", \"Indicates whether all money attributes are converted to decimal.\",\n \"IsDisabled\", \"Is Organization Disabled\", \"Information that specifies whether the organization is disabled.\",\n \"MaxSupportedInternetExplorerVersion\", \"Max supported IE version\", \"The maximum version of IE to run browser emulation for in Outlook client\",\n \"MaxVerboseLoggingMailbox\", \"Max No Of Mailboxes To Enable For Verbose Logging\", \"Maximum number of mailboxes that can be toggled for verbose logging\",\n \"MaxVerboseLoggingSyncCycles\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\",\n \"MetadataSyncLastTimeOfNeverExpiredDeletedObjects\", \"The last date/time for never expired metadata tracking deleted objects\", \"What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.\",\n \"MetadataSyncTimestamp\", \"Metadata sync version\", \"Contains the maximum version number for attributes used by metadata synchronization that have changed.\",\n \"MobileOfflineMinLicenseProd\", \"Minimum number of user license required for mobile offline service by production/preview organization\", \"Minimum number of user license required for mobile offline service by production/preview organization\",\n \"MobileOfflineMinLicenseTrial\", \"Minimum number of user license required for mobile offline service by trial organization\", \"Minimum number of user license required for mobile offline service by trial organization\",\n \"ModifiedBy\", \"Modified By\", \"Unique identifier of the user who last modified the organization.\",\n \"ModifiedByName\", \"\", \"\",\n \"ModifiedByYomiName\", \"\", \"\",\n \"ModifiedOn\", \"Modified On\", \"Date and time when the organization was last modified.\",\n \"ModifiedOnBehalfBy\", \"Modified By (Delegate)\", \"Unique identifier of the 
delegate user who last modified the organization.\",\n \"ModifiedOnBehalfByName\", \"\", \"\",\n \"ModifiedOnBehalfByYomiName\", \"\", \"\",\n \"NextCustomObjectTypeCode\", \"Next Entity Type Code\", \"Next entity type code to use for custom entities.\",\n \"OrganizationId\", \"Organization\", \"Unique identifier of the organization.\",\n \"OrganizationState\", \"Organization State\", \"Indicates the organization lifecycle state\",\n \"ParsedTableColumnPrefix\", \"Parsed Table Column Prefix\", \"Prefix used for parsed table columns.\",\n \"ParsedTablePrefix\", \"Parsed Table Prefix\", \"Prefix used for parsed tables.\",\n \"V3CalloutConfigHash\", \"V3 Callout Hash\", \"Hash of the V3 callout configuration file.\",\n \"VersionNumber\", \"Version Number\", \"Version number of the organization.\"\n]\n| project FieldName = tolower(Field), DisplayName, Description\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsOrgSettings"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject3')._parserId3]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]",
+ "contentId": "[variables('parserObject3').parserContentId3]",
+ "kind": "Parser",
+ "version": "[variables('parserObject3').parserVersion3]",
+ "source": {
+ "name": "Microsoft Business Applications",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject3').parserContentId3]",
+ "contentKind": "Parser",
+ "displayName": "MSBizAppsOrgSettings",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '3.2.0')))]",
+ "version": "[variables('parserObject3').parserVersion3]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject3')._parserName3]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsOrgSettings",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsOrgSettings",
+ "query": "datatable (Field: string, DisplayName: string, Description: string)[\n \"ACIWebEndpointUrl\", \"ACI Tenant URL.\", \"ACI Web Endpoint URL.\",\n \"AcknowledgementTemplateId\", \"Acknowledgement Template\", \"Unique identifier of the template to be used for acknowledgement when a user unsubscribes.\",\n \"ActivityTypeFilter\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether filtering activity based on entity in app.\",\n \"ActivityTypeFilterV2\", \"Show only activities configured in the app when accessing 'New activity' button\", \"Whether to show only activities configured in this app or all activities in the 'New activity' button.\",\n \"AdvancedColumnEditorEnabled\", \"Advanced column editor enabled\", \"Flag to indicate if the display column options on a view in model-driven apps is enabled\",\n \"AdvancedColumnFilteringEnabled\", \"Advanced column filtering enabled\", \"Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled\",\n \"AdvancedFilteringEnabled\", \"Advanced filtering enabled\", \"Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled\",\n \"AdvancedLookupEnabled\", \"Advanced lookup enabled\", \"Flag to indicate if the Advanced Lookup feature is enabled for lookup controls\",\n \"AdvancedLookupInEditFilter\", \"Enable Advanced Lookup In Edit Filter\", \"Enables advanced lookup in grid edit filter panel\",\n \"AllowAddressBookSyncs\", \"Allow Address Book Synchronization\", \"Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowApplicationUserAccess\", \"Allow All Application Users Access.\", \"Information that specifies whether all application users are allowed to access the environment\",\n \"AllowAutoResponseCreation\", \"Allow Automatic Response Creation\", \"Indicates whether automatic response creation is allowed.\",\n \"AllowAutoUnsubscribe\", \"Allow Automatic Unsubscribe\", 
\"Indicates whether automatic unsubscribe is allowed.\",\n \"AllowAutoUnsubscribeAcknowledgement\", \"Allow Automatic Unsubscribe Acknowledgement\", \"Indicates whether automatic unsubscribe acknowledgement email is allowed to send.\",\n \"AllowClientMessageBarAd\", \"Allow Outlook Client Message Bar Advertisement\", \"Indicates whether Outlook Client message bar advertisement is allowed.\",\n \"AllowConnectorsOnPowerFXActions\", \"Enable connectors on power fx actions.\", \"Information on whether connectors on power fx actions is enabled.\",\n \"AllowedIpRangeForFirewall\", \"List of IP Ranges to be allowed by the firewall rule\", \"Information that specifies the range of IP addresses that are in allow list for the firewall.\",\n \"AllowedIpRangeForStorageAccessSignatures\", \"List of IP Ranges to be allowed for generating the SAS URIs.\", \"Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.\",\n \"AllowedMimeTypes\", \"List of allowed mime types.\", \"Allow upload or download of certain mime types.\",\n \"AllowedServiceTagsForFirewall\", \"List of Service Tags to be allowed by the firewall rule\", \"Information that specifies the List of Service Tags that should be allowed by the firewall.\",\n \"AllowEntityOnlyAudit\", \"Allow Entity Level Auditing\", \"Indicates whether auditing of changes to entity is allowed when no attributes have changed.\",\n \"AllowLeadingWildcardsInGridSearch\", \"Allow Leading Wildcards In Grid Search\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLeadingWildcardsInQuickFind\", \"Allow Leading Wildcards In Quick Find\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLegacyClientExperience\", \"Enable access to legacy web client UI\", \"Enable access to legacy web client UI\",\n \"AllowLegacyDialogsEmbedding\", \"Enable embedding of certain 
legacy dialogs in Unified Interface browser client\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\",\n \"AllowMarketingEmailExecution\", \"Allow Marketing Email Execution\", \"Indicates whether marketing emails execution is allowed.\",\n \"AllowMicrosoftTrustedServiceTags\", \"Allow Microsoft Trusted Service Tags\", \"Information that specifies whether Microsoft Trusted Service Tags are allowed\",\n \"AllowOfflineScheduledSyncs\", \"Allow Offline Scheduled Synchronization\", \"Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowOutlookScheduledSyncs\", \"Allow Scheduled Synchronization\", \"Indicates whether scheduled synchronizations to Outlook are allowed.\",\n \"AllowRedirectAdminSettingsToModernUI\", \"Allow Redirect Legacy Admin Settings To Modern UI\", \"Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI\",\n \"AllowUnresolvedPartiesOnEmailSend\", \"Allow Unresolved Address Email Send\", \"Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).\",\n \"AllowUserFormModePreference\", \"Allow User Form Mode Preference\", \"Indicates whether individuals can select their form mode preference in their personal options.\",\n \"AllowUsersHidingSystemViews\", \"Allow users hiding system views\", \"Flag to indicate if allow end users to hide system views in model-driven apps is enabled\",\n \"AllowUsersSeeAppdownloadMessage\", \"Allow the showing tablet application notification bars in a browser.\", \"Indicates whether the showing tablet application notification bars in a browser is allowed.\",\n \"AllowWebExcelExport\", \"Allow Export to Excel\", \"Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.\",\n \"AMDesignator\", \"AM Designator\", \"AM designator to use throughout Microsoft Dynamics CRM.\",\n \"AppDesignerExperienceEnabled\", \"Enable App Designer 
Experience for this Organization\", \"Indicates whether the appDesignerExperience is enabled for the organization.\",\n \"AppointmentRichEditorExperience\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether rich editing experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeeting\", \"Enable teams Meeting experience for appointment\", \"Information on whether Teams meeting experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeetingV2\", \"Enable Teams meetings for appointments\", \"Whether Teams meetings experience for appointments is enabled.\",\n \"AuditRetentionPeriod\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AuditRetentionPeriodV2\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AutoApplyDefaultonCaseCreate\", \"Auto Apply Default Entitlement on Case Create\", \"Select whether to auto apply the default customer entitlement on case creation.\",\n \"AutoApplyDefaultonCaseUpdate\", \"Auto Apply Default Entitlement on Case Update\", \"Select whether to auto apply the default customer entitlement on case update.\",\n \"AutoApplySLA\", \"Is Auto-apply SLA After Manually Over-riding\", \"Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.\",\n \"AzureSchedulerJobCollectionName\", \"For internal use only.\", \"For internal use only.\",\n \"BaseCurrencyId\", \"Currency\", \"Unique identifier of the base currency of the organization.\",\n \"BingMapsApiKey\", \"Bing Maps API Key\", \"Api Key to be used in requests to Bing Maps services.\",\n \"BlockedAttachments\", \"Block Attachments\", \"Prevent upload or download of certain attachment types that are considered dangerous.\",\n \"BlockedMimeTypes\", \"List of blocked mime types.\", \"Prevent upload or download of certain mime types that are considered dangerous.\",\n 
\"BoundDashboardDefaultCardExpanded\", \"Display cards in expanded state for Interactive Dashboard\", \"Display cards in expanded state for interactive dashboard\",\n \"BulkOperationPrefix\", \"Bulk Operation Prefix\", \"Prefix used for bulk operation numbering.\",\n \"BusinessCardOptions\", \"Enable New BusinessCardOptions\", \"BusinessCardOptions\",\n \"BusinessClosureCalendarId\", \"Business Closure Calendar\", \"Unique identifier of the business closure calendar of organization.\",\n \"CalendarType\", \"Calendar Type\", \"Calendar type for the system. Set to Gregorian US by default.\",\n \"CampaignPrefix\", \"Campaign Prefix\", \"Prefix used for campaign numbering.\",\n \"CanOptOutNewSearchExperience\", \"Can disable Oct 2020 Search\", \"Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)\",\n \"CascadeStatusUpdate\", \"Cascade Status Update\", \"Flag to cascade Update on incident.\",\n \"CasePrefix\", \"Case Prefix\", \"Prefix to use for all cases throughout Microsoft Dynamics 365.\",\n \"CategoryPrefix\", \"Category Prefix\", \"Type the prefix to use for all categories in Microsoft Dynamics 365.\",\n \"ClientFeatureSet\", \"Client Feature Set\", \"Client Features to be enabled as an XML BLOB.\",\n \"ContentSecurityPolicyConfiguration\", \"Content Security Policy Configuration\", \"Policy configuration for CSP\",\n \"ContentSecurityPolicyConfigurationForCanvas\", \"Content Security Policy Configuration for Canvas apps\", \"Content Security Policy configuration for Canvas apps.\",\n \"ContentSecurityPolicyOptions\", \"Content Security Policy Options\", \"Content Security Policy Options.\",\n \"ContentSecurityPolicyReportUri\", \"Content Security Policy Report Uri\", \"Content Security Policy Report Uri.\",\n \"ContractPrefix\", \"Contract Prefix\", \"Prefix to use for all contracts throughout Microsoft Dynamics 365.\",\n \"CopresenceRefreshRate\", \"CopresenceRefreshRate\", \"Refresh rate for copresence 
data in seconds.\",\n \"CortanaProactiveExperienceEnabled\", \"Enable Cortana Proactive Experience Flow processes for this Organization\", \"Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.\",\n \"CreateProductsWithoutParentInActiveState\", \"Enable Active Initial Product State\", \"Enable Initial state of newly created products to be Active instead of Draft\",\n \"CurrencyDecimalPrecision\", \"Currency Decimal Precision\", \"Number of decimal places that can be used for currency.\",\n \"CurrencyDisplayOption\", \"Display Currencies Using\", \"Indicates whether to display money fields with currency code or currency symbol.\",\n \"CurrencyFormatCode\", \"Currency Format Code\", \"Information about how currency symbols are placed throughout Microsoft Dynamics CRM.\",\n \"CurrencySymbol\", \"Currency Symbol\", \"Symbol used for currency throughout Microsoft Dynamics 365.\",\n \"CurrentBulkOperationNumber\", \"Current Bulk Operation Number\", \"Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCampaignNumber\", \"Current Campaign Number\", \"Current campaign number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCaseNumber\", \"Current Case Number\", \"First case number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCategoryNumber\", \"Current Category Number\", \"Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentContractNumber\", \"Current Contract Number\", \"First contract number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentInvoiceNumber\", \"Current Invoice Number\", \"First invoice number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKaNumber\", \"Current Knowledge Article Number\", \"Enter the first number to use for knowledge articles. Deprecated. 
Use SetAutoNumberSeed message.\",\n \"CurrentKbNumber\", \"Current Article Number\", \"First article number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentOrderNumber\", \"Current Order Number\", \"First order number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentQuoteNumber\", \"Current Quote Number\", \"First quote number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"DateFormatCode\", \"Date Format Code\", \"Information about how the date is displayed throughout Microsoft CRM.\",\n \"DateFormatString\", \"Date Format String\", \"String showing how the date is displayed throughout Microsoft CRM.\",\n \"DateSeparator\", \"Date Separator\", \"Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.\",\n \"DaysBeforeEmailDescriptionIsMigrated\", \"Number of days before we migrate email description to blob.\", \"Number of days before we migrate email description to blob.\",\n \"DaysBeforeInactiveTeamsChatSyncDisabled\", \"Days Before Inactive Teams Chat Sync Disabled\", \"Days of inactivity before sync is disabled for a Teams Chat.\",\n \"DecimalSymbol\", \"Decimal Symbol\", \"Symbol used for decimal in Microsoft Dynamics 365.\",\n \"DefaultCountryCode\", \"Default Country Code\", \"Text area to enter default country code.\",\n \"DefaultCrmCustomName\", \"Name of the default app\", \"Name of the default crm custom.\",\n \"DefaultEmailServerProfileId\", \"Email Server Profile\", \"Unique identifier of the default email server profile.\",\n \"DefaultEmailSettings\", \"Default Email Settings\", \"XML string containing the default email settings that are applied when a user or queue is created.\",\n \"DefaultMobileOfflineProfileId\", \"Default Mobile Offline Profile\", \"Unique identifier of the default mobile offline profile.\",\n \"DefaultRecurrenceEndRangeType\", \"Default Recurrence End Range Type\", \"Type of default recurrence end range date.\",\n \"DefaultThemeData\", 
\"Default Theme Data\", \"Default theme data for the organization.\",\n \"DelegatedAdminUserId\", \"Delegated Admin\", \"Unique identifier of the delegated admin user for the organization.\",\n \"DisableSocialCare\", \"Is Social Care disabled\", \"Indicates whether Social Care is disabled.\",\n \"DiscountCalculationMethod\", \"Discount calculation method\", \"Discount calculation method for the QOOI product.\",\n \"DisplayNavigationTour\", \"Display Navigation Tour\", \"Indicates whether or not navigation tour is displayed.\",\n \"EmailConnectionChannel\", \"Email Connection Channel\", \"Select if you want to use the Email Router or server-side synchronization for email processing.\",\n \"EmailCorrelationEnabled\", \"Use Email Correlation\", \"Flag to turn email correlation on or off.\",\n \"EmailSendPollingPeriod\", \"Email Send Polling Frequency\", \"Normal polling frequency used for sending email in Microsoft Office Outlook.\",\n \"EnableAsyncMergeAPIForUCI\", \"Asynchronous merge enabled for UCI\", \"Determines whether records merged through the merge dialog in UCI are merged asynchronously\",\n \"EnableBingMapsIntegration\", \"Enable Integration with Bing Maps\", \"Enable Integration with Bing Maps\",\n \"EnableCanvasAppsInSolutionsByDefault\", \"Enable the creation of Canvas apps in Dataverse / Solution by default\", \"Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.\",\n \"EnableFlowsInSolutionByDefault\", \"Enable the creation of flows within a solution by default.\", \"Indicates whether the creation of flows is within a solution by default for this organization.\",\n \"EnableFlowsInSolutionByDefaultGracePeriod\", \"Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.\", \"Organizations with this attribute set to true will be granted a grace period and excluded from the 
initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.\",\n \"EnableImmersiveSkypeIntegration\", \"Enable Integration with Immersive Skype\", \"Enable Integration with Immersive Skype\",\n \"EnableIpBasedCookieBinding\", \"Enable IP Address Based Cookie Binding\", \"Information that specifies whether IP based cookie binding is enabled\",\n \"EnableIpBasedFirewallRule\", \"Enable IP Range based Firewall\", \"Information that specifies whether IP based firewall rule is enabled\",\n \"EnableIpBasedFirewallRuleInAuditMode\", \"Enable IP Range based Firewall In Audit Only Mode\", \"Information that specifies whether IP based firewall rule is enabled in Audit Only Mode\",\n \"EnableIpBasedStorageAccessSignatureRule\", \"Enable IP SAS URI generation rule\", \"Information that specifies whether IP based SAS URI generation rule is enabled\",\n \"EnableLivePersonaCardUCI\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\",\n \"EnableLivePersonCardIntegrationInOffice\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\",\n \"EnableLPAuthoring\", \"Enable Learning Path Authoring\", \"Select to enable learning path auhtoring.\",\n \"EnableMakerSwitchToClassic\", \"Switch Maker Portal to Classic\", \"Control whether the organization Switch Maker Portal to Classic\",\n \"EnableMicrosoftFlowIntegration\", \"Enable Integration with Microsoft Flow\", \"Enable Integration with Microsoft Flow\",\n \"EnablePricingOnCreate\", \"Enable Pricing On Create\", \"Enable pricing calculations on a Create call.\",\n \"EnableSmartMatching\", \"Enable Smart Matching\", \"Use Smart Matching.\",\n 
\"EnableUnifiedClientCDN\", \"Enable UCI CDN for organization\", \"Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.\",\n \"EnableUnifiedInterfaceShellRefresh\", \"Enable site map and commanding update\", \"Enable site map and commanding update\",\n \"EnforceReadOnlyPlugins\", \"Organization setting to enforce read only plugins.\", \"Organization setting to enforce read only plugins.\",\n \"EntityImage\", \"Entity Image\", \"The default image for the entity.\",\n \"ExpireChangeTrackingInDays\", \"Days to Expire Change Tracking Deleted Records\", \"Maximum number of days to keep change tracking deleted records\",\n \"ExpireSubscriptionsInDays\", \"Days to Expire Subscriptions\", \"Maximum number of days before deleting inactive subscriptions.\",\n \"ExternalBaseUrl\", \"External Base URL\", \"Specify the base URL to use to look for external document suggestions.\",\n \"ExternalPartyCorrelationKeys\", \"ExternalPartyEnabled Entities correlation Keys\", \"XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only\",\n \"ExternalPartyEntitySettings\", \"ExternalPartyEnabled Entities Settings.For internal use only\", \"XML string containing the ExternalPartyEnabled entities settings.\",\n \"FeatureSet\", \"Feature Set\", \"Features to be enabled as an XML BLOB.\",\n \"FiscalCalendarStart\", \"Fiscal Calendar Start\", \"Start date for the fiscal period that is to be used throughout Microsoft CRM.\",\n \"FiscalPeriodFormat\", \"Fiscal Period Format\", \"Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.\",\n \"FiscalPeriodFormatPeriod\", \"Format for Fiscal Period\", \"Format in which the fiscal period will be displayed.\",\n \"FiscalPeriodType\", \"Fiscal Period Type\", \"Type of fiscal period used throughout Microsoft CRM.\",\n 
\"FiscalYearDisplayCode\", \"Fiscal Year Display\", \"Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.\",\n \"FiscalYearFormat\", \"Fiscal Year Format\", \"Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.\",\n \"FiscalYearFormatPrefix\", \"Prefix for Fiscal Year\", \"Prefix for the display of the fiscal year.\",\n \"FiscalYearFormatSuffix\", \"Suffix for Fiscal Year\", \"Suffix for the display of the fiscal year.\",\n \"FiscalYearFormatYear\", \"Fiscal Year Format Year\", \"Format for the year.\",\n \"FiscalYearPeriodConnect\", \"Fiscal Year Period Connector\", \"Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.\",\n \"FullNameConventionCode\", \"Full Name Display Order\", \"Order in which names are to be displayed throughout Microsoft CRM.\",\n \"FutureExpansionWindow\", \"Future Expansion Window\", \"Specifies the maximum number of months in future for which the recurring activities can be created.\",\n \"GenerateAlertsForErrors\", \"Generate Alerts For Errors\", \"Indicates whether alerts will be generated for errors.\",\n \"GenerateAlertsForInformation\", \"Generate Alerts For Information\", \"Indicates whether alerts will be generated for information.\",\n \"GenerateAlertsForWarnings\", \"Generate Alerts For Warnings\", \"Indicates whether alerts will be generated for warnings.\",\n \"GetStartedPaneContentEnabled\", \"Is Get Started Pane Content Enabled\", \"Indicates whether Get Started content is enabled for this organization.\",\n \"GlobalAppendUrlParametersEnabled\", \"Is AppendUrl Parameters enabled\", \"Indicates whether the append URL parameters is enabled.\",\n \"GlobalHelpUrl\", \"Global Help URL.\", \"URL for the web page global help.\",\n \"GlobalHelpUrlEnabled\", \"Is Customizable Global Help enabled\", \"Indicates whether the customizable 
global help is enabled.\",\n \"GoalRollupExpiryTime\", \"Rollup Expiration Time for Goal\", \"Number of days after the goal's end date after which the rollup of the goal stops automatically.\",\n \"GoalRollupFrequency\", \"Automatic Rollup Frequency for Goal\", \"Number of hours between automatic rollup jobs .\",\n \"GrantAccessToNetworkService\", \"Grant Access To Network Service\", \"For internal use only.\",\n \"HashDeltaSubjectCount\", \"Hash Delta Subject Count\", \"Maximum difference allowed between subject keywords count of the email messaged to be correlated\",\n \"HashFilterKeywords\", \"Hash Filter Keywords\", \"Filter Subject Keywords\",\n \"HashMaxCount\", \"Hash Max Count\", \"Maximum number of subject keywords or recipients used for correlation\",\n \"HashMinAddressCount\", \"Hash Min Address Count\", \"Minimum number of recipients required to match for email messaged to be correlated\",\n \"HighContrastThemeData\", \"High contrast Theme Data\", \"High contrast theme data for the organization.\",\n \"IgnoreInternalEmail\", \"Ignore Internal Email\", \"Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.\",\n \"ImproveSearchLoggingEnabled\", \"Share search query data\", \"Indicates whether an organization has consented to sharing search query data to help improve search results\",\n \"InactivityTimeoutEnabled\", \"Inactivity timeout enabled\", \"Information that specifies whether Inactivity timeout is enabled\",\n \"InactivityTimeoutInMins\", \"Inactivity timeout in minutes\", \"Inactivity timeout in minutes\",\n \"InactivityTimeoutReminderInMins\", \"Inactivity timeout reminder in minutes\", \"Inactivity timeout reminder in minutes\",\n \"IncomingEmailExchangeEmailRetrievalBatchSize\", \"Exchange Email Retrieval Batch Size\", \"Setting for the Async Service Mailbox Queue. 
Defines the retrieval batch size of exchange server.\",\n \"InitialVersion\", \"Initial Version\", \"Initial version of the organization.\",\n \"IntegrationUserId\", \"Integration User\", \"Unique identifier of the integration user for the organization.\",\n \"InvoicePrefix\", \"Invoice Prefix\", \"Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.\",\n \"IpBasedStorageAccessSignatureMode\", \"IP Based SAS mode\", \"IP Based SAS mode.\",\n \"IsActionCardEnabled\", \"Enable Action Card for this Organization\", \"Indicates whether the feature Action Card should be enabled for the organization.\",\n \"IsActionSupportFeatureEnabled\", \"Action Support Feature enabled\", \"Information that specifies whether Action Support Feature is enabled\",\n \"IsActivityAnalysisEnabled\", \"Enable Relationship Analytics for this Organization\", \"Indicates whether the feature Relationship Analytics should be enabled for the organization.\",\n \"IsAppMode\", \"Is Application Mode Enabled\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsAppointmentAttachmentSyncEnabled\", \"Is Attachment Sync Enabled\", \"Enable or disable attachments sync for outlook and exchange.\",\n \"IsAssignedTasksSyncEnabled\", \"Is Assigned Tasks Sync Enabled\", \"Enable or disable assigned tasks sync for outlook and exchange.\",\n \"IsAuditEnabled\", \"Is Auditing Enabled\", \"Enable or disable auditing of changes.\",\n \"IsAutoDataCaptureEnabled\", \"Enable Auto Capture for this Organization\", \"Indicates whether the feature Auto Capture should be enabled for the organization.\",\n \"IsAutoDataCaptureV2Enabled\", \"Enable Auto Capture V2 for this Organization\", \"Indicates whether the V2 feature of Auto Capture should be enabled for the organization.\",\n \"IsAutoInstallAppForD365InTeamsEnabled\", \"IsAutoInstallAppForD365InTeamsEnabled\", \"\",\n \"IsAutoSaveEnabled\", \"Auto Save 
Enabled\", \"Information on whether auto save is enabled.\",\n \"IsBaseCardStaticFieldDataEnabled\", \"IsBaseCardStaticFieldDataEnabled\", \"\",\n \"IsBasicGeospatialIntegrationEnabled\", \"Enable the basic Geospatial features in Canvas Apps\", \"Determines whether users can make use of basic Geospatial featuers in Canvas apps.\",\n \"IsBPFEntityCustomizationFeatureEnabled\", \"BPF Entity Customization Feature enabled\", \"Information that specifies whether BPF Entity Customization Feature is enabled\",\n \"IsCollaborationExperienceEnabled\", \"IsCollaborationExperienceEnabled\", \"\",\n \"IsConflictDetectionEnabledForMobileClient\", \"Is Conflict Detection for Mobile Client enabled\", \"Information that specifies whether conflict detection for mobile client is enabled.\",\n \"IsContactMailingAddressSyncEnabled\", \"Is Mailing Address Sync Enabled\", \"Enable or disable mailing address sync for outlook and exchange.\",\n \"IsContentSecurityPolicyEnabled\", \"Enable Content Security Policy for this organization\", \"Indicates whether Content Security Policy has been enabled for the organization.\",\n \"IsContentSecurityPolicyEnabledForCanvas\", \"Enable Content Security Policy for this organization's Canvas apps\", \"Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.\",\n \"IsContextualEmailEnabled\", \"Indicates whether Contextual email experience is enabled on this organization\", \"Indicates whether Contextual email experience is enabled on this organization\",\n \"IsContextualHelpEnabled\", \"Enables Contextual Help in UCI\", \"Select to enable Contextual Help in UCI.\",\n \"IsCopilotFeedbackEnabled\", \"Allow users to provide feedback for App Copilot\", \"Determines whether users can provide feedback for App Copilot.\",\n \"IsCustomControlsInCanvasAppsEnabled\", \"Enable Custom Controls in canvas PowerApps feature for this organization\", \"Indicates whether Custom Controls in canvas PowerApps feature has been 
enabled for the organization.\",\n \"IsDefaultCountryCodeCheckEnabled\", \"Enable or disable country code selection\", \"Enable or disable country code selection.\",\n \"IsDelegateAccessEnabled\", \"Is Delegation Access Enabled\", \"Enable Delegation Access content\",\n \"IsDelveActionHubIntegrationEnabled\", \"Enable Action Hub for this Organization\", \"Indicates whether the feature Action Hub should be enabled for the organization.\",\n \"IsDesktopFlowSchemaV2Enabled\", \"Enable v2 schema for Desktop Flows in this organization.\", \"Indicates whether v2 schema for Desktop Flows is enabled in this organization.\",\n \"IsDuplicateDetectionEnabled\", \"Is Duplicate Detection Enabled\", \"Indicates whether duplicate detection of records is enabled.\",\n \"IsDuplicateDetectionEnabledForImport\", \"Is Duplicate Detection Enabled For Import\", \"Indicates whether duplicate detection of records during import is enabled.\",\n \"IsDuplicateDetectionEnabledForOfflineSync\", \"Is Duplicate Detection Enabled For Offline Synchronization\", \"Indicates whether duplicate detection of records during offline synchronization is enabled.\",\n \"IsDuplicateDetectionEnabledForOnlineCreateUpdate\", \"Is Duplicate Detection Enabled for Online Create/Update\", \"Indicates whether duplicate detection during online create or update is enabled.\",\n \"IsEmailAddressValidationEnabled\", \"Enable Smart Email Address Validation.\", \"Information on whether Smart Email Address Validation is enabled.\",\n \"IsEmailMonitoringAllowed\", \"Allow tracking recipient activity on sent emails\", \"Allow tracking recipient activity on sent emails.\",\n \"IsEmailServerProfileContentFilteringEnabled\", \"Is Email Server Profile Content Filtering Enabled\", \"Enable Email Server Profile content filtering\",\n \"IsEnabledForAllRoles\", \"option set values for isenabledforallroles\", \"Indicates whether appmodule is enabled for all roles\",\n \"IsExternalFileStorageEnabled\", \"Enable external file 
storage\", \"Indicates whether the organization's files are being stored in Azure.\",\n \"IsExternalSearchIndexEnabled\", \"Enable external search data syncing\", \"Select whether data can be synchronized with an external search index.\",\n \"IsFiscalPeriodMonthBased\", \"Is Fiscal Period Monthly\", \"Indicates whether the fiscal period is displayed as the month number.\",\n \"IsFolderAutoCreatedonSP\", \"Automatically create folders\", \"Select whether folders should be automatically created on SharePoint.\",\n \"IsFolderBasedTrackingEnabled\", \"Is Folder Based Tracking Enabled\", \"Enable or disable folder based tracking for Server Side Sync.\",\n \"IsFullTextSearchEnabled\", \"Enable Full-text search for Quick Find\", \"Indicates whether full-text search for Quick Find entities should be enabled for the organization.\",\n \"IsGeospatialAzureMapsIntegrationEnabled\", \"Enable geospatial Azure Maps integration.\", \"Indicates whether geospatial capabilities leveraging Azure Maps are enabled.\",\n \"IsHierarchicalSecurityModelEnabled\", \"Enable Hierarchical Security Model\", \"Enable Hierarchical Security Model\",\n \"IsIdeasDataCollectionEnabled\", \"Enable Ideas data collection.\", \"Indicates whether data collection for ideas in canvas PowerApps has been enabled.\",\n \"IsLUISEnabledforD365Bot\", \"LUIS Consent for Dynamics 365 Bot\", \"Give Consent to use LUIS in Dynamics 365 Bot\",\n \"IsMailboxForcedUnlockingEnabled\", \"Is Mailbox Forced Unlocking Enabled\", \"Enable or disable forced unlocking for Server Side Sync mailboxes.\",\n \"IsMailboxInactiveBackoffEnabled\", \"Is Mailbox Keep Alive Enabled\", \"Enable or disable mailbox keep alive for Server Side Sync.\",\n \"IsManualSalesForecastingEnabled\", \"Enable Manual Sales Forecasting feature for this organization\", \"Indicates whether Manual Sales Forecasting feature has been enabled for the organization.\",\n \"IsMobileClientOnDemandSyncEnabled\", \"Is Mobile Client On Demand Sync enabled\", 
\"Information that specifies whether mobile client on demand sync is enabled.\",\n \"IsMobileOfflineEnabled\", \"Enable MobileOffline for this Organization\", \"Indicates whether the feature MobileOffline should be enabled for the organization.\",\n \"IsModelDrivenAppsInMSTeamsEnabled\", \"Enable embedding Model Apps in Microsoft Teams\", \"Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.\",\n \"IsMSTeamsCollaborationEnabled\", \"Enable Microsoft Teams Collaboration for this organization\", \"Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.\",\n \"IsMSTeamsEnabled\", \"Enable Microsoft Teams integration\", \"Indicates whether Microsoft Teams integration has been enabled for the organization.\",\n \"IsMSTeamsSettingChangedByUser\", \"Microsoft Teams integration changed by user\", \"Indicates whether the user has enabled or disabled Microsoft Teams integration.\",\n \"IsMSTeamsUserSyncEnabled\", \"Enable Microsoft Teams User Sync for this organization\", \"Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.\",\n \"IsNewAddProductExperienceEnabled\", \"Indicates whether new add product experience is enabled in opportunity form\", \"Indicates whether new add product experience is enabled.\",\n \"IsNotesAnalysisEnabled\", \"Enable Notes Analysis for this Organization\", \"Indicates whether the feature Notes Analysis should be enabled for the organization.\",\n \"IsNotificationForD365InTeamsEnabled\", \"IsNotificationForD365InTeamsEnabled\", \"\",\n \"IsOfficeGraphEnabled\", \"Enable OfficeGraph for this Organization\", \"Indicates whether the feature OfficeGraph should be enabled for the organization.\",\n \"IsOneDriveEnabled\", \"Enable One Drive for this Organization\", \"Indicates whether the feature One Drive should be enabled for the organization.\",\n \"IsPAIEnabled\", \"Enable PAI feature for this 
organization\", \"Indicates whether PAI feature has been enabled for the organization.\",\n \"IsPDFGenerationEnabled\", \"Enable PDF Generation feature for this organization\", \"Indicates whether PDF Generation feature has been enabled for the organization.\",\n \"IsPlaybookEnabled\", \"Enable playbook feature for this organization\", \"Indicates whether playbook feature has been enabled for the organization.\",\n \"IsPresenceEnabled\", \"Presence Enabled\", \"Information on whether IM presence is enabled.\",\n \"IsPreviewEnabledForActionCard\", \"Enable Preview Action Card feature for this Organization\", \"Indicates whether the Preview feature for Action Card should be enabled for the organization.\",\n \"IsPreviewForAutoCaptureEnabled\", \"Enable Auto Capture for this Organization at Preview Settings\", \"Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.\",\n \"IsPreviewForEmailMonitoringAllowed\", \"Allows Preview For Email Monitoring\", \"Is Preview For Email Monitoring Allowed.\",\n \"IsPriceListMandatory\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities.\",\n \"IsQuickCreateEnabledForOpportunityClose\", \"Enable quick create form for opportunity close feature for this organization\", \"Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.\",\n \"IsReadAuditEnabled\", \"Is Read Auditing Enabled\", \"Enable or disable auditing of read operations.\",\n \"IsRelationshipInsightsEnabled\", \"Enable Relationship Insights for this Organization\", \"Indicates whether the feature Relationship Insights should be enabled for the organization.\",\n \"IsResourceBookingExchangeSyncEnabled\", \"Resource booking synchronization enabled\", \"Indicates if the synchronization of user resource booking with Exchange is enabled at 
organization level.\",\n \"IsRichTextNotesEnabled\", \"Indicates whether rich text editor for notes experience is enabled on this organization\", \"Indicates whether rich text editor for notes experience is enabled on this organization\",\n \"IsRpaAutoscaleAadJoinEnabled\", \"Enable AAD Join for RPA Autoscale feature for this organization.\", \"Indicates whether AAD Join for RPA Autoscale is enabled in this organization..\",\n \"IsRpaAutoscaleEnabled\", \"Enable RPA Autoscale feature for this organization\", \"Indicates whether Autoscale feature for RPA is enabled in this organization.\",\n \"IsRpaBoxCrossGeoEnabled\", \"Enable RPA Box cross geo feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.\",\n \"IsRpaBoxEnabled\", \"Enable RPA Box feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization.\",\n \"IsRpaUnattendedEnabled\", \"Enable RPA Unattended feature for this organization\", \"Indicates whether Unattended runs feature for RPA is enabled in this organization.\",\n \"IsSalesAssistantEnabled\", \"Enable Sales Assistant mobile app\", \"Indicates whether Sales Assistant mobile app has been enabled for the organization.\",\n \"IsSharingInOrgAllowed\", \"IsSharingInOrgAllowed\", \"\",\n \"IsSOPIntegrationEnabled\", \"Is Sales Order Integration Enabled\", \"Enable sales order processing integration.\",\n \"IsTextWrapEnabled\", \"Enable Text Wrap\", \"Information on whether text wrap is enabled.\",\n \"IsUserAccessAuditEnabled\", \"Is User Access Auditing Enabled\", \"Enable or disable auditing of user access.\",\n \"ISVIntegrationCode\", \"ISV Integration Mode\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsWriteInProductsAllowed\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or 
not\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.\",\n \"KaPrefix\", \"Knowledge Article Prefix\", \"Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.\",\n \"KbPrefix\", \"Article Prefix\", \"Prefix to use for all articles in Microsoft Dynamics 365.\",\n \"KMSettings\", \"Knowledge Management Settings\", \"XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.\",\n \"LanguageCode\", \"Language\", \"Preferred language for the organization.\",\n \"LocaleId\", \"Locale\", \"Unique identifier of the locale of the organization.\",\n \"LongDateFormatCode\", \"Long Date Format\", \"Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.\",\n \"LookupCharacterCountBeforeResolve\", \"Minimum number of characters before resolving suggestions in lookup\", \"Minimum number of characters that should be entered in the lookup control before resolving for suggestions\",\n \"LookupResolveDelayMS\", \"Minimum delay (in milliseconds) for debouncing lookup control input\", \"Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions\",\n \"MailboxIntermittentIssueMinRange\", \"Lower Threshold For Mailbox Intermittent Issue\", \"Lower Threshold For Mailbox Intermittent Issue.\",\n \"MailboxPermanentIssueMinRange\", \"Lower Threshold For Mailbox Permanent Issue.\", \"Lower Threshold For Mailbox Permanent Issue.\",\n \"MaxActionStepsInBPF\", \"Maximum number of actionsteps allowed in a BPF\", \"Maximum number of actionsteps allowed in a BPF\",\n \"MaxAllowedPendingRollupJobCount\", \"MaxAllowedPendingRollupJobCount\", \"Maximum Allowed Pending Rollup Job Count\",\n \"MaxAllowedPendingRollupJobPercentage\", \"MaxAllowedPendingRollupJobPercentage\", \"Percentage Of Entity Table Size For Kicking Off Bootstrap Job\",\n \"MaxAppointmentDurationDays\", \"Max Appointment 
Duration\", \"Maximum number of days an appointment can last.\",\n \"MaxConditionsForMobileOfflineFilters\", \"Maximum number of conditions allowed for mobile offline filters\", \"Maximum number of conditions allowed for mobile offline filters\",\n \"MaxDepthForHierarchicalSecurityModel\", \"Maximum depth for hierarchy security propagation.\", \"Maximum depth for hierarchy security propagation.\",\n \"MaxFolderBasedTrackingMappings\", \"Max Folder Based Tracking Mappings\", \"Maximum number of Folder Based Tracking mappings user can add\",\n \"MaximumActiveBusinessProcessFlowsAllowedPerEntity\", \"Maximum active business process flows per entity\", \"Maximum number of active business process flows allowed per entity\",\n \"MaximumDynamicPropertiesAllowed\", \"Product Properties Item Limit\", \"Restrict the maximum number of product properties for a product family/bundle\",\n \"MaximumEntitiesWithActiveSLA\", \"Maximum number of active SLA allowed per entity in online\", \"Maximum number of active SLA allowed per entity in online\",\n \"MaximumSLAKPIPerEntityWithActiveSLA\", \"Maximum number of active SLA KPI allowed per entity in online\", \"Maximum number of SLA KPI per active SLA allowed for entity in online\",\n \"MaximumTrackingNumber\", \"Max Tracking Number\", \"Maximum tracking number before recycling takes place.\",\n \"MaxProductsInBundle\", \"Bundle Item Limit\", \"Restrict the maximum no of items in a bundle\",\n \"MaxRecordsForExportToExcel\", \"Max Records For Excel Export\", \"Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.\",\n \"MaxRecordsForLookupFilters\", \"Max Records Filter Selection\", \"Maximum number of lookup and picklist records that can be selected by user for filtering.\",\n \"MaxRollupFieldsPerEntity\", \"MaxRollupFieldsPerEntity\", \"Maximum Rollup Fields Per Entity\",\n \"MaxRollupFieldsPerOrg\", \"MaxRollupFieldsPerOrg\", \"Maximum Rollup Fields Per 
Organization\",\n \"MaxSLAItemsPerSLA\", \"Max SLA Items Per SLA\", \"\",\n \"MaxUploadFileSize\", \"Max Upload File Size\", \"Maximum allowed size of an attachment.\",\n \"MicrosoftFlowEnvironment\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\",\n \"MinAddressBookSyncInterval\", \"Min Address Synchronization Frequency\", \"Normal polling frequency used for address book synchronization in Microsoft Office Outlook.\",\n \"MinOfflineSyncInterval\", \"Min Offline Synchronization Frequency\", \"Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.\",\n \"MinOutlookSyncInterval\", \"Min Synchronization Frequency\", \"Minimum allowed time between scheduled Outlook synchronizations.\",\n \"MobileOfflineSyncInterval\", \"Sync interval for mobile offline.\", \"Sync interval for mobile offline.\",\n \"ModernAdvancedFindFiltering\", \"Modern advanced find filtering\", \"Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled\",\n \"ModernAppDesignerCoauthoringEnabled\", \"Coauthoring in Modern App Designer Enabled\", \"Indicates whether coauthoring is enabled in modern app designer\",\n \"MultiColumnSortEnabled\", \"Enable Multi Column Sort Editor In Views\", \"Show the sort by button on views\",\n \"Name\", \"Organization Name\", \"Name of the organization. 
The name is set when Microsoft CRM is installed and should not be changed.\",\n \"NaturalLanguageAssistFilter\", \"Natural Language Assist\", \"Enables Natural Language Assist Filter.\",\n \"NegativeCurrencyFormatCode\", \"Negative Currency Format\", \"Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.\",\n \"NegativeFormatCode\", \"Negative Format\", \"Information that specifies how negative numbers are displayed throughout Microsoft CRM.\",\n \"NewSearchExperienceEnabled\", \"Oct 2020 Search enabled\", \"Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization\",\n \"NextTrackingNumber\", \"Next Tracking Number\", \"Next token to be placed on the subject line of an email message.\",\n \"NotifyMailboxOwnerOfEmailServerLevelAlerts\", \"Notify Mailbox Owner Of Email Server Level Alerts\", \"Indicates whether mailbox owners will be notified of email server profile level alerts.\",\n \"NumberFormat\", \"Number Format\", \"Specification of how numbers are displayed throughout Microsoft CRM.\",\n \"NumberGroupFormat\", \"Number Grouping Format\", \"Specifies how numbers are grouped in Microsoft Dynamics 365.\",\n \"NumberSeparator\", \"Number Separator\", \"Symbol used for number separation in Microsoft Dynamics 365.\",\n \"OfficeAppsAutoDeploymentEnabled\", \"Enable Office Apps Auto Deployment for this Organization\", \"Indicates whether the Office Apps auto deployment is enabled for the organization.\",\n \"OfficeGraphDelveUrl\", \"The url to open the Delve\", \"The url to open the Delve for the organization.\",\n \"OOBPriceCalculationEnabled\", \"Enable OOB Price calculation\", \"Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.\",\n \"OptOutSchemaV2EnabledByDefault\", \"Opt-out of schema v2 being automatically enabled for this organization.\", \"Indicates if this organization will opt-out from 
automatically enabling schema v2 on the organization.\",\n \"OrderPrefix\", \"Order Prefix\", \"Prefix to use for all orders throughout Microsoft Dynamics 365.\",\n \"OrgDbOrgSettings\", \"Organization Database Organization Settings\", \"Organization settings stored in Organization Database.\",\n \"OrgInsightsEnabled\", \"Enable OrgInsights for this Organization\", \"Select whether to turn on OrgInsights for the organization.\",\n \"PaiPreviewScenarioEnabled\", \"Display Preview Feature for this organization\", \"Indicates whether Preview feature has been enabled for the organization.\",\n \"PastExpansionWindow\", \"Past Expansion Window\", \"Specifies the maximum number of months in past for which the recurring activities can be created.\",\n \"PcfDatasetGridEnabled\", \"Enable modern grids in model-driven apps\", \"Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.\",\n \"PerformACTSyncAfter\", \"PerformACTSyncAfter\", \"This setting contains the date time before an ACT sync can execute.\",\n \"Picture\", \"Picture\", \"For internal use only.\",\n \"PinpointLanguageCode\", \"\", \"\",\n \"PluginTraceLogSetting\", \"Plug-in Trace Log Setting\", \"Plug-in Trace Log Setting for the Organization.\",\n \"PMDesignator\", \"PM Designator\", \"PM designator to use throughout Microsoft Dynamics 365.\",\n \"PostMessageWhitelistDomains\", \"For internal use only.\", \"For internal use only.\",\n \"PowerAppsMakerBotEnabled\", \"Enable bot for makers.\", \"Indicates whether bot for makers is enabled.\",\n \"PowerBIAllowCrossRegionOperations\", \"Power BI allow cross region operations\", \"Indicates whether cross region operations are allowed for the organization\",\n \"PowerBIAutomaticPermissionsAssignment\", \"Power BI automatic permissions assignment\", \"Indicates whether automatic permissions assignment to Power BI has been enabled for the organization\",\n \"PowerBIComponentsCreate\", 
\"Power BI components creation\", \"Indicates whether creation of Power BI components has been enabled for the organization\",\n \"PowerBiFeatureEnabled\", \"Enable Power BI feature for this Organization\", \"Indicates whether the Power BI feature should be enabled for the organization.\",\n \"PricingDecimalPrecision\", \"Pricing Decimal Precision\", \"Number of decimal places that can be used for prices.\",\n \"PrivacyStatementUrl\", \"Privacy Statement URL\", \"Privacy Statement URL\",\n \"PrivilegeUserGroupId\", \"Privilege User Group\", \"Unique identifier of the default privilege for users in the organization.\",\n \"PrivReportingGroupId\", \"Privilege Reporting Group\", \"For internal use only.\",\n \"PrivReportingGroupName\", \"Privilege Reporting Group Name\", \"For internal use only.\",\n \"ProductRecommendationsEnabled\", \"Enable Product Recommendations for this Organization\", \"Select whether to turn on product recommendations for the organization.\",\n \"QualifyLeadAdditionalOptions\", \"Enable New Qualify Lead Experience with configuration MDD\", \"Indicates whether prompt should be shown for new Qualify Lead Experience\",\n \"QuickActionToOpenRecordsInSidePaneEnabled\", \"Enable quick actions to open records in search side pane\", \"Flag to indicate if the feature to use quick action to open records in search side pane is enabled\",\n \"QuickFindRecordLimitEnabled\", \"Quick Find Record Limit Enabled\", \"Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).\",\n \"QuotePrefix\", \"Quote Prefix\", \"Prefix to use for all quotes throughout Microsoft Dynamics 365.\",\n \"RecalculateSLA\", \"Indicates whether SLA Recalculation has been enabled for the organization\", \"Indicates whether SLA Recalculation has been enabled for the organization\",\n \"RecurrenceDefaultNumberOfOccurrences\", \"Recurrence Default Number of Occurrences\", \"Specifies the 
default value for number of occurrences field in the recurrence dialog.\",\n \"RecurrenceExpansionJobBatchInterval\", \"Recurrence Expansion Job Batch Interval\", \"Specifies the interval (in seconds) for pausing expansion job.\",\n \"RecurrenceExpansionJobBatchSize\", \"Recurrence Expansion On Demand Job Batch Size\", \"Specifies the value for number of instances created in on demand job in one shot.\",\n \"RecurrenceExpansionSynchCreateMax\", \"Recurrence Expansion Synchronization Create Maximum\", \"Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.\",\n \"ReferenceSiteMapXml\", \"Reference SiteMap XML\", \"XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.\",\n \"ReleaseCadence\", \"Current orgnization release cadence value\", \"Current orgnization release cadence value\",\n \"ReleaseChannel\", \"Model app refresh channel\", \"Model app refresh channel\",\n \"ReleaseWaveName\", \"Release Wave\", \"Release Wave Applied to Environment.\",\n \"RelevanceSearchEnabledByPlatform\", \"Relevance search enabled automatically by Dataverse\", \"Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep\",\n \"RelevanceSearchModifiedOn\", \"RelevanceSearchModifiedOnDate\", \"This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.\",\n \"RenderSecureIFrameForEmail\", \"Render Secure Frame For Email\", \"Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. 
This is additional security but can cause a credentials prompt.\",\n \"ReportingGroupId\", \"Reporting Group\", \"For internal use only.\",\n \"ReportingGroupName\", \"Reporting Group Name\", \"For internal use only.\",\n \"ReportScriptErrors\", \"Report Script Errors\", \"Picklist for selecting the organization preference for reporting scripting errors.\",\n \"RequireApprovalForQueueEmail\", \"Is Approval For Queue Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"RequireApprovalForUserEmail\", \"Is Approval For User Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"ResolveSimilarUnresolvedEmailAddress\", \"Apply same email address to all unresolved matches when you manually resolve it for one\", \"Apply same email address to all unresolved matches when you manually resolve it for one\",\n \"RestrictStatusUpdate\", \"Restrict Status Update\", \"Flag to restrict Update on incident.\",\n \"ReverseProxyIpAddresses\", \"List of reverse proxy IP addresses to be allowed.\", \"Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.\",\n \"RiErrorStatus\", \"Error status of Relationship Insights provisioning.\", \"Error status of Relationship Insights provisioning.\",\n \"SampleDataImportId\", \"Sample Data Import\", \"Unique identifier of the sample data import job.\",\n \"SchemaNamePrefix\", \"Customization Name Prefix\", \"Prefix used for custom entities and attributes.\",\n \"SendBulkEmailInUCI\", \"Send Bulk Email in UCI\", \"Indicates whether Send Bulk Email in UCI is enabled for the org.\",\n \"ServeStaticResourcesFromAzureCDN\", \"Serve Static Content From CDN\", \"Serve Static Content From CDN\",\n \"SessionRecordingEnabled\", \"Enable the session recording feature\", \"Enable the session recording feature to record user sessions in UCI\",\n \"SessionTimeoutEnabled\", \"Session timeout enabled\", \"Information that specifies whether session timeout is 
enabled\",\n \"SessionTimeoutInMins\", \"Session timeout in minutes\", \"Session timeout in minutes\",\n \"SessionTimeoutReminderInMins\", \"Session timeout reminder in minutes\", \"Session timeout reminder in minutes\",\n \"SharePointDeploymentType\", \"Choose SharePoint Deployment Type\", \"Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)\",\n \"ShareToPreviousOwnerOnAssign\", \"Share To Previous Owner On Assign\", \"Information that specifies whether to share to previous owner on assign.\",\n \"ShowKBArticleDeprecationNotification\", \"Show KBArticle deprecation message to user\", \"Select whether to display a KB article deprecation notification to the user.\",\n \"ShowWeekNumber\", \"Show Week Number\", \"Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.\",\n \"SignupOutlookDownloadFWLink\", \"CRMForOutlookDownloadURL\", \"CRM for Outlook Download URL\",\n \"SiteMapXml\", \"SiteMap XML\", \"XML string that defines the navigation structure for the application.\",\n \"SlaPauseStates\", \"SLA pause states\", \"Contains the on hold case status values.\",\n \"SocialInsightsEnabled\", \"Social Insights Enabled\", \"Flag for whether the organization is using Social Insights.\",\n \"SocialInsightsInstance\", \"Social Insights instance identifier\", \"Identifier for the Social Insights instance for the organization.\",\n \"SocialInsightsTermsAccepted\", \"Social Insights Terms of Use\", \"Flag for whether the organization has accepted the Social Insights terms of use.\",\n \"SortId\", \"Sort\", \"For internal use only.\",\n \"SqlAccessGroupId\", \"SQL Access Group\", \"For internal use only.\",\n \"SqlAccessGroupName\", \"SQL Access Group Name\", \"For internal use only.\",\n \"SQMEnabled\", \"Is SQM Enabled\", \"Setting for SQM data collection, 0 no, 1 yes enabled\",\n \"SupportUserId\", \"Support User\", \"Unique identifier of the support user for the 
organization.\",\n \"SuppressSLA\", \"Is SLA suppressed\", \"Indicates whether SLA is suppressed.\",\n \"SuppressValidationEmails\", \"Whether Admin emails are sent when Solution Checker validation fails\", \"Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.\",\n \"SyncBulkOperationBatchSize\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\",\n \"SyncBulkOperationMaxLimit\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\",\n \"SyncOptInSelection\", \"Enable dynamics 365 azure sync framework for this organization.\", \"Indicates the selection to use the dynamics 365 azure sync framework or server side sync.\",\n \"SyncOptInSelectionStatus\", \"Status of opt-in or opt-out operation for dynamics 365 azure sync.\", \"Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.\",\n \"SystemUserId\", \"System User\", \"Unique identifier of the system user for the organization.\",\n \"TableScopedDVSearchInApps\", \"Table Scoped Dataverse Search In Apps\", \"Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.\",\n \"TagMaxAggressiveCycles\", \"Auto-Tag Max Cycles\", \"Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.\",\n \"TagPollingPeriod\", \"Auto-Tag Interval\", \"Normal polling frequency used for email receive auto-tagging in outlook.\",\n \"TaskBasedFlowEnabled\", \"Enable Task Flow processes for this Organization\", \"Select whether to turn on task flows for the organization.\",\n \"TeamsChatDataSync\", \"Enable Teams Chat Data Sync.\", \"Information on whether Teams Chat Data Sync is enabled.\",\n 
\"TelemetryInstrumentationKey\", \"Telemetry Instrumentation Key\", \"Instrumentation key for Application Insights used to log plugins telemetry.\",\n \"TextAnalyticsEnabled\", \"Enable Text Analytics for this Organization\", \"Select whether to turn on text analytics for the organization.\",\n \"TimeFormatCode\", \"Time Format Code\", \"Information that specifies how the time is displayed throughout Microsoft CRM.\",\n \"TimeFormatString\", \"Time Format String\", \"Text for how time is displayed in Microsoft Dynamics 365.\",\n \"TimeSeparator\", \"Time Separator\", \"Text for how the time separator is displayed throughout Microsoft Dynamics 365.\",\n \"TimeZoneRuleVersionNumber\", \"Time Zone Rule Version Number\", \"For internal use only.\",\n \"TokenExpiry\", \"Token Expiration Duration\", \"Duration used for token expiration.\",\n \"TokenKey\", \"Token Key\", \"Token key.\",\n \"TraceLogMaximumAgeInDays\", \"Tracelog record maximum age in days\", \"Tracelog record maximum age in days\",\n \"TrackingPrefix\", \"Tracking Prefix\", \"History list of tracking token prefixes.\",\n \"TrackingTokenIdBase\", \"Tracking Token Base\", \"Base number used to provide separate tracking token identifiers to users belonging to different deployments.\",\n \"TrackingTokenIdDigits\", \"Tracking Token Digits\", \"Number of digits used to represent a tracking token identifier.\",\n \"UniqueSpecifierLength\", \"Unique String Length\", \"Number of characters appended to invoice, quote, and order numbers.\",\n \"UnresolveEmailAddressIfMultipleMatch\", \"Set To,cc,bcc fields as unresolved if multiple matches are found\", \"Indicates whether email address should be unresolved if multiple matches are found\",\n \"UseInbuiltRuleForDefaultPricelistSelection\", \"Use Inbuilt Rule For Default Pricelist Selection\", \"Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.\",\n \"UseLegacyRendering\", \"Legacy Form Rendering\", \"Select whether to use legacy form rendering.\",\n 
\"UsePositionHierarchy\", \"Use position hierarchy\", \"Use position hierarchy\",\n \"UseQuickFindViewForGridSearch\", \"Use Quick Find view when searching in grids\", \"Indicates whether searching in a grid should use the Quick Find view for the entity.\",\n \"UserAccessAuditingInterval\", \"User Authentication Auditing Interval\", \"The interval at which user access is checked for auditing.\",\n \"UseReadForm\", \"Use Read-Optimized Form\", \"Indicates whether the read-optimized form should be enabled for this organization.\",\n \"UserGroupId\", \"User Group\", \"Unique identifier of the default group of users in the organization.\",\n \"UserRatingEnabled\", \"Enable the user rating feature\", \"Enable the user rating feature to show the NSAT score and comment to maker\",\n \"UseSkypeProtocol\", \"User Skype Protocol\", \"Indicates default protocol selected for organization.\",\n \"UTCConversionTimeZoneCode\", \"UTC Conversion Time Zone Code\", \"Time zone code that was in use when the record was created.\",\n \"ValidationMode\", \"Validation mode for apps in this environment\", \"Validation mode for apps in this environment\",\n \"WebResourceHash\", \"Web resource hash\", \"Hash value of web resources.\",\n \"WeekStartDayCode\", \"Week Start Day Code\", \"Designated first day of the week throughout Microsoft Dynamics 365.\",\n \"WidgetProperties\", \"For Internal use only.\", \"For Internal use only.\",\n \"YammerGroupId\", \"Yammer Group Id\", \"Denotes the Yammer group ID\",\n \"YammerNetworkPermalink\", \"Yammer Network Permalink\", \"Denotes the Yammer network permalink\",\n \"YammerOAuthAccessTokenExpired\", \"Yammer OAuth Access Token Expired\", \"Denotes whether the OAuth access token for Yammer network has expired\",\n \"YammerPostMethod\", \"Internal Use Only\", \"Internal Use Only\",\n \"YearStartWeekCode\", \"Year Start Week Code\", \"Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.\",\n 
\"AcknowledgementTemplateIdName\", \"\", \"Name of the template to be used for unsubscription acknowledgement.\",\n \"BaseCurrencyIdName\", \"\", \"\",\n \"BaseCurrencyPrecision\", \"Base Currency Precision\", \"Number of decimal places that can be used for the base currency.\",\n \"BaseCurrencySymbol\", \"Base Currency Symbol\", \"Symbol used for the base currency.\",\n \"BaseISOCurrencyCode\", \"Base ISO Currency Code\", \"\",\n \"CreatedBy\", \"Created By\", \"Unique identifier of the user who created the organization.\",\n \"CreatedByName\", \"\", \"\",\n \"CreatedByYomiName\", \"\", \"\",\n \"CreatedOn\", \"Created On\", \"Date and time when the organization was created.\",\n \"CreatedOnBehalfBy\", \"Created By (Delegate)\", \"Unique identifier of the delegate user who created the organization.\",\n \"CreatedOnBehalfByName\", \"\", \"\",\n \"CreatedOnBehalfByYomiName\", \"\", \"\",\n \"CurrentImportSequenceNumber\", \"Current Import Sequence Number\", \"Import sequence to use.\",\n \"CurrentParsedTableNumber\", \"Current Parsed Table Number\", \"First parsed table number to use.\",\n \"DaysSinceRecordLastModifiedMaxValue\", \"Max value of Days since record last modified\", \"The maximum value for the Mobile Offline setting Days since record last modified\",\n \"DefaultEmailServerProfileIdName\", \"\", \"Name of the email server profile to be used as default profile for the mailboxes.\",\n \"DefaultMobileOfflineProfileIdName\", \"\", \"Name of the default mobile offline profile to be used as default profile for mobile offline.\",\n \"DisabledReason\", \"Disabled Reason\", \"Reason for disabling the organization.\",\n \"EntityImage_Timestamp\", \"\", \"\",\n \"EntityImage_URL\", \"\", \"\",\n \"EntityImageId\", \"Entity Image Id\", \"For internal use only.\",\n \"FiscalSettingsUpdated\", \"Is Fiscal Settings Updated\", \"Information that specifies whether the fiscal settings have been updated.\",\n \"IsAllMoneyDecimal\", \"Set if all money attributes are 
converted to decimal\", \"Indicates whether all money attributes are converted to decimal.\",\n \"IsDisabled\", \"Is Organization Disabled\", \"Information that specifies whether the organization is disabled.\",\n \"MaxSupportedInternetExplorerVersion\", \"Max supported IE version\", \"The maximum version of IE to run browser emulation for in Outlook client\",\n \"MaxVerboseLoggingMailbox\", \"Max No Of Mailboxes To Enable For Verbose Logging\", \"Maximum number of mailboxes that can be toggled for verbose logging\",\n \"MaxVerboseLoggingSyncCycles\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\",\n \"MetadataSyncLastTimeOfNeverExpiredDeletedObjects\", \"The last date/time for never expired metadata tracking deleted objects\", \"What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.\",\n \"MetadataSyncTimestamp\", \"Metadata sync version\", \"Contains the maximum version number for attributes used by metadata synchronization that have changed.\",\n \"MobileOfflineMinLicenseProd\", \"Minimum number of user license required for mobile offline service by production/preview organization\", \"Minimum number of user license required for mobile offline service by production/preview organization\",\n \"MobileOfflineMinLicenseTrial\", \"Minimum number of user license required for mobile offline service by trial organization\", \"Minimum number of user license required for mobile offline service by trial organization\",\n \"ModifiedBy\", \"Modified By\", \"Unique identifier of the user who last modified the organization.\",\n \"ModifiedByName\", \"\", \"\",\n \"ModifiedByYomiName\", \"\", \"\",\n \"ModifiedOn\", \"Modified On\", \"Date and time when the organization was last modified.\",\n \"ModifiedOnBehalfBy\", \"Modified By (Delegate)\", \"Unique identifier of the 
delegate user who last modified the organization.\",\n \"ModifiedOnBehalfByName\", \"\", \"\",\n \"ModifiedOnBehalfByYomiName\", \"\", \"\",\n \"NextCustomObjectTypeCode\", \"Next Entity Type Code\", \"Next entity type code to use for custom entities.\",\n \"OrganizationId\", \"Organization\", \"Unique identifier of the organization.\",\n \"OrganizationState\", \"Organization State\", \"Indicates the organization lifecycle state\",\n \"ParsedTableColumnPrefix\", \"Parsed Table Column Prefix\", \"Prefix used for parsed table columns.\",\n \"ParsedTablePrefix\", \"Parsed Table Prefix\", \"Prefix used for parsed tables.\",\n \"V3CalloutConfigHash\", \"V3 Callout Hash\", \"Hash of the V3 callout configuration file.\",\n \"VersionNumber\", \"Version Number\", \"Version number of the organization.\"\n]\n| project FieldName = tolower(Field), DisplayName, Description\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsOrgSettings"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject3')._parserId3]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]",
+ "contentId": "[variables('parserObject3').parserContentId3]",
+ "kind": "Parser",
+ "version": "[variables('parserObject3').parserVersion3]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject4').parserTemplateSpecName4]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MSBizAppsTerminatedEmployees Data Parser with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject4').parserVersion4]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject4')._parserName4]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsTerminatedEmployees",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsTerminatedEmployees",
+ "query": "let TerminatedEmployees_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n UserState: string,\n NotificationDate: datetime,\n TerminationDate: datetime,\n Tags: string\n) [\n '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'\n];\nlet TerminatedEmployees_data = (\n _GetWatchlist(TerminatedEmployeesWatchlistAlias)\n | project\n UserIdentifier = column_ifexists('User Identifier', '_'),\n UserAADObjectId = column_ifexists('User AAD Object Id', '_'),\n UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),\n UserPrincipalName = column_ifexists('User Principal Name', '_'),\n UserState = column_ifexists('UserState', '_'),\n NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),\n TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),\n Tags = column_ifexists('Tags', '_')\n );\nTerminatedEmployees_data\n| union isfuzzy = true (TerminatedEmployees_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier = tostring(UserIdentifier),\n UserAADObjectId = tostring(UserAADObjectId),\n UserOnPremSid = tostring(UserOnPremSid),\n UserPrincipalName = tostring(UserPrincipalName),\n UserState = tostring(UserState),\n NotificationDate = todatetime(NotificationDate),\n TerminationDate = todatetime(TerminationDate),\n Tags = tostring(Tags)\n",
+ "functionParameters": "TerminatedEmployeesWatchlistAlias:string='TerminatedEmployees'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsTerminatedEmployees"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject4')._parserId4]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]",
+ "contentId": "[variables('parserObject4').parserContentId4]",
+ "kind": "Parser",
+ "version": "[variables('parserObject4').parserVersion4]",
+ "source": {
+ "name": "Microsoft Business Applications",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject4').parserContentId4]",
+ "contentKind": "Parser",
+ "displayName": "MSBizAppsTerminatedEmployees",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '3.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '3.0.1')))]",
+ "version": "[variables('parserObject4').parserVersion4]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject4')._parserName4]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsTerminatedEmployees",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsTerminatedEmployees",
+ "query": "let TerminatedEmployees_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n UserState: string,\n NotificationDate: datetime,\n TerminationDate: datetime,\n Tags: string\n) [\n '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'\n];\nlet TerminatedEmployees_data = (\n _GetWatchlist(TerminatedEmployeesWatchlistAlias)\n | project\n UserIdentifier = column_ifexists('User Identifier', '_'),\n UserAADObjectId = column_ifexists('User AAD Object Id', '_'),\n UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),\n UserPrincipalName = column_ifexists('User Principal Name', '_'),\n UserState = column_ifexists('UserState', '_'),\n NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),\n TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),\n Tags = column_ifexists('Tags', '_')\n );\nTerminatedEmployees_data\n| union isfuzzy = true (TerminatedEmployees_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier = tostring(UserIdentifier),\n UserAADObjectId = tostring(UserAADObjectId),\n UserOnPremSid = tostring(UserOnPremSid),\n UserPrincipalName = tostring(UserPrincipalName),\n UserState = tostring(UserState),\n NotificationDate = todatetime(NotificationDate),\n TerminationDate = todatetime(TerminationDate),\n Tags = tostring(Tags)\n",
+ "functionParameters": "TerminatedEmployeesWatchlistAlias:string='TerminatedEmployees'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsTerminatedEmployees"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject4')._parserId4]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]",
+ "contentId": "[variables('parserObject4').parserContentId4]",
+ "kind": "Parser",
+ "version": "[variables('parserObject4').parserVersion4]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject5').parserTemplateSpecName5]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MSBizAppsVIPUsers Data Parser with template version 3.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject5').parserVersion5]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject5')._parserName5]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsVIPUsers",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsVIPUsers",
+ "query": "let MSBizAppsVIPUsers_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n Tags: string\n) [\n '_', '_', '_', '_', '_'\n];\nlet MSBizAppsVIPUsers_data = (\n _GetWatchlist(VIPUsersWatchlistAlias)\n | project\n UserIdentifier = tostring(column_ifexists('User Identifier', '_')),\n UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),\n UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),\n UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMSBizAppsVIPUsers_data\n| union isfuzzy = true (MSBizAppsVIPUsers_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier,\n UserAADObjectId,\n UserOnPremSid,\n UserPrincipalName,\n Tags\n",
+ "functionParameters": "VIPUsersWatchlistAlias:string='VIPUsers'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsVIPUsers"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject5')._parserId5]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "kind": "Parser",
+ "version": "[variables('parserObject5').parserVersion5]",
+ "source": {
+ "name": "Microsoft Business Applications",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "contentKind": "Parser",
+ "displayName": "MSBizAppsVIPUsers",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '3.2.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '3.2.0')))]",
+ "version": "[variables('parserObject5').parserVersion5]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject5')._parserName5]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MSBizAppsVIPUsers",
+ "category": "MSBizAppsFunctions",
+ "functionAlias": "MSBizAppsVIPUsers",
+ "query": "let MSBizAppsVIPUsers_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n Tags: string\n) [\n '_', '_', '_', '_', '_'\n];\nlet MSBizAppsVIPUsers_data = (\n _GetWatchlist(VIPUsersWatchlistAlias)\n | project\n UserIdentifier = tostring(column_ifexists('User Identifier', '_')),\n UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),\n UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),\n UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMSBizAppsVIPUsers_data\n| union isfuzzy = true (MSBizAppsVIPUsers_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier,\n UserAADObjectId,\n UserOnPremSid,\n UserPrincipalName,\n Tags\n",
+ "functionParameters": "VIPUsersWatchlistAlias:string='VIPUsers'",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "MSBizAppsVIPUsers"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject5')._parserId5]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "kind": "Parser",
+ "version": "[variables('parserObject5').parserVersion5]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist1-id'))]",
+ "apiVersion": "2023-02-01",
+ "properties": {
+ "description": "Configuration for Microsoft Business Applications solution",
+ "displayName": "MSBizApps-Configuration",
+ "source": "ContentHub",
+ "provider": "Microsoft",
+ "numberOfLinesToSkip": 0,
+ "itemsSearchKey": "Category",
+ "rawContent": "Category,Data\n_,_\n",
+ "watchlistAlias": "MSBizApps-Configuration",
+ "contentType": "text/csv"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition10'), variables('dataConnectorVersion10'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentId10')]",
+ "displayName": "Microsoft Power Automate",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion10')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId10'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId10')]",
+ "title": "Microsoft Power Automate",
+ "publisher": "Microsoft",
+ "logo": "PowerAutomate.svg",
+ "descriptionMarkdown": "Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Microsoft Power Automate",
+ "baseQuery": "PowerAutomateActivity"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Microsoft Power Automate Logs",
+ "query": "PowerAutomateActivity\n | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "PowerAutomateActivity",
+ "lastDataReceivedQuery": "PowerAutomateActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Tenant Permissions",
+ "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
+ },
+ {
+ "name": "Micorosft Purview Audit",
+ "description": "Microsoft Purview Audit (Standard or Premium) must be activated."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Microsoft Power Automate audit logs to Microsoft Sentinel",
+ "description": "This connector uses the Office Management API to get your Power Automate audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerAutomateActivity** table.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId10')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId10'))]",
+ "contentId": "[variables('_dataConnectorContentId10')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion10')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections10')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections10')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "[variables('_dataConnectorDataCollectionRulePrefix10')]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('_workspaceResourceId')]",
+ "name": "[variables('_destinationName')]"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-PowerAutomateActivity"
+ ],
+ "destinations": [
+ "[variables('_destinationName')]"
+ ],
+ "transformKql": "source",
+ "outputStream": "Microsoft-PowerAutomateActivity"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[variables('_dataConnectorcontentProductId10')]",
+ "id": "[variables('_dataConnectorcontentProductId10')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersion10')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId10'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId10')]",
+ "title": "Microsoft Power Automate",
+ "publisher": "Microsoft",
+ "logo": "PowerAutomate.svg",
+ "descriptionMarkdown": "Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Microsoft Power Automate",
+ "baseQuery": "PowerAutomateActivity"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Microsoft Power Automate Logs",
+ "query": "PowerAutomateActivity\n | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "PowerAutomateActivity",
+ "lastDataReceivedQuery": "PowerAutomateActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Tenant Permissions",
+ "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
+ },
+ {
+ "name": "Micorosft Purview Audit",
+ "description": "Microsoft Purview Audit (Standard or Premium) must be activated."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Microsoft Power Automate audit logs to Microsoft Sentinel",
+ "description": "This connector uses the Office Management API to get your Power Automate audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerAutomateActivity** table.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId10')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId10'))]",
+ "contentId": "[variables('_dataConnectorContentId10')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion10')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections10')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections10')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections10'), variables('dataConnectorVersionConnections10'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections10')]",
+ "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections10'))]",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersionConnections10')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "connectorDefinitionName",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ }
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections10')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections10'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections10')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorVersionConnections10')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_uiConfigId10'))]",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "PurviewAudit",
+ "properties": {
+ "TenantId": "[[subscription().tenantId]",
+ "SourceType": "MicrosoftFlow",
+ "ConnectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+ "DataTypes": {
+ "Logs": {
+ "state": "Enabled"
+ }
+ },
+ "DcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "StreamName": "OFFICEPOWERAUTOMATE_RESTAPI"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections10'),'-', variables('dataConnectorVersionConnections10'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersionConnections10')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition14'), variables('dataConnectorVersion14'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentId14')]",
+ "displayName": "Microsoft Dataverse",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion14')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId14'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId14')]",
+ "title": "Microsoft Dataverse",
+ "publisher": "Microsoft",
+ "logo": "Dataverse.svg",
+ "descriptionMarkdown": "Microsoft Dataverse is a scalable and secure data platform that enables organizations to store and manage data used by business applications. The Microsoft Dataverse data connector provides the capability to ingest Dataverse and Dynamics 365 CRM activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Microsoft Dataverse",
+ "baseQuery": "DataverseActivity"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Microsoft Dataverse Logs",
+ "query": "DataverseActivity\n | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "DataverseActivity",
+ "lastDataReceivedQuery": "DataverseActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Tenant Permissions",
+ "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
+ },
+ {
+ "name": "Micorosft Purview Audit",
+ "description": "Microsoft Purview Audit (Standard or Premium) must be activated."
+ },
+ {
+ "name": "Production Dataverse",
+ "description": "Activity logging is available only for Production environments. Other types, such as sandbox, do not support activity logging."
+ },
+ {
+ "name": "Dataverse Audit Settings",
+ "description": "Audit settings must be configured both globally and at the entity/table level. [See the documentation to learn more about Dataverse audit settings](https://learn.microsoft.com/azure/sentinel/business-applications/deploy-power-platform-solution)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Microsoft Dataverse audit logs to Microsoft Sentinel",
+ "description": "This connector uses the Office Management API to get your Dataverse audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **DataverseActivity** table.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId14')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId14'))]",
+ "contentId": "[variables('_dataConnectorContentId14')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion14')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections14')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections14')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "[variables('_dataConnectorDataCollectionRulePrefix14')]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('_workspaceResourceId')]",
+ "name": "[variables('_destinationName')]"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-DataverseActivity"
+ ],
+ "destinations": [
+ "[variables('_destinationName')]"
+ ],
+ "transformKql": "source",
+ "outputStream": "Microsoft-DataverseActivity"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[variables('_dataConnectorcontentProductId14')]",
+ "id": "[variables('_dataConnectorcontentProductId14')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersion14')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId14'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId14')]",
+ "title": "Microsoft Dataverse",
+ "publisher": "Microsoft",
+ "logo": "Dataverse.svg",
+ "descriptionMarkdown": "Microsoft Dataverse is a scalable and secure data platform that enables organizations to store and manage data used by business applications. The Microsoft Dataverse data connector provides the capability to ingest Dataverse and Dynamics 365 CRM activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Microsoft Dataverse",
+ "baseQuery": "DataverseActivity"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Microsoft Dataverse Logs",
+ "query": "DataverseActivity\n | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "DataverseActivity",
+ "lastDataReceivedQuery": "DataverseActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Tenant Permissions",
+ "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
+ },
+ {
+ "name": "Micorosft Purview Audit",
+ "description": "Microsoft Purview Audit (Standard or Premium) must be activated."
+ },
+ {
+ "name": "Production Dataverse",
+ "description": "Activity logging is available only for Production environments. Other types, such as sandbox, do not support activity logging."
+ },
+ {
+ "name": "Dataverse Audit Settings",
+ "description": "Audit settings must be configured both globally and at the entity/table level. [See the documentation to learn more about Dataverse audit settings](https://learn.microsoft.com/azure/sentinel/business-applications/deploy-power-platform-solution)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Microsoft Dataverse audit logs to Microsoft Sentinel",
+ "description": "This connector uses the Office Management API to get your Dataverse audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **DataverseActivity** table.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId14')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId14'))]",
+ "contentId": "[variables('_dataConnectorContentId14')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion14')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections14')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections14')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections14'), variables('dataConnectorVersionConnections14'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections14')]",
+ "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections14'))]",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersionConnections14')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "connectorDefinitionName",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ }
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections14')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections14'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections14')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorVersionConnections14')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_uiConfigId14'))]",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "PurviewAudit",
+ "properties": {
+ "TenantId": "[[subscription().tenantId]",
+ "SourceType": "CRM",
+ "ConnectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+ "DataTypes": {
+ "Logs": {
+ "state": "Enabled"
+ }
+ },
+ "DcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "StreamName": "OFFICEDATAVERSE_RESTAPI"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections14'),'-', variables('dataConnectorVersionConnections14'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersionConnections14')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition15'), variables('dataConnectorVersion15'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentId15')]",
+ "displayName": "Microsoft Power Platform Admin Activity",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion15')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId15'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId15')]",
+ "title": "Microsoft Power Platform Admin Activity",
+ "publisher": "Microsoft",
+ "logo": "PowerPlatform.svg",
+ "descriptionMarkdown": "Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Microsoft Power Platform Admin Activity",
+ "baseQuery": "PowerPlatformAdminActivity"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Microsoft Power Platform Admin Activity Logs",
+ "query": "PowerPlatformAdminActivity\n | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "PowerPlatformAdminActivity",
+ "lastDataReceivedQuery": "PowerPlatformAdminActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Tenant Permissions",
+ "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
+ },
+ {
+ "name": "Micorosft Purview Audit",
+ "description": "Microsoft Purview Audit (Standard or Premium) must be activated."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Microsoft Power Platform Admin Activity audit logs to Microsoft Sentinel",
+ "description": "This connector uses the Office Management API to get your Power Platform administrator audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerPlatformAdminActivity** table.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId15')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId15'))]",
+ "contentId": "[variables('_dataConnectorContentId15')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion15')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections15')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections15')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "[variables('_dataConnectorDataCollectionRulePrefix15')]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('_workspaceResourceId')]",
+ "name": "[variables('_destinationName')]"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-PowerPlatformAdminActivity"
+ ],
+ "destinations": [
+ "[variables('_destinationName')]"
+ ],
+ "transformKql": "source",
+ "outputStream": "Microsoft-PowerPlatformAdminActivity"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[variables('_dataConnectorcontentProductId15')]",
+ "id": "[variables('_dataConnectorcontentProductId15')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersion15')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId15'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId15')]",
+ "title": "Microsoft Power Platform Admin Activity",
+ "publisher": "Microsoft",
+ "logo": "PowerPlatform.svg",
+ "descriptionMarkdown": "Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Microsoft Power Platform Admin Activity",
+ "baseQuery": "PowerPlatformAdminActivity"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Microsoft Power Platform Admin Activity Logs",
+ "query": "PowerPlatformAdminActivity\n | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "PowerPlatformAdminActivity",
+ "lastDataReceivedQuery": "PowerPlatformAdminActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 2,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Tenant Permissions",
+ "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
+ },
+ {
+ "name": "Micorosft Purview Audit",
+ "description": "Microsoft Purview Audit (Standard or Premium) must be activated."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Microsoft Power Platform Admin Activity audit logs to Microsoft Sentinel",
+ "description": "This connector uses the Office Management API to get your Power Platform administrator audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerPlatformAdminActivity** table.",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId15')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId15'))]",
+ "contentId": "[variables('_dataConnectorContentId15')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion15')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorVersionConnections15')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections15')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections15'), variables('dataConnectorVersionConnections15'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections15')]",
+ "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections15'))]",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersionConnections15')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "connectorDefinitionName",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ }
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections15')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections15'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections15')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorVersionConnections15')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_uiConfigId15'))]",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "PurviewAudit",
+ "properties": {
+ "TenantId": "[[subscription().tenantId]",
+ "SourceType": "PowerPlatformAdministratorActivity",
+ "ConnectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+ "DataTypes": {
+ "Logs": {
+ "state": "Enabled"
+ }
+ },
+ "DcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "StreamName": "OFFICEPOWERPLATFORMADMIN_RESTAPI"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections15'),'-', variables('dataConnectorVersionConnections15'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorVersionConnections15')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.2.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Microsoft Business Applications",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nMicrosoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.
\nThe Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.
\nIt collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.
\nDue to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.
\nImportant
\n\nThe Microsoft Sentinel Solution for Power Platform is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
\n \nThis solution is a premium offering. Pricing information will be available before the solution becomes generally available.
\n \n \nPlease review the solution documentation to learn more about deploying, configuring and using this solution.
\nData Connectors: 4, Parsers: 5, Workbooks: 1, Analytic Rules: 49, Hunting Queries: 8, Watchlists: 1, Playbooks: 8
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Business Applications",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]",
+ "version": "[variables('analyticRuleObject11').analyticRuleVersion11]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]",
+ "version": "[variables('analyticRuleObject12').analyticRuleVersion12]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]",
+ "version": "[variables('analyticRuleObject13').analyticRuleVersion13]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]",
+ "version": "[variables('analyticRuleObject14').analyticRuleVersion14]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
+ "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
+ "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
+ "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
+ "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
+ "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]",
+ "version": "[variables('analyticRuleObject20').analyticRuleVersion20]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]",
+ "version": "[variables('analyticRuleObject21').analyticRuleVersion21]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]",
+ "version": "[variables('analyticRuleObject22').analyticRuleVersion22]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]",
+ "version": "[variables('analyticRuleObject27').analyticRuleVersion27]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]",
+ "version": "[variables('analyticRuleObject28').analyticRuleVersion28]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]",
+ "version": "[variables('analyticRuleObject29').analyticRuleVersion29]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]",
+ "version": "[variables('analyticRuleObject30').analyticRuleVersion30]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]",
+ "version": "[variables('analyticRuleObject31').analyticRuleVersion31]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]",
+ "version": "[variables('analyticRuleObject32').analyticRuleVersion32]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]",
+ "version": "[variables('analyticRuleObject33').analyticRuleVersion33]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]",
+ "version": "[variables('analyticRuleObject34').analyticRuleVersion34]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]",
+ "version": "[variables('analyticRuleObject35').analyticRuleVersion35]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]",
+ "version": "[variables('analyticRuleObject36').analyticRuleVersion36]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]",
+ "version": "[variables('analyticRuleObject37').analyticRuleVersion37]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]",
+ "version": "[variables('analyticRuleObject38').analyticRuleVersion38]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]",
+ "version": "[variables('analyticRuleObject39').analyticRuleVersion39]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]",
+ "version": "[variables('analyticRuleObject40').analyticRuleVersion40]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]",
+ "version": "[variables('analyticRuleObject41').analyticRuleVersion41]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]",
+ "version": "[variables('analyticRuleObject42').analyticRuleVersion42]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]",
+ "version": "[variables('analyticRuleObject43').analyticRuleVersion43]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]",
+ "version": "[variables('analyticRuleObject44').analyticRuleVersion44]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]",
+ "version": "[variables('analyticRuleObject45').analyticRuleVersion45]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]",
+ "version": "[variables('analyticRuleObject46').analyticRuleVersion46]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]",
+ "version": "[variables('analyticRuleObject47').analyticRuleVersion47]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]",
+ "version": "[variables('analyticRuleObject48').analyticRuleVersion48]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]",
+ "version": "[variables('analyticRuleObject49').analyticRuleVersion49]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Add-SharePoint-Site')]",
+ "version": "[variables('playbookVersion1')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Blocklist-Add-User-AlertTrigger')]",
+ "version": "[variables('playbookVersion2')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Blocklist-Add-User-Via-Outlook')]",
+ "version": "[variables('playbookVersion3')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Blocklist-Add-User-Via-Teams')]",
+ "version": "[variables('playbookVersion4')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Blocklist-Add-User')]",
+ "version": "[variables('playbookVersion5')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Blocklist-Remove-User-AlertTrigger')]",
+ "version": "[variables('playbookVersion6')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Dataverse-Send-Manager-Notification')]",
+ "version": "[variables('playbookVersion7')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_MSBizApps-Incident-From-Alert-Teams')]",
+ "version": "[variables('playbookVersion8')]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "version": "[variables('parserObject1').parserVersion1]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject2').parserContentId2]",
+ "version": "[variables('parserObject2').parserVersion2]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject3').parserContentId3]",
+ "version": "[variables('parserObject3').parserVersion3]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject4').parserContentId4]",
+ "version": "[variables('parserObject4').parserVersion4]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "version": "[variables('parserObject5').parserVersion5]"
+ },
+ {
+ "kind": "Watchlist",
+ "contentId": "[variables('_MSBizApps-Configuration')]",
+ "version": "3.2.0"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections10')]",
+ "version": "[variables('dataConnectorVersionConnections10')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections14')]",
+ "version": "[variables('dataConnectorVersionConnections14')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections15')]",
+ "version": "[variables('dataConnectorVersionConnections15')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-04-19",
+ "providers": [
+ "Microsoft"
+ ],
+ "categories": {
+ "domains": [
+ "Application",
+ "Cloud Provider"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Business Applications/Package/testParameters.json b/Solutions/Microsoft Business Applications/Package/testParameters.json
new file mode 100644
index 00000000000..c071ad44511
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Package/testParameters.json
@@ -0,0 +1,54 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Dynamics 365 Activity",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "watchlist1-id": {
+ "type": "string",
+ "defaultValue": "MSBizApps-Configuration",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the watchlist"
+ }
+ }
+}
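Review bot: `workspace` and `workspace-location` take `"defaultValue": ""` with no `minLength`, whereas `location`, `workbook1-name` and `watchlist1-id` in the same file each carry `"minLength": 1`; an empty workspace name is accepted at parameter validation and only fails later, inside the `concat(parameters('workspace'),'/Microsoft.SecurityInsights/', ...)` resource names the main template builds from it. Adding `"minLength": 1` to both string parameters rejects the empty value up front, consistent with the other entries. If this file is emitted by the packaging tool rather than hand-written, the same change belongs in the generator so it is not lost on the next repackage.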
diff --git a/Solutions/Microsoft Business Applications/Parsers/DataverseSharePointSites.yaml b/Solutions/Microsoft Business Applications/Parsers/DataverseSharePointSites.yaml
new file mode 100644
index 00000000000..8c8b16055c2
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Parsers/DataverseSharePointSites.yaml
@@ -0,0 +1,30 @@
+id: 2a51081a-e31d-4a29-9fd5-cf399b0d3cc1
+Contentkind: Function
+Description: DataverseSharePointSites
+Function:
+ Title: DataverseSharePointSites
+ Version: 3.2.0
+ LastUpdated: '2024-11-18'
+Category: MSBizAppsFunctions
+FunctionName: DataverseSharePointSites
+FunctionAlias: DataverseSharePointSites
+FunctionParams:
+ - Name: MSBizAppsConfigurationWatchlistAlias
+ Type: string
+ Default: 'MSBizApps-Configuration'
+FunctionQuery: |
+ let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];
+ let DataverseSharepointSites_data = (
+ _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)
+ | where SearchKey == "SharePoint"
+ | extend Data = todynamic(column_ifexists('Data', dynamic({"InstanceUrl": "_", "SharePointUrl": "_"})))
+ | project
+ InstanceUrl = tostring(Data.InstanceUrl),
+ SharePointUrl = tostring(Data.SharePointUrl)
+ );
+ DataverseSharepointSites_data
+ | union isfuzzy = true (DataverseSharepointSites_definition)
+ | where InstanceUrl != '_'
+ | extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))
+ | extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))
+ | project InstanceUrl, SharePointUrl
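Review bot: The placeholder filter `| where InstanceUrl != '_'` does not catch watchlist rows whose `Data` payload lacks one of the two URLs: `tostring(Data.InstanceUrl)` and `tostring(Data.SharePointUrl)` yield an empty string for a missing key, and the two `extend` lines below then normalize that empty string to `/`. Any consumer that matches on these normalized values as URL prefixes would treat `/` as matching every URL, so such rows should be dropped before normalization, e.g. `| where InstanceUrl != '_' and isnotempty(InstanceUrl) and isnotempty(SharePointUrl)`. As a point of style, the locals are spelled `DataverseSharepointSites_*` while the function is named `DataverseSharePointSites`; aligning the casing makes the query easier to search.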
diff --git a/Solutions/Microsoft Business Applications/Parsers/MSBizAppsNetworkAddresses.yaml b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsNetworkAddresses.yaml
new file mode 100644
index 00000000000..9cd966b96e4
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsNetworkAddresses.yaml
@@ -0,0 +1,33 @@
+id: 7c9f20e6-1ba1-4c22-90d1-926c8b9749e2
+Contentkind: Function
+Description: MSBizAppsNetworkAddresses
+Function:
+ Title: MSBizAppsNetworkAddresses
+ Version: 3.2.0
+ LastUpdated: '2024-11-13'
+Category: MSBizAppsFunctions
+FunctionName: MSBizAppsNetworkAddresses
+FunctionAlias: MSBizAppsNetworkAddresses
+FunctionParams:
+ - Name: NetworkAddressesWatchlistAlias
+ Type: string
+ Default: 'NetworkAddresses'
+FunctionQuery: |
+ let MsBizAppsNetworkAddresses_definition = datatable (
+ IPSubnet: string,
+ RangeName: string,
+ Tags: string
+ ) [
+ '_', '_', '_'
+ ];
+ let MsBizAppsNetworkAddresses_data = (
+ _GetWatchlist(NetworkAddressesWatchlistAlias)
+ | project
+ IPSubnet = tostring(column_ifexists('IP Subnet', '_')),
+ RangeName = tostring(column_ifexists('Range Name', '_')),
+ Tags = tostring(column_ifexists('Tags', '_'))
+ );
+ MsBizAppsNetworkAddresses_data
+ | union isfuzzy = true (MsBizAppsNetworkAddresses_definition)
+ | where IPSubnet != '_'
+ | project IPSubnet, RangeName, Tags
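Review bot: `| where IPSubnet != '_'` removes the schema placeholder and rows where the `IP Subnet` column is absent, but a row whose column exists and is blank passes through with an empty `IPSubnet`, and a downstream IP-range comparison against it silently produces no match rather than an error. Tightening the filter to `| where IPSubnet != '_' and isnotempty(IPSubnet)` keeps the output to usable ranges. If the column is expected to hold only IPv4 CIDR values, a further format check would be worth adding, but the parser does not say so and I have not assumed it.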
diff --git a/Solutions/Microsoft Business Applications/Parsers/MSBizAppsOrgSettings.yaml b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsOrgSettings.yaml
new file mode 100644
index 00000000000..d0375bc4a18
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsOrgSettings.yaml
@@ -0,0 +1,478 @@
+id: ead143d3-a23a-4597-afe3-eb43d1f74828
+Contentkind: Function
+Description: MSBizAppsOrgSettings
+Function:
+ Title: MSBizAppsOrgSettings
+ Version: 3.2.0
+ LastUpdated: '2024-11-16'
+Category: MSBizAppsFunctions
+FunctionName: MSBizAppsOrgSettings
+FunctionAlias: MSBizAppsOrgSettings
+FunctionQuery: |
+ datatable (Field: string, DisplayName: string, Description: string)[
+ "ACIWebEndpointUrl", "ACI Tenant URL.", "ACI Web Endpoint URL.",
+ "AcknowledgementTemplateId", "Acknowledgement Template", "Unique identifier of the template to be used for acknowledgement when a user unsubscribes.",
+ "ActivityTypeFilter", "Enable Rich Editing Experience for Appointment", "Information on whether filtering activity based on entity in app.",
+ "ActivityTypeFilterV2", "Show only activities configured in the app when accessing 'New activity' button", "Whether to show only activities configured in this app or all activities in the 'New activity' button.",
+ "AdvancedColumnEditorEnabled", "Advanced column editor enabled", "Flag to indicate if the display column options on a view in model-driven apps is enabled",
+ "AdvancedColumnFilteringEnabled", "Advanced column filtering enabled", "Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled",
+ "AdvancedFilteringEnabled", "Advanced filtering enabled", "Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled",
+ "AdvancedLookupEnabled", "Advanced lookup enabled", "Flag to indicate if the Advanced Lookup feature is enabled for lookup controls",
+ "AdvancedLookupInEditFilter", "Enable Advanced Lookup In Edit Filter", "Enables advanced lookup in grid edit filter panel",
+ "AllowAddressBookSyncs", "Allow Address Book Synchronization", "Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.",
+ "AllowApplicationUserAccess", "Allow All Application Users Access.", "Information that specifies whether all application users are allowed to access the environment",
+ "AllowAutoResponseCreation", "Allow Automatic Response Creation", "Indicates whether automatic response creation is allowed.",
+ "AllowAutoUnsubscribe", "Allow Automatic Unsubscribe", "Indicates whether automatic unsubscribe is allowed.",
+ "AllowAutoUnsubscribeAcknowledgement", "Allow Automatic Unsubscribe Acknowledgement", "Indicates whether automatic unsubscribe acknowledgement email is allowed to send.",
+ "AllowClientMessageBarAd", "Allow Outlook Client Message Bar Advertisement", "Indicates whether Outlook Client message bar advertisement is allowed.",
+ "AllowConnectorsOnPowerFXActions", "Enable connectors on power fx actions.", "Information on whether connectors on power fx actions is enabled.",
+ "AllowedIpRangeForFirewall", "List of IP Ranges to be allowed by the firewall rule", "Information that specifies the range of IP addresses that are in allow list for the firewall.",
+ "AllowedIpRangeForStorageAccessSignatures", "List of IP Ranges to be allowed for generating the SAS URIs.", "Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.",
+ "AllowedMimeTypes", "List of allowed mime types.", "Allow upload or download of certain mime types.",
+ "AllowedServiceTagsForFirewall", "List of Service Tags to be allowed by the firewall rule", "Information that specifies the List of Service Tags that should be allowed by the firewall.",
+ "AllowEntityOnlyAudit", "Allow Entity Level Auditing", "Indicates whether auditing of changes to entity is allowed when no attributes have changed.",
+ "AllowLeadingWildcardsInGridSearch", "Allow Leading Wildcards In Grid Search", "Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment",
+ "AllowLeadingWildcardsInQuickFind", "Allow Leading Wildcards In Quick Find", "Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment",
+ "AllowLegacyClientExperience", "Enable access to legacy web client UI", "Enable access to legacy web client UI",
+ "AllowLegacyDialogsEmbedding", "Enable embedding of certain legacy dialogs in Unified Interface browser client", "Enable embedding of certain legacy dialogs in Unified Interface browser client",
+ "AllowMarketingEmailExecution", "Allow Marketing Email Execution", "Indicates whether marketing emails execution is allowed.",
+ "AllowMicrosoftTrustedServiceTags", "Allow Microsoft Trusted Service Tags", "Information that specifies whether Microsoft Trusted Service Tags are allowed",
+ "AllowOfflineScheduledSyncs", "Allow Offline Scheduled Synchronization", "Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.",
+ "AllowOutlookScheduledSyncs", "Allow Scheduled Synchronization", "Indicates whether scheduled synchronizations to Outlook are allowed.",
+ "AllowRedirectAdminSettingsToModernUI", "Allow Redirect Legacy Admin Settings To Modern UI", "Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI",
+ "AllowUnresolvedPartiesOnEmailSend", "Allow Unresolved Address Email Send", "Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).",
+ "AllowUserFormModePreference", "Allow User Form Mode Preference", "Indicates whether individuals can select their form mode preference in their personal options.",
+ "AllowUsersHidingSystemViews", "Allow users hiding system views", "Flag to indicate if allow end users to hide system views in model-driven apps is enabled",
+ "AllowUsersSeeAppdownloadMessage", "Allow the showing tablet application notification bars in a browser.", "Indicates whether the showing tablet application notification bars in a browser is allowed.",
+ "AllowWebExcelExport", "Allow Export to Excel", "Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.",
+ "AMDesignator", "AM Designator", "AM designator to use throughout Microsoft Dynamics CRM.",
+ "AppDesignerExperienceEnabled", "Enable App Designer Experience for this Organization", "Indicates whether the appDesignerExperience is enabled for the organization.",
+ "AppointmentRichEditorExperience", "Enable Rich Editing Experience for Appointment", "Information on whether rich editing experience for Appointment is enabled.",
+ "AppointmentWithTeamsMeeting", "Enable teams Meeting experience for appointment", "Information on whether Teams meeting experience for Appointment is enabled.",
+ "AppointmentWithTeamsMeetingV2", "Enable Teams meetings for appointments", "Whether Teams meetings experience for appointments is enabled.",
+ "AuditRetentionPeriod", "Audit Retention Period Settings", "Audit Retention Period settings stored in Organization Database.",
+ "AuditRetentionPeriodV2", "Audit Retention Period Settings", "Audit Retention Period settings stored in Organization Database.",
+ "AutoApplyDefaultonCaseCreate", "Auto Apply Default Entitlement on Case Create", "Select whether to auto apply the default customer entitlement on case creation.",
+ "AutoApplyDefaultonCaseUpdate", "Auto Apply Default Entitlement on Case Update", "Select whether to auto apply the default customer entitlement on case update.",
+ "AutoApplySLA", "Is Auto-apply SLA After Manually Over-riding", "Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.",
+ "AzureSchedulerJobCollectionName", "For internal use only.", "For internal use only.",
+ "BaseCurrencyId", "Currency", "Unique identifier of the base currency of the organization.",
+ "BingMapsApiKey", "Bing Maps API Key", "Api Key to be used in requests to Bing Maps services.",
+ "BlockedAttachments", "Block Attachments", "Prevent upload or download of certain attachment types that are considered dangerous.",
+ "BlockedMimeTypes", "List of blocked mime types.", "Prevent upload or download of certain mime types that are considered dangerous.",
+ "BoundDashboardDefaultCardExpanded", "Display cards in expanded state for Interactive Dashboard", "Display cards in expanded state for interactive dashboard",
+ "BulkOperationPrefix", "Bulk Operation Prefix", "Prefix used for bulk operation numbering.",
+ "BusinessCardOptions", "Enable New BusinessCardOptions", "BusinessCardOptions",
+ "BusinessClosureCalendarId", "Business Closure Calendar", "Unique identifier of the business closure calendar of organization.",
+ "CalendarType", "Calendar Type", "Calendar type for the system. Set to Gregorian US by default.",
+ "CampaignPrefix", "Campaign Prefix", "Prefix used for campaign numbering.",
+ "CanOptOutNewSearchExperience", "Can disable Oct 2020 Search", "Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)",
+ "CascadeStatusUpdate", "Cascade Status Update", "Flag to cascade Update on incident.",
+ "CasePrefix", "Case Prefix", "Prefix to use for all cases throughout Microsoft Dynamics 365.",
+ "CategoryPrefix", "Category Prefix", "Type the prefix to use for all categories in Microsoft Dynamics 365.",
+ "ClientFeatureSet", "Client Feature Set", "Client Features to be enabled as an XML BLOB.",
+ "ContentSecurityPolicyConfiguration", "Content Security Policy Configuration", "Policy configuration for CSP",
+ "ContentSecurityPolicyConfigurationForCanvas", "Content Security Policy Configuration for Canvas apps", "Content Security Policy configuration for Canvas apps.",
+ "ContentSecurityPolicyOptions", "Content Security Policy Options", "Content Security Policy Options.",
+ "ContentSecurityPolicyReportUri", "Content Security Policy Report Uri", "Content Security Policy Report Uri.",
+ "ContractPrefix", "Contract Prefix", "Prefix to use for all contracts throughout Microsoft Dynamics 365.",
+ "CopresenceRefreshRate", "CopresenceRefreshRate", "Refresh rate for copresence data in seconds.",
+ "CortanaProactiveExperienceEnabled", "Enable Cortana Proactive Experience Flow processes for this Organization", "Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.",
+ "CreateProductsWithoutParentInActiveState", "Enable Active Initial Product State", "Enable Initial state of newly created products to be Active instead of Draft",
+ "CurrencyDecimalPrecision", "Currency Decimal Precision", "Number of decimal places that can be used for currency.",
+ "CurrencyDisplayOption", "Display Currencies Using", "Indicates whether to display money fields with currency code or currency symbol.",
+ "CurrencyFormatCode", "Currency Format Code", "Information about how currency symbols are placed throughout Microsoft Dynamics CRM.",
+ "CurrencySymbol", "Currency Symbol", "Symbol used for currency throughout Microsoft Dynamics 365.",
+ "CurrentBulkOperationNumber", "Current Bulk Operation Number", "Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentCampaignNumber", "Current Campaign Number", "Current campaign number. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentCaseNumber", "Current Case Number", "First case number to use. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentCategoryNumber", "Current Category Number", "Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentContractNumber", "Current Contract Number", "First contract number to use. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentInvoiceNumber", "Current Invoice Number", "First invoice number to use. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentKaNumber", "Current Knowledge Article Number", "Enter the first number to use for knowledge articles. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentKbNumber", "Current Article Number", "First article number to use. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentOrderNumber", "Current Order Number", "First order number to use. Deprecated. Use SetAutoNumberSeed message.",
+ "CurrentQuoteNumber", "Current Quote Number", "First quote number to use. Deprecated. Use SetAutoNumberSeed message.",
+ "DateFormatCode", "Date Format Code", "Information about how the date is displayed throughout Microsoft CRM.",
+ "DateFormatString", "Date Format String", "String showing how the date is displayed throughout Microsoft CRM.",
+ "DateSeparator", "Date Separator", "Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.",
+ "DaysBeforeEmailDescriptionIsMigrated", "Number of days before we migrate email description to blob.", "Number of days before we migrate email description to blob.",
+ "DaysBeforeInactiveTeamsChatSyncDisabled", "Days Before Inactive Teams Chat Sync Disabled", "Days of inactivity before sync is disabled for a Teams Chat.",
+ "DecimalSymbol", "Decimal Symbol", "Symbol used for decimal in Microsoft Dynamics 365.",
+ "DefaultCountryCode", "Default Country Code", "Text area to enter default country code.",
+ "DefaultCrmCustomName", "Name of the default app", "Name of the default crm custom.",
+ "DefaultEmailServerProfileId", "Email Server Profile", "Unique identifier of the default email server profile.",
+ "DefaultEmailSettings", "Default Email Settings", "XML string containing the default email settings that are applied when a user or queue is created.",
+ "DefaultMobileOfflineProfileId", "Default Mobile Offline Profile", "Unique identifier of the default mobile offline profile.",
+ "DefaultRecurrenceEndRangeType", "Default Recurrence End Range Type", "Type of default recurrence end range date.",
+ "DefaultThemeData", "Default Theme Data", "Default theme data for the organization.",
+ "DelegatedAdminUserId", "Delegated Admin", "Unique identifier of the delegated admin user for the organization.",
+ "DisableSocialCare", "Is Social Care disabled", "Indicates whether Social Care is disabled.",
+ "DiscountCalculationMethod", "Discount calculation method", "Discount calculation method for the QOOI product.",
+ "DisplayNavigationTour", "Display Navigation Tour", "Indicates whether or not navigation tour is displayed.",
+ "EmailConnectionChannel", "Email Connection Channel", "Select if you want to use the Email Router or server-side synchronization for email processing.",
+ "EmailCorrelationEnabled", "Use Email Correlation", "Flag to turn email correlation on or off.",
+ "EmailSendPollingPeriod", "Email Send Polling Frequency", "Normal polling frequency used for sending email in Microsoft Office Outlook.",
+ "EnableAsyncMergeAPIForUCI", "Asynchronous merge enabled for UCI", "Determines whether records merged through the merge dialog in UCI are merged asynchronously",
+ "EnableBingMapsIntegration", "Enable Integration with Bing Maps", "Enable Integration with Bing Maps",
+ "EnableCanvasAppsInSolutionsByDefault", "Enable the creation of Canvas apps in Dataverse / Solution by default", "Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.",
+ "EnableFlowsInSolutionByDefault", "Enable the creation of flows within a solution by default.", "Indicates whether the creation of flows is within a solution by default for this organization.",
+ "EnableFlowsInSolutionByDefaultGracePeriod", "Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.", "Organizations with this attribute set to true will be granted a grace period and excluded from the initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.",
+ "EnableImmersiveSkypeIntegration", "Enable Integration with Immersive Skype", "Enable Integration with Immersive Skype",
+ "EnableIpBasedCookieBinding", "Enable IP Address Based Cookie Binding", "Information that specifies whether IP based cookie binding is enabled",
+ "EnableIpBasedFirewallRule", "Enable IP Range based Firewall", "Information that specifies whether IP based firewall rule is enabled",
+ "EnableIpBasedFirewallRuleInAuditMode", "Enable IP Range based Firewall In Audit Only Mode", "Information that specifies whether IP based firewall rule is enabled in Audit Only Mode",
+ "EnableIpBasedStorageAccessSignatureRule", "Enable IP SAS URI generation rule", "Information that specifies whether IP based SAS URI generation rule is enabled",
+ "EnableLivePersonaCardUCI", "Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.", "Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.",
+ "EnableLivePersonCardIntegrationInOffice", "Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.", "Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.",
+ "EnableLPAuthoring", "Enable Learning Path Authoring", "Select to enable learning path auhtoring.",
+ "EnableMakerSwitchToClassic", "Switch Maker Portal to Classic", "Control whether the organization Switch Maker Portal to Classic",
+ "EnableMicrosoftFlowIntegration", "Enable Integration with Microsoft Flow", "Enable Integration with Microsoft Flow",
+ "EnablePricingOnCreate", "Enable Pricing On Create", "Enable pricing calculations on a Create call.",
+ "EnableSmartMatching", "Enable Smart Matching", "Use Smart Matching.",
+ "EnableUnifiedClientCDN", "Enable UCI CDN for organization", "Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.",
+ "EnableUnifiedInterfaceShellRefresh", "Enable site map and commanding update", "Enable site map and commanding update",
+ "EnforceReadOnlyPlugins", "Organization setting to enforce read only plugins.", "Organization setting to enforce read only plugins.",
+ "EntityImage", "Entity Image", "The default image for the entity.",
+ "ExpireChangeTrackingInDays", "Days to Expire Change Tracking Deleted Records", "Maximum number of days to keep change tracking deleted records",
+ "ExpireSubscriptionsInDays", "Days to Expire Subscriptions", "Maximum number of days before deleting inactive subscriptions.",
+ "ExternalBaseUrl", "External Base URL", "Specify the base URL to use to look for external document suggestions.",
+ "ExternalPartyCorrelationKeys", "ExternalPartyEnabled Entities correlation Keys", "XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only",
+ "ExternalPartyEntitySettings", "ExternalPartyEnabled Entities Settings.For internal use only", "XML string containing the ExternalPartyEnabled entities settings.",
+ "FeatureSet", "Feature Set", "Features to be enabled as an XML BLOB.",
+ "FiscalCalendarStart", "Fiscal Calendar Start", "Start date for the fiscal period that is to be used throughout Microsoft CRM.",
+ "FiscalPeriodFormat", "Fiscal Period Format", "Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.",
+ "FiscalPeriodFormatPeriod", "Format for Fiscal Period", "Format in which the fiscal period will be displayed.",
+ "FiscalPeriodType", "Fiscal Period Type", "Type of fiscal period used throughout Microsoft CRM.",
+ "FiscalYearDisplayCode", "Fiscal Year Display", "Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.",
+ "FiscalYearFormat", "Fiscal Year Format", "Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.",
+ "FiscalYearFormatPrefix", "Prefix for Fiscal Year", "Prefix for the display of the fiscal year.",
+ "FiscalYearFormatSuffix", "Suffix for Fiscal Year", "Suffix for the display of the fiscal year.",
+ "FiscalYearFormatYear", "Fiscal Year Format Year", "Format for the year.",
+ "FiscalYearPeriodConnect", "Fiscal Year Period Connector", "Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.",
+ "FullNameConventionCode", "Full Name Display Order", "Order in which names are to be displayed throughout Microsoft CRM.",
+ "FutureExpansionWindow", "Future Expansion Window", "Specifies the maximum number of months in future for which the recurring activities can be created.",
+ "GenerateAlertsForErrors", "Generate Alerts For Errors", "Indicates whether alerts will be generated for errors.",
+ "GenerateAlertsForInformation", "Generate Alerts For Information", "Indicates whether alerts will be generated for information.",
+ "GenerateAlertsForWarnings", "Generate Alerts For Warnings", "Indicates whether alerts will be generated for warnings.",
+ "GetStartedPaneContentEnabled", "Is Get Started Pane Content Enabled", "Indicates whether Get Started content is enabled for this organization.",
+ "GlobalAppendUrlParametersEnabled", "Is AppendUrl Parameters enabled", "Indicates whether the append URL parameters is enabled.",
+ "GlobalHelpUrl", "Global Help URL.", "URL for the web page global help.",
+ "GlobalHelpUrlEnabled", "Is Customizable Global Help enabled", "Indicates whether the customizable global help is enabled.",
+ "GoalRollupExpiryTime", "Rollup Expiration Time for Goal", "Number of days after the goal's end date after which the rollup of the goal stops automatically.",
+ "GoalRollupFrequency", "Automatic Rollup Frequency for Goal", "Number of hours between automatic rollup jobs .",
+ "GrantAccessToNetworkService", "Grant Access To Network Service", "For internal use only.",
+ "HashDeltaSubjectCount", "Hash Delta Subject Count", "Maximum difference allowed between subject keywords count of the email messaged to be correlated",
+ "HashFilterKeywords", "Hash Filter Keywords", "Filter Subject Keywords",
+ "HashMaxCount", "Hash Max Count", "Maximum number of subject keywords or recipients used for correlation",
+ "HashMinAddressCount", "Hash Min Address Count", "Minimum number of recipients required to match for email messaged to be correlated",
+ "HighContrastThemeData", "High contrast Theme Data", "High contrast theme data for the organization.",
+ "IgnoreInternalEmail", "Ignore Internal Email", "Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.",
+ "ImproveSearchLoggingEnabled", "Share search query data", "Indicates whether an organization has consented to sharing search query data to help improve search results",
+ "InactivityTimeoutEnabled", "Inactivity timeout enabled", "Information that specifies whether Inactivity timeout is enabled",
+ "InactivityTimeoutInMins", "Inactivity timeout in minutes", "Inactivity timeout in minutes",
+ "InactivityTimeoutReminderInMins", "Inactivity timeout reminder in minutes", "Inactivity timeout reminder in minutes",
+ "IncomingEmailExchangeEmailRetrievalBatchSize", "Exchange Email Retrieval Batch Size", "Setting for the Async Service Mailbox Queue. Defines the retrieval batch size of exchange server.",
+ "InitialVersion", "Initial Version", "Initial version of the organization.",
+ "IntegrationUserId", "Integration User", "Unique identifier of the integration user for the organization.",
+ "InvoicePrefix", "Invoice Prefix", "Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.",
+ "IpBasedStorageAccessSignatureMode", "IP Based SAS mode", "IP Based SAS mode.",
+ "IsActionCardEnabled", "Enable Action Card for this Organization", "Indicates whether the feature Action Card should be enabled for the organization.",
+ "IsActionSupportFeatureEnabled", "Action Support Feature enabled", "Information that specifies whether Action Support Feature is enabled",
+ "IsActivityAnalysisEnabled", "Enable Relationship Analytics for this Organization", "Indicates whether the feature Relationship Analytics should be enabled for the organization.",
+ "IsAppMode", "Is Application Mode Enabled", "Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.",
+ "IsAppointmentAttachmentSyncEnabled", "Is Attachment Sync Enabled", "Enable or disable attachments sync for outlook and exchange.",
+ "IsAssignedTasksSyncEnabled", "Is Assigned Tasks Sync Enabled", "Enable or disable assigned tasks sync for outlook and exchange.",
+ "IsAuditEnabled", "Is Auditing Enabled", "Enable or disable auditing of changes.",
+ "IsAutoDataCaptureEnabled", "Enable Auto Capture for this Organization", "Indicates whether the feature Auto Capture should be enabled for the organization.",
+ "IsAutoDataCaptureV2Enabled", "Enable Auto Capture V2 for this Organization", "Indicates whether the V2 feature of Auto Capture should be enabled for the organization.",
+ "IsAutoInstallAppForD365InTeamsEnabled", "IsAutoInstallAppForD365InTeamsEnabled", "",
+ "IsAutoSaveEnabled", "Auto Save Enabled", "Information on whether auto save is enabled.",
+ "IsBaseCardStaticFieldDataEnabled", "IsBaseCardStaticFieldDataEnabled", "",
+ "IsBasicGeospatialIntegrationEnabled", "Enable the basic Geospatial features in Canvas Apps", "Determines whether users can make use of basic Geospatial featuers in Canvas apps.",
+ "IsBPFEntityCustomizationFeatureEnabled", "BPF Entity Customization Feature enabled", "Information that specifies whether BPF Entity Customization Feature is enabled",
+ "IsCollaborationExperienceEnabled", "IsCollaborationExperienceEnabled", "",
+ "IsConflictDetectionEnabledForMobileClient", "Is Conflict Detection for Mobile Client enabled", "Information that specifies whether conflict detection for mobile client is enabled.",
+ "IsContactMailingAddressSyncEnabled", "Is Mailing Address Sync Enabled", "Enable or disable mailing address sync for outlook and exchange.",
+ "IsContentSecurityPolicyEnabled", "Enable Content Security Policy for this organization", "Indicates whether Content Security Policy has been enabled for the organization.",
+ "IsContentSecurityPolicyEnabledForCanvas", "Enable Content Security Policy for this organization's Canvas apps", "Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.",
+ "IsContextualEmailEnabled", "Indicates whether Contextual email experience is enabled on this organization", "Indicates whether Contextual email experience is enabled on this organization",
+ "IsContextualHelpEnabled", "Enables Contextual Help in UCI", "Select to enable Contextual Help in UCI.",
+ "IsCopilotFeedbackEnabled", "Allow users to provide feedback for App Copilot", "Determines whether users can provide feedback for App Copilot.",
+ "IsCustomControlsInCanvasAppsEnabled", "Enable Custom Controls in canvas PowerApps feature for this organization", "Indicates whether Custom Controls in canvas PowerApps feature has been enabled for the organization.",
+ "IsDefaultCountryCodeCheckEnabled", "Enable or disable country code selection", "Enable or disable country code selection.",
+ "IsDelegateAccessEnabled", "Is Delegation Access Enabled", "Enable Delegation Access content",
+ "IsDelveActionHubIntegrationEnabled", "Enable Action Hub for this Organization", "Indicates whether the feature Action Hub should be enabled for the organization.",
+ "IsDesktopFlowSchemaV2Enabled", "Enable v2 schema for Desktop Flows in this organization.", "Indicates whether v2 schema for Desktop Flows is enabled in this organization.",
+ "IsDuplicateDetectionEnabled", "Is Duplicate Detection Enabled", "Indicates whether duplicate detection of records is enabled.",
+ "IsDuplicateDetectionEnabledForImport", "Is Duplicate Detection Enabled For Import", "Indicates whether duplicate detection of records during import is enabled.",
+ "IsDuplicateDetectionEnabledForOfflineSync", "Is Duplicate Detection Enabled For Offline Synchronization", "Indicates whether duplicate detection of records during offline synchronization is enabled.",
+ "IsDuplicateDetectionEnabledForOnlineCreateUpdate", "Is Duplicate Detection Enabled for Online Create/Update", "Indicates whether duplicate detection during online create or update is enabled.",
+ "IsEmailAddressValidationEnabled", "Enable Smart Email Address Validation.", "Information on whether Smart Email Address Validation is enabled.",
+ "IsEmailMonitoringAllowed", "Allow tracking recipient activity on sent emails", "Allow tracking recipient activity on sent emails.",
+ "IsEmailServerProfileContentFilteringEnabled", "Is Email Server Profile Content Filtering Enabled", "Enable Email Server Profile content filtering",
+ "IsEnabledForAllRoles", "option set values for isenabledforallroles", "Indicates whether appmodule is enabled for all roles",
+ "IsExternalFileStorageEnabled", "Enable external file storage", "Indicates whether the organization's files are being stored in Azure.",
+ "IsExternalSearchIndexEnabled", "Enable external search data syncing", "Select whether data can be synchronized with an external search index.",
+ "IsFiscalPeriodMonthBased", "Is Fiscal Period Monthly", "Indicates whether the fiscal period is displayed as the month number.",
+ "IsFolderAutoCreatedonSP", "Automatically create folders", "Select whether folders should be automatically created on SharePoint.",
+ "IsFolderBasedTrackingEnabled", "Is Folder Based Tracking Enabled", "Enable or disable folder based tracking for Server Side Sync.",
+ "IsFullTextSearchEnabled", "Enable Full-text search for Quick Find", "Indicates whether full-text search for Quick Find entities should be enabled for the organization.",
+ "IsGeospatialAzureMapsIntegrationEnabled", "Enable geospatial Azure Maps integration.", "Indicates whether geospatial capabilities leveraging Azure Maps are enabled.",
+ "IsHierarchicalSecurityModelEnabled", "Enable Hierarchical Security Model", "Enable Hierarchical Security Model",
+ "IsIdeasDataCollectionEnabled", "Enable Ideas data collection.", "Indicates whether data collection for ideas in canvas PowerApps has been enabled.",
+ "IsLUISEnabledforD365Bot", "LUIS Consent for Dynamics 365 Bot", "Give Consent to use LUIS in Dynamics 365 Bot",
+ "IsMailboxForcedUnlockingEnabled", "Is Mailbox Forced Unlocking Enabled", "Enable or disable forced unlocking for Server Side Sync mailboxes.",
+ "IsMailboxInactiveBackoffEnabled", "Is Mailbox Keep Alive Enabled", "Enable or disable mailbox keep alive for Server Side Sync.",
+ "IsManualSalesForecastingEnabled", "Enable Manual Sales Forecasting feature for this organization", "Indicates whether Manual Sales Forecasting feature has been enabled for the organization.",
+ "IsMobileClientOnDemandSyncEnabled", "Is Mobile Client On Demand Sync enabled", "Information that specifies whether mobile client on demand sync is enabled.",
+ "IsMobileOfflineEnabled", "Enable MobileOffline for this Organization", "Indicates whether the feature MobileOffline should be enabled for the organization.",
+ "IsModelDrivenAppsInMSTeamsEnabled", "Enable embedding Model Apps in Microsoft Teams", "Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.",
+ "IsMSTeamsCollaborationEnabled", "Enable Microsoft Teams Collaboration for this organization", "Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.",
+ "IsMSTeamsEnabled", "Enable Microsoft Teams integration", "Indicates whether Microsoft Teams integration has been enabled for the organization.",
+ "IsMSTeamsSettingChangedByUser", "Microsoft Teams integration changed by user", "Indicates whether the user has enabled or disabled Microsoft Teams integration.",
+ "IsMSTeamsUserSyncEnabled", "Enable Microsoft Teams User Sync for this organization", "Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.",
+ "IsNewAddProductExperienceEnabled", "Indicates whether new add product experience is enabled in opportunity form", "Indicates whether new add product experience is enabled.",
+ "IsNotesAnalysisEnabled", "Enable Notes Analysis for this Organization", "Indicates whether the feature Notes Analysis should be enabled for the organization.",
+ "IsNotificationForD365InTeamsEnabled", "IsNotificationForD365InTeamsEnabled", "",
+ "IsOfficeGraphEnabled", "Enable OfficeGraph for this Organization", "Indicates whether the feature OfficeGraph should be enabled for the organization.",
+ "IsOneDriveEnabled", "Enable One Drive for this Organization", "Indicates whether the feature One Drive should be enabled for the organization.",
+ "IsPAIEnabled", "Enable PAI feature for this organization", "Indicates whether PAI feature has been enabled for the organization.",
+ "IsPDFGenerationEnabled", "Enable PDF Generation feature for this organization", "Indicates whether PDF Generation feature has been enabled for the organization.",
+ "IsPlaybookEnabled", "Enable playbook feature for this organization", "Indicates whether playbook feature has been enabled for the organization.",
+ "IsPresenceEnabled", "Presence Enabled", "Information on whether IM presence is enabled.",
+ "IsPreviewEnabledForActionCard", "Enable Preview Action Card feature for this Organization", "Indicates whether the Preview feature for Action Card should be enabled for the organization.",
+ "IsPreviewForAutoCaptureEnabled", "Enable Auto Capture for this Organization at Preview Settings", "Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.",
+ "IsPreviewForEmailMonitoringAllowed", "Allows Preview For Email Monitoring", "Is Preview For Email Monitoring Allowed.",
+ "IsPriceListMandatory", "Indicates whether PriceList is mandatory for adding existing products to sales entities", "Indicates whether PriceList is mandatory for adding existing products to sales entities.",
+ "IsQuickCreateEnabledForOpportunityClose", "Enable quick create form for opportunity close feature for this organization", "Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.",
+ "IsReadAuditEnabled", "Is Read Auditing Enabled", "Enable or disable auditing of read operations.",
+ "IsRelationshipInsightsEnabled", "Enable Relationship Insights for this Organization", "Indicates whether the feature Relationship Insights should be enabled for the organization.",
+ "IsResourceBookingExchangeSyncEnabled", "Resource booking synchronization enabled", "Indicates if the synchronization of user resource booking with Exchange is enabled at organization level.",
+ "IsRichTextNotesEnabled", "Indicates whether rich text editor for notes experience is enabled on this organization", "Indicates whether rich text editor for notes experience is enabled on this organization",
+ "IsRpaAutoscaleAadJoinEnabled", "Enable AAD Join for RPA Autoscale feature for this organization.", "Indicates whether AAD Join for RPA Autoscale is enabled in this organization..",
+ "IsRpaAutoscaleEnabled", "Enable RPA Autoscale feature for this organization", "Indicates whether Autoscale feature for RPA is enabled in this organization.",
+ "IsRpaBoxCrossGeoEnabled", "Enable RPA Box cross geo feature for this organization", "Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.",
+ "IsRpaBoxEnabled", "Enable RPA Box feature for this organization", "Indicates whether RPA Box feature is enabled in this organization.",
+ "IsRpaUnattendedEnabled", "Enable RPA Unattended feature for this organization", "Indicates whether Unattended runs feature for RPA is enabled in this organization.",
+ "IsSalesAssistantEnabled", "Enable Sales Assistant mobile app", "Indicates whether Sales Assistant mobile app has been enabled for the organization.",
+ "IsSharingInOrgAllowed", "IsSharingInOrgAllowed", "",
+ "IsSOPIntegrationEnabled", "Is Sales Order Integration Enabled", "Enable sales order processing integration.",
+ "IsTextWrapEnabled", "Enable Text Wrap", "Information on whether text wrap is enabled.",
+ "IsUserAccessAuditEnabled", "Is User Access Auditing Enabled", "Enable or disable auditing of user access.",
+ "ISVIntegrationCode", "ISV Integration Mode", "Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.",
+ "IsWriteInProductsAllowed", "Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not", "Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.",
+ "KaPrefix", "Knowledge Article Prefix", "Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.",
+ "KbPrefix", "Article Prefix", "Prefix to use for all articles in Microsoft Dynamics 365.",
+ "KMSettings", "Knowledge Management Settings", "XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.",
+ "LanguageCode", "Language", "Preferred language for the organization.",
+ "LocaleId", "Locale", "Unique identifier of the locale of the organization.",
+ "LongDateFormatCode", "Long Date Format", "Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.",
+ "LookupCharacterCountBeforeResolve", "Minimum number of characters before resolving suggestions in lookup", "Minimum number of characters that should be entered in the lookup control before resolving for suggestions",
+ "LookupResolveDelayMS", "Minimum delay (in milliseconds) for debouncing lookup control input", "Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions",
+ "MailboxIntermittentIssueMinRange", "Lower Threshold For Mailbox Intermittent Issue", "Lower Threshold For Mailbox Intermittent Issue.",
+ "MailboxPermanentIssueMinRange", "Lower Threshold For Mailbox Permanent Issue.", "Lower Threshold For Mailbox Permanent Issue.",
+ "MaxActionStepsInBPF", "Maximum number of actionsteps allowed in a BPF", "Maximum number of actionsteps allowed in a BPF",
+ "MaxAllowedPendingRollupJobCount", "MaxAllowedPendingRollupJobCount", "Maximum Allowed Pending Rollup Job Count",
+ "MaxAllowedPendingRollupJobPercentage", "MaxAllowedPendingRollupJobPercentage", "Percentage Of Entity Table Size For Kicking Off Bootstrap Job",
+ "MaxAppointmentDurationDays", "Max Appointment Duration", "Maximum number of days an appointment can last.",
+ "MaxConditionsForMobileOfflineFilters", "Maximum number of conditions allowed for mobile offline filters", "Maximum number of conditions allowed for mobile offline filters",
+ "MaxDepthForHierarchicalSecurityModel", "Maximum depth for hierarchy security propagation.", "Maximum depth for hierarchy security propagation.",
+ "MaxFolderBasedTrackingMappings", "Max Folder Based Tracking Mappings", "Maximum number of Folder Based Tracking mappings user can add",
+ "MaximumActiveBusinessProcessFlowsAllowedPerEntity", "Maximum active business process flows per entity", "Maximum number of active business process flows allowed per entity",
+ "MaximumDynamicPropertiesAllowed", "Product Properties Item Limit", "Restrict the maximum number of product properties for a product family/bundle",
+ "MaximumEntitiesWithActiveSLA", "Maximum number of active SLA allowed per entity in online", "Maximum number of active SLA allowed per entity in online",
+ "MaximumSLAKPIPerEntityWithActiveSLA", "Maximum number of active SLA KPI allowed per entity in online", "Maximum number of SLA KPI per active SLA allowed for entity in online",
+ "MaximumTrackingNumber", "Max Tracking Number", "Maximum tracking number before recycling takes place.",
+ "MaxProductsInBundle", "Bundle Item Limit", "Restrict the maximum no of items in a bundle",
+ "MaxRecordsForExportToExcel", "Max Records For Excel Export", "Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.",
+ "MaxRecordsForLookupFilters", "Max Records Filter Selection", "Maximum number of lookup and picklist records that can be selected by user for filtering.",
+ "MaxRollupFieldsPerEntity", "MaxRollupFieldsPerEntity", "Maximum Rollup Fields Per Entity",
+ "MaxRollupFieldsPerOrg", "MaxRollupFieldsPerOrg", "Maximum Rollup Fields Per Organization",
+ "MaxSLAItemsPerSLA", "Max SLA Items Per SLA", "",
+ "MaxUploadFileSize", "Max Upload File Size", "Maximum allowed size of an attachment.",
+ "MicrosoftFlowEnvironment", "(Deprecated) Environment selected for Integration with Microsoft Flow", "(Deprecated) Environment selected for Integration with Microsoft Flow",
+ "MinAddressBookSyncInterval", "Min Address Synchronization Frequency", "Normal polling frequency used for address book synchronization in Microsoft Office Outlook.",
+ "MinOfflineSyncInterval", "Min Offline Synchronization Frequency", "Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.",
+ "MinOutlookSyncInterval", "Min Synchronization Frequency", "Minimum allowed time between scheduled Outlook synchronizations.",
+ "MobileOfflineSyncInterval", "Sync interval for mobile offline.", "Sync interval for mobile offline.",
+ "ModernAdvancedFindFiltering", "Modern advanced find filtering", "Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled",
+ "ModernAppDesignerCoauthoringEnabled", "Coauthoring in Modern App Designer Enabled", "Indicates whether coauthoring is enabled in modern app designer",
+ "MultiColumnSortEnabled", "Enable Multi Column Sort Editor In Views", "Show the sort by button on views",
+ "Name", "Organization Name", "Name of the organization. The name is set when Microsoft CRM is installed and should not be changed.",
+ "NaturalLanguageAssistFilter", "Natural Language Assist", "Enables Natural Language Assist Filter.",
+ "NegativeCurrencyFormatCode", "Negative Currency Format", "Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.",
+ "NegativeFormatCode", "Negative Format", "Information that specifies how negative numbers are displayed throughout Microsoft CRM.",
+ "NewSearchExperienceEnabled", "Oct 2020 Search enabled", "Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization",
+ "NextTrackingNumber", "Next Tracking Number", "Next token to be placed on the subject line of an email message.",
+ "NotifyMailboxOwnerOfEmailServerLevelAlerts", "Notify Mailbox Owner Of Email Server Level Alerts", "Indicates whether mailbox owners will be notified of email server profile level alerts.",
+ "NumberFormat", "Number Format", "Specification of how numbers are displayed throughout Microsoft CRM.",
+ "NumberGroupFormat", "Number Grouping Format", "Specifies how numbers are grouped in Microsoft Dynamics 365.",
+ "NumberSeparator", "Number Separator", "Symbol used for number separation in Microsoft Dynamics 365.",
+ "OfficeAppsAutoDeploymentEnabled", "Enable Office Apps Auto Deployment for this Organization", "Indicates whether the Office Apps auto deployment is enabled for the organization.",
+ "OfficeGraphDelveUrl", "The url to open the Delve", "The url to open the Delve for the organization.",
+ "OOBPriceCalculationEnabled", "Enable OOB Price calculation", "Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.",
+ "OptOutSchemaV2EnabledByDefault", "Opt-out of schema v2 being automatically enabled for this organization.", "Indicates if this organization will opt-out from automatically enabling schema v2 on the organization.",
+ "OrderPrefix", "Order Prefix", "Prefix to use for all orders throughout Microsoft Dynamics 365.",
+ "OrgDbOrgSettings", "Organization Database Organization Settings", "Organization settings stored in Organization Database.",
+ "OrgInsightsEnabled", "Enable OrgInsights for this Organization", "Select whether to turn on OrgInsights for the organization.",
+ "PaiPreviewScenarioEnabled", "Display Preview Feature for this organization", "Indicates whether Preview feature has been enabled for the organization.",
+ "PastExpansionWindow", "Past Expansion Window", "Specifies the maximum number of months in past for which the recurring activities can be created.",
+ "PcfDatasetGridEnabled", "Enable modern grids in model-driven apps", "Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.",
+ "PerformACTSyncAfter", "PerformACTSyncAfter", "This setting contains the date time before an ACT sync can execute.",
+ "Picture", "Picture", "For internal use only.",
+ "PinpointLanguageCode", "", "",
+ "PluginTraceLogSetting", "Plug-in Trace Log Setting", "Plug-in Trace Log Setting for the Organization.",
+ "PMDesignator", "PM Designator", "PM designator to use throughout Microsoft Dynamics 365.",
+ "PostMessageWhitelistDomains", "For internal use only.", "For internal use only.",
+ "PowerAppsMakerBotEnabled", "Enable bot for makers.", "Indicates whether bot for makers is enabled.",
+ "PowerBIAllowCrossRegionOperations", "Power BI allow cross region operations", "Indicates whether cross region operations are allowed for the organization",
+ "PowerBIAutomaticPermissionsAssignment", "Power BI automatic permissions assignment", "Indicates whether automatic permissions assignment to Power BI has been enabled for the organization",
+ "PowerBIComponentsCreate", "Power BI components creation", "Indicates whether creation of Power BI components has been enabled for the organization",
+ "PowerBiFeatureEnabled", "Enable Power BI feature for this Organization", "Indicates whether the Power BI feature should be enabled for the organization.",
+ "PricingDecimalPrecision", "Pricing Decimal Precision", "Number of decimal places that can be used for prices.",
+ "PrivacyStatementUrl", "Privacy Statement URL", "Privacy Statement URL",
+ "PrivilegeUserGroupId", "Privilege User Group", "Unique identifier of the default privilege for users in the organization.",
+ "PrivReportingGroupId", "Privilege Reporting Group", "For internal use only.",
+ "PrivReportingGroupName", "Privilege Reporting Group Name", "For internal use only.",
+ "ProductRecommendationsEnabled", "Enable Product Recommendations for this Organization", "Select whether to turn on product recommendations for the organization.",
+ "QualifyLeadAdditionalOptions", "Enable New Qualify Lead Experience with configuration MDD", "Indicates whether prompt should be shown for new Qualify Lead Experience",
+ "QuickActionToOpenRecordsInSidePaneEnabled", "Enable quick actions to open records in search side pane", "Flag to indicate if the feature to use quick action to open records in search side pane is enabled",
+ "QuickFindRecordLimitEnabled", "Quick Find Record Limit Enabled", "Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).",
+ "QuotePrefix", "Quote Prefix", "Prefix to use for all quotes throughout Microsoft Dynamics 365.",
+ "RecalculateSLA", "Indicates whether SLA Recalculation has been enabled for the organization", "Indicates whether SLA Recalculation has been enabled for the organization",
+ "RecurrenceDefaultNumberOfOccurrences", "Recurrence Default Number of Occurrences", "Specifies the default value for number of occurrences field in the recurrence dialog.",
+ "RecurrenceExpansionJobBatchInterval", "Recurrence Expansion Job Batch Interval", "Specifies the interval (in seconds) for pausing expansion job.",
+ "RecurrenceExpansionJobBatchSize", "Recurrence Expansion On Demand Job Batch Size", "Specifies the value for number of instances created in on demand job in one shot.",
+ "RecurrenceExpansionSynchCreateMax", "Recurrence Expansion Synchronization Create Maximum", "Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.",
+ "ReferenceSiteMapXml", "Reference SiteMap XML", "XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.",
+ "ReleaseCadence", "Current orgnization release cadence value", "Current orgnization release cadence value",
+ "ReleaseChannel", "Model app refresh channel", "Model app refresh channel",
+ "ReleaseWaveName", "Release Wave", "Release Wave Applied to Environment.",
+ "RelevanceSearchEnabledByPlatform", "Relevance search enabled automatically by Dataverse", "Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep",
+ "RelevanceSearchModifiedOn", "RelevanceSearchModifiedOnDate", "This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.",
+ "RenderSecureIFrameForEmail", "Render Secure Frame For Email", "Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. This is additional security but can cause a credentials prompt.",
+ "ReportingGroupId", "Reporting Group", "For internal use only.",
+ "ReportingGroupName", "Reporting Group Name", "For internal use only.",
+ "ReportScriptErrors", "Report Script Errors", "Picklist for selecting the organization preference for reporting scripting errors.",
+ "RequireApprovalForQueueEmail", "Is Approval For Queue Email Required", "Indicates whether Send As Other User privilege is enabled.",
+ "RequireApprovalForUserEmail", "Is Approval For User Email Required", "Indicates whether Send As Other User privilege is enabled.",
+ "ResolveSimilarUnresolvedEmailAddress", "Apply same email address to all unresolved matches when you manually resolve it for one", "Apply same email address to all unresolved matches when you manually resolve it for one",
+ "RestrictStatusUpdate", "Restrict Status Update", "Flag to restrict Update on incident.",
+ "ReverseProxyIpAddresses", "List of reverse proxy IP addresses to be allowed.", "Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.",
+ "RiErrorStatus", "Error status of Relationship Insights provisioning.", "Error status of Relationship Insights provisioning.",
+ "SampleDataImportId", "Sample Data Import", "Unique identifier of the sample data import job.",
+ "SchemaNamePrefix", "Customization Name Prefix", "Prefix used for custom entities and attributes.",
+ "SendBulkEmailInUCI", "Send Bulk Email in UCI", "Indicates whether Send Bulk Email in UCI is enabled for the org.",
+ "ServeStaticResourcesFromAzureCDN", "Serve Static Content From CDN", "Serve Static Content From CDN",
+ "SessionRecordingEnabled", "Enable the session recording feature", "Enable the session recording feature to record user sessions in UCI",
+ "SessionTimeoutEnabled", "Session timeout enabled", "Information that specifies whether session timeout is enabled",
+ "SessionTimeoutInMins", "Session timeout in minutes", "Session timeout in minutes",
+ "SessionTimeoutReminderInMins", "Session timeout reminder in minutes", "Session timeout reminder in minutes",
+ "SharePointDeploymentType", "Choose SharePoint Deployment Type", "Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)",
+ "ShareToPreviousOwnerOnAssign", "Share To Previous Owner On Assign", "Information that specifies whether to share to previous owner on assign.",
+ "ShowKBArticleDeprecationNotification", "Show KBArticle deprecation message to user", "Select whether to display a KB article deprecation notification to the user.",
+ "ShowWeekNumber", "Show Week Number", "Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.",
+ "SignupOutlookDownloadFWLink", "CRMForOutlookDownloadURL", "CRM for Outlook Download URL",
+ "SiteMapXml", "SiteMap XML", "XML string that defines the navigation structure for the application.",
+ "SlaPauseStates", "SLA pause states", "Contains the on hold case status values.",
+ "SocialInsightsEnabled", "Social Insights Enabled", "Flag for whether the organization is using Social Insights.",
+ "SocialInsightsInstance", "Social Insights instance identifier", "Identifier for the Social Insights instance for the organization.",
+ "SocialInsightsTermsAccepted", "Social Insights Terms of Use", "Flag for whether the organization has accepted the Social Insights terms of use.",
+ "SortId", "Sort", "For internal use only.",
+ "SqlAccessGroupId", "SQL Access Group", "For internal use only.",
+ "SqlAccessGroupName", "SQL Access Group Name", "For internal use only.",
+ "SQMEnabled", "Is SQM Enabled", "Setting for SQM data collection, 0 no, 1 yes enabled",
+ "SupportUserId", "Support User", "Unique identifier of the support user for the organization.",
+ "SuppressSLA", "Is SLA suppressed", "Indicates whether SLA is suppressed.",
+ "SuppressValidationEmails", "Whether Admin emails are sent when Solution Checker validation fails", "Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.",
+ "SyncBulkOperationBatchSize", "Number of records to update per operation in Sync Bulk Pause/Resume/Cancel", "Number of records to update per operation in Sync Bulk Pause/Resume/Cancel",
+ "SyncBulkOperationMaxLimit", "Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel", "Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel",
+ "SyncOptInSelection", "Enable dynamics 365 azure sync framework for this organization.", "Indicates the selection to use the dynamics 365 azure sync framework or server side sync.",
+ "SyncOptInSelectionStatus", "Status of opt-in or opt-out operation for dynamics 365 azure sync.", "Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.",
+ "SystemUserId", "System User", "Unique identifier of the system user for the organization.",
+ "TableScopedDVSearchInApps", "Table Scoped Dataverse Search In Apps", "Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.",
+ "TagMaxAggressiveCycles", "Auto-Tag Max Cycles", "Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.",
+ "TagPollingPeriod", "Auto-Tag Interval", "Normal polling frequency used for email receive auto-tagging in outlook.",
+ "TaskBasedFlowEnabled", "Enable Task Flow processes for this Organization", "Select whether to turn on task flows for the organization.",
+ "TeamsChatDataSync", "Enable Teams Chat Data Sync.", "Information on whether Teams Chat Data Sync is enabled.",
+ "TelemetryInstrumentationKey", "Telemetry Instrumentation Key", "Instrumentation key for Application Insights used to log plugins telemetry.",
+ "TextAnalyticsEnabled", "Enable Text Analytics for this Organization", "Select whether to turn on text analytics for the organization.",
+ "TimeFormatCode", "Time Format Code", "Information that specifies how the time is displayed throughout Microsoft CRM.",
+ "TimeFormatString", "Time Format String", "Text for how time is displayed in Microsoft Dynamics 365.",
+ "TimeSeparator", "Time Separator", "Text for how the time separator is displayed throughout Microsoft Dynamics 365.",
+ "TimeZoneRuleVersionNumber", "Time Zone Rule Version Number", "For internal use only.",
+ "TokenExpiry", "Token Expiration Duration", "Duration used for token expiration.",
+ "TokenKey", "Token Key", "Token key.",
+ "TraceLogMaximumAgeInDays", "Tracelog record maximum age in days", "Tracelog record maximum age in days",
+ "TrackingPrefix", "Tracking Prefix", "History list of tracking token prefixes.",
+ "TrackingTokenIdBase", "Tracking Token Base", "Base number used to provide separate tracking token identifiers to users belonging to different deployments.",
+ "TrackingTokenIdDigits", "Tracking Token Digits", "Number of digits used to represent a tracking token identifier.",
+ "UniqueSpecifierLength", "Unique String Length", "Number of characters appended to invoice, quote, and order numbers.",
+ "UnresolveEmailAddressIfMultipleMatch", "Set To,cc,bcc fields as unresolved if multiple matches are found", "Indicates whether email address should be unresolved if multiple matches are found",
+ "UseInbuiltRuleForDefaultPricelistSelection", "Use Inbuilt Rule For Default Pricelist Selection", "Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.",
+ "UseLegacyRendering", "Legacy Form Rendering", "Select whether to use legacy form rendering.",
+ "UsePositionHierarchy", "Use position hierarchy", "Use position hierarchy",
+ "UseQuickFindViewForGridSearch", "Use Quick Find view when searching in grids", "Indicates whether searching in a grid should use the Quick Find view for the entity.",
+ "UserAccessAuditingInterval", "User Authentication Auditing Interval", "The interval at which user access is checked for auditing.",
+ "UseReadForm", "Use Read-Optimized Form", "Indicates whether the read-optimized form should be enabled for this organization.",
+ "UserGroupId", "User Group", "Unique identifier of the default group of users in the organization.",
+ "UserRatingEnabled", "Enable the user rating feature", "Enable the user rating feature to show the NSAT score and comment to maker",
+ "UseSkypeProtocol", "User Skype Protocol", "Indicates default protocol selected for organization.",
+ "UTCConversionTimeZoneCode", "UTC Conversion Time Zone Code", "Time zone code that was in use when the record was created.",
+ "ValidationMode", "Validation mode for apps in this environment", "Validation mode for apps in this environment",
+ "WebResourceHash", "Web resource hash", "Hash value of web resources.",
+ "WeekStartDayCode", "Week Start Day Code", "Designated first day of the week throughout Microsoft Dynamics 365.",
+ "WidgetProperties", "For Internal use only.", "For Internal use only.",
+ "YammerGroupId", "Yammer Group Id", "Denotes the Yammer group ID",
+ "YammerNetworkPermalink", "Yammer Network Permalink", "Denotes the Yammer network permalink",
+ "YammerOAuthAccessTokenExpired", "Yammer OAuth Access Token Expired", "Denotes whether the OAuth access token for Yammer network has expired",
+ "YammerPostMethod", "Internal Use Only", "Internal Use Only",
+ "YearStartWeekCode", "Year Start Week Code", "Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.",
+ "AcknowledgementTemplateIdName", "", "Name of the template to be used for unsubscription acknowledgement.",
+ "BaseCurrencyIdName", "", "",
+ "BaseCurrencyPrecision", "Base Currency Precision", "Number of decimal places that can be used for the base currency.",
+ "BaseCurrencySymbol", "Base Currency Symbol", "Symbol used for the base currency.",
+ "BaseISOCurrencyCode", "Base ISO Currency Code", "",
+ "CreatedBy", "Created By", "Unique identifier of the user who created the organization.",
+ "CreatedByName", "", "",
+ "CreatedByYomiName", "", "",
+ "CreatedOn", "Created On", "Date and time when the organization was created.",
+ "CreatedOnBehalfBy", "Created By (Delegate)", "Unique identifier of the delegate user who created the organization.",
+ "CreatedOnBehalfByName", "", "",
+ "CreatedOnBehalfByYomiName", "", "",
+ "CurrentImportSequenceNumber", "Current Import Sequence Number", "Import sequence to use.",
+ "CurrentParsedTableNumber", "Current Parsed Table Number", "First parsed table number to use.",
+ "DaysSinceRecordLastModifiedMaxValue", "Max value of Days since record last modified", "The maximum value for the Mobile Offline setting Days since record last modified",
+ "DefaultEmailServerProfileIdName", "", "Name of the email server profile to be used as default profile for the mailboxes.",
+ "DefaultMobileOfflineProfileIdName", "", "Name of the default mobile offline profile to be used as default profile for mobile offline.",
+ "DisabledReason", "Disabled Reason", "Reason for disabling the organization.",
+ "EntityImage_Timestamp", "", "",
+ "EntityImage_URL", "", "",
+ "EntityImageId", "Entity Image Id", "For internal use only.",
+ "FiscalSettingsUpdated", "Is Fiscal Settings Updated", "Information that specifies whether the fiscal settings have been updated.",
+ "IsAllMoneyDecimal", "Set if all money attributes are converted to decimal", "Indicates whether all money attributes are converted to decimal.",
+ "IsDisabled", "Is Organization Disabled", "Information that specifies whether the organization is disabled.",
+ "MaxSupportedInternetExplorerVersion", "Max supported IE version", "The maximum version of IE to run browser emulation for in Outlook client",
+ "MaxVerboseLoggingMailbox", "Max No Of Mailboxes To Enable For Verbose Logging", "Maximum number of mailboxes that can be toggled for verbose logging",
+ "MaxVerboseLoggingSyncCycles", "Maximum number of sync cycles for which verbose logging will be enabled by default", "Maximum number of sync cycles for which verbose logging will be enabled by default",
+ "MetadataSyncLastTimeOfNeverExpiredDeletedObjects", "The last date/time for never expired metadata tracking deleted objects", "What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.",
+ "MetadataSyncTimestamp", "Metadata sync version", "Contains the maximum version number for attributes used by metadata synchronization that have changed.",
+ "MobileOfflineMinLicenseProd", "Minimum number of user license required for mobile offline service by production/preview organization", "Minimum number of user license required for mobile offline service by production/preview organization",
+ "MobileOfflineMinLicenseTrial", "Minimum number of user license required for mobile offline service by trial organization", "Minimum number of user license required for mobile offline service by trial organization",
+ "ModifiedBy", "Modified By", "Unique identifier of the user who last modified the organization.",
+ "ModifiedByName", "", "",
+ "ModifiedByYomiName", "", "",
+ "ModifiedOn", "Modified On", "Date and time when the organization was last modified.",
+ "ModifiedOnBehalfBy", "Modified By (Delegate)", "Unique identifier of the delegate user who last modified the organization.",
+ "ModifiedOnBehalfByName", "", "",
+ "ModifiedOnBehalfByYomiName", "", "",
+ "NextCustomObjectTypeCode", "Next Entity Type Code", "Next entity type code to use for custom entities.",
+ "OrganizationId", "Organization", "Unique identifier of the organization.",
+ "OrganizationState", "Organization State", "Indicates the organization lifecycle state",
+ "ParsedTableColumnPrefix", "Parsed Table Column Prefix", "Prefix used for parsed table columns.",
+ "ParsedTablePrefix", "Parsed Table Prefix", "Prefix used for parsed tables.",
+ "V3CalloutConfigHash", "V3 Callout Hash", "Hash of the V3 callout configuration file.",
+ "VersionNumber", "Version Number", "Version number of the organization."
+ ]
+ | project FieldName = tolower(Field), DisplayName, Description
diff --git a/Solutions/Microsoft Business Applications/Parsers/MSBizAppsTerminatedEmployees.yaml b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsTerminatedEmployees.yaml
new file mode 100644
index 00000000000..870aa6ce3f0
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsTerminatedEmployees.yaml
@@ -0,0 +1,51 @@
+id: 55052ba8-de53-4921-bb6d-63a4d6c67373
+Contentkind: Function
+Description: MSBizAppsTerminatedEmployees
+Function:
+ Title: MSBizAppsTerminatedEmployees
+ Version: 3.0.1
+ LastUpdated: '2024-01-26'
+Category: MSBizAppsFunctions
+FunctionName: MSBizAppsTerminatedEmployees
+FunctionAlias: MSBizAppsTerminatedEmployees
+FunctionParams:
+ - Name: TerminatedEmployeesWatchlistAlias
+ Type: string
+ Default: 'TerminatedEmployees'
+FunctionQuery: |
+ let TerminatedEmployees_definition = datatable (
+ UserIdentifier: string,
+ UserAADObjectId: string,
+ UserOnPremSid: string,
+ UserPrincipalName: string,
+ UserState: string,
+ NotificationDate: datetime,
+ TerminationDate: datetime,
+ Tags: string
+ ) [
+ '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'
+ ];
+ let TerminatedEmployees_data = (
+ _GetWatchlist(TerminatedEmployeesWatchlistAlias)
+ | project
+ UserIdentifier = column_ifexists('User Identifier', '_'),
+ UserAADObjectId = column_ifexists('User AAD Object Id', '_'),
+ UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),
+ UserPrincipalName = column_ifexists('User Principal Name', '_'),
+ UserState = column_ifexists('UserState', '_'),
+ NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),
+ TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),
+ Tags = column_ifexists('Tags', '_')
+ );
+ TerminatedEmployees_data
+ | union isfuzzy = true (TerminatedEmployees_definition)
+ | where UserPrincipalName != '_'
+ | project
+ UserIdentifier = tostring(UserIdentifier),
+ UserAADObjectId = tostring(UserAADObjectId),
+ UserOnPremSid = tostring(UserOnPremSid),
+ UserPrincipalName = tostring(UserPrincipalName),
+ UserState = tostring(UserState),
+ NotificationDate = todatetime(NotificationDate),
+ TerminationDate = todatetime(TerminationDate),
+ Tags = tostring(Tags)
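Review bot: The user-state column is read as `column_ifexists('UserState', '_')` while every other watchlist column in the same projection uses the spaced display-name form ('User Identifier', 'User AAD Object Id', 'Notification date'); if the watchlist template names that column 'User State', this silently defaults to '_' for every row and UserState never carries data, so it should be confirmed against the template and, if the spaced form is right, changed to `UserState = column_ifexists('User State', '_'),`. The `tostring()`/`todatetime()` coercions are applied only in the final `project`, after the `union isfuzzy = true` with the string-typed definition datatable, whereas the sibling MSBizAppsVIPUsers parser in this commit coerces inside the `_GetWatchlist` projection; coercing before the union here as well keeps the two parsers consistent and avoids a column-type mismatch at the union if `_GetWatchlist` ever returns a non-string column. Note also that `| where UserPrincipalName != '_'` discards watchlist rows that carry only a SID or AAD object id, which is reasonable for a placeholder filter but is not stated anywhere in the function's metadata.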
diff --git a/Solutions/Microsoft Business Applications/Parsers/MSBizAppsVIPUsers.yaml b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsVIPUsers.yaml
new file mode 100644
index 00000000000..7923b621350
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Parsers/MSBizAppsVIPUsers.yaml
@@ -0,0 +1,42 @@
+id: 82deb196-ecdd-4154-9f7f-ff6989cbd08a
+Contentkind: Function
+Description: MSBizAppsVIPUsers
+Function:
+ Title: MSBizAppsVIPUsers
+ Version: 3.2.0
+ LastUpdated: '2024-11-13'
+Category: MSBizAppsFunctions
+FunctionName: MSBizAppsVIPUsers
+FunctionAlias: MSBizAppsVIPUsers
+FunctionParams:
+ - Name: VIPUsersWatchlistAlias
+ Type: string
+ Default: 'VIPUsers'
+FunctionQuery: |
+ let MSBizAppsVIPUsers_definition = datatable (
+ UserIdentifier: string,
+ UserAADObjectId: string,
+ UserOnPremSid: string,
+ UserPrincipalName: string,
+ Tags: string
+ ) [
+ '_', '_', '_', '_', '_'
+ ];
+ let MSBizAppsVIPUsers_data = (
+ _GetWatchlist(VIPUsersWatchlistAlias)
+ | project
+ UserIdentifier = tostring(column_ifexists('User Identifier', '_')),
+ UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),
+ UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),
+ UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),
+ Tags = tostring(column_ifexists('Tags', '_'))
+ );
+ MSBizAppsVIPUsers_data
+ | union isfuzzy = true (MSBizAppsVIPUsers_definition)
+ | where UserPrincipalName != '_'
+ | project
+ UserIdentifier,
+ UserAADObjectId,
+ UserOnPremSid,
+ UserPrincipalName,
+ Tags
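Review bot: The `Description` field is just the function name repeated (`Description: MSBizAppsVIPUsers`), which is the same in MSBizAppsTerminatedEmployees in this commit, so the gallery entry tells the analyst nothing about what the parser returns or which rows it drops. A one-sentence description would do, e.g. `Description: Normalizes the VIPUsers watchlist into a fixed schema (UserIdentifier, UserAADObjectId, UserOnPremSid, UserPrincipalName, Tags); rows without a User Principal Name are excluded.` The exclusion is worth stating because the `| where UserPrincipalName != '_'` filter silently removes entries that were keyed only by on-prem SID or AAD object id, which is easy to miss when populating the watchlist.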
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Add-SharePoint-Site/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Add-SharePoint-Site/azuredeploy.json
new file mode 100644
index 00000000000..68a32337f1c
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Add-SharePoint-Site/azuredeploy.json
@@ -0,0 +1,296 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Add SharePoint sites to watchlist",
+ "description": "This playbook is used to add new or updated SharePoint document management sites into the configuration watchlist. When combined with a scheduled analytics rule monitoring the Dataverse activity log, this Playbook will trigger when a new SharePoint document management site mapping is added. The site will be added to a watchlist to extend monitoring coverage.",
+ "prerequisites": [
+ "1. Collect the subscription ID, resource group name and workspace ID of the Sentinel workspace."
+ ],
+ "postDeployment": [
+ "1. Create a Sentinel automation rule to trigger this Playbook for the the Analytics Rule **Dataverse - SharePoint document management site added or updated**.",
+ "2. Configure Event Grouping settings for the Analytics rule to **Trigger an alert for each event**."
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Add-SharePoint-Site",
+ "type": "string"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for resourceGroupName"
+ }
+ },
+ "subscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for subscriptionId"
+ }
+ },
+ "watchlistAlias": {
+ "type": "string",
+ "defaultValue": "MSBizApps-Configuration",
+ "metadata": {
+ "description": "Enter value for watchlistAlias"
+ }
+ },
+ "workspaceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for workspaceId"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[parameters('resourceGroupName')]"
+ },
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "[parameters('subscriptionId')]"
+ },
+ "watchlistAlias": {
+ "type": "string",
+ "defaultValue": "[parameters('watchlistAlias')]"
+ },
+ "workspaceId": {
+ "type": "string",
+ "defaultValue": "[parameters('workspaceId')]"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Compose_Data": {
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "type": "Compose",
+ "inputs": {
+ "InstanceUrl": "@variables('InstanceUrl')",
+ "SharePointUrl": "@variables('SharePointSiteUrl')"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Terminate": {
+ "runAfter": {},
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "TooManyEntities",
+ "message": "Found more than 2 entities in a single alert. Please ensure the Analytics Rule Event Grouping is set to: Trigger an alert for each event"
+ },
+ "runStatus": "Failed"
+ }
+ }
+ },
+ "runAfter": {
+ "Initialize_InstanceUrl": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(triggerBody()?['Entities'])",
+ 2
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each": {
+ "foreach": "@triggerBody()?['Entities']",
+ "actions": {
+ "Switch": {
+ "runAfter": {},
+ "cases": {
+ "Case_Dataverse": {
+ "case": 32780,
+ "actions": {
+ "Set_SharePointSiteUrl": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "InstanceUrl",
+ "value": "@{items('For_each')?['InstanceName']}"
+ }
+ }
+ }
+ },
+ "Case_SharePoint": {
+ "case": 20892,
+ "actions": {
+ "Set_InstanceUrl": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "SharePointSiteUrl",
+ "value": "@{items('For_each')?['InstanceName']}"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {}
+ },
+ "expression": "@items('For_each')['AppId']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Condition": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_InstanceUrl": {
+ "runAfter": {
+ "Initialize_SharePointSiteUrl": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "InstanceUrl",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_SharePointSiteUrl": {
+ "runAfter": {},
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "SharePointSiteUrl",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Watchlists_-_Add_a_new_Watchlist_Item": {
+ "runAfter": {
+ "Compose_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Category": "SharePoint",
+ "Data": "@string(outputs('Compose_Data'))"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent(parameters('watchlistAlias'))}/watchlistItem"
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "MS-BizApps-Add-SharePoint-Site",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
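Review bot: Nothing guards against empty values before `Watchlists_-_Add_a_new_Watchlist_Item` runs: the `Condition` only terminates when more than two entities are present, so an alert with one entity, or two entities whose `AppId` matches neither switch case, reaches the watchlist write with `InstanceUrl` and/or `SharePointSiteUrl` still empty and pollutes the MSBizApps-Configuration watchlist that other detections read; an `If` on `@and(not(empty(variables('InstanceUrl'))), not(empty(variables('SharePointSiteUrl'))))` placed before the write (with a Terminate in the else branch) would close that gap. The switch expression `"@items('For_each')['AppId']"` uses the non-safe accessor, unlike every other property access in this definition, so an entity without an `AppId` (an Account or Host entity in the same alert) fails the iteration rather than falling to `default`; `"expression": "@items('For_each')?['AppId']"` is the consistent form. The two switch-case action names are also swapped relative to what they do: `Set_SharePointSiteUrl` sets `InstanceUrl` under the Dataverse case and `Set_InstanceUrl` sets `SharePointSiteUrl` under the SharePoint case, which is harmless at runtime but misleading in the run history.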
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-AlertTrigger/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-AlertTrigger/azuredeploy.json
new file mode 100644
index 00000000000..60840157b2b
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-AlertTrigger/azuredeploy.json
@@ -0,0 +1,211 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist (alert trigger)",
+ "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "2. Create a Conditional Access policy in Microsoft Entra.",
+ "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User-AlertTrigger",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[concat('Azuread-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[parameters('GroupId')]"
+ }
+ },
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['Entities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Get_user": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "azuread": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[variables('AzureadConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-AlertTrigger",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureadConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureadConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ ]
+}
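Review bot: `Add_user_to_group` changes Conditional Access group membership (an access-blocking control) but nothing records the outcome back to the alert or incident, so there is no trace in Sentinel of which accounts were actually blocked or why a Graph call failed; the Via-Outlook variant in this same commit appends an incident comment on both the 204 and the error path, and the same pattern (a comment after `Add_user_to_group` with `runAfter` on `Succeeded` and `Failed`) is worth adding here for auditability. `Get_user` builds the lookup key as `concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])` with no check that `UPNSuffix` is present, so an account entity without a suffix produces a request for `name@` and the iteration fails with no comment explaining it; guarding on `@not(empty(items('For_each')?['UPNSuffix']))` or using the entity's UPN field directly would be more robust. Minor: `items('for_each')` differs in case from the action name `For_each` used everywhere else — this is presumably tolerated by the runtime, but the inconsistency should be removed — and `Playook` in the postDeployment text is a typo.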
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-Via-Outlook/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-Via-Outlook/azuredeploy.json
new file mode 100644
index 00000000000..fc913ff06e5
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-Via-Outlook/azuredeploy.json
@@ -0,0 +1,370 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist using Outlook approval workflow",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using an Outlook based approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. An email address for SOC to receieve approval requests.",
+ "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "3. Create a Conditional Access policy in Microsoft Entra.",
+ "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playbook managed identity.",
+ "2. Authorize connection for Microsoft Entra.",
+ "3. Authorize connection for Microsoft Outlook."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User-Via-Outlook",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ },
+ "ToAlias": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for ToAlias"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[concat('Azuread-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[parameters('GroupId')]"
+ },
+ "ToAlias": {
+ "type": "string",
+ "defaultValue": "[parameters('ToAlias')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Condition_to_check_the_SOC_selected_option": {
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "User was added to CA block group in AAD: @{items('For_each')?['Name']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Add_user_to_group": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_4": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nError: @{body('Add_user_to_group')['error']['message']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@int(actionOutputs('Add_user_to_group').statusCode)",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the execution result of function"
+ },
+ "Get_user": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Send_email_with_options": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_3": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nSOC Action: Ignore
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Send_email_with_options')?['SelectedOption']",
+ "Approve"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Send_email_with_options": {
+ "runAfter": {},
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "Message": {
+ "Body": " Incident Url: @{triggerBody()?['object']?['properties']?['incidentUrl']}
\n Incident#: @{triggerBody()?['object']?['properties']?['incidentNumber']}
\nUser Id: @{items('For_each')?['Name']}
\nThe account will be added to the CA block group in AAD.
\n",
+ "HideHTMLMessage": false,
+ "Importance": "High",
+ "Options": "Approve, Deny",
+ "ShowHTMLConfirmationDialog": false,
+ "Subject": "Dynamics 365 block user in Conditional Access",
+ "To": "@parameters('ToAlias')",
+ "UseOnlyHTMLMessage": true
+ },
+ "NotificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "path": "/mailwithoptions/$subscriptions"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[variables('Office365ConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ },
+ "azuread": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[variables('AzureadConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Outlook",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('Office365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('Office365ConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureadConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureadConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ ]
+}
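Review bot: The approval email in `Send_email_with_options` is sent with `"UseOnlyHTMLMessage": true` and interpolates entity-derived values (`items('For_each')?['Name']`, the incident URL and number) straight into the HTML body, so an account name that contains markup is rendered as HTML in the SOC's approval mail rather than shown literally; wrapping the interpolated values in an escaping expression, or setting `"UseOnlyHTMLMessage": false` and delivering a plain-text body, keeps the analyst seeing the real account name before approving a block. The string values in the `Add_comment_to_incident_(V3)` messages and the email `Body` appear to contain raw line breaks inside JSON strings (the lines that start with `"` or `\n` on their own); if those are literal newlines in the file rather than an artifact of this rendering, they are invalid under RFC 8259 and should be written as `\n` escapes as the rest of the same strings already do. The `Condition` that checks the group-add result runs only on `Succeeded`/`Failed` of `Add_user_to_group`, so when `Get_user` fails the add is skipped and no incident comment is written at all, leaving the approval with no recorded outcome; adding `Skipped` to that `runAfter`, with the else-branch message covering it, closes the gap.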
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-Via-Teams/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-Via-Teams/azuredeploy.json
new file mode 100644
index 00000000000..9ca20f14c08
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User-Via-Teams/azuredeploy.json
@@ -0,0 +1,381 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist using Teams approval workflow",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using a Teams adaptive card approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Teams group and channel ID to receive approval requests.",
+ "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "3. Create a Conditional Access policy in Microsoft Entra.",
+ "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra.",
+ "3. Authorize connection for Microsoft Teams."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User-Via-Teams",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ },
+ "TeamsChannelId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TeamsChannelId"
+ }
+ },
+ "TeamsGroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TeamsGroupId"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[concat('Azuread-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[parameters('GroupId')]"
+ },
+ "TeamsChannelId": {
+ "type": "string",
+ "defaultValue": "[parameters('TeamsChannelId')]"
+ },
+ "TeamsGroupId": {
+ "type": "string",
+ "defaultValue": "[parameters('TeamsGroupId')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Condition_to_check_the_SOC_selected_option": {
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "User was added to CA block group in AAD: @{items('For_each')?['Name']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Add_user_to_group": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_3": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nError: @{body('Add_user_to_group')['error']['message']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@int(actionOutputs('Add_user_to_group').statusCode)",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the execution result of function"
+ },
+ "Get_user": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nSOC Action: Ignore
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']",
+ "Block user"
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the SOC action to remove the SkuIds"
+ },
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
+ "runAfter": {},
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "body": {
+ "messageBody": " {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious Account - Azure Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible Comprised User detected by the provider\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Graph API Information:\",\n \"wrap\": true\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://1.bp.blogspot.com/-XRTHPrt7nR4/Xu9koskiFWI/AAAAAAAAGcY/SRKJLzVYSekWRZqd1Adyrg66-1eaghZmwCK4BGAsYHg/s191/graph-icon-1.png\",\n \"size\": \"Small\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Do you want to add the following account to the D365 Conditional Access Block list: @{items('For_each')?['Name']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n{\n \"type\": \"TextBlock\",\n \"text\": \"Click approve to authorize adding user to block list.\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": 
\"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Block user\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "recipient": {
+ "channelId": "@parameters('TeamsChannelId')"
+ },
+ "shouldUpdateCard": true
+ },
+ "notificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams']['connectionId']"
+ }
+ },
+ "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
+ "queries": {
+ "groupId": "@parameters('TeamsGroupId')"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "teams": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[variables('TeamsConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+ },
+ "azuread": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[variables('AzureadConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Teams",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('TeamsConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('TeamsConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureadConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureadConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ ]
+}
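Review bot: The approval card built in `Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response` embeds an image from a third-party blog host (`https://1.bp.blogspot.com/.../graph-icon-1.png`); every Teams client that renders the card fetches it, so a party outside Microsoft can observe that approvals are happening and can change what the card shows at any time, inside a template shipped with `"tier": "Microsoft"`. Replace that `Image` element's `url` with a first-party asset (the same card already uses an icon from `connectoricons-prod.azureedge.net`) or remove the element. The comments written in the `Block user` branch never record who approved the block, which is the one fact an auditor of this remediation needs; consider appending the responder from the card response, e.g. `Approved by: @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['responder']?['email']}` (confirm the field name against the Teams connector's response schema). `Condition` only runs after `Add_user_to_group` has Succeeded or Failed, so when `Get_user` fails (account not found for the concatenated UPN) the group add is skipped and no comment is posted at all — the SOC sees neither a block nor an error; the same gap is in the Dataverse-Blocklist-Add-User hunk, and adding `"Skipped"` to that `runAfter` list, or a comment action on the `Get_user` failure path, would close it. The `message` values of the `Add_comment_to_incident_(V3)*` actions appear to end with an unescaped line break inside the JSON string; if that is in the file rather than an artefact of this view, it is invalid per RFC 8259 and should be the `\n` escape already used elsewhere in the same strings.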
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User/azuredeploy.json
new file mode 100644
index 00000000000..a229c314c87
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Add-User/azuredeploy.json
@@ -0,0 +1,271 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Add user to blocklist (incident trigger)",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.",
+ "2. Create a Conditional Access policy in Microsoft Entra.",
+ "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Add-User",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[concat('Azuread-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[parameters('GroupId')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Add_user_to_group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "@@odata.id": "@body('Get_user')?['id']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "User was added to CA block group in AAD: @{items('For_each')?['Name']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Add_user_to_group": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Account name: @{items('For_each')?['Name']} \nError: @{body('Add_user_to_group')['error']['message']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@int(actionOutputs('Add_user_to_group').statusCode)",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "Verify the execution result of function"
+ },
+ "Get_user": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "azuread": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[variables('AzureadConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Add-User",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureadConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureadConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ ]
+}
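Review bot: This variant adds every `Account` entity on the incident to the Conditional Access block group with no approval and no filter on which entities it touches, so an analytic rule that attaches more than the acting account (the targeted admin, a service account surfaced by enrichment) will lock all of them out the moment the automation rule fires; at minimum the `metadata.description` should state that every account entity is blocked, and the `For_each` should skip entities that are not the subject of the detection where the rule can mark that. In the `else` branch of `Condition`, `@{body('Add_user_to_group')['error']['message']}` is not null-safe: if the connector fails without an `error` object the comment action itself fails and the failure is never recorded — use `@{body('Add_user_to_group')?['error']?['message']}`. `Get_user` references `items('for_each')` while the rest of the loop uses `items('For_each')`; whether or not action-name references are case-sensitive in your runtime, keep the casing consistent so the reference is unambiguous.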
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Remove-User-AlertTrigger/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Remove-User-AlertTrigger/azuredeploy.json
new file mode 100644
index 00000000000..72372128fbe
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Blocklist-Remove-User-AlertTrigger/azuredeploy.json
@@ -0,0 +1,206 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Remove user from blocklist",
+ "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to remove affected user entitites from a pre-defined Microsoft Entra group used to block access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.",
+ "prerequisites": [
+ "1. Object ID of the Microsoft Entra security group used to block access."
+ ],
+ "postDeployment": [
+ "1. Grant permissions to Sentinel for Playook managed identity.",
+ "2. Authorize connection for Microsoft Entra."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Remediation"
+ ],
+ "lastUpdateTime": "2022-10-11T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Blocklist-Remove-User-AlertTrigger",
+ "type": "string"
+ },
+ "GroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter object ID for Microsoft Entra group"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "AzureadConnectionName": "[concat('Azuread-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "GroupId": {
+ "type": "string",
+ "defaultValue": "[parameters('GroupId')]"
+ }
+ },
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['Entities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Get_user": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+ }
+ },
+ "Remove_Member_From_Group": {
+ "runAfter": {
+ "Get_user": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuread']['connectionId']"
+ }
+ },
+ "method": "delete",
+ "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/@{encodeURIComponent(body('Get_user')?['id'])}/$ref"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "description": "Iterate on each Dynamics 365 user account"
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "azuread": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]",
+ "connectionName": "[variables('AzureadConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Blocklist-Remove-User-AlertTrigger",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureadConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureadConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuread')]"
+ }
+ }
+ }
+ ]
+}
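Review bot: `Remove_Member_From_Group` is fire-and-forget — there is no status check and nothing is written back to Sentinel, so an analyst who runs this from an alert has no record of which accounts were actually taken off the block list or why a removal failed, even though the two add playbooks in this change record both outcomes. Because this reverses a Conditional Access control, mirror the `Condition` plus comment pattern used in Dataverse-Blocklist-Add-User, comparing `@int(actionOutputs('Remove_Member_From_Group').statusCode)` with `204` and logging the account name and `?['error']?['message']` on the other branch; the alert trigger body's incident reference should be confirmed against the connector schema before wiring the comment action. A failed `Get_user` (no match for the concatenated UPN) likewise fails that iteration silently. `Get_user` also references `items('for_each')` while the loop is named `For_each`; keep the casing consistent.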
diff --git a/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Send-Manager-Notification/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Send-Manager-Notification/azuredeploy.json
new file mode 100644
index 00000000000..140f2931cc1
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/Dataverse-Send-Manager-Notification/azuredeploy.json
@@ -0,0 +1,605 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Dataverse: Send notification to manager",
+ "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically send an email notificiation to the manager of the affected user entitites. The Playbook can be configured to send either to the Dynamics 365 manager, or using the manager in Office 365.",
+ "prerequisites": [
+ "1. Ensure user accounts have a manager assigned in either Dynamics 365 or Office 365."
+ ],
+ "postDeployment": [
+ "1. Set the ManagerTypeIsD365 Playbook parameter to false if using Office 365 manager.",
+ "2. Configure an email address for the FallbackMailbox Playbook parameter. This inbox will be used for any user entity without a manager assigned."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Notification"
+ ],
+ "lastUpdateTime": "2022-11-01T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Dataverse-Send-Manager-Notification",
+ "type": "string"
+ },
+ "FallbackMailbox": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter email address for fallback mailbox"
+ }
+ },
+ "ManagerTypeIsD365": {
+ "type": "string",
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Leave as true to use Dynamics 365 manager or set to false for Office 365 manager"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
+ "Office365usersConnectionName": "[concat('Office365users-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "FallbackMailbox": {
+ "defaultValue": "[parameters('FallbackMailbox')]",
+ "type": "string"
+ },
+ "ManagerTypeIsD365": {
+ "defaultValue": "[parameters('ManagerTypeIsD365')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "For_each": {
+ "foreach": "@body('Parse_JSON')",
+ "actions": {
+ "Condition": {
+ "actions": {
+ "Set_variable": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "InstanceUrl",
+ "value": "@items('For_each')?['properties']?['instanceName']"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_each')['kind']",
+ "CloudApplication"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_variable": {
+ "runAfter": {},
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "InstanceUrl",
+ "type": "string",
+ "value": "@{null}"
+ }
+ ]
+ }
+ },
+ "InstanceUrl_Exists": {
+ "actions": {
+ "ManagerTypeIsD365": {
+ "actions": {
+ "Entities_-_Get_D365_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each_D365_account": {
+ "foreach": "@body('Entities_-_Get_D365_Accounts')?['Accounts']",
+ "actions": {
+ "Get_D365_User": {
+ "runAfter": {},
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@variables('InstanceUrl')",
+ "type": "ManagedServiceIdentity"
+ },
+ "headers": {
+ "OData-MaxVersion": "4.0",
+ "OData-Version": "4.0",
+ "accept": "application/json"
+ },
+ "method": "GET",
+ "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$select=_parentsystemuserid_value,windowsliveid&$filter=windowsliveid eq '@{concat(items('For_each_D365_account')?['accountName'],'@',items('For_each_D365_account')?['upnSuffix'])}'"
+ }
+ },
+ "User_Has_Manager_D365": {
+ "actions": {
+ "Get_Manager": {
+ "runAfter": {},
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@variables('InstanceUrl')",
+ "type": "ManagedServiceIdentity"
+ },
+ "headers": {
+ "OData-MaxVersion": "4.0",
+ "OData-Version": "4.0",
+ "accept": "application/json"
+ },
+ "method": "GET",
+ "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$filter=_parentsystemuserid_value eq @{body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']}&$select=firstname,lastname,internalemailaddress"
+ }
+ },
+ "Send_email_to_D365_manager": {
+ "runAfter": {
+ "Get_Manager": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below: \n \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_D365_account')?['Name']}
",
+ "Importance": "High",
+ "Subject": "@triggerBody()?['object']?['properties']?['title']",
+ "To": "@{body('Get_Manager')['value'][0]?['internalemailaddress']}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_D365_User": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Send_email_to_fallback_mailbox_(D365)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Title: @{triggerBody()?['object']?['properties']?['title']} \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_D365_account')?['Name']} \n \nAlert generated for user . However, this user has no manager assignment in Dynamics 365.
",
+ "Importance": "High",
+ "Subject": "Manager notification rule was triggered but no manager assigned in Dynamics 365",
+ "To": "@parameters('FallbackMailbox')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_D365_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Entities_-_Get_O365_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each_O365_account": {
+ "foreach": "@body('Entities_-_Get_O365_Accounts')?['Accounts']",
+ "actions": {
+ "Get_manager_(V2)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365users']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each_O365_account')?['accountName'],'@',items('For_each_O365_account')?['upnSuffix']))}/manager"
+ }
+ },
+ "User_Has_Manager_O365": {
+ "actions": {
+ "Send_email_to_O365_manager": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below: \n \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_O365_account')?['Name']}
",
+ "Importance": "High",
+ "Subject": "@triggerBody()?['object']?['properties']?['title']",
+ "To": "@body('Get_manager_(V2)')?['mail']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_manager_(V2)": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Send_email_to_fallback_mailbox_(O365)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Title: @{triggerBody()?['object']?['properties']?['title']} \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_O365_account')?['Name']} \n \nAlert generated for user . However, this user has no manager assignment in Office 365.
",
+ "Importance": "High",
+ "Subject": "Manager notification rule was triggered but no manager assigned in Office 365",
+ "To": "@parameters('FallbackMailbox')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@body('Get_manager_(V2)')?['mail']",
+ "@null"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_O365_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@parameters('ManagerTypeIsD365')",
+ true
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Entities_-_Get_Missing_Instance_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "For_each_account_(Missing_Instance)": {
+ "foreach": "@body('Entities_-_Get_Missing_Instance_Accounts')?['Accounts']",
+ "actions": {
+ "Send_email_to_fallback_mailbox_(Missing_Instance)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "Title: @{triggerBody()?['object']?['properties']?['title']} \nDescription: @{triggerBody()?['object']?['properties']?['description']} \nUser: @{items('For_each_account_(Missing_Instance)')?['Name']} \n \nPlease ensure incidents triggering this playbook contain Cloud App type entity mappings with the InstanceUrl set in the InstanceName property of the entity mapping.
",
+ "Importance": "High",
+ "Subject": "Manager notification Playbook was triggered but Dynamics 365 instance URL was not found",
+ "To": "@parameters('FallbackMailbox')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_Missing_Instance_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ }
+ },
+ "expression": {
+ "or": [
+ {
+ "equals": [
+ "@parameters('ManagerTypeIsD365')",
+ "@false"
+ ]
+ },
+ {
+ "startsWith": [
+ "@tolower(variables('InstanceUrl'))",
+ "https://"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Initialize_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "schema": {
+ "items": {
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "properties": {
+ "properties": {
+ "appId": {
+ "type": "integer"
+ },
+ "appName": {
+ "type": "string"
+ },
+ "friendlyName": {
+ "type": "string"
+ },
+ "instanceName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "type",
+ "kind",
+ "properties"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365_1": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[variables('Office365ConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ },
+ "office365users": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]",
+ "connectionName": "[variables('Office365usersConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365users')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "D365-Send-Manager-Notification",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('Office365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('Office365ConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('Office365usersConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('Office365usersConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365users')]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json
new file mode 100644
index 00000000000..b96341f5420
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json
@@ -0,0 +1,448 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Security workflow: alert verification with workload owners",
+ "description": "This playbook can reduce burden on the SOC by offloading alert verification to IT admins for specific analytics rules. It is triggered when a Microsoft Sentinel alert is generated, creates a message (and associated notification email) in the workload owner's Microsoft Teams channel containing details of the alert. If the workload owner responds that the activity is not authorized, the alert will be converted to an incident in Microsoft Sentinel for the SOC to handle.",
+ "prerequisites": [
+ "1. Take note of the Microsoft Teams channel URL (right click channel and 'Get link to channel').",
+ "2. An Exchange Online shared mailbox for the SOC.",
+ "3. Email address for the workload owners to send alert notifications.",
+ "4. Email address to send escalation notifications if workload owners do not respond.",
+ "5. Register a new provider at the [Actionable Email Developer Dashboard](https://aka.ms/publishoam) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)."
+ ],
+ "postDeployment": [
+ "1. In Logic Apps designer view, edit the 'Post adaptive card and wait for a reponse' action.",
+ "2. In the 'Team' and 'Channel' boxes, click on the 'X' to reveal the dropdown selector menu.",
+ "3. Select the appropriate Teams channel to receive notifications.",
+ "4. Assign Microsoft Sentinel Responder role to the playbook's managed identity on the Microsoft Sentinel workspace resource group."
+ ],
+ "entities": [
+ "Account"
+ ],
+ "tags": [
+ "Notification"
+ ],
+ "lastUpdateTime": "2022-11-01T00:00:00.000Z",
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "MSBizApps-Incident-From-Alert-Teams",
+ "type": "string"
+ },
+ "WorkloadOwnersAddress": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for WorkloadOwnersAddress"
+ }
+ },
+ "EscalationsAddress": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for EscalationsAddress"
+ }
+ },
+ "OriginatorId": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for OriginatorId"
+ }
+ },
+ "SharedMailboxAddress": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for SharedMailboxAddress"
+ }
+ },
+ "TeamsChannelLink": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter value for TeamsChannelLink"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "WorkloadOwnersAddress": {
+ "defaultValue": "[parameters('WorkloadOwnersAddress')]",
+ "type": "String"
+ },
+ "EscalationsAddress": {
+ "defaultValue": "[parameters('EscalationsAddress')]",
+ "type": "String"
+ },
+ "OriginatorId": {
+ "defaultValue": "[parameters('OriginatorId')]",
+ "type": "String"
+ },
+ "SharedMailboxAddress": {
+ "defaultValue": "[parameters('SharedMailboxAddress')]",
+ "type": "String"
+ },
+ "TeamsChannelLink": {
+ "defaultValue": "[parameters('TeamsChannelLink')]",
+ "type": "String"
+ },
+ "_PlaybookName": {
+ "defaultValue": "[parameters('PlaybookName')]",
+ "type": "String"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Condition": {
+ "actions": {
+ "Add_alert_to_incident": {
+ "runAfter": {
+ "Create_incident": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@body('Create_incident')?['id']",
+ "relatedResourceId": "@triggerBody()?['SystemAlertId']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Relation/Create"
+ }
+ },
+ "Create_incident": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "description": "This alert was flagged as suspicious by the BizApps team:\n\n@{triggerBody()?['Description']}\n",
+ "severity": "@triggerBody()?['Severity']",
+ "status": "New",
+ "title": "@triggerBody()?['AlertDisplayName']"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents/subscriptions/@{triggerBody()?['workspaceInfo']?['SubscriptionId']}/resourceGroups/@{triggerBody()?['workspaceInfo']?['ResourceGroupName']}/workspaces/@{triggerBody()?['workspaceInfo']?['WorkspaceName']}"
+ }
+ }
+ },
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@outputs('Post_adaptive_card_and_wait_for_a_response')?['body']?['submitActionId']",
+ "Yes, this was authorized"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Initialize_OutlookMessage": {
+ "runAfter": {},
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "OutlookMessage",
+ "type": "string",
+ "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n"
+ }
+ ]
+ }
+ },
+ "Post_adaptive_card_and_wait_for_a_response": {
+ "runAfter": {
+ "Send_an_email_from_a_shared_mailbox_(V2)": [
+ "Succeeded"
+ ]
+ },
+ "limit": {
+ "timeout": "PT24H"
+ },
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "body": {
+ "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"ColumnSet\",\n\"width\": \"auto\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"small\"\n }\n ]\n },\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"@{triggerBody()?['AlertDisplayName']}\",\n \"wrap\": true,\n \"horizontalAlignment\": \"left\"\n }\n ]\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Microsoft Sentinel alert was created: @{triggerBody()?['Description']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Is this activity legitmate?\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Yes, this was authorized\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"No, create an incident\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "recipient": {
+ "channelId": "",
+ "groupId": ""
+ },
+ "updateMessage": "Thanks for your response!"
+ },
+ "notificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams_1']['connectionId']"
+ }
+ },
+ "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions"
+ }
+ },
+ "Send_an_email_escalation_due_to_timeout": {
+ "runAfter": {
+ "Set_Escalation_Message": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "@{variables('OutlookMessage')}
",
+ "Importance": "High",
+ "MailboxAddress": "@parameters('SharedMailboxAddress')",
+ "Subject": "ESCALATION: Security Process Impaired Due to Lack of Response",
+ "To": "@parameters('EscalationsAddress')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/SharedMailbox/Mail"
+ }
+ },
+ "Send_an_email_from_a_shared_mailbox_(V2)": {
+ "runAfter": {
+ "Initialize_OutlookMessage": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "@{variables('OutlookMessage')}
",
+ "Importance": "High",
+ "MailboxAddress": "@parameters('SharedMailboxAddress')",
+ "Subject": "ACTION REQUIRED: Microsoft Sentinel Security Alert",
+ "To": "@parameters('WorkloadOwnersAddress')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/SharedMailbox/Mail"
+ }
+ },
+ "Send_an_email_notification_of_failure": {
+ "runAfter": {
+ "Set_Failure_Message": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "@{variables('OutlookMessage')}
",
+ "Importance": "High",
+ "MailboxAddress": "@parameters('SharedMailboxAddress')",
+ "Subject": "FAILURE: Security Process Impaired Due to Playbook Failure",
+ "To": "@parameters('SharedMailboxAddress')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/SharedMailbox/Mail"
+ }
+ },
+ "Set_Escalation_Message": {
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "TimedOut"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "OutlookMessage",
+ "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n"
+ }
+ },
+ "Set_Failure_Message": {
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "Skipped",
+ "Failed"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "OutlookMessage",
+ "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n"
+ }
+ },
+ "Terminate_Failed": {
+ "runAfter": {
+ "Send_an_email_notification_of_failure": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "PlaybookFailed",
+ "message": "Playbook failed to post a message in Teams"
+ },
+ "runStatus": "Failed"
+ }
+ },
+ "Terminate_Succeeded": {
+ "runAfter": {
+ "Send_an_email_escalation_due_to_timeout": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel_1": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[variables('Office365ConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ },
+ "teams_1": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[variables('TeamsConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "MSBizApps-Admin-Teams-Approval-AlertTrigger",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('Office365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('Office365ConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('TeamsConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('TeamsConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+ }
+ }
+ }
+ ]
+}
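Review bot: The adaptive card in `"messageBody"` under Post_adaptive_card_and_wait_for_a_response is a hand-built JSON string into which `@{triggerBody()?['Description']}` and `@{triggerBody()?['AlertDisplayName']}` are interpolated with no escaping; a description containing a double quote, backslash or line break (alert descriptions may carry values templated from log data) yields malformed card JSON, the post fails, and the run goes Set_Failure_Message → Terminate_Failed with no incident ever created. Building the card as a JSON object in a Compose action (say `Compose_card`) and passing it as `"messageBody": "@{string(outputs('Compose_card'))}"` lets the runtime serialize and escape the dynamic fields. Separately, the three OutlookMessage values set in Initialize_OutlookMessage, Set_Escalation_Message and Set_Failure_Message are byte-identical and, as rendered here, hold only the "Visit the Outlook Dev Portal" footer text; if that is not an artefact of the page rendering, the workload-owner, escalation and failure emails carry no alert details, and the OriginatorId, TeamsChannelLink and _PlaybookName workflow parameters are declared but never referenced by any action. Minor: "Is this activity legitmate?" in the card text should read "legitimate".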
diff --git a/Solutions/Microsoft Business Applications/ReleaseNotes.md b/Solutions/Microsoft Business Applications/ReleaseNotes.md
new file mode 100644
index 00000000000..1e49ceef7bc
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/ReleaseNotes.md
@@ -0,0 +1,4 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------------------------------|
+| 3.1.3 | 12-07-2024 |Removal of Power Apps, Power Platform Connectors, Power Platform DLP data connectors. Associated logs are now ingested via Power Platform Admin Activity data connector. Update of analytics rules to utilize PowerPlatfromAdminActivity table. Update data connectors DCR properties. |
+| 3.2.0 | 15-11-2024 | Renamed solution from Power Platform to Microsoft Business Applications. Merge Dynamics 365 CE Apps and Dynamics 365 Finance & Operations into a unified solution. New analytics rules, playbooks and hunting queries. Replace Dynamics 365 Finance and Operations function app using Codeless Connector. Retire PPInventory function app. |
\ No newline at end of file
diff --git a/Solutions/Microsoft Business Applications/SolutionMetadata.json b/Solutions/Microsoft Business Applications/SolutionMetadata.json
new file mode 100644
index 00000000000..4fc844b7450
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/SolutionMetadata.json
@@ -0,0 +1,21 @@
+{
+ "publisherId": "sentinel4dynamics365",
+ "offerId": "powerplatform",
+ "firstPublishDate": "2023-04-19",
+ "providers": [
+ "Microsoft"
+ ],
+ "categories": {
+ "domains": [
+ "Application",
+ "Cloud Provider"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "tier": "Microsoft",
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "link": "https://support.microsoft.com"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Business Applications/Watchlists/MSBizApps-Configuration.json b/Solutions/Microsoft Business Applications/Watchlists/MSBizApps-Configuration.json
new file mode 100644
index 00000000000..1e73a5254aa
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Watchlists/MSBizApps-Configuration.json
@@ -0,0 +1,20 @@
+{
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
+ "name": "['MSBizApps-Configuration']",
+ "apiVersion": "2023-02-01",
+ "properties": {
+ "description": "Configuration for Microsoft Business Applications solution",
+ "displayName": "MSBizApps-Configuration",
+ "source": "ContentHub",
+ "provider": "Microsoft",
+ "numberOfLinesToSkip": 0,
+ "itemsSearchKey": "Category",
+ "rawContent": "Category,Data\n_,_\n",
+ "watchlistAlias": "MSBizApps-Configuration",
+ "contentType": "text/csv"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Business Applications/Workbooks/Dynamics365Activity.json b/Solutions/Microsoft Business Applications/Workbooks/Dynamics365Activity.json
new file mode 100644
index 00000000000..c179fa36646
--- /dev/null
+++ b/Solutions/Microsoft Business Applications/Workbooks/Dynamics365Activity.json
@@ -0,0 +1,930 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Dynamics 365 Workbook\n---\n\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. This workbook is separated into 5 distinct sections and within each section there are several queries and visualizations. Many of the queries build on data from previous queries so may not appear if no data is present.\n\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of Dynamics 365 data queries may timeout with a large time range, if this is the case simply select a smaller time range.: "
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "412a09a0-64ae-4614-aec6-cbfc9273b82b",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "type": 4,
+ "isRequired": true,
+ "value": {
+ "durationMs": 2592000000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ],
+ "allowCustom": true
+ },
+ "timeContext": {
+ "durationMs": 86400000
+ }
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 32"
+ },
+ {
+ "type": 11,
+ "content": {
+ "version": "LinkItem/1.0",
+ "style": "tabs",
+ "links": [
+ {
+ "id": "ae90d1dc-20da-4948-80da-127b210bf152",
+ "cellValue": "view_tab",
+ "linkTarget": "parameter",
+ "linkLabel": "Record Retrieval Events",
+ "subTarget": "1",
+ "style": "link"
+ },
+ {
+ "id": "a1862467-36e9-4191-89ee-0a7479ec6114",
+ "cellValue": "view_tab",
+ "linkTarget": "parameter",
+ "linkLabel": "Record Deletion Events",
+ "subTarget": "2",
+ "style": "link"
+ },
+ {
+ "id": "06df36ec-4c5b-456d-b5d3-45fcd4662c6b",
+ "cellValue": "view_tab",
+ "linkTarget": "parameter",
+ "linkLabel": "Record Export Events",
+ "subTarget": "3",
+ "style": "link"
+ },
+ {
+ "id": "5bb7d870-a9d8-4905-a7c5-41b94c89edf4",
+ "cellValue": "view_tab",
+ "linkTarget": "parameter",
+ "linkLabel": "Email Events",
+ "subTarget": "4",
+ "style": "link"
+ },
+ {
+ "id": "fa9a364b-0ffc-4023-a7cc-087345da4ba8",
+ "cellValue": "view_tab",
+ "linkTarget": "parameter",
+ "linkLabel": "Other Events",
+ "subTarget": "5",
+ "style": "link"
+ }
+ ]
+ },
+ "name": "links - 34"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Record Retrieval Events",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\n| extend Message = split(OriginalObjectId, ' ')[0]\n| where Message =~ \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| union (\n DataverseActivity\n | extend Message = split(OriginalObjectId, ' ')[0]\n | where Message =~ \"Retrieve\" \n | extend QueryCount = double(1))\n| make-series TotalRetrieves=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\n| extend (baseline) = series_decompose(TotalRetrieves)\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalRetrieves, 3, -1, 'linefit')",
+ "size": 0,
+ "title": "Total record retrievals by users - {TimeRange:label}",
+ "timeContextFromParameter": "TimeRange",
+ "exportedParameters": [
+ {
+ "fieldName": "TimeGenerated",
+ "parameterName": "RetTime"
+ },
+ {
+ "parameterType": 1
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showLegend": true
+ }
+ },
+ "customWidth": "75",
+ "name": "query - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "This timeline shows a break down of anomolies in data retrieval sizes by all users. Look for spikes that might indicate suspicious activity by users in terms of accessing records.\r\n\r\n \r\nThe table below shows the 10 users with the largest number of data retrievals in the timeframe. This may help indicate which users are the cause of the anomolies. To filter subcequent views by a particular user simply select a user from the list. If no user is selected queries will show data from all users.",
+ "style": "info"
+ },
+ "customWidth": "25",
+ "name": "text - 6"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n| extend Message = split(OriginalObjectId, ' ')[0]\r\n| where Message =~ \"RetrieveMultiple\"\r\n| extend numQueryCount = todouble(QueryResults)\r\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n| union (\r\n DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n | where Message =~ \"Retrieve\" \r\n | extend QueryCount = double(1))\r\n| summarize TotalRecords = sum(QueryCount) by UserId\r\n| sort by TotalRecords desc\r\n| take 10",
+ "size": 4,
+ "title": "Users with largest total record retrievals - {TimeRange:label}",
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "UserId",
+ "exportParameterName": "RetUser",
+ "exportDefaultValue": "all users",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "UserId",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "TotalRecords",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tDataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message =~ \"RetrieveMultiple\"\r\n | where UserId =~ '{RetUser}' or '{RetUser}' == \"all users\"\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n | where QueryCount < 1000000\r\n\t| union (DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t | where Message =~ \"Retrieve\"\r\n | where UserId =~ '{RetUser}' \r\n \t | extend QueryCount = double(1))\r\n\t| summarize sum(QueryCount) by bin(TimeGenerated, 1h)",
+ "size": 1,
+ "title": "Timeline of Retrievals by {RetUser:label}",
+ "timeContextFromParameter": "TimeRange",
+ "timeBrushParameterName": "TimeBrush",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "name": "query - 23"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n| where Message contains \"Retrieve\"\r\n| where UserId =~ '{RetUser}' or '{RetUser}' == \"all users\"\r\n",
+ "size": 1,
+ "title": "Retrievals by {RetUser}",
+ "timeContextFromParameter": "TimeBrush",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "TimeBrush",
+ "comparison": "isNotEqualTo"
+ },
+ "name": "query - 23 - Copy"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": " DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message =~ \"RetrieveMultiple\"\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n\t| union (DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t | where Message =~ \"Retrieve\" \r\n | extend QueryCount = double(1))\r\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\r\n| summarize TotalRecords = sum(QueryCount) by IPAddress\r\n| sort by TotalRecords desc\r\n| take 10\r\n| project IPAddress, TotalRecords",
+ "size": 1,
+ "title": "Total record retrievals by IP address - {TimeRange:label} - Top 10",
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "IPAddress",
+ "exportParameterName": "RetIP",
+ "exportDefaultValue": "all IP addresses",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "IPAddress",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "TotalRecords",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "70",
+ "name": "query - 3"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "As with the user retrieval events previously this section shows the top 10 IP addresses with the largest number of record retrievals. \r\n\r\nSelect an IP address in oder to filter subcequent fields by that IP.",
+ "style": "info"
+ },
+ "customWidth": "30",
+ "name": "text - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tDataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message =~ \"RetrieveMultiple\"\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n\t| union (DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t | where Message =~ \"Retrieve\" \r\n | extend QueryCount = double(1))\r\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\r\n| where IPAddress == '{RetIP}' or '{RetIP}' == \"all IP addresses\"\r\n| summarize sum(QueryCount) by bin(TimeGenerated, 1h)",
+ "size": 1,
+ "title": "Timeline of Retreivals by {RetIP:label}",
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "name": "query - 24"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "view_tab",
+ "comparison": "isEqualTo",
+ "value": "1"
+ },
+ "name": "Retrieval Events"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Record Deletions",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "This section include details on users deleting records within Dynamics 365. \r\n\r\nThe first timeline show anomalies within the total number of records deleted by users. Subcequent sections highlight the User and IP addresses associated with the largest number of record deletions. Selecting records in these results will show additional results filtered to that user or IP address.",
+ "style": "info"
+ },
+ "name": "text - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tDataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message =~ \"Delete\"\r\n\t| make-series TotalDeletes=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\r\n\t| extend (baseline) = series_decompose(TotalDeletes)\r\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalDeletes, 3, -1, 'linefit')",
+ "size": 0,
+ "title": "Record deletions - {TimeRange:label}",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false,
+ "showLegend": true
+ }
+ },
+ "name": "query - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message =~ \"Delete\"\r\n | summarize count() by UserId\r\n | sort by count_ desc\r\n | take 10\r\n",
+ "size": 4,
+ "title": "Users with most record deletions - {TimeRange:label} - Top 10",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "UserId",
+ "exportParameterName": "DeleteUserId",
+ "exportDefaultValue": "all users",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "UserId",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t| where Message =~ \"Delete\"\r\n | where UserId =~ '{DeleteUserId}'\r\n | summarize count() by bin(TimeGenerated, 1h)",
+ "size": 1,
+ "title": "Deletes by {DeleteUserId:label}",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "DeleteUserId",
+ "comparison": "isNotEqualTo",
+ "value": "all users"
+ },
+ "name": "query - 22"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message =~ \"Delete\"\r\n | summarize count() by tostring(split(ClientIp, ':')[0])\r\n | extend IPAddress = tostring(ClientIp_0)\r\n | sort by count_ desc\r\n | take 10\r\n \r\n",
+ "size": 4,
+ "title": "Record deletions by IP address - {TimeRange:label} - Top 10",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "IPAddress",
+ "exportParameterName": "DeleteIP",
+ "exportDefaultValue": "all IP addresses",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "IPAddress"
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "categorical"
+ }
+ },
+ "showBorder": false,
+ "sortCriteriaField": "count_",
+ "sortOrderField": 2,
+ "size": "auto"
+ }
+ },
+ "name": "query - 6"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t| where Message =~ \"Delete\"\r\n | extend IPAddress = tostring(split(ClientIp, ':')[0])\r\n | where IPAddress == '{DeleteIP}' or '{DeleteIP}' == \"all IP addresses\"\r\n | summarize count() by bin(TimeGenerated, 1h)\r\n\r\n",
+ "size": 1,
+ "title": "Deletions by {DeleteIP:label}",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "DeleteIP",
+ "comparison": "isNotEqualTo",
+ "value": "all IP addresses"
+ },
+ "name": "query - 22"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "view_tab",
+ "comparison": "isEqualTo",
+ "value": "2"
+ },
+ "name": "Record Deletions"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Export Events",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "This section looks at records export from Dynamics 365. The first graph represents a timeseries of anomolies in the number of recrods being exported by all users.\r\n\r\nSubcequent sections look at the users exporting the largest number of records as well as the largest single export events.",
+ "style": "info"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tDataverseActivity\r\n\t| where TimeGenerated > ago(30d)\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message contains 'ExportToExcel'\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n | where QueryCount < 1000000\r\n | make-series TotalExports=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\r\n\t| extend (baseline) = series_decompose(TotalExports)\r\n\t| extend (anomalies, baseline) = series_decompose_anomalies(TotalExports, 3, -1, 'linefit')\r\n",
+ "size": 0,
+ "title": "Count of records exported to Excel - {TimeRange:label}",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart"
+ },
+ "name": "query - 10"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tDataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message contains 'ExportToExcel'\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n | summarize TotalRecords = sum(QueryCount) by UserId\r\n | sort by TotalRecords desc\r\n | take 10\r\n",
+ "size": 1,
+ "title": "Users with most record exports - {TimeRange:label}",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "UserId",
+ "exportParameterName": "ExportUser",
+ "exportDefaultValue": "all users",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "UserId",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "TotalRecords",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "customWidth": "50",
+ "name": "query - 11"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": " DataverseActivity\r\n\t| where Message contains 'ExportToExcel'\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n | extend IPAddress=split(ClientIp, ':')[0]\r\n | summarize by UserId, tostring(IPAddress), QueryCount\r\n | sort by QueryCount desc\r\n | take 10\r\n",
+ "size": 0,
+ "title": "Largest exports - {TimeRange:label} - Top 10",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "50",
+ "name": "query - 12"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tDataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n\t| where Message contains 'ExportToExcel'\r\n\t| extend numQueryCount = todouble(QueryResults)\r\n\t| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\r\n\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\r\n | where UserId =~ '{ExportUser}'\r\n | summarize sum(QueryCount) by bin(TimeGenerated, 1h)",
+ "size": 1,
+ "title": "Exports by {ExportUser:label}",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "ExportUser",
+ "comparison": "isNotEqualTo",
+ "value": "all users"
+ },
+ "name": "query - 25"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "view_tab",
+ "comparison": "isEqualTo",
+ "value": "3"
+ },
+ "name": "Export Events"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Email Events",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "This section looks at emails sent by user via Dynamics 365, as with the other sections it starts be looking at anomolies in the total number of emails sent and then allows for drill downs into specific users to identify anomalous events.",
+ "style": "info"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n | where Message =~ \"SendEmail\"\r\n | make-series TotalEmails=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\r\n | extend (baseline) = series_decompose(TotalEmails)\r\n | extend (anomalies, baseline) = series_decompose_anomalies(TotalEmails, 3, -1, 'linefit')",
+ "size": 0,
+ "title": "Total emails sent - {TimeRange:label}",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "name": "query - 7"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Use this graph to look for spikes in email sent activity that occur outside the regular weekly pattern or occur outside expected working hours. You can then pivot on this data using query similar to:\r\n\r\n\tDataverseActivity\r\n \t| where TimeGenerated between(datetime(SPIKETIME)..(datetime(SPIKETIME)+1h))\r\n \t| where Message =~ \"SendEmail\""
+ },
+ "name": "text - 28"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n | where Message =~ \"SendEmail\"\r\n | summarize count() by UserId\r\n | sort by count_ desc\r\n | take 10",
+ "size": 4,
+ "title": "Users with most sent emails - {TimeRange:label} - Top 10",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "UserId",
+ "exportParameterName": "EmailUser",
+ "exportDefaultValue": "all users",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "UserId",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "customWidth": "75",
+ "name": "query - 8"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Select a user to see specific events related to that user.",
+ "style": "info"
+ },
+ "customWidth": "25",
+ "name": "text - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t | where TimeGenerated > ago(30d)\r\n | where Message =~ \"SendEmail\"\r\n | where UserId =~ '{EmailUser}'\r\n | summarize count() by bin(TimeGenerated, 1h)",
+ "size": 1,
+ "title": "Emails by {EmailUser:label}",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart",
+ "chartSettings": {
+ "showMetrics": false
+ }
+ },
+ "conditionalVisibility": {
+ "parameterName": "EmailUser",
+ "comparison": "isEqualTo"
+ },
+ "name": "query - 27"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "view_tab",
+ "comparison": "isEqualTo",
+ "value": "4"
+ },
+ "name": "Email Events"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Other Events",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "This section contains a number of other areas of interest from a threat hunting perspective. Selecting events in the queries shows additional data of interest.",
+ "style": "info"
+ },
+ "name": "text - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t| where OriginalObjectId startswith \"GrantAccess\"\r\n\t| where ClientIp != '127.0.0.1'\r\n\t| join kind=leftanti (DataverseActivity\r\n\t| where TimeGenerated between(ago(30d)..ago(7d))\r\n\t| where OriginalObjectId startswith \"GrantAccess\")\r\non UserId\r\n| summarize by UserId",
+ "size": 0,
+ "title": "New users observed in {TimeRange:label} - click to drill down",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "UserId",
+ "exportParameterName": "NewUser",
+ "exportDefaultValue": "all users",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "UserId",
+ "formatter": 1
+ },
+ "showBorder": false,
+ "size": "auto"
+ }
+ },
+ "customWidth": "33",
+ "name": "query - 16"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n | summarize count() by UserAgent\r\n | sort by count_ asc\r\n | take 10\r\n | project UserAgent",
+ "size": 0,
+ "title": "10 rarest user agents in the {TimeRange:label} - click to drill down",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "UserAgent",
+ "exportParameterName": "RareUA",
+ "exportDefaultValue": "all user agents",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "UserAgent",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "customWidth": "33",
+ "name": "query - 17"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t| where ClientIp != '127.0.0.1'\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n | extend Message = tostring(Message)\r\n\t| join kind=leftanti (DataverseActivity\r\n\t| where TimeGenerated between(ago(30d)..ago(7d))\r\n | extend Message = split(OriginalObjectId, ' ')[0]\r\n | extend Message = tostring(Message))\r\non Message\r\n| summarize by Message",
+ "size": 0,
+ "title": "New actions observed in {TimeRange:label} - click to drill down",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "exportFieldName": "Message",
+ "exportParameterName": "NewAction",
+ "exportDefaultValue": "All",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "33",
+ "name": "query - 18"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t| where ClientIp != '127.0.0.1'\r\n | where UserId =~ '{NewUser}'\r\n | project TimeGenerated, Message, ClientIp, UserAgent",
+ "size": 0,
+ "title": "Activity by {NewUser:label}",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "33",
+ "conditionalVisibility": {
+ "parameterName": "NewUser",
+ "comparison": "isNotEqualTo",
+ "value": "all users"
+ },
+ "showPin": false,
+ "name": "query - 29"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n | where UserAgent =~ '{RareUA}'\r\n",
+ "size": 0,
+ "title": "Activity by {RareUA:label}",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "33",
+ "conditionalVisibility": {
+ "parameterName": "RareUA",
+ "comparison": "isNotEqualTo",
+ "value": "all user agents"
+ },
+ "showPin": false,
+ "name": "query - 30"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DataverseActivity\r\n\t| where ClientIp != '127.0.0.1'\r\n | where Message =~ '{NewAction}'",
+ "size": 0,
+ "title": "{NewAction:label} activities",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "33",
+ "conditionalVisibility": {
+ "parameterName": "NewAction",
+ "comparison": "isNotEqualTo",
+ "value": "All"
+ },
+ "name": "query - 31"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "view_tab",
+ "comparison": "isEqualTo",
+ "value": "5"
+ },
+ "name": "Other Events"
+ }
+ ],
+ "isLocked": false,
+ "fallbackResourceIds": [],
+ "fromTemplateId": "sentinel-Dynamics365Activity"
+}
\ No newline at end of file
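Review bot: In the "Timeline of Retrievals by {RetUser:label}" query the union branch that filters `Message =~ "Retrieve"` applies `| where UserId =~ '{RetUser}'` without the `or '{RetUser}' == "all users"` clause the first branch uses, so with no user selected every single-record Retrieve event is silently dropped from the timeline; the line should read `| where UserId =~ '{RetUser}' or '{RetUser}' == "all users"`. The anomaly series in each tab are pinned to `from startofday(ago(30d)) to startofday(ago(0d))` while their titles advertise `{TimeRange:label}`, so the chart never reflects the selected range and always excludes the current day; driving the series bounds from the workbook time context would make the title honest. The deletions-by-IP query relies on the engine auto-naming the grouped expression `ClientIp_0`; naming it explicitly, `| summarize count() by IPAddress = tostring(split(ClientIp, ':')[0])`, removes that dependency. A few drill-downs (`Retrievals by`, `Deletes by`, `Emails by`) filter on the raw `Message` column while the rest derive it from `split(OriginalObjectId, ' ')[0]`; if the raw column carries a different value those views will be empty, so this is worth confirming against the table schema.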
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
index 39333451b41..955d816dcbe 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/DeviceRegistrationMaliciousIP.yaml
@@ -32,7 +32,7 @@ query: |
let ThreatInsightEvents = OktaSSO
| where eventType_s in (ThreatInsightOperations)
| extend SuspiciousIP = actor_displayName_s
- | project TimeGenerated, debugContext_debugData_threatDetections_s, client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;
+ | project TimeGenerated, column_ifexists('debugContext_debugData_threatDetections_s', ""), client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;
DeviceRegistrations
| join kind=inner (ThreatInsightEvents) on $left.client_ipAddress_s == $right.SuspiciousIP
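Review bot: The new `project` wraps `debugContext_debugData_threatDetections_s` in `column_ifexists(...)` without an alias, so the value is emitted under an auto-generated column name instead of `debugContext_debugData_threatDetections_s`, and anything downstream that references the original name (custom details, entity mappings, or an analyst reading the alert) will no longer find it. Keep the name explicit: `| project TimeGenerated, debugContext_debugData_threatDetections_s = column_ifexists('debugContext_debugData_threatDetections_s', ""), client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;`. The empty-string fallback also means the join on `SuspiciousIP` still fires when the threat-detection detail is absent, which is presumably the intended resilience but leaves the alert without its detection reason; that caveat belongs in the rule description. The rule's `query` begins before this hunk.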
entityMappings:
@@ -46,5 +46,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: client_ipAddress_s
-version: 1.1.0
+version: 1.1.1
kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
index 8c52969ebaf..fe8cd1cfad0 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/HighRiskAdminActivity.yaml
@@ -27,6 +27,7 @@ query: |
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', ""), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s;
let HighRiskEvents = OktaSSO
| where eventType_s in ('policy.evaluate_sign_on' , 'user.session.start')
+ | extend debugContext_debugData_logOnlySecurityData_s = column_ifexists('debugContext_debugData_logOnlySecurityData_s', '{}')
| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).level =~ "HIGH"
| where outcome_result_s =~ 'SUCCESS'
| extend reasons = tostring(parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).reasons)
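Review bot: The added `extend` defaults the missing column to `'{}'`, but the `summarize ... by` on the context line above (AdminOperations branch) and, per the packaged mainTemplate.json copy of this query, the HighRiskEvents `summarize` further down still use `column_ifexists('debugContext_debugData_logOnlySecurityData_s', "")` — an empty-string default and no alias — so the two branches disagree on the fallback value and the HighRiskEvents call is now redundant because the column is guaranteed to exist after the `extend`. Reference `debugContext_debugData_logOnlySecurityData_s` directly in the HighRiskEvents `by` clause and pick one default for the whole rule. It is also worth making the new failure mode visible: when the column is absent the rule no longer errors but silently yields no HIGH-risk rows, so a comment on the new line such as `// logOnlySecurityData absent in this workspace => risk.level is null and the rule returns nothing` tells the tuner what an empty result means. The identical `extend` is added to NewDeviceLocationCriticalOperation.yaml in the hunk below and the same remarks apply; both `query:` blocks continue outside their hunks.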
@@ -46,5 +47,5 @@ entityMappings:
columnName: client_ipAddress_s
customDetails:
SessionId: authenticationContext_externalSessionId_s
-version: 1.1.0
+version: 1.1.1
kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
index 2fb7023b308..6f82e31d2ac 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/MFAFatigue.yaml
@@ -23,7 +23,7 @@ relevantTechniques:
query: |
let PushThreshold = 10;
OktaSSO
- | where ((eventType_s =="user.authentication.auth_via_mfa" and debugContext_debugData_factor_s == "OKTA_VERIFY_PUSH") or eventType_s == "system.push.send_factor_verify_push" or eventType_s == "user.mfa.okta_verify.deny_push")
+ | where ((eventType_s =="user.authentication.auth_via_mfa" and column_ifexists('debugContext_debugData_factor_s', '') == "OKTA_VERIFY_PUSH") or eventType_s == "system.push.send_factor_verify_push" or eventType_s == "user.mfa.okta_verify.deny_push")
| summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),
successes = countif(eventType_s == "user.authentication.auth_via_mfa"),
denies = countif(eventType_s == "user.mfa.okta_verify.deny_push"),
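Review bot: With `column_ifexists('debugContext_debugData_factor_s', '')` the `auth_via_mfa` branch can never be true when the column is absent, so those events are filtered out before the `summarize`, `successes` is always 0, and the `case()` outcome for pushes followed by a successful authentication (further down this query, outside the hunk) becomes unreachable — the rule keeps running but silently stops reporting its most consequential finding. That is a reasonable schema fallback, but it should be stated on the changed line, e.g. `// if debugContext_debugData_factor_s is missing, successful-push events are dropped and 'successes' stays 0`, and ideally noted in the rule description so a zero-success result is not read as "nobody accepted a push". The packaged copy in mainTemplate.json (the MFAFatigue `"query"` hunk later in this diff) mirrors this line and should be regenerated with the rule.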
@@ -45,5 +45,5 @@ entityMappings:
columnName: actor_alternateId_s
- identifier: DisplayName
columnName: actor_displayName_s
-version: 1.1.0
+version: 1.1.1
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
index 14f7ea77051..15aaa067961 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/NewDeviceLocationCriticalOperation.yaml
@@ -27,6 +27,7 @@ query: |
let UserLoginNewCountryDevice = OktaSSO
| where eventType_s == "user.session.start"
| where outcome_result_s == "SUCCESS"
+ | extend debugContext_debugData_logOnlySecurityData_s = column_ifexists('debugContext_debugData_logOnlySecurityData_s', '{}')
| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).["New Country"] == "POSITIVE"
| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).["New Geo-Location"] == "POSITIVE"
| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).["New Device"] == "POSITIVE"
@@ -56,5 +57,5 @@ alertDetailsOverride:
alertDisplayNameFormat: New Device/Location {{Location}} sign-in along with critical operation
alertDescriptionFormat: |
This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations
-version: 1.1.0
+version: 1.1.1
kind: Scheduled
diff --git a/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json
index 7ff723b7823..2d78d2bb871 100644
--- a/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json
+++ b/Solutions/Okta Single Sign-On/Data Connectors/OktaSingleSign-On/azuredeploy_OktaSingleSignOn_API_FunctionApp_V2.json
@@ -27,9 +27,9 @@
"AppInsightsWorkspaceResourceID": {
"type": "string",
"metadata": {
- "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'"
+ "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'"
}
- }
+ }
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
@@ -217,7 +217,7 @@
"value": "https://aka.ms/sentineloktaazurefunctioncodev2-solution"
}
],
- "powerShellVersion": "~7"
+ "powerShellVersion": "7.4"
},
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"httpsOnly": true,
@@ -263,4 +263,3 @@
}
]
}
-
\ No newline at end of file
diff --git a/Solutions/Okta Single Sign-On/Package/3.1.0.zip b/Solutions/Okta Single Sign-On/Package/3.1.0.zip
new file mode 100644
index 00000000000..6fa9ef11fa9
Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.1.0.zip differ
diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json
index eae49f17781..554fd70032a 100644
--- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json
+++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json
@@ -55,7 +55,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Okta Single Sign-On",
- "_solutionVersion": "3.0.10",
+ "_solutionVersion": "3.0.11",
"solutionId": "azuresentinel.azure-sentinel-solution-okta",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@@ -87,32 +87,32 @@
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','78d2b06c-8dc0-40e1-91c8-66d916c186f3','-', '1.1.0')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.1.0",
+ "analyticRuleVersion5": "1.1.1",
"_analyticRulecontentId5": "41e843a8-92e7-444d-8d72-638f1145d1e1",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '41e843a8-92e7-444d-8d72-638f1145d1e1')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('41e843a8-92e7-444d-8d72-638f1145d1e1')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41e843a8-92e7-444d-8d72-638f1145d1e1','-', '1.1.0')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41e843a8-92e7-444d-8d72-638f1145d1e1','-', '1.1.1')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.1.0",
+ "analyticRuleVersion6": "1.1.1",
"_analyticRulecontentId6": "c2697b81-7fe9-4f57-ba1d-de46c6f91f9c",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c2697b81-7fe9-4f57-ba1d-de46c6f91f9c')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c2697b81-7fe9-4f57-ba1d-de46c6f91f9c')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c2697b81-7fe9-4f57-ba1d-de46c6f91f9c','-', '1.1.0')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c2697b81-7fe9-4f57-ba1d-de46c6f91f9c','-', '1.1.1')))]"
},
"analyticRuleObject7": {
- "analyticRuleVersion7": "1.1.0",
+ "analyticRuleVersion7": "1.1.1",
"_analyticRulecontentId7": "9f82a735-ae43-4c03-afb4-d5d153e1ace1",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9f82a735-ae43-4c03-afb4-d5d153e1ace1')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9f82a735-ae43-4c03-afb4-d5d153e1ace1')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9f82a735-ae43-4c03-afb4-d5d153e1ace1','-', '1.1.0')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9f82a735-ae43-4c03-afb4-d5d153e1ace1','-', '1.1.1')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "1.1.0",
+ "analyticRuleVersion8": "1.1.1",
"_analyticRulecontentId8": "e36c6bd6-f86a-4282-93a5-b4a1b48dd849",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e36c6bd6-f86a-4282-93a5-b4a1b48dd849')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e36c6bd6-f86a-4282-93a5-b4a1b48dd849')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e36c6bd6-f86a-4282-93a5-b4a1b48dd849','-', '1.1.0')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e36c6bd6-f86a-4282-93a5-b4a1b48dd849','-', '1.1.1')))]"
},
"analyticRuleObject9": {
"analyticRuleVersion9": "1.0.0",
@@ -234,8 +234,6 @@
"parserVersion1": "1.0.2",
"parserContentId1": "OktaSSO-Parser"
},
- "SessionId": "authenticationContext_externalSessionId_s",
- "_SessionId": "[variables('SessionId')]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -248,7 +246,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -367,7 +365,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -477,7 +475,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -587,7 +585,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -658,8 +656,8 @@
}
],
"customDetails": {
- "Location": "Location",
- "UserAgent": "client_userAgent_rawUserAgent_s"
+ "UserAgent": "client_userAgent_rawUserAgent_s",
+ "Location": "Location"
}
}
},
@@ -714,7 +712,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -731,7 +729,7 @@
"description": "This query identifies users seen login from new geo location/country as well as a new device and performing critical operations.",
"displayName": "New Device/Location sign-in along with critical operation",
"enabled": false,
- "query": "let timeframe = 1h;\nlet RiskyOperations = dynamic([\"policy.rule.update\",\"policy.rule.create\",\"policy.rule.delete\", \"policy.rule.deactivate\", \"policy.lifecycle.update\", \"policy.rule.modify\", \"policy.lifecycle.create\", \"policy.lifecycle.delete\", \"policy.lifecycle.deactivate\", \"policy.lifecycle.modify\", \"network_zone.rule.disabled\", \"system.api_token.create\", \"system.api_token.revoke\", \"application.policy.sign_on.update\", \"application.policy.sign_on.rule.delete\",\"user.mfa.factor.deactivate\", \"user.mfa.factor.reset_all\", \"system.mfa.factor.deactivate\", \"user.mfa.attempt_bypass\"]);\nlet UserLoginNewCountryDevice = OktaSSO\n| where eventType_s == \"user.session.start\"\n| where outcome_result_s == \"SUCCESS\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Country\"] == \"POSITIVE\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Geo-Location\"] == \"POSITIVE\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Device\"] == \"POSITIVE\"\n| summarize by timekey = bin(TimeGenerated, timeframe), actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, authenticationContext_externalSessionId_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d\n| extend Location = strcat(client_geographicalContext_city_s, \"-\", client_geographicalContext_country_s);\nlet RiskyOperationsObserved = OktaSSO\n| where eventType_s in (RiskyOperations)\n| where outcome_result_s == \"SUCCESS\"\n| 
summarize by timekey = bin(TimeGenerated, timeframe), actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, authenticationContext_externalSessionId_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d;\nUserLoginNewCountryDevice\n| join kind=inner (RiskyOperationsObserved) on timekey, actor_displayName_s, client_ipAddress_s\n",
+ "query": "let timeframe = 1h;\nlet RiskyOperations = dynamic([\"policy.rule.update\",\"policy.rule.create\",\"policy.rule.delete\", \"policy.rule.deactivate\", \"policy.lifecycle.update\", \"policy.rule.modify\", \"policy.lifecycle.create\", \"policy.lifecycle.delete\", \"policy.lifecycle.deactivate\", \"policy.lifecycle.modify\", \"network_zone.rule.disabled\", \"system.api_token.create\", \"system.api_token.revoke\", \"application.policy.sign_on.update\", \"application.policy.sign_on.rule.delete\",\"user.mfa.factor.deactivate\", \"user.mfa.factor.reset_all\", \"system.mfa.factor.deactivate\", \"user.mfa.attempt_bypass\"]);\nlet UserLoginNewCountryDevice = OktaSSO\n| where eventType_s == \"user.session.start\"\n| where outcome_result_s == \"SUCCESS\"\n| extend debugContext_debugData_logOnlySecurityData_s = column_ifexists('debugContext_debugData_logOnlySecurityData_s', '{}')\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Country\"] == \"POSITIVE\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Geo-Location\"] == \"POSITIVE\"\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).behaviors)).[\"New Device\"] == \"POSITIVE\"\n| summarize by timekey = bin(TimeGenerated, timeframe), actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, authenticationContext_externalSessionId_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d\n| extend Location = strcat(client_geographicalContext_city_s, \"-\", client_geographicalContext_country_s);\nlet 
RiskyOperationsObserved = OktaSSO\n| where eventType_s in (RiskyOperations)\n| where outcome_result_s == \"SUCCESS\"\n| summarize by timekey = bin(TimeGenerated, timeframe), actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, authenticationContext_externalSessionId_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d;\nUserLoginNewCountryDevice\n| join kind=inner (RiskyOperationsObserved) on timekey, actor_displayName_s, client_ipAddress_s\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -787,8 +785,8 @@
}
],
"customDetails": {
- "Location": "Location",
- "SessionId": "[variables('_SessionId')]"
+ "SessionId": "authenticationContext_externalSessionId_s",
+ "Location": "Location"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n",
@@ -847,7 +845,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -864,7 +862,7 @@
"description": "MFA fatigue attack is a cybersecurity threat where attackers exploit user exhaustion from multi-factor authentication prompts to trick them into providing their MFA details thus compromising their own security. The query identifies MFA fatigue attempts in the Okta data. \n Ref: https://sec.okta.com/everythingisyes.",
"displayName": "MFA Fatigue (OKTA)",
"enabled": false,
- "query": "let PushThreshold = 10;\nOktaSSO\n| where ((eventType_s ==\"user.authentication.auth_via_mfa\" and debugContext_debugData_factor_s == \"OKTA_VERIFY_PUSH\") or eventType_s == \"system.push.send_factor_verify_push\" or eventType_s == \"user.mfa.okta_verify.deny_push\") \n| summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),\n successes = countif(eventType_s == \"user.authentication.auth_via_mfa\"),\n denies = countif(eventType_s == \"user.mfa.okta_verify.deny_push\"),\n pushes = countif(eventType_s == \"system.push.send_factor_verify_push\") by TimeGenerated, authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| summarize lasttime = max(TimeGenerated), firsttime = min(TimeGenerated),\n successes = sum(successes), failures = sum(denies), pushes = sum(pushes) by authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| extend seconds = lasttime - firsttime\n| where pushes > (PushThreshold)\n| extend totalattempts = successes + failures\n| extend finding = case(\n failures == pushes and pushes > 1, \"Authentication attempts not successful because multiple pushes denied\",\n totalattempts == 0, \"Multiple pushes sent and ignored\",\n successes > 0 and pushes > 3, \"Multiple pushes sent, eventual successful authentication!\",\n \"Normal authentication pattern\")\n",
+ "query": "let PushThreshold = 10;\nOktaSSO\n| where ((eventType_s ==\"user.authentication.auth_via_mfa\" and column_ifexists('debugContext_debugData_factor_s', '') == \"OKTA_VERIFY_PUSH\") or eventType_s == \"system.push.send_factor_verify_push\" or eventType_s == \"user.mfa.okta_verify.deny_push\") \n| summarize IPAddress = make_set(client_ipAddress_s,100), City = make_set(client_geographicalContext_city_s,100),\n successes = countif(eventType_s == \"user.authentication.auth_via_mfa\"),\n denies = countif(eventType_s == \"user.mfa.okta_verify.deny_push\"),\n pushes = countif(eventType_s == \"system.push.send_factor_verify_push\") by TimeGenerated, authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| summarize lasttime = max(TimeGenerated), firsttime = min(TimeGenerated),\n successes = sum(successes), failures = sum(denies), pushes = sum(pushes) by authenticationContext_externalSessionId_s, actor_alternateId_s,actor_displayName_s, outcome_result_s \n| extend seconds = lasttime - firsttime\n| where pushes > (PushThreshold)\n| extend totalattempts = successes + failures\n| extend finding = case(\n failures == pushes and pushes > 1, \"Authentication attempts not successful because multiple pushes denied\",\n totalattempts == 0, \"Multiple pushes sent and ignored\",\n successes > 0 and pushes > 3, \"Multiple pushes sent, eventual successful authentication!\",\n \"Normal authentication pattern\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -961,7 +959,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -978,7 +976,7 @@
"description": "The Okta risk engine auto-assigns risk levels to each login attempt. This query identifies admin operations originating from events associated with high-risk profiles.",
"displayName": "High-Risk Admin Activity",
"enabled": false,
- "query": "let AdminActivity = dynamic([\"iam.role.create\",\"iam.role.permissions.add\",\"user.session.access_admin_app\",\"user.mfa.factor.suspend\", \"user.account.privilege.grant\", \"group.privilege.grant\", \"system.api_token.create\", \"user.session.impersonation.grant\"]);\nlet AdminOperations = OktaSSO\n| where eventType_s in (AdminActivity)\n| where outcome_result_s =~ 'SUCCESS' \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s;\nlet HighRiskEvents = OktaSSO\n| where eventType_s in ('policy.evaluate_sign_on' , 'user.session.start')\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).level =~ \"HIGH\"\n| where outcome_result_s =~ 'SUCCESS'\n| extend reasons = tostring(parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).reasons)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, 
authenticationContext_externalSessionId_s, reasons;\nAdminOperations\n| join kind=inner (HighRiskEvents) on actor_displayName_s, client_ipAddress_s, authenticationContext_externalSessionId_s\n",
+ "query": "let AdminActivity = dynamic([\"iam.role.create\",\"iam.role.permissions.add\",\"user.session.access_admin_app\",\"user.mfa.factor.suspend\", \"user.account.privilege.grant\", \"group.privilege.grant\", \"system.api_token.create\", \"user.session.impersonation.grant\"]);\nlet AdminOperations = OktaSSO\n| where eventType_s in (AdminActivity)\n| where outcome_result_s =~ 'SUCCESS' \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s;\nlet HighRiskEvents = OktaSSO\n| where eventType_s in ('policy.evaluate_sign_on' , 'user.session.start')\n| extend debugContext_debugData_logOnlySecurityData_s = column_ifexists('debugContext_debugData_logOnlySecurityData_s', '{}')\n| where parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).level =~ \"HIGH\"\n| where outcome_result_s =~ 'SUCCESS'\n| extend reasons = tostring(parse_json(tostring(parse_json(debugContext_debugData_logOnlySecurityData_s).risk)).reasons)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_userAgent_browser_s, client_device_s, client_userAgent_rawUserAgent_s, client_ipAddress_s, client_geographicalContext_country_s, client_geographicalContext_city_s, displayMessage_s, outcome_result_s, outcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), debugContext_debugData_threatSuspected_s, 
client_geographicalContext_geolocation_lat_d, client_geographicalContext_geolocation_lon_d, authenticationContext_externalSessionId_s, reasons;\nAdminOperations\n| join kind=inner (HighRiskEvents) on actor_displayName_s, client_ipAddress_s, authenticationContext_externalSessionId_s\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -1032,7 +1030,7 @@
}
],
"customDetails": {
- "SessionId": "[variables('_SessionId')]"
+ "SessionId": "authenticationContext_externalSessionId_s"
}
}
},
@@ -1087,7 +1085,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1104,7 +1102,7 @@
"description": "This query identifies Device Registration from IP addresses identified as malicious by Okta ThreatInsight.",
"displayName": "Device Registration from Malicious IP",
"enabled": false,
- "query": "let Events = dynamic([\"device.enrollment.create\"]);\nlet ThreatInsightOperations = dynamic([\"security.threat.detected\", \"security.attack.start\", \"security.attack.end\" ]);\nlet DeviceRegistrations = OktaSSO\n| where eventType_s in (Events)\n| where outcome_result_s == \"SUCCESS\"\n| extend oktaDeviceId_ = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).oktaDeviceId), NewDevice_osPlatform = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osPlatform), NewDevice_osVersion = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osVersion), displayName_ = tostring(parse_json(target_s)[0].displayName)\n| extend Location = strcat(client_geographicalContext_city_s, \" | \", client_geographicalContext_state_s,\" | \", client_geographicalContext_country_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, displayMessage_s, outcome_result_s,\noutcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), column_ifexists('debugContext_debugData_threatSuspected_s',\"\"), client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s, NewDevice_osPlatform, NewDevice_osVersion, eventType_s, Location ;\nlet ThreatInsightEvents = OktaSSO\n| where eventType_s in (ThreatInsightOperations)\n| extend SuspiciousIP = actor_displayName_s\n| project TimeGenerated, debugContext_debugData_threatDetections_s, client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;\nDeviceRegistrations \n| join kind=inner (ThreatInsightEvents) on $left.client_ipAddress_s == $right.SuspiciousIP\n",
+ "query": "let Events = dynamic([\"device.enrollment.create\"]);\nlet ThreatInsightOperations = dynamic([\"security.threat.detected\", \"security.attack.start\", \"security.attack.end\" ]);\nlet DeviceRegistrations = OktaSSO\n| where eventType_s in (Events)\n| where outcome_result_s == \"SUCCESS\"\n| extend oktaDeviceId_ = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).oktaDeviceId), NewDevice_osPlatform = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osPlatform), NewDevice_osVersion = tostring(parse_json(tostring(parse_json(target_s)[0].detailEntry)).osVersion), displayName_ = tostring(parse_json(target_s)[0].displayName)\n| extend Location = strcat(client_geographicalContext_city_s, \" | \", client_geographicalContext_state_s,\" | \", client_geographicalContext_country_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by actor_alternateId_s, actor_displayName_s, client_userAgent_os_s, client_ipAddress_s, displayMessage_s, outcome_result_s,\noutcome_reason_s, column_ifexists('debugContext_debugData_logOnlySecurityData_s', \"\"), column_ifexists('debugContext_debugData_threatSuspected_s',\"\"), client_userAgent_rawUserAgent_s,client_userAgent_browser_s, severity_s, NewDevice_osPlatform, NewDevice_osVersion, eventType_s, Location ;\nlet ThreatInsightEvents = OktaSSO\n| where eventType_s in (ThreatInsightOperations)\n| extend SuspiciousIP = actor_displayName_s\n| project TimeGenerated, column_ifexists('debugContext_debugData_threatDetections_s', \"\"), client_userAgent_rawUserAgent_s, severity_s, outcome_result_s, eventType_s, displayMessage_s, SuspiciousIP, transaction_id_s;\nDeviceRegistrations \n| join kind=inner (ThreatInsightEvents) on $left.client_ipAddress_s == $right.SuspiciousIP\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
@@ -1210,7 +1208,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.10",
+ "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1328,7 +1326,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta Single Sign-On data connector with template version 3.0.10",
+ "description": "Okta Single Sign-On data connector with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -2564,10 +2562,6 @@
"type": "string",
"minLength": 1
},
- "innerWorkspace": {
- "defaultValue": "[parameters('workspace')]",
- "type": "string"
- },
"connectorDefinitionName": {
"defaultValue": "Okta Single Sign-On",
"type": "string",
@@ -2616,7 +2610,7 @@
}
},
{
- "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/OktaDCV1_', parameters('domainname'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', '{{innerWorkspace}}/Microsoft.SecurityInsights/OktaDCV1_{{domainname}}')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
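Review bot: The new `name` on the changed line prepends `parameters('workspace')` and `'/Microsoft.SecurityInsights/'` to a string that itself begins with `{{innerWorkspace}}/Microsoft.SecurityInsights/`, so after placeholder substitution the resource name would carry two workspace names and two `Microsoft.SecurityInsights` segments for a `workspaces/providers/dataConnectors` resource whose name has three segments. If the connector platform rewrites this path before the data connector is created this is harmless, but it should be confirmed against a deployed instance rather than assumed, since a malformed name surfaces as a failed or duplicated connector rather than a silent misconfiguration. Note also that dropping the `[[` escape moves the `concat` to solution-deploy time while `{{innerWorkspace}}` and `{{domainname}}` are filled in later, and the `innerWorkspace` template parameter was removed in the preceding hunk, so any remaining `parameters('innerWorkspace')` reference elsewhere in this resource would now fail validation. The enclosing resource definition starts and ends outside this hunk.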
@@ -2684,7 +2678,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2769,7 +2763,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2854,7 +2848,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2939,7 +2933,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -3024,7 +3018,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -3109,7 +3103,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -3194,7 +3188,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -3279,7 +3273,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -3364,7 +3358,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -3449,7 +3443,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.10",
+ "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -3534,7 +3528,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OktaCustomConnector Playbook with template version 3.0.10",
+ "description": "OktaCustomConnector Playbook with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -4797,7 +4791,7 @@
],
"metadata": {
"comments": "This OKTA connector uses okta API to perform different actions on the user accounts.",
- "lastUpdateTime": "2024-11-07T18:58:15.778Z",
+ "lastUpdateTime": "2024-11-26T19:04:56.357Z",
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
@@ -4829,7 +4823,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.10",
+ "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -5188,7 +5182,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta-PromptUser Playbook with template version 3.0.10",
+ "description": "Okta-PromptUser Playbook with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -5639,7 +5633,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta-ResponseFromTeams Playbook with template version 3.0.10",
+ "description": "Okta-ResponseFromTeams Playbook with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -6146,7 +6140,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OktaSingleSignOn Workbook with template version 3.0.10",
+ "description": "OktaSingleSignOn Workbook with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -6242,7 +6236,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OktaSSO Data Parser with template version 3.0.10",
+ "description": "OktaSSO Data Parser with template version 3.0.11",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -6370,7 +6364,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.10",
+ "version": "3.0.11",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Okta Single Sign-On",
diff --git a/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCI_logs_API_FunctionApp.json b/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCI_logs_API_FunctionApp.json
index ed10966f2db..828357d6515 100644
--- a/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCI_logs_API_FunctionApp.json
+++ b/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCI_logs_API_FunctionApp.json
@@ -71,6 +71,10 @@
},
"instructionSteps": [
{
+ "title": "",
+ "description": ">**NOTE:** This connector can go over the 500 column limit of log Analytics. When this happens some logs will be dropped. For this reason the connector can be unrealiable depending on the logs that are being generated and collected."
+ },
+ {
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
@@ -154,4 +158,4 @@
]
}
]
-}
\ No newline at end of file
+}
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/3.0.2.zip b/Solutions/Oracle Cloud Infrastructure/Package/3.0.2.zip
new file mode 100644
index 00000000000..5eac322e314
Binary files /dev/null and b/Solutions/Oracle Cloud Infrastructure/Package/3.0.2.zip differ
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json b/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json
index a34550d6c58..380a01bc791 100644
--- a/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json
+++ b/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle%20Cloud%20Infrastructure/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from [OCI Stream](https://docs.oracle.com/iaas/Content/Streaming/Concepts/streamingoverview.htm) into Microsoft Sentinel using the [OCI Streaming REST API](https://docs.oracle.com/iaas/api/#/streaming/streaming/20180418).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Oracle%20Cloud%20Infrastructure/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from [OCI Stream](https://docs.oracle.com/iaas/Content/Streaming/Concepts/streamingoverview.htm) into Microsoft Sentinel using the [OCI Streaming REST API](https://docs.oracle.com/iaas/api/#/streaming/streaming/20180418).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the data connector for ingesting Oracle Cloud Infrastructure logs into Microsoft Sentinel, using the Oracle Cloud Infrastructure API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Oracle Cloud Infrastructure. You can get Oracle Cloud Infrastructure custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the Oracle Cloud Infrastructure Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
@@ -301,7 +301,7 @@
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json b/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json
index d7baa0b09ac..2c8cee66a26 100644
--- a/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json
+++ b/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Oracle Cloud Infrastructure",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-ocilogs",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -51,66 +51,56 @@
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "huntingQueryVersion1": "1.0.0",
- "huntingQuerycontentId1": "3bdfa923-3fc8-4651-8954-dab2bef2bdd1",
- "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
- "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
- "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
- "huntingQueryVersion2": "1.0.0",
- "huntingQuerycontentId2": "fff09b57-24ff-4e47-8a29-6292b0310e19",
- "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
- "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
- "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
- "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
- "huntingQueryVersion3": "1.0.0",
- "huntingQuerycontentId3": "3df69415-2dec-4457-9433-97a3c15a4b70",
- "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
- "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
- "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]",
- "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]",
- "huntingQueryVersion4": "1.0.0",
- "huntingQuerycontentId4": "e4353276-19a5-4833-a271-be507170269e",
- "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]",
- "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]",
- "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]",
- "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]",
- "huntingQueryVersion5": "1.0.0",
- "huntingQuerycontentId5": "eed33749-85c4-47cc-9776-12eeb3172888",
- "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]",
- "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]",
- "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]",
- "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]",
- "huntingQueryVersion6": "1.0.0",
- "huntingQuerycontentId6": "4f7c20dc-702c-491d-908e-3b5f8bdc73ab",
- "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]",
- "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]",
- "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]",
- "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]",
- "huntingQueryVersion7": "1.0.0",
- "huntingQuerycontentId7": "c411dc09-a8ca-44f9-a594-242b5e90ada8",
- "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]",
- "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]",
- "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]",
- "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]",
- "huntingQueryVersion8": "1.0.0",
- "huntingQuerycontentId8": "01dc84d2-ef1d-4df6-9499-e1c4a305f01f",
- "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]",
- "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]",
- "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]",
- "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]",
- "huntingQueryVersion9": "1.0.0",
- "huntingQuerycontentId9": "51101a78-a802-4a83-ac02-ef31416ffbc7",
- "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]",
- "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]",
- "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]",
- "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]",
- "huntingQueryVersion10": "1.0.0",
- "huntingQuerycontentId10": "7b17d83a-7a88-4867-accf-494736bcec50",
- "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]",
- "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]",
- "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]",
- "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]",
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "1.0.0",
+ "_huntingQuerycontentId1": "3bdfa923-3fc8-4651-8954-dab2bef2bdd1",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3bdfa923-3fc8-4651-8954-dab2bef2bdd1')))]"
+ },
+ "huntingQueryObject2": {
+ "huntingQueryVersion2": "1.0.0",
+ "_huntingQuerycontentId2": "fff09b57-24ff-4e47-8a29-6292b0310e19",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fff09b57-24ff-4e47-8a29-6292b0310e19')))]"
+ },
+ "huntingQueryObject3": {
+ "huntingQueryVersion3": "1.0.0",
+ "_huntingQuerycontentId3": "3df69415-2dec-4457-9433-97a3c15a4b70",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3df69415-2dec-4457-9433-97a3c15a4b70')))]"
+ },
+ "huntingQueryObject4": {
+ "huntingQueryVersion4": "1.0.0",
+ "_huntingQuerycontentId4": "e4353276-19a5-4833-a271-be507170269e",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e4353276-19a5-4833-a271-be507170269e')))]"
+ },
+ "huntingQueryObject5": {
+ "huntingQueryVersion5": "1.0.0",
+ "_huntingQuerycontentId5": "eed33749-85c4-47cc-9776-12eeb3172888",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('eed33749-85c4-47cc-9776-12eeb3172888')))]"
+ },
+ "huntingQueryObject6": {
+ "huntingQueryVersion6": "1.0.0",
+ "_huntingQuerycontentId6": "4f7c20dc-702c-491d-908e-3b5f8bdc73ab",
+ "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4f7c20dc-702c-491d-908e-3b5f8bdc73ab')))]"
+ },
+ "huntingQueryObject7": {
+ "huntingQueryVersion7": "1.0.0",
+ "_huntingQuerycontentId7": "c411dc09-a8ca-44f9-a594-242b5e90ada8",
+ "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c411dc09-a8ca-44f9-a594-242b5e90ada8')))]"
+ },
+ "huntingQueryObject8": {
+ "huntingQueryVersion8": "1.0.0",
+ "_huntingQuerycontentId8": "01dc84d2-ef1d-4df6-9499-e1c4a305f01f",
+ "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('01dc84d2-ef1d-4df6-9499-e1c4a305f01f')))]"
+ },
+ "huntingQueryObject9": {
+ "huntingQueryVersion9": "1.0.0",
+ "_huntingQuerycontentId9": "51101a78-a802-4a83-ac02-ef31416ffbc7",
+ "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('51101a78-a802-4a83-ac02-ef31416ffbc7')))]"
+ },
+ "huntingQueryObject10": {
+ "huntingQueryVersion10": "1.0.0",
+ "_huntingQuerycontentId10": "7b17d83a-7a88-4867-accf-494736bcec50",
+ "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7b17d83a-7a88-4867-accf-494736bcec50')))]"
+ },
"uiConfigId1": "OracleCloudInfrastructureLogsConnector",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "OracleCloudInfrastructureLogsConnector",
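Review bot: Each new `huntingQueryObjectN` repeats the content GUID twice, once as `_huntingQuerycontentIdN` and again as a literal inside `uniquestring('…')` in `huntingQueryTemplateSpecNameN`, whereas the removed variables derived the template-spec name from the id variable. If a GUID is ever edited in one place and not the other, the content id and the template spec name silently diverge; `uniquestring(variables('huntingQueryObject1')['_huntingQuerycontentId1'])` would keep a single source of truth, assuming the packaging tool permits the self-reference. The `_huntingQuerycontentProductIdN` and `huntingQueryIdN` variables are also deleted here; any resource further down still referencing them would fail template validation, which cannot be confirmed from this hunk. If this file is emitted by the solution packaging tool, the change belongs in the generator rather than in this file.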
@@ -120,75 +110,83 @@
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "analyticRuleVersion1": "1.0.0",
- "analyticRulecontentId1": "61f995d7-8038-4ff0-ad2b-eccfd18fcc8c",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.0.1",
- "analyticRulecontentId2": "31b15699-0b55-4246-851e-93f9cefb6f5c",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.0",
- "analyticRulecontentId3": "eb6e07a1-2895-4c55-9c27-ac84294f0e46",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.0.1",
- "analyticRulecontentId4": "9c4b1b9c-6462-41ce-8f2e-ce8c104331fc",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.0.0",
- "analyticRulecontentId5": "a55b4bbe-a014-4ae9-a50d-441ba5e98b65",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "1.0.0",
- "analyticRulecontentId6": "a79cf2b9-a511-4282-ba5d-812e14b07831",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.0.1",
- "analyticRulecontentId7": "252e651d-d825-480c-bdeb-8b239354577d",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.0.0",
- "analyticRulecontentId8": "482c24b9-a700-4b2a-85d3-1c42110ba78c",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.0.1",
- "analyticRulecontentId9": "e087d4fb-af0b-4e08-a067-b9ba9e5f8840",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
- "analyticRuleVersion10": "1.0.0",
- "analyticRulecontentId10": "a0b9a7ca-3e6d-4996-ae35-759df1d67a54",
- "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
- "parserName1": "OCILogs",
- "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
- "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
- "parserVersion1": "1.0.0",
- "parserContentId1": "OCILogs-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
- "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "61f995d7-8038-4ff0-ad2b-eccfd18fcc8c",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '61f995d7-8038-4ff0-ad2b-eccfd18fcc8c')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('61f995d7-8038-4ff0-ad2b-eccfd18fcc8c')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','61f995d7-8038-4ff0-ad2b-eccfd18fcc8c','-', '1.0.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.1",
+ "_analyticRulecontentId2": "31b15699-0b55-4246-851e-93f9cefb6f5c",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '31b15699-0b55-4246-851e-93f9cefb6f5c')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('31b15699-0b55-4246-851e-93f9cefb6f5c')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','31b15699-0b55-4246-851e-93f9cefb6f5c','-', '1.0.1')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.0",
+ "_analyticRulecontentId3": "eb6e07a1-2895-4c55-9c27-ac84294f0e46",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eb6e07a1-2895-4c55-9c27-ac84294f0e46')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eb6e07a1-2895-4c55-9c27-ac84294f0e46')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eb6e07a1-2895-4c55-9c27-ac84294f0e46','-', '1.0.0')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.1",
+ "_analyticRulecontentId4": "9c4b1b9c-6462-41ce-8f2e-ce8c104331fc",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9c4b1b9c-6462-41ce-8f2e-ce8c104331fc')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9c4b1b9c-6462-41ce-8f2e-ce8c104331fc')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9c4b1b9c-6462-41ce-8f2e-ce8c104331fc','-', '1.0.1')))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.0",
+ "_analyticRulecontentId5": "a55b4bbe-a014-4ae9-a50d-441ba5e98b65",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a55b4bbe-a014-4ae9-a50d-441ba5e98b65')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a55b4bbe-a014-4ae9-a50d-441ba5e98b65')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a55b4bbe-a014-4ae9-a50d-441ba5e98b65','-', '1.0.0')))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.0",
+ "_analyticRulecontentId6": "a79cf2b9-a511-4282-ba5d-812e14b07831",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a79cf2b9-a511-4282-ba5d-812e14b07831')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a79cf2b9-a511-4282-ba5d-812e14b07831')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a79cf2b9-a511-4282-ba5d-812e14b07831','-', '1.0.0')))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.0.1",
+ "_analyticRulecontentId7": "252e651d-d825-480c-bdeb-8b239354577d",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '252e651d-d825-480c-bdeb-8b239354577d')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('252e651d-d825-480c-bdeb-8b239354577d')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','252e651d-d825-480c-bdeb-8b239354577d','-', '1.0.1')))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "1.0.0",
+ "_analyticRulecontentId8": "482c24b9-a700-4b2a-85d3-1c42110ba78c",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '482c24b9-a700-4b2a-85d3-1c42110ba78c')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('482c24b9-a700-4b2a-85d3-1c42110ba78c')))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','482c24b9-a700-4b2a-85d3-1c42110ba78c','-', '1.0.0')))]"
+ },
+ "analyticRuleObject9": {
+ "analyticRuleVersion9": "1.0.1",
+ "_analyticRulecontentId9": "e087d4fb-af0b-4e08-a067-b9ba9e5f8840",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e087d4fb-af0b-4e08-a067-b9ba9e5f8840')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e087d4fb-af0b-4e08-a067-b9ba9e5f8840')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e087d4fb-af0b-4e08-a067-b9ba9e5f8840','-', '1.0.1')))]"
+ },
+ "analyticRuleObject10": {
+ "analyticRuleVersion10": "1.0.0",
+ "_analyticRulecontentId10": "a0b9a7ca-3e6d-4996-ae35-759df1d67a54",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a0b9a7ca-3e6d-4996-ae35-759df1d67a54')]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a0b9a7ca-3e6d-4996-ae35-759df1d67a54')))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a0b9a7ca-3e6d-4996-ae35-759df1d67a54','-', '1.0.0')))]"
+ },
+ "parserObject1": {
+ "_parserName1": "[concat(parameters('workspace'),'/','OCILogs')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OCILogs')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OCILogs-Parser')))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "OCILogs-Parser"
+ },
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
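Review bot: The version string is now duplicated inside each new object — e.g. `analyticRuleObject1` carries `"analyticRuleVersion1": "1.0.0"` and the `_analyticRulecontentProductId1` expression repeats the literal `'1.0.0'` — so a bump of one without the other silently changes the contentProductId/version pairing; presumably the literal is inlined because an ARM variable cannot reference its own object, in which case a short `// NOTE` is impossible in strict JSON and the generator should at least be documented as the single source of truth. The hunk also drops the old top-level variables `parserName1`, `parserId1`, `_parsercontentProductId1`, `analyticRulecontentIdN` and `huntingQueryId*`; every remaining `variables('…')` reference to them elsewhere in this template must have been updated or deployment fails at validation, which cannot be confirmed from this hunk alone. Hard-coding the rule GUIDs directly into `resourceId(...)` and `uniquestring(...)` rather than via the object's `_analyticRulecontentIdN` field means the same GUID is now written three times per rule; a mismatch would produce a template-spec name that no longer corresponds to the rule it packages.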
@@ -201,7 +199,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OracleCloudInfrastructureOCIWorkbook Workbook with template version 3.0.1",
+ "description": "OracleCloudInfrastructureOCI Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -283,16 +281,16 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIDestinationsIn_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIDestinationsIn_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
@@ -326,13 +324,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -357,27 +355,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Destination ports (inbound traffic)",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIDestinationsOut_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIDestinationsOut_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
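Review bot: In the package-metadata block the version is now a bare literal, `"version": "1.0.0"`, while `contentVersion` and the metadata resource's `version` on the same query read `variables('huntingQueryObject1').huntingQueryVersion1`; the two can drift on the next bump. Referencing the variable here too, `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"`, and using the same expression in place of the `'1.0.0'` literal inside `contentProductId`/`id` would keep all four in sync from one field. If this file is emitted by the solution packaging tool, the change belongs in the generator rather than a hand edit.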
@@ -411,13 +409,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -442,27 +440,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Destination ports (outbound traffic)",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCILaunchedInstances_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCILaunchedInstances_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"parameters": {},
"variables": {},
"resources": [
@@ -496,13 +494,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -527,27 +525,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Launched instances",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUpdateActivities_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUpdateActivities_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"parameters": {},
"variables": {},
"resources": [
@@ -581,13 +579,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -612,27 +610,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Update activities",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUserDeleteActions_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUserDeleteActions_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"parameters": {},
"variables": {},
"resources": [
@@ -666,13 +664,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -697,27 +695,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Delete operations",
- "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
- "id": "[variables('_huntingQuerycontentProductId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUserDeletedUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUserDeletedUsers_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
"parameters": {},
"variables": {},
"resources": [
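Review bot: The package entry for hunting query 5 now derives `contentProductId`/`id` from the literal `'1.0.0'` and hard-codes `"version": "1.0.0"`, while the metadata resource a few lines above and the template's `contentVersion` still read `variables('huntingQueryObject5').huntingQueryVersion5`; if that variable is ever anything other than 1.0.0, the two version fields of the same content item disagree and the product id no longer tracks the version. The analytics-rule entries below keep both values in their object (`_analyticRulecontentProductId1`, `analyticRuleVersion1`), so the hunting queries are the odd ones out. Suggest `"version": "[variables('huntingQueryObject5').huntingQueryVersion5]"` with the same variable in place of `'1.0.0'` inside `uniqueString(...)`, or a `_huntingQuerycontentProductId5` property on the object so the identical expression is not repeated for `contentProductId` and `id`. The same lines recur for queries 6–10 in the hunks at -782, -867, -952, -1037 and -1122. Whether the variable actually equals 1.0.0 cannot be checked from this chunk, since the variables block is outside it.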
@@ -751,13 +749,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 6",
- "parentId": "[variables('huntingQueryId6')]",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion6')]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -782,27 +780,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Deleted users",
- "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
- "id": "[variables('_huntingQuerycontentProductId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName7')]",
+ "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUserNewUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUserNewUsers_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion7')]",
+ "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
"parameters": {},
"variables": {},
"resources": [
@@ -836,13 +834,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 7",
- "parentId": "[variables('huntingQueryId7')]",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion7')]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -867,27 +865,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
"contentKind": "HuntingQuery",
"displayName": "OCI - New users",
- "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
- "id": "[variables('_huntingQuerycontentProductId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName8')]",
+ "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUserSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUserSources_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion8')]",
+ "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
"parameters": {},
"variables": {},
"resources": [
@@ -921,13 +919,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 8",
- "parentId": "[variables('huntingQueryId8')]",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion8')]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -952,27 +950,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
"contentKind": "HuntingQuery",
"displayName": "OCI - User source IP addresses",
- "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
- "id": "[variables('_huntingQuerycontentProductId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName9')]",
+ "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUserTerminatedInstances_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUserTerminatedInstances_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion9')]",
+ "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
"parameters": {},
"variables": {},
"resources": [
@@ -1006,13 +1004,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 9",
- "parentId": "[variables('huntingQueryId9')]",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion9')]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -1037,27 +1035,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Terminated instances",
- "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
- "id": "[variables('_huntingQuerycontentProductId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName10')]",
+ "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUserUpdatedInstances_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "OCIUserUpdatedInstances_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion10')]",
+ "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
"parameters": {},
"variables": {},
"resources": [
@@ -1091,13 +1089,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Hunting Query 10",
- "parentId": "[variables('huntingQueryId10')]",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion10')]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -1122,12 +1120,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"contentKind": "HuntingQuery",
"displayName": "OCI - Updated instances",
- "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
- "id": "[variables('_huntingQuerycontentProductId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
@@ -1139,7 +1137,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Oracle Cloud Infrastructure data connector with template version 3.0.1",
+ "description": "Oracle Cloud Infrastructure data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1225,6 +1223,9 @@
]
},
"instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector can go over the 500 column limit of log Analytics. When this happens some logs will be dropped. For this reason the connector can be unrealiable depending on the logs that are being generated and collected."
+ },
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
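Review bot: The new instruction step carries a spelling error and an inconsistent product name: `unrealiable` should be `unreliable`, and `log Analytics` should be `Log Analytics`; the same text is added a second time in the hunk at -1451. Because this note is what the analyst sees when onboarding the connector, it is worth saying plainly that dropped logs mean events missing from the workspace, so detections that rely on this connector may have gaps, rather than only that the connector "can be unreliable". Suggested wording: `>**NOTE:** This connector can exceed the 500-column limit of a Log Analytics table. When this happens some logs are dropped and will be missing from the workspace, so the connector can be unreliable depending on the logs being generated and collected.`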
@@ -1451,6 +1452,9 @@
]
},
"instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector can go over the 500 column limit of log Analytics. When this happens some logs will be dropped. For this reason the connector can be unrealiable depending on the logs that are being generated and collected."
+ },
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
@@ -1534,23 +1538,23 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIDiscoveryActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIDiscoveryActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
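Review bot: The `apiVersion` of the nested `Microsoft.SecurityInsights/AlertRuleTemplates` resource is moved from `2022-04-01-preview` to `2023-02-01-preview` in the same hunk as the variable refactor, but the rule `properties` that the newer API version must accept begin after the hunk's last line, so the bump cannot be checked from here. A sentence in the commit message or the solution's release notes stating that the templates were regenerated against the newer API version would make the intent clear and separate it from the purely mechanical variable changes. The same bump appears for rules 2–5 in the hunks at -1627, -1731, -1835 and -1939 (the last of which runs past this chunk).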
@@ -1584,8 +1588,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -1596,13 +1600,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -1627,34 +1631,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Discovery activity",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIEventRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIEventRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId2')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1688,8 +1692,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -1700,13 +1704,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -1731,34 +1735,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Event rule deleted",
- "contentProductId": "[variables('_analyticRulecontentProductId2')]",
- "id": "[variables('_analyticRulecontentProductId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIInboundSSHConnection_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIInboundSSHConnection_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId3')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1792,8 +1796,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -1804,13 +1808,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -1835,34 +1839,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Inbound SSH connection",
- "contentProductId": "[variables('_analyticRulecontentProductId3')]",
- "id": "[variables('_analyticRulecontentProductId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIInsecureMetadataEndpoint_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIInsecureMetadataEndpoint_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId4')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1896,8 +1900,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -1908,13 +1912,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -1939,34 +1943,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Insecure metadata endpoint",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIMetadataEndpointIpAccess_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIMetadataEndpointIpAccess_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
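Review bot: The AlertRuleTemplates resource inside the mainTemplate is now named by `variables('analyticRuleObject5')._analyticRulecontentId5` where it was previously `variables('analyticRulecontentId5')`, and because the variable objects are defined outside this hunk it cannot be confirmed here that both resolve to the same GUID. If they differ, upgrading from 3.0.1 deploys a second rule template under a new name and leaves the old one in the customer workspace, which surfaces as duplicated templates (and, once enabled, duplicated alerts). Worth checking the variables block that `_analyticRulecontentId5` equals the former `analyticRulecontentId5`; the metadata `contentId` already used the underscore form, so aligning on it is the right direction. The same applies to the parallel hunks for rules 4 and 6–10. The `apiVersion` also moves to another preview surface, `2023-02-01-preview`, and the rule `properties` body that has to be valid against it lies outside this hunk.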
@@ -2000,8 +2004,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2012,13 +2016,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -2043,34 +2047,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Instance metadata access",
- "contentProductId": "[variables('_analyticRulecontentProductId5')]",
- "id": "[variables('_analyticRulecontentProductId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIMultipleInstancesLaunched_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIMultipleInstancesLaunched_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId6')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2104,8 +2108,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2116,13 +2120,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -2147,34 +2151,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Multiple instances launched",
- "contentProductId": "[variables('_analyticRulecontentProductId6')]",
- "id": "[variables('_analyticRulecontentProductId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIMultipleInstancesTerminated_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIMultipleInstancesTerminated_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId7')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2208,8 +2212,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2220,13 +2224,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -2251,34 +2255,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Multiple instances terminated",
- "contentProductId": "[variables('_analyticRulecontentProductId7')]",
- "id": "[variables('_analyticRulecontentProductId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIMultipleRejects_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIMultipleRejects_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId8')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2312,8 +2316,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2324,13 +2328,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -2355,34 +2359,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Multiple rejects on rare ports",
- "contentProductId": "[variables('_analyticRulecontentProductId8')]",
- "id": "[variables('_analyticRulecontentProductId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCISSHScan_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCISSHScan_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId9')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2416,8 +2420,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2428,13 +2432,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -2459,34 +2463,34 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - SSH scanner",
- "contentProductId": "[variables('_analyticRulecontentProductId9')]",
- "id": "[variables('_analyticRulecontentProductId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName10')]",
+ "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCIUnexpectedUserAgent_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "OCIUnexpectedUserAgent_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion10')]",
+ "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId10')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2520,8 +2524,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2532,13 +2536,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]",
"properties": {
"description": "Oracle Cloud Infrastructure Analytics Rule 10",
- "parentId": "[variables('analyticRuleId10')]",
- "contentId": "[variables('_analyticRulecontentId10')]",
+ "parentId": "[variables('analyticRuleObject10').analyticRuleId10]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion10')]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
@@ -2563,32 +2567,32 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId10')]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
"contentKind": "AnalyticsRule",
"displayName": "OCI - Unexpected user agent",
- "contentProductId": "[variables('_analyticRulecontentProductId10')]",
- "id": "[variables('_analyticRulecontentProductId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('parserTemplateSpecName1')]",
+ "name": "[variables('parserObject1').parserTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OCILogs Data Parser with template version 3.0.1",
+ "description": "OCILogs Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserVersion1')]",
+ "contentVersion": "[variables('parserObject1').parserVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[variables('_parserName1')]",
+ "name": "[variables('parserObject1')._parserName1]",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
@@ -2611,15 +2615,15 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
- "[variables('_parserId1')]"
+ "[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OCILogs')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
"source": {
"name": "Oracle Cloud Infrastructure",
"kind": "Solution",
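Review bot: `parentId` now hard-codes the saved-search name `'OCILogs'` inside `resourceId(...)`, while the savedSearches resource itself and the `dependsOn` entry two lines above are still named through `variables('parserObject1')._parserName1` / `_parserId1`. If the object's name ever diverges from the literal, the metadata would point at a parent that does not exist and the Content Hub loses the link between the parser and its metadata, with no deployment error to flag it. Since `dependsOn` already references `variables('parserObject1')._parserId1`, which appears to be the savedSearches resource id, the single-source form is `"parentId": "[variables('parserObject1')._parserId1]"` — hedged, because the parserObject1 definition is outside this hunk.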
@@ -2644,18 +2648,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_parserContentId1')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "OCILogs",
- "contentProductId": "[variables('_parsercontentProductId1')]",
- "id": "[variables('_parsercontentProductId1')]",
- "version": "[variables('parserVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "version": "[variables('parserObject1').parserVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2022-10-01",
- "name": "[variables('_parserName1')]",
+ "name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
@@ -2677,15 +2681,15 @@
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
- "[variables('_parserId1')]"
+ "[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OCILogs')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
"source": {
"kind": "Solution",
"name": "Oracle Cloud Infrastructure",
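Review bot: `contentProductId` and `id` are now two hand-maintained copies of the same inline `concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(...))` expression, replacing the single `_parsercontentProductId1` variable the previous version used, whereas every analytic-rule entry in this file still references a precomputed `_analyticRulecontentProductIdN` property. Two copies of a hash input can drift silently and would then mint two different product ids for one parser. Suggest hoisting the expression onto `parserObject1` (e.g. a `_parsercontentProductId1` property) and referencing it from both fields, matching the rule pattern. Note also that the hash input ends in the literal `'1.0.0'` rather than `variables('parserObject1').parserVersion1`; that is plausibly deliberate so the product id stays stable across version bumps, but it should be confirmed since the sibling `version` field in the same object advertises `parserVersion1`. The second `parentId` in this hunk again hard-codes `'OCILogs'` where the adjacent `dependsOn` uses `_parserId1`.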
@@ -2708,12 +2712,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Oracle Cloud Infrastructure",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API .
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nAzure Monitor HTTP Data Collector API
\n \nAzure Functions
\n \n \nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API .
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nAzure Monitor HTTP Data Collector API
\n \nAzure Functions
\n \n \nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -2745,53 +2749,53 @@
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]"
},
{
"kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]"
},
{
"kind": "DataConnector",
@@ -2800,58 +2804,58 @@
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
},
{
"kind": "Parser",
- "contentId": "[variables('_parserContentId1')]",
- "version": "[variables('parserVersion1')]"
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "version": "[variables('parserObject1').parserVersion1]"
}
]
},
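Review bot: The Parser entry at the end of this hunk reads its content id as `variables('parserObject1').parserContentId1` with no leading underscore, while every AnalyticsRule entry above reads `variables('analyticRuleObjectN')._analyticRulecontentIdN` with one; the removed names had the opposite pattern (`_parserContentId1` vs `analyticRulecontentId1`), so one of the two conventions was flipped in this change. The property names must match the keys defined on the `*Object*` variables, which are outside this hunk, so this may well be intentional, but a property that does not exist on a `variables()` object is only caught as a template validation failure at deployment time, not in the repository. Worth confirming against the variables block, or using one naming convention for all three kinds. The HuntingQuery entries with the same `._huntingQuerycontentIdN` form belong to the hunk that begins before this chunk.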
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/testParameters.json b/Solutions/Oracle Cloud Infrastructure/Package/testParameters.json
new file mode 100644
index 00000000000..e3717d3ac0e
--- /dev/null
+++ b/Solutions/Oracle Cloud Infrastructure/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Oracle Cloud Infrastructure",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
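Review bot: `workspace` and `workspace-location` default to `""` with no `minLength`, whereas `location` and `workbook1-name` in the same file carry `"minLength": 1`; an empty workspace name would presumably flow into resource-id expressions in the main template and surface only as a deployment-time error. If this file is meant to mirror the template's own parameter constraints for arm-ttk, adding `"minLength": 1` to `workspace` keeps the two in step. The consumer of these test parameters is not visible in the diff, so treat this as a consistency check rather than a confirmed defect.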
diff --git a/Workbooks/Images/Preview/Dynamics365ActivityBlack.png b/Workbooks/Images/Preview/Dynamics365ActivityBlack.png
new file mode 100644
index 00000000000..e7e2b79de3b
Binary files /dev/null and b/Workbooks/Images/Preview/Dynamics365ActivityBlack.png differ
diff --git a/Workbooks/Images/Preview/Dynamics365ActivityWhite.png b/Workbooks/Images/Preview/Dynamics365ActivityWhite.png
new file mode 100644
index 00000000000..b12e8f5e8e8
Binary files /dev/null and b/Workbooks/Images/Preview/Dynamics365ActivityWhite.png differ
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index ca52096d5af..903118b9495 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -8410,5 +8410,25 @@
"author": {
"name": "Inspira Enterprise"
}
- }
+ },
+ {
+ "workbookKey": "Dynamics365Activity",
+ "logoFileName": "DynamicsLogo.svg",
+ "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.",
+ "dataTypesDependencies": [
+ "DataverseActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Dataverse"
+ ],
+ "previewImagesFileNames": [
+ "Dynamics365ActivityBlack.png",
+ "Dynamics365ActivityWhite.png"
+ ],
+ "version": "1.0.4",
+ "title": "Dynamics 365 Activity",
+ "templateRelativePath": "Dynamics365Activity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ }
]
\ No newline at end of file
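Review bot: The hunk rewrites the file's closing `]` but keeps the `\ No newline at end of file` state; since that line is already being touched, terminating the file with a newline would make the next appended entry a clean one-line diff. The new entry also starts at `"version": "1.0.4"` even though it is new to this metadata file, which suggests the workbook template pre-dates the entry — confirm it matches the version recorded in `Dynamics365Activity.json` so the two do not drift. `"subtitle": ""` is an empty-string placeholder; if other entries in this file omit the key when there is no subtitle, omitting it here is more consistent.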