diff --git a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json index 6a2379676e6..b783819eda4 100644 --- a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json +++ b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json @@ -8,7 +8,7 @@ "Data Connectors/template_TrendMicro_ApexOneAMA.json" ], "Parsers": [ - "Parsers/TMApexOneEvent.txt" + "Parsers/TMApexOneEvent.yaml" ], "Workbooks": [ "Workbooks/TrendMicroApexOne.json" diff --git a/Solutions/Trend Micro Apex One/Package/3.0.0.zip b/Solutions/Trend Micro Apex One/Package/3.0.0.zip index 1676a94d6f4..71ffbacd354 100644 Binary files a/Solutions/Trend Micro Apex One/Package/3.0.0.zip and b/Solutions/Trend Micro Apex One/Package/3.0.0.zip differ diff --git a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json index acf78e99715..91c3b373dbc 100644 --- a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json +++ b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,14 +60,15 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "The Trend Micro Apex One connector allows you to easily connect your Trend Micro Apex One events logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, + { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the TMApexOneEvent Kusto Function alias." } }, { 
@@ -79,13 +80,6 @@ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" } } - }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } } ] }, @@ -102,7 +96,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "The workbook installed with the Trend Micro Apex One help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -308,7 +302,7 @@ "name": "huntingqueries-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view." } }, { @@ -330,7 +324,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] 
@@ -344,7 +338,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] @@ -358,7 +352,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] @@ -372,7 +366,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] @@ -386,7 +380,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows channel type. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Shows channel type. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] 
@@ -400,7 +394,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] @@ -414,7 +408,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] @@ -428,7 +422,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] @@ -442,7 +436,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] 
@@ -456,7 +450,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" + "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)" } } ] diff --git a/Solutions/Trend Micro Apex One/Package/mainTemplate.json b/Solutions/Trend Micro Apex One/Package/mainTemplate.json index a0ef874960d..d1557a5c99a 100644 --- a/Solutions/Trend Micro Apex One/Package/mainTemplate.json +++ b/Solutions/Trend Micro Apex One/Package/mainTemplate.json @@ -38,12 +38,12 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Trend Micro Apex One", "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "TrendMicroApexOne", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "TrendMicroApexOne", 
@@ -62,6 +62,15 @@ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", "dataConnectorVersion2": "1.0.0", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "parserName1": "Trend Micro Apex One Data Parser", + "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", + "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "_parserId1": "[variables('parserId1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "TMApexOneEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "TrendMicroApexOneWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -641,13 +650,13 @@ "instructionSteps": [ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, { "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. 
While configuring, on step 6, select the log format **CEF**.", - "instructions": [] + "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**." + }, { "title": "Step C. Validate connection", 
@@ -831,13 +840,13 @@ "instructionSteps": [ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, { "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. 
While configuring, on step 6, select the log format **CEF**.", - "instructions": [] + "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**." + }, { "title": "Step C. Validate connection", 
@@ -868,6 +877,138 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "TMApexOneEvent Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Trend Micro Apex One Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "TMApexOneEvent", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Trend Micro\"\n| where DeviceProduct == \"Apex Central\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack (DeviceCustomNumber1Label, DeviceCustomNumber1,\n DeviceCustomNumber2Label, DeviceCustomNumber2,\n DeviceCustomString1Label, DeviceCustomString1,\n DeviceCustomString2Label, DeviceCustomString2,\n DeviceCustomString3Label, DeviceCustomString3,\n DeviceCustomString4Label, DeviceCustomString4,\n 
DeviceCustomString5Label, DeviceCustomString5,\n DeviceCustomString6Label, DeviceCustomString6,\n DeviceCustomDate1Label, DeviceCustomDate1,\n DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| project-rename EventVendor=DeviceVendor,\n EventProduct=DeviceProduct,\n EventProductVersion=DeviceVersion,\n EventSubType=DeviceEventClassID,\n EventMessage=Activity,\n EventSeverity=LogSeverity,\n EventOriginalUid=DeviceExternalID,\n EventEndTime=ReceiptTime,\n DstDvcHostname=DestinationHostName,\n DstIpAddr=DestinationIP,\n DstUserName=DestinationUserName,\n DstPortNumber=DestinationPort,\n DstServiceName=DestinationServiceName,\n SrcPortNumber=SourcePort,\n SrcIpAddr=SourceIP,\n SrcDvcHostname=SourceHostName,\n SrcServiceName=SourceServiceName,\n SrcUserName=SourceUserName,\n SrcProcessName=SourceProcessName,\n SrcMacAddr=SourceMACAddress,\n DvcAction=DeviceAction,\n DvcHostname=DeviceName,\n DvcProcessName=ProcessName,\n FileHashSha1=FileHash,\n UrlOriginal=RequestURL,\n NetworkDirection=CommunicationDirection\n| extend Command = iif(DeviceCustomString3Label == \"Command\", DeviceCustomString3, \"\")\n| extend ActionResult = iif(DeviceCustomString5Label == \"ActionResult\", DeviceCustomString5, \"\")\n| extend Event_Type = iif(DeviceCustomNumber2Label == \"Event_Type\", DeviceCustomNumber2, long(null))\n| extend VirusName = iif(DeviceCustomString1Label == \"VirusName\", DeviceCustomString1, \"\")\n| extend Policy = iif(DeviceCustomString2Label == \"Policy\", DeviceCustomString2, \"\")\n| extend ProcessCommandLine = iif(DeviceCustomString4Label == \"ProcessCommandLine\", DeviceCustomString4, \"\")\n| project-away DeviceCustomNumber1Label,\n DeviceCustomNumber1,\n DeviceCustomNumber2Label,\n DeviceCustomNumber2,\n DeviceCustomString1Label,\n DeviceCustomString1,\n DeviceCustomString2Label,\n DeviceCustomString2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n 
DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n DeviceCustomDate1Label,\n DeviceCustomDate1,\n DeviceCustomDate2Label,\n DeviceCustomDate2\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "name": "Trend Micro Apex One", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "Trend Micro Apex One Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Trend 
Micro Apex One Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "TMApexOneEvent", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Trend Micro\"\n| where DeviceProduct == \"Apex Central\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack (DeviceCustomNumber1Label, DeviceCustomNumber1,\n DeviceCustomNumber2Label, DeviceCustomNumber2,\n DeviceCustomString1Label, DeviceCustomString1,\n DeviceCustomString2Label, DeviceCustomString2,\n DeviceCustomString3Label, DeviceCustomString3,\n DeviceCustomString4Label, DeviceCustomString4,\n DeviceCustomString5Label, DeviceCustomString5,\n DeviceCustomString6Label, DeviceCustomString6,\n DeviceCustomDate1Label, DeviceCustomDate1,\n DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| project-rename EventVendor=DeviceVendor,\n EventProduct=DeviceProduct,\n EventProductVersion=DeviceVersion,\n EventSubType=DeviceEventClassID,\n EventMessage=Activity,\n EventSeverity=LogSeverity,\n EventOriginalUid=DeviceExternalID,\n EventEndTime=ReceiptTime,\n DstDvcHostname=DestinationHostName,\n DstIpAddr=DestinationIP,\n DstUserName=DestinationUserName,\n DstPortNumber=DestinationPort,\n DstServiceName=DestinationServiceName,\n SrcPortNumber=SourcePort,\n SrcIpAddr=SourceIP,\n SrcDvcHostname=SourceHostName,\n SrcServiceName=SourceServiceName,\n SrcUserName=SourceUserName,\n SrcProcessName=SourceProcessName,\n SrcMacAddr=SourceMACAddress,\n DvcAction=DeviceAction,\n DvcHostname=DeviceName,\n DvcProcessName=ProcessName,\n FileHashSha1=FileHash,\n UrlOriginal=RequestURL,\n 
NetworkDirection=CommunicationDirection\n| extend Command = iif(DeviceCustomString3Label == \"Command\", DeviceCustomString3, \"\")\n| extend ActionResult = iif(DeviceCustomString5Label == \"ActionResult\", DeviceCustomString5, \"\")\n| extend Event_Type = iif(DeviceCustomNumber2Label == \"Event_Type\", DeviceCustomNumber2, long(null))\n| extend VirusName = iif(DeviceCustomString1Label == \"VirusName\", DeviceCustomString1, \"\")\n| extend Policy = iif(DeviceCustomString2Label == \"Policy\", DeviceCustomString2, \"\")\n| extend ProcessCommandLine = iif(DeviceCustomString4Label == \"ProcessCommandLine\", DeviceCustomString4, \"\")\n| project-away DeviceCustomNumber1Label,\n DeviceCustomNumber1,\n DeviceCustomNumber2Label,\n DeviceCustomNumber2,\n DeviceCustomString1Label,\n DeviceCustomString1,\n DeviceCustomString2Label,\n DeviceCustomString2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n DeviceCustomDate1Label,\n DeviceCustomDate1,\n DeviceCustomDate2Label,\n DeviceCustomDate2\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "Trend Micro Apex One", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -895,7 +1036,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **TMApexOneEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-TMApexOneEvent-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where isnotempty(DstDvcHostname)\\r\\n| summarize 
dcount(DstDvcHostname)\",\"size\":3,\"title\":\"Devices\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcProcessName)\\n| summarize dcount(SrcProcessName)\",\"size\":3,\"title\":\"Processes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Endpoint Application Control\\\"\\r\\n | where DvcAction has \\\"blocked\\\"\\r\\n | count\",\"size\":3,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 
15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | extend EventType = case(\\r\\n EventMessage == \\\"7\\\", \\\"Web Security\\\", \\r\\n EventMessage == \\\"virusa\\\", \\\"Predictive Machine Learning\\\",\\r\\n EventMessage == \\\"Attack Discovery Detections\\\", \\\"Attack Discovery Detection\\\", \\r\\n EventMessage == \\\"Behavior Monitoring\\\", \\\"Behavior Monitoring\\\",\\r\\n EventMessage == \\\"CnC Callback\\\", \\\"C&C Callback\\\", \\r\\n EventMessage == \\\"This is a policy name\\\", \\\"Policy name\\\",\\r\\n EventMessage == \\\"Data Loss Prevention\\\", \\\"Data Loss Prevention\\\", \\r\\n EventMessage == \\\"Device Access Control\\\", \\\"Device Access Control\\\",\\r\\n EventMessage == \\\"Endpoint Application Control Violation Information\\\", \\\"Endpoint Application Control\\\", \\r\\n EventMessage == \\\"Engine Update Status\\\", \\\"Engine Update Status\\\",\\r\\n EventMessage == \\\"Managed Product Logon/Logoff Events\\\", \\\"Managed Product Logon/Logoff Events\\\", \\r\\n EventMessage == \\\"Suspicious Connection\\\", \\\"Suspicious Connection\\\",\\r\\n EventMessage == \\\"Pattern Update Status\\\", \\\"Pattern Update Status\\\", \\r\\n EventMessage == \\\"VAN_RANSOMWARE.umxxhelloransom_abc\\\", \\\"Sandbox Detection\\\",\\r\\n EventMessage == \\\"Spyware Detected\\\", \\\"Spyware Detected\\\", \\r\\n EventMessage == \\\"JS_EXPLOIT.SMDN\\\", \\\"Virus/Malware Detected\\\",\\r\\n EventMessage == \\\"Suspicious Files\\\", \\\"Suspicious Files\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize count() by 
EventType\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(ApplicationProtocol)\\r\\n | extend AppProtocol = case(\\r\\n ApplicationProtocol == \\\"0\\\", \\\"Unknown\\\", \\r\\n ApplicationProtocol == \\\"1\\\", \\\"SMTP\\\",\\r\\n ApplicationProtocol == \\\"2\\\", \\\"POP3\\\",\\r\\n ApplicationProtocol == \\\"3\\\", \\\"IRC\\\", \\r\\n ApplicationProtocol == \\\"4\\\", \\\"DNS Response\\\",\\r\\n ApplicationProtocol == \\\"5\\\", \\\"HTTP\\\",\\r\\n ApplicationProtocol == \\\"6\\\", \\\"FTP\\\", \\r\\n ApplicationProtocol == \\\"7\\\", \\\"TFTP\\\",\\r\\n ApplicationProtocol == \\\"8\\\", \\\"SMB\\\",\\r\\n ApplicationProtocol == \\\"9\\\", \\\"Windows Live Messenger (MSN)\\\", \\r\\n ApplicationProtocol == \\\"10\\\", \\\"AIM\\\",\\r\\n ApplicationProtocol == \\\"11\\\", \\\"Yahoo! Messenger\\\",\\r\\n ApplicationProtocol == \\\"12\\\", \\\"Gmail\\\",\\r\\n ApplicationProtocol == \\\"13\\\", \\\"Yahoo! 
Mail\\\", \\r\\n ApplicationProtocol == \\\"14\\\", \\\"Windows Live Hotmail\\\",\\r\\n ApplicationProtocol == \\\"15\\\", \\\"RDP\\\",\\r\\n ApplicationProtocol == \\\"16\\\", \\\"DHCP\\\",\\r\\n ApplicationProtocol == \\\"17\\\", \\\"Telnet\\\", \\r\\n ApplicationProtocol == \\\"18\\\", \\\"LDAP\\\",\\r\\n ApplicationProtocol == \\\"19\\\", \\\"File transfer\\\",\\r\\n ApplicationProtocol == \\\"20\\\", \\\"SSH\\\",\\r\\n ApplicationProtocol == \\\"21\\\", \\\"Dameware\\\", \\r\\n ApplicationProtocol == \\\"22\\\", \\\"VNC\\\",\\r\\n ApplicationProtocol == \\\"23\\\", \\\"Cisco Telnet\\\",\\r\\n ApplicationProtocol == \\\"24\\\", \\\"Kerberos\\\", \\r\\n ApplicationProtocol == \\\"25\\\", \\\"DCE RPC\\\",\\r\\n ApplicationProtocol == \\\"26\\\", \\\"SQL\\\",\\r\\n ApplicationProtocol == \\\"27\\\", \\\"pcAnywhere\\\", \\r\\n ApplicationProtocol == \\\"28\\\", \\\"ICMP\\\",\\r\\n ApplicationProtocol == \\\"29\\\", \\\"SNMP\\\",\\r\\n ApplicationProtocol == \\\"30\\\", \\\"Virus pattern TCP\\\", \\r\\n ApplicationProtocol == \\\"31\\\", \\\"Virus pattern UDP\\\",\\r\\n ApplicationProtocol == \\\"32\\\", \\\"HTTPS\\\",\\r\\n ApplicationProtocol == \\\"33\\\", \\\"SMB2\\\",\\r\\n ApplicationProtocol == \\\"34\\\", \\\"MMS\\\", \\r\\n ApplicationProtocol == \\\"35\\\", \\\"IMAP4\\\",\\r\\n ApplicationProtocol == \\\"36\\\", \\\"RADIUS\\\",\\r\\n ApplicationProtocol == \\\"37\\\", \\\"Radmin\\\",\\r\\n ApplicationProtocol == \\\"38\\\", \\\"FTP_Response\\\", \\r\\n ApplicationProtocol == \\\"48\\\", \\\"RTSP/RTP-UDP\\\",\\r\\n ApplicationProtocol == \\\"49\\\", \\\"RTSP/RTP-TCP\\\",\\r\\n ApplicationProtocol == \\\"50\\\", \\\"RTSP/RDT-UDP\\\",\\r\\n ApplicationProtocol == \\\"51\\\", \\\"RTSP/RDT-TCP\\\",\\r\\n ApplicationProtocol == \\\"52\\\", \\\"WMSP\\\",\\r\\n ApplicationProtocol == \\\"53\\\", \\\"SHOUTCast\\\", \\r\\n ApplicationProtocol == \\\"54\\\", \\\"RTMP\\\",\\r\\n ApplicationProtocol == \\\"68\\\", \\\"DNS Request\\\",\\r\\n ApplicationProtocol == 
\\\"256\\\", \\\"BitTorrent\\\", \\r\\n ApplicationProtocol == \\\"257\\\", \\\"Kazaa\\\",\\r\\n ApplicationProtocol == \\\"258\\\", \\\"Limewire\\\",\\r\\n ApplicationProtocol == \\\"259\\\", \\\"Bearshare\\\", \\r\\n ApplicationProtocol == \\\"260\\\", \\\"Bluester\\\",\\r\\n ApplicationProtocol == \\\"261\\\", \\\"Edonkey emule\\\",\\r\\n ApplicationProtocol == \\\"262\\\", \\\"Edonkey2000\\\",\\r\\n ApplicationProtocol == \\\"263\\\", \\\"Filezilla\\\", \\r\\n ApplicationProtocol == \\\"264\\\", \\\"Guncleus\\\",\\r\\n ApplicationProtocol == \\\"265\\\", \\\"Gnutella\\\",\\r\\n ApplicationProtocol == \\\"266\\\", \\\"Winny\\\",\\r\\n ApplicationProtocol == \\\"267\\\", \\\"Napster\\\", \\r\\n ApplicationProtocol == \\\"268\\\", \\\"Morpheus\\\",\\r\\n ApplicationProtocol == \\\"269\\\", \\\"Napster\\\",\\r\\n ApplicationProtocol == \\\"270\\\", \\\"Shareaza\\\",\\r\\n ApplicationProtocol == \\\"271\\\", \\\"WinMX\\\", \\r\\n ApplicationProtocol == \\\"272\\\", \\\"Mldonkey\\\",\\r\\n ApplicationProtocol == \\\"273\\\", \\\"Direct Connect\\\",\\r\\n ApplicationProtocol == \\\"274\\\", \\\"Soulseek\\\", \\r\\n ApplicationProtocol == \\\"275\\\", \\\"OpenAP\\\",\\r\\n ApplicationProtocol == \\\"276\\\", \\\"Kuro\\\",\\r\\n ApplicationProtocol == \\\"277\\\", \\\"Imesh\\\", \\r\\n ApplicationProtocol == \\\"278\\\", \\\"Skype\\\",\\r\\n ApplicationProtocol == \\\"279\\\", \\\"Google Talk\\\",\\r\\n ApplicationProtocol == \\\"317\\\", \\\"Cabos\\\", \\r\\n ApplicationProtocol == \\\"318\\\", \\\"Zultrax\\\",\\r\\n ApplicationProtocol == \\\"319\\\", \\\"Foxy\\\",\\r\\n ApplicationProtocol == \\\"320\\\", \\\"eDonkey\\\",\\r\\n ApplicationProtocol == \\\"321\\\", \\\"Ares\\\", \\r\\n ApplicationProtocol == \\\"322\\\", \\\"Miranda\\\",\\r\\n ApplicationProtocol == \\\"323\\\", \\\"Kceasy\\\",\\r\\n ApplicationProtocol == \\\"324\\\", \\\"MoodAmp\\\",\\r\\n ApplicationProtocol == \\\"325\\\", \\\"Deepnet Explorer\\\", \\r\\n ApplicationProtocol == \\\"326\\\", 
\\\"FreeWire\\\",\\r\\n ApplicationProtocol == \\\"327\\\", \\\"Gimme\\\",\\r\\n ApplicationProtocol == \\\"328\\\", \\\"GnucDNA GWebCache\\\",\\r\\n ApplicationProtocol == \\\"329\\\", \\\"Jubster\\\",\\r\\n ApplicationProtocol == \\\"330\\\", \\\"MyNapster\\\", \\r\\n ApplicationProtocol == \\\"331\\\", \\\"Nova GWebCache\\\",\\r\\n ApplicationProtocol == \\\"332\\\", \\\"Swapper GWebCache\\\",\\r\\n ApplicationProtocol == \\\"333\\\", \\\"Xnap\\\",\\r\\n ApplicationProtocol == \\\"334\\\", \\\"Xolox\\\", \\r\\n ApplicationProtocol == \\\"335\\\", \\\"Ppstream\\\",\\r\\n ApplicationProtocol == \\\"640\\\", \\\"AIM Express\\\",\\r\\n ApplicationProtocol == \\\"641\\\", \\\"Chikka SMS Messenger\\\",\\r\\n ApplicationProtocol == \\\"642\\\", \\\"eBuddy\\\", \\r\\n ApplicationProtocol == \\\"643\\\", \\\"ICQ2Go\\\",\\r\\n ApplicationProtocol == \\\"644\\\", \\\"ILoveIM Web Messenger\\\",\\r\\n ApplicationProtocol == \\\"645\\\", \\\"IMUnitive\\\",\\r\\n ApplicationProtocol == \\\"646\\\", \\\"Mabber\\\",\\r\\n ApplicationProtocol == \\\"647\\\", \\\"Meebo\\\",\\r\\n ApplicationProtocol == \\\"648\\\", \\\"Yahoo! 
Web Messenger\\\", \\r\\n ApplicationProtocol == \\\"848\\\", \\\"SIP2\\\",\\r\\n ApplicationProtocol == \\\"1024\\\", \\\"GPass\\\",\\r\\n ApplicationProtocol == \\\"10001\\\", \\\"IP\\\",\\r\\n ApplicationProtocol == \\\"10002\\\", \\\"ARP\\\",\\r\\n ApplicationProtocol == \\\"10003\\\", \\\"TCP\\\", \\r\\n ApplicationProtocol == \\\"10004\\\", \\\"UDP\\\",\\r\\n ApplicationProtocol == \\\"10005\\\", \\\"IGMP\\\",\\r\\n ApplicationProtocol == \\\"60\\\", \\\"ORACLE\\\", \\r\\n ApplicationProtocol == \\\"44\\\", \\\"MySQL\\\",\\r\\n ApplicationProtocol == \\\"520\\\", \\\"MSSQL\\\",\\r\\n ApplicationProtocol == \\\"337\\\", \\\"Postgres\\\", \\r\\n ApplicationProtocol == \\\"41\\\", \\\"ICMPv6\\\",\\r\\n ApplicationProtocol == \\\"10006\\\", \\\"GGP\\\",\\r\\n ApplicationProtocol == \\\"10007\\\", \\\"PUP\\\",\\r\\n ApplicationProtocol == \\\"10008\\\", \\\"IDP\\\", \\r\\n ApplicationProtocol == \\\"10009\\\", \\\"ND\\\",\\r\\n ApplicationProtocol == \\\"10010\\\", \\\"RAW\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ProtocolCount = count() by AppProtocol\",\"size\":3,\"title\":\"Network protocols\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"CnC Callback\\\" \\r\\n| project EventEndTime, SrcIpAddr, DstIpAddr\\r\\n\",\"size\":0,\"title\":\"CnC connections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"Endpoint Application 
Control\\\"\\r\\n| where DvcAction has \\\"Blocked\\\"\\r\\n| project EventEndTime, Application = FileName, SrcUserName\\r\\n\",\"size\":0,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 13\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(FileName)\\r\\n | extend File = strcat(FilePath, FileName)\\r\\n | summarize count() by File\\r\\n | sort by count_ desc \",\"size\":0,\"title\":\"Suspicious files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| sort by TimeGenerated desc \\r\\n| where EventMessage !in~ (\\\"Engine Update Statusd\\\", \\\"Pattern Update Status\\\")\\r\\n| project EventEndTime, Module=EventMessage, FileName \",\"size\":0,\"title\":\"Latest detections\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"55\",\"name\":\"query - 11\",\"styleSettings\":{\"maxWidth\":\"80\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Data Loss Prevention\\\"\\r\\n | extend DeviceCustomNumber3 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber3\\\", long(null)),DeviceCustomNumber3)\\r\\n | where isnotempty(DeviceCustomNumber3)\\r\\n | extend Channel_Type 
= case(\\r\\n DeviceCustomNumber3 == \\\"65535\\\", \\\"Not available\\\",\\r\\n DeviceCustomNumber3 == \\\"0\\\", \\\"Removable storage\\\", \\r\\n DeviceCustomNumber3 == \\\"1\\\", \\\"SMB\\\",\\r\\n DeviceCustomNumber3 == \\\"2\\\", \\\"Email\\\",\\r\\n DeviceCustomNumber3 == \\\"3\\\", \\\"IM\\\", \\r\\n DeviceCustomNumber3 == \\\"4\\\", \\\"FTP\\\",\\r\\n DeviceCustomNumber3 == \\\"5\\\", \\\"HTTP\\\",\\r\\n DeviceCustomNumber3 == \\\"6\\\", \\\"HTTPS\\\", \\r\\n DeviceCustomNumber3 == \\\"7\\\", \\\"PGP\\\",\\r\\n DeviceCustomNumber3 == \\\"8\\\", \\\"Data recorders\\\",\\r\\n DeviceCustomNumber3 == \\\"9\\\", \\\"Printer\\\", \\r\\n DeviceCustomNumber3 == \\\"10\\\", \\\"Clipboard\\\",\\r\\n DeviceCustomNumber3 == \\\"11\\\", \\\"Sync\\\",\\r\\n DeviceCustomNumber3 == \\\"12\\\", \\\"P2P\\\",\\r\\n DeviceCustomNumber3 == \\\"13\\\", \\\"Webmail\\\", \\r\\n DeviceCustomNumber3 == \\\"14\\\", \\\"Document management\\\",\\r\\n DeviceCustomNumber3 == \\\"15\\\", \\\"Cloud storage\\\",\\r\\n DeviceCustomNumber3 == \\\"121\\\", \\\"SMTP email\\\",\\r\\n DeviceCustomNumber3 == \\\"122\\\", \\\"Exchange Client Mail\\\", \\r\\n DeviceCustomNumber3 == \\\"123\\\", \\\"Lotus Note Email\\\",\\r\\n DeviceCustomNumber3 == \\\"130\\\", \\\"Webmail (Yahoo! 
Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"131\\\", \\\"Webmail (Hotmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"132\\\", \\\"Webmail (Gmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"133\\\", \\\"Webmail (AOL Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"140\\\", \\\"IM (MSN)\\\",\\r\\n DeviceCustomNumber3 == \\\"141\\\", \\\"IM (AIM)\\\",\\r\\n DeviceCustomNumber3 == \\\"142\\\", \\\"IM (Yahoo Messenger)\\\",\\r\\n DeviceCustomNumber3 == \\\"143\\\", \\\"IM (Skype)\\\",\\r\\n DeviceCustomNumber3 == \\\"191\\\", \\\"P2P (BitTorrent)\\\",\\r\\n DeviceCustomNumber3 == \\\"192\\\", \\\"P2P (EMule)\\\",\\r\\n DeviceCustomNumber3 == \\\"193\\\", \\\"P2P (Winny)\\\",\\r\\n DeviceCustomNumber3 == \\\"194\\\", \\\"P2P (HTCSYN)\\\",\\r\\n DeviceCustomNumber3 == \\\"195\\\", \\\"P2P (iTunes)\\\",\\r\\n DeviceCustomNumber3 == \\\"196\\\", \\\"Cloud storage (DropBox)\\\",\\r\\n DeviceCustomNumber3 == \\\"197\\\", \\\"Cloud storage (Box)\\\",\\r\\n DeviceCustomNumber3 == \\\"198\\\", \\\"Cloud storage (Google Drive)\\\",\\r\\n DeviceCustomNumber3 == \\\"199\\\", \\\"Cloud storage (OneDrive)\\\",\\r\\n DeviceCustomNumber3 == \\\"200\\\", \\\"Cloud storage (SugarSync)\\\",\\r\\n DeviceCustomNumber3 == \\\"201\\\", \\\"Cloud storage (Hightail)\\\",\\r\\n DeviceCustomNumber3 == \\\"202\\\", \\\"IM (QQ)\\\",\\r\\n DeviceCustomNumber3 == \\\"203\\\", \\\"Webmail (other)\\\",\\r\\n DeviceCustomNumber3 == \\\"204\\\", \\\"Cloud storage (Evernote)\\\",\\r\\n DeviceCustomNumber3 == \\\"211\\\", \\\"Document management (SharePoint)\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ChannelType = count() by Channel_Type\",\"size\":3,\"title\":\"Channel types\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
9\"}],\"fromTemplateId\":\"sentinel-TrendMicroApexOneWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **TMApexOneEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-TMApexOneEvent-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where isnotempty(DstDvcHostname)\\r\\n| summarize 
dcount(DstDvcHostname)\",\"size\":3,\"title\":\"Devices\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcProcessName)\\n| summarize dcount(SrcProcessName)\",\"size\":3,\"title\":\"Processes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Endpoint Application Control\\\"\\r\\n | where DvcAction has \\\"blocked\\\"\\r\\n | count\",\"size\":3,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 
15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | extend EventType = case(\\r\\n EventMessage == \\\"7\\\", \\\"Web Security\\\", \\r\\n EventMessage == \\\"virusa\\\", \\\"Predictive Machine Learning\\\",\\r\\n EventMessage == \\\"Attack Discovery Detections\\\", \\\"Attack Discovery Detection\\\", \\r\\n EventMessage == \\\"Behavior Monitoring\\\", \\\"Behavior Monitoring\\\",\\r\\n EventMessage == \\\"CnC Callback\\\", \\\"C&C Callback\\\", \\r\\n EventMessage == \\\"This is a policy name\\\", \\\"Policy name\\\",\\r\\n EventMessage == \\\"Data Loss Prevention\\\", \\\"Data Loss Prevention\\\", \\r\\n EventMessage == \\\"Device Access Control\\\", \\\"Device Access Control\\\",\\r\\n EventMessage == \\\"Endpoint Application Control Violation Information\\\", \\\"Endpoint Application Control\\\", \\r\\n EventMessage == \\\"Engine Update Status\\\", \\\"Engine Update Status\\\",\\r\\n EventMessage == \\\"Managed Product Logon/Logoff Events\\\", \\\"Managed Product Logon/Logoff Events\\\", \\r\\n EventMessage == \\\"Suspicious Connection\\\", \\\"Suspicious Connection\\\",\\r\\n EventMessage == \\\"Pattern Update Status\\\", \\\"Pattern Update Status\\\", \\r\\n EventMessage == \\\"VAN_RANSOMWARE.umxxhelloransom_abc\\\", \\\"Sandbox Detection\\\",\\r\\n EventMessage == \\\"Spyware Detected\\\", \\\"Spyware Detected\\\", \\r\\n EventMessage == \\\"JS_EXPLOIT.SMDN\\\", \\\"Virus/Malware Detected\\\",\\r\\n EventMessage == \\\"Suspicious Files\\\", \\\"Suspicious Files\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize count() by 
EventType\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(ApplicationProtocol)\\r\\n | extend AppProtocol = case(\\r\\n ApplicationProtocol == \\\"0\\\", \\\"Unknown\\\", \\r\\n ApplicationProtocol == \\\"1\\\", \\\"SMTP\\\",\\r\\n ApplicationProtocol == \\\"2\\\", \\\"POP3\\\",\\r\\n ApplicationProtocol == \\\"3\\\", \\\"IRC\\\", \\r\\n ApplicationProtocol == \\\"4\\\", \\\"DNS Response\\\",\\r\\n ApplicationProtocol == \\\"5\\\", \\\"HTTP\\\",\\r\\n ApplicationProtocol == \\\"6\\\", \\\"FTP\\\", \\r\\n ApplicationProtocol == \\\"7\\\", \\\"TFTP\\\",\\r\\n ApplicationProtocol == \\\"8\\\", \\\"SMB\\\",\\r\\n ApplicationProtocol == \\\"9\\\", \\\"Windows Live Messenger (MSN)\\\", \\r\\n ApplicationProtocol == \\\"10\\\", \\\"AIM\\\",\\r\\n ApplicationProtocol == \\\"11\\\", \\\"Yahoo! Messenger\\\",\\r\\n ApplicationProtocol == \\\"12\\\", \\\"Gmail\\\",\\r\\n ApplicationProtocol == \\\"13\\\", \\\"Yahoo! 
Mail\\\", \\r\\n ApplicationProtocol == \\\"14\\\", \\\"Windows Live Hotmail\\\",\\r\\n ApplicationProtocol == \\\"15\\\", \\\"RDP\\\",\\r\\n ApplicationProtocol == \\\"16\\\", \\\"DHCP\\\",\\r\\n ApplicationProtocol == \\\"17\\\", \\\"Telnet\\\", \\r\\n ApplicationProtocol == \\\"18\\\", \\\"LDAP\\\",\\r\\n ApplicationProtocol == \\\"19\\\", \\\"File transfer\\\",\\r\\n ApplicationProtocol == \\\"20\\\", \\\"SSH\\\",\\r\\n ApplicationProtocol == \\\"21\\\", \\\"Dameware\\\", \\r\\n ApplicationProtocol == \\\"22\\\", \\\"VNC\\\",\\r\\n ApplicationProtocol == \\\"23\\\", \\\"Cisco Telnet\\\",\\r\\n ApplicationProtocol == \\\"24\\\", \\\"Kerberos\\\", \\r\\n ApplicationProtocol == \\\"25\\\", \\\"DCE RPC\\\",\\r\\n ApplicationProtocol == \\\"26\\\", \\\"SQL\\\",\\r\\n ApplicationProtocol == \\\"27\\\", \\\"pcAnywhere\\\", \\r\\n ApplicationProtocol == \\\"28\\\", \\\"ICMP\\\",\\r\\n ApplicationProtocol == \\\"29\\\", \\\"SNMP\\\",\\r\\n ApplicationProtocol == \\\"30\\\", \\\"Virus pattern TCP\\\", \\r\\n ApplicationProtocol == \\\"31\\\", \\\"Virus pattern UDP\\\",\\r\\n ApplicationProtocol == \\\"32\\\", \\\"HTTPS\\\",\\r\\n ApplicationProtocol == \\\"33\\\", \\\"SMB2\\\",\\r\\n ApplicationProtocol == \\\"34\\\", \\\"MMS\\\", \\r\\n ApplicationProtocol == \\\"35\\\", \\\"IMAP4\\\",\\r\\n ApplicationProtocol == \\\"36\\\", \\\"RADIUS\\\",\\r\\n ApplicationProtocol == \\\"37\\\", \\\"Radmin\\\",\\r\\n ApplicationProtocol == \\\"38\\\", \\\"FTP_Response\\\", \\r\\n ApplicationProtocol == \\\"48\\\", \\\"RTSP/RTP-UDP\\\",\\r\\n ApplicationProtocol == \\\"49\\\", \\\"RTSP/RTP-TCP\\\",\\r\\n ApplicationProtocol == \\\"50\\\", \\\"RTSP/RDT-UDP\\\",\\r\\n ApplicationProtocol == \\\"51\\\", \\\"RTSP/RDT-TCP\\\",\\r\\n ApplicationProtocol == \\\"52\\\", \\\"WMSP\\\",\\r\\n ApplicationProtocol == \\\"53\\\", \\\"SHOUTCast\\\", \\r\\n ApplicationProtocol == \\\"54\\\", \\\"RTMP\\\",\\r\\n ApplicationProtocol == \\\"68\\\", \\\"DNS Request\\\",\\r\\n ApplicationProtocol == 
\\\"256\\\", \\\"BitTorrent\\\", \\r\\n ApplicationProtocol == \\\"257\\\", \\\"Kazaa\\\",\\r\\n ApplicationProtocol == \\\"258\\\", \\\"Limewire\\\",\\r\\n ApplicationProtocol == \\\"259\\\", \\\"Bearshare\\\", \\r\\n ApplicationProtocol == \\\"260\\\", \\\"Bluester\\\",\\r\\n ApplicationProtocol == \\\"261\\\", \\\"Edonkey emule\\\",\\r\\n ApplicationProtocol == \\\"262\\\", \\\"Edonkey2000\\\",\\r\\n ApplicationProtocol == \\\"263\\\", \\\"Filezilla\\\", \\r\\n ApplicationProtocol == \\\"264\\\", \\\"Guncleus\\\",\\r\\n ApplicationProtocol == \\\"265\\\", \\\"Gnutella\\\",\\r\\n ApplicationProtocol == \\\"266\\\", \\\"Winny\\\",\\r\\n ApplicationProtocol == \\\"267\\\", \\\"Napster\\\", \\r\\n ApplicationProtocol == \\\"268\\\", \\\"Morpheus\\\",\\r\\n ApplicationProtocol == \\\"269\\\", \\\"Napster\\\",\\r\\n ApplicationProtocol == \\\"270\\\", \\\"Shareaza\\\",\\r\\n ApplicationProtocol == \\\"271\\\", \\\"WinMX\\\", \\r\\n ApplicationProtocol == \\\"272\\\", \\\"Mldonkey\\\",\\r\\n ApplicationProtocol == \\\"273\\\", \\\"Direct Connect\\\",\\r\\n ApplicationProtocol == \\\"274\\\", \\\"Soulseek\\\", \\r\\n ApplicationProtocol == \\\"275\\\", \\\"OpenAP\\\",\\r\\n ApplicationProtocol == \\\"276\\\", \\\"Kuro\\\",\\r\\n ApplicationProtocol == \\\"277\\\", \\\"Imesh\\\", \\r\\n ApplicationProtocol == \\\"278\\\", \\\"Skype\\\",\\r\\n ApplicationProtocol == \\\"279\\\", \\\"Google Talk\\\",\\r\\n ApplicationProtocol == \\\"317\\\", \\\"Cabos\\\", \\r\\n ApplicationProtocol == \\\"318\\\", \\\"Zultrax\\\",\\r\\n ApplicationProtocol == \\\"319\\\", \\\"Foxy\\\",\\r\\n ApplicationProtocol == \\\"320\\\", \\\"eDonkey\\\",\\r\\n ApplicationProtocol == \\\"321\\\", \\\"Ares\\\", \\r\\n ApplicationProtocol == \\\"322\\\", \\\"Miranda\\\",\\r\\n ApplicationProtocol == \\\"323\\\", \\\"Kceasy\\\",\\r\\n ApplicationProtocol == \\\"324\\\", \\\"MoodAmp\\\",\\r\\n ApplicationProtocol == \\\"325\\\", \\\"Deepnet Explorer\\\", \\r\\n ApplicationProtocol == \\\"326\\\", 
\\\"FreeWire\\\",\\r\\n ApplicationProtocol == \\\"327\\\", \\\"Gimme\\\",\\r\\n ApplicationProtocol == \\\"328\\\", \\\"GnucDNA GWebCache\\\",\\r\\n ApplicationProtocol == \\\"329\\\", \\\"Jubster\\\",\\r\\n ApplicationProtocol == \\\"330\\\", \\\"MyNapster\\\", \\r\\n ApplicationProtocol == \\\"331\\\", \\\"Nova GWebCache\\\",\\r\\n ApplicationProtocol == \\\"332\\\", \\\"Swapper GWebCache\\\",\\r\\n ApplicationProtocol == \\\"333\\\", \\\"Xnap\\\",\\r\\n ApplicationProtocol == \\\"334\\\", \\\"Xolox\\\", \\r\\n ApplicationProtocol == \\\"335\\\", \\\"Ppstream\\\",\\r\\n ApplicationProtocol == \\\"640\\\", \\\"AIM Express\\\",\\r\\n ApplicationProtocol == \\\"641\\\", \\\"Chikka SMS Messenger\\\",\\r\\n ApplicationProtocol == \\\"642\\\", \\\"eBuddy\\\", \\r\\n ApplicationProtocol == \\\"643\\\", \\\"ICQ2Go\\\",\\r\\n ApplicationProtocol == \\\"644\\\", \\\"ILoveIM Web Messenger\\\",\\r\\n ApplicationProtocol == \\\"645\\\", \\\"IMUnitive\\\",\\r\\n ApplicationProtocol == \\\"646\\\", \\\"Mabber\\\",\\r\\n ApplicationProtocol == \\\"647\\\", \\\"Meebo\\\",\\r\\n ApplicationProtocol == \\\"648\\\", \\\"Yahoo! 
Web Messenger\\\", \\r\\n ApplicationProtocol == \\\"848\\\", \\\"SIP2\\\",\\r\\n ApplicationProtocol == \\\"1024\\\", \\\"GPass\\\",\\r\\n ApplicationProtocol == \\\"10001\\\", \\\"IP\\\",\\r\\n ApplicationProtocol == \\\"10002\\\", \\\"ARP\\\",\\r\\n ApplicationProtocol == \\\"10003\\\", \\\"TCP\\\", \\r\\n ApplicationProtocol == \\\"10004\\\", \\\"UDP\\\",\\r\\n ApplicationProtocol == \\\"10005\\\", \\\"IGMP\\\",\\r\\n ApplicationProtocol == \\\"60\\\", \\\"ORACLE\\\", \\r\\n ApplicationProtocol == \\\"44\\\", \\\"MySQL\\\",\\r\\n ApplicationProtocol == \\\"520\\\", \\\"MSSQL\\\",\\r\\n ApplicationProtocol == \\\"337\\\", \\\"Postgres\\\", \\r\\n ApplicationProtocol == \\\"41\\\", \\\"ICMPv6\\\",\\r\\n ApplicationProtocol == \\\"10006\\\", \\\"GGP\\\",\\r\\n ApplicationProtocol == \\\"10007\\\", \\\"PUP\\\",\\r\\n ApplicationProtocol == \\\"10008\\\", \\\"IDP\\\", \\r\\n ApplicationProtocol == \\\"10009\\\", \\\"ND\\\",\\r\\n ApplicationProtocol == \\\"10010\\\", \\\"RAW\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ProtocolCount = count() by AppProtocol\",\"size\":3,\"title\":\"Network protocols\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"CnC Callback\\\" \\r\\n| project EventEndTime, SrcIpAddr, DstIpAddr\\r\\n\",\"size\":0,\"title\":\"CnC connections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"Endpoint Application 
Control\\\"\\r\\n| where DvcAction has \\\"Blocked\\\"\\r\\n| project EventEndTime, Application = FileName, SrcUserName\\r\\n\",\"size\":0,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 13\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(FileName)\\r\\n | extend File = strcat(FilePath, FileName)\\r\\n | summarize count() by File\\r\\n | sort by count_ desc \",\"size\":0,\"title\":\"Suspicious files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| sort by TimeGenerated desc \\r\\n| where EventMessage !in~ (\\\"Engine Update Statusd\\\", \\\"Pattern Update Status\\\")\\r\\n| project EventEndTime, Module=EventMessage, FileName \",\"size\":0,\"title\":\"Latest detections\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"55\",\"name\":\"query - 11\",\"styleSettings\":{\"maxWidth\":\"80\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Data Loss Prevention\\\"\\r\\n | extend DeviceCustomNumber3 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber3\\\", long(null)),DeviceCustomNumber3)\\r\\n | where isnotempty(DeviceCustomNumber3)\\r\\n | extend Channel_Type 
= case(\\r\\n DeviceCustomNumber3 == \\\"65535\\\", \\\"Not available\\\",\\r\\n DeviceCustomNumber3 == \\\"0\\\", \\\"Removable storage\\\", \\r\\n DeviceCustomNumber3 == \\\"1\\\", \\\"SMB\\\",\\r\\n DeviceCustomNumber3 == \\\"2\\\", \\\"Email\\\",\\r\\n DeviceCustomNumber3 == \\\"3\\\", \\\"IM\\\", \\r\\n DeviceCustomNumber3 == \\\"4\\\", \\\"FTP\\\",\\r\\n DeviceCustomNumber3 == \\\"5\\\", \\\"HTTP\\\",\\r\\n DeviceCustomNumber3 == \\\"6\\\", \\\"HTTPS\\\", \\r\\n DeviceCustomNumber3 == \\\"7\\\", \\\"PGP\\\",\\r\\n DeviceCustomNumber3 == \\\"8\\\", \\\"Data recorders\\\",\\r\\n DeviceCustomNumber3 == \\\"9\\\", \\\"Printer\\\", \\r\\n DeviceCustomNumber3 == \\\"10\\\", \\\"Clipboard\\\",\\r\\n DeviceCustomNumber3 == \\\"11\\\", \\\"Sync\\\",\\r\\n DeviceCustomNumber3 == \\\"12\\\", \\\"P2P\\\",\\r\\n DeviceCustomNumber3 == \\\"13\\\", \\\"Webmail\\\", \\r\\n DeviceCustomNumber3 == \\\"14\\\", \\\"Document management\\\",\\r\\n DeviceCustomNumber3 == \\\"15\\\", \\\"Cloud storage\\\",\\r\\n DeviceCustomNumber3 == \\\"121\\\", \\\"SMTP email\\\",\\r\\n DeviceCustomNumber3 == \\\"122\\\", \\\"Exchange Client Mail\\\", \\r\\n DeviceCustomNumber3 == \\\"123\\\", \\\"Lotus Note Email\\\",\\r\\n DeviceCustomNumber3 == \\\"130\\\", \\\"Webmail (Yahoo! 
Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"131\\\", \\\"Webmail (Hotmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"132\\\", \\\"Webmail (Gmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"133\\\", \\\"Webmail (AOL Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"140\\\", \\\"IM (MSN)\\\",\\r\\n DeviceCustomNumber3 == \\\"141\\\", \\\"IM (AIM)\\\",\\r\\n DeviceCustomNumber3 == \\\"142\\\", \\\"IM (Yahoo Messenger)\\\",\\r\\n DeviceCustomNumber3 == \\\"143\\\", \\\"IM (Skype)\\\",\\r\\n DeviceCustomNumber3 == \\\"191\\\", \\\"P2P (BitTorrent)\\\",\\r\\n DeviceCustomNumber3 == \\\"192\\\", \\\"P2P (EMule)\\\",\\r\\n DeviceCustomNumber3 == \\\"193\\\", \\\"P2P (Winny)\\\",\\r\\n DeviceCustomNumber3 == \\\"194\\\", \\\"P2P (HTCSYN)\\\",\\r\\n DeviceCustomNumber3 == \\\"195\\\", \\\"P2P (iTunes)\\\",\\r\\n DeviceCustomNumber3 == \\\"196\\\", \\\"Cloud storage (DropBox)\\\",\\r\\n DeviceCustomNumber3 == \\\"197\\\", \\\"Cloud storage (Box)\\\",\\r\\n DeviceCustomNumber3 == \\\"198\\\", \\\"Cloud storage (Google Drive)\\\",\\r\\n DeviceCustomNumber3 == \\\"199\\\", \\\"Cloud storage (OneDrive)\\\",\\r\\n DeviceCustomNumber3 == \\\"200\\\", \\\"Cloud storage (SugarSync)\\\",\\r\\n DeviceCustomNumber3 == \\\"201\\\", \\\"Cloud storage (Hightail)\\\",\\r\\n DeviceCustomNumber3 == \\\"202\\\", \\\"IM (QQ)\\\",\\r\\n DeviceCustomNumber3 == \\\"203\\\", \\\"Webmail (other)\\\",\\r\\n DeviceCustomNumber3 == \\\"204\\\", \\\"Cloud storage (Evernote)\\\",\\r\\n DeviceCustomNumber3 == \\\"211\\\", \\\"Document management (SharePoint)\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ChannelType = count() by Channel_Type\",\"size\":3,\"title\":\"Channel types\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
9\"}],\"fromTemplateId\":\"sentinel-TrendMicroApexOneWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -993,16 +1134,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1016,8 +1157,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -1025,8 +1166,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -1112,16 +1253,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1135,8 +1276,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -1144,8 +1285,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } 
@@ -1231,16 +1372,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1255,8 +1396,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "UrlCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "UrlCustomEntity" } ] } @@ -1342,16 +1483,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1365,8 +1506,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -1452,16 +1593,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1475,8 +1616,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -1484,8 +1625,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } 
@@ -1571,16 +1712,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1594,8 +1735,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -1681,16 +1822,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1705,8 +1846,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -1714,8 +1855,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -1801,16 +1942,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1824,8 +1965,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -1833,8 +1974,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } 
@@ -1920,16 +2061,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1943,8 +2084,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -1952,8 +2093,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -2039,16 +2180,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -2062,8 +2203,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -2071,8 +2212,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -2981,7 +3122,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Trend Micro Apex One", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n
    \n
  1. Trend Micro Apex One via AMA - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Trend Micro Apex One via Legacy Agent - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n
    \n
  1. Trend Micro Apex One via AMA - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Trend Micro Apex One via Legacy Agent - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3016,6 +3157,11 @@ "contentId": "[variables('_dataConnectorContentId2')]", "version": "[variables('dataConnectorVersion2')]" }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId1')]", + "version": "[variables('parserVersion1')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md new file mode 100644 index 00000000000..19df1aa026c --- /dev/null +++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data Connector** | | + +
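Review bot: The `Latest detections` workbook query in the serialized workbook hunk (`TMApexOneEvent | sort by TimeGenerated desc | where EventMessage !in~ ("Engine Update Statusd", "Pattern Update Status")`) filters on the misspelled value "Engine Update Statusd", so engine update status events are never excluded from the detections grid; correct it to "Engine Update Status". In the same hunk, the `Channel types` query coalesces `FieldDeviceCustomNumber3` with `long(null)` and then compares the result against string literals (`DeviceCustomNumber3 == "65535"`, `== "0"`, ...); if the parser emits that field as a number the comparisons cannot match and every row lands in "unknown", so either wrap the column in `tostring()` or compare against numeric literals, and verify the coalesce arguments share one type.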
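Review bot: The hunks from `@@ -993,16 +1134,16 @@` through `@@ -2071,8 +2212,8 @@` only swap the position of `connectorId` relative to `dataTypes`, and of `columnName` relative to `identifier`, inside otherwise identical objects; key order carries no meaning for the ARM template, so this is generator churn that hides the substantive changes (the new Parser content item and the description update) across ten rules. Regenerate with stable key ordering, or restore the previous order, so the package diff shows only semantic changes.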
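Review bot: In the `descriptionHtml` hunk (`@@ -2981,7 +3122,7 @@`) the only substantive change is the counts line gaining `Parsers: 1`, yet the whole value is re-emitted, including the two empty numbered items (`2.` and `4.`) that sit between and after the two connector entries and render as blank bullets, leaving the connectors numbered 1 and 3. Since the string is being regenerated anyway, fix the source so the list contains exactly the two connector items.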
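Review bot: The new `"kind": "Parser"` dependency added in `@@ -3016,6 +3157,11 @@` references `variables('_parserContentId1')` and `variables('parserVersion1')`, but no hunk in this diff defines those variables; confirm the template's variables block (outside the shown hunks) declares both, otherwise the mainTemplate fails validation at deployment time.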
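Review bot: The data row in the new `ReleaseNotes.md` ends with an extra empty cell (`... **Data Connector** | |`), giving it four columns against a three-column header, and the change-history text mentions only the AMA connector even though this same change registers a Parser content item (`"kind": "Parser"` in `@@ -3016,6 +3157,11 @@`) and raises the description counts to `Parsers: 1`. Drop the stray `|` and mention the parser addition in the 3.0.0 entry.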