From 4daabfa6386256ad2bb05f6ae6b90d133d8023b1 Mon Sep 17 00:00:00 2001
From: v-shukore
Date: Wed, 13 Mar 2024 10:12:17 +0530
Subject: [PATCH] Repackaging - DNS Essentials
---
 .../DNS Essentials/Data/Solution_DNS.json | 5 +-
 Solutions/DNS Essentials/Package/3.0.2.zip | Bin 0 -> 30625 bytes
 .../Package/createUiDefinition.json | 16 +-
 .../DNS Essentials/Package/mainTemplate.json | 318 ++++++++++++------
 Solutions/DNS Essentials/ReleaseNotes.md | 1 +
 5 files changed, 235 insertions(+), 105 deletions(-)
 create mode 100644 Solutions/DNS Essentials/Package/3.0.2.zip
diff --git a/Solutions/DNS Essentials/Data/Solution_DNS.json b/Solutions/DNS Essentials/Data/Solution_DNS.json
index d17f17b8860..8f737b2e233 100644
--- a/Solutions/DNS Essentials/Data/Solution_DNS.json
+++ b/Solutions/DNS Essentials/Data/Solution_DNS.json
@@ -14,7 +14,8 @@
 "Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresAnomalyBased.yaml",
 "Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml",
 "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountAnomalyBased.yaml",
- "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml"
+ "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml",
+ "Analytic Rules/NgrokReverseProxyOnNetwork.yaml"
 ],
 "Playbooks": [
 "Playbooks/SummarizeData_DNSEssentials/azuredeploy.json"
@@ -32,7 +33,7 @@
 "Hunting Queries/UnexpectedTopLevelDomains.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DNS Essentials",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
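Review bot: The first hunk adds `"Analytic Rules/NgrokReverseProxyOnNetwork.yaml"` to the manifest, but that YAML is not among the five files in this patch's diffstat, so the repackaged output only contains the rule if the file already exists at that path in the repository; worth confirming against the commit that introduced it, since a missing or renamed source file would silently drop the rule from the generated mainTemplate.json. The second hunk's bump to `"Version": "3.0.2"` agrees with `_solutionVersion` and the `3.0.2.zip` artifact elsewhere in the patch. The `BasePath` context line still carries an author-specific Windows path; it is not part of this change, but it is a reminder that the Package/ files below are tool output regenerated from this manifest and should be reviewed as such rather than hand-edited.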
diff --git a/Solutions/DNS Essentials/Package/3.0.2.zip b/Solutions/DNS Essentials/Package/3.0.2.zip new file mode 100644 index 0000000000000000000000000000000000000000..eed12f4d2b0f720056fb6c4cf59a93bc69945947 GIT binary patch literal 30625 zcmX`RQ;;r9uq-;ZjWxDy+q1^DZQHhO+gyWhY}>Z&IsZO)pZn4k(NR&6nJ?XyRSGho zU}!)(xV(OWs&+g?`}Y4C&^Y{!5kN+^-!hMt$|67c*~p?h7w0`O zMvmmXet6Bq(A5`vXK7x!eCZCBFB?2y5ocj9qG-J(x)jFw{(}ZRo5D$$%nNqAga;1r1j5nm?lXSCabvT!4N8}KS=zO z4z55tUFkFH3KU9$k26o7=dmTZt3o4UNElOZnsmbVt1516*7Cb22f&*y-)@wp$V|sB zEF4AS3i(%l)+GdhJzQVO2jDCLP|1kKMu zJ>?+yirx0S>;D^$hfHCOxPD1uxH(ccwONK+k9Ro?D%*-=mon;UY-aoWexECJo5-XA z|JIwpd8{qZwL94cyA!Xb|4gUqVXR#u?Q(nBTV5{9Zj8dqK za5tz(Vq9Vvm&Y!H@s2^)R2{97yO(`8xqc}qHfIDVPAbTd=&7ySCjqX{&9o~r)Zqu# zH?^!-!e+YqlnqBb%jLNo~o8yMO)GlN)gR zVKn5MFOqrctLmt^C-!_%KYY>rQ{>&{b~L}?YMF2< zuScN&7V+;9UQh% z%@6~MGKa|~D==h~u~j;o-YE4L1reQY1O|BFpj}qDTXs085?Km!k9h2>rNRWrnXuY+ z1U@^8ap<>^0zB1q9X(k8Vyi;-69j4z8S&T~nKRR$kC)%0jgU|TaW4F?mTomWLMvfY zj4XKfZl`YVReY12vMXNtBZJ1TGK(6D;3HM`ceaoSM_!P`4 z_p5gREcIqs(;?pr(ixzhNB0GWT*#T7xBs?V_oexsYmLqWJw=CBiT%mf5U!cm4;xZA zoMnk8RMnVbAb%*Js}W2vpb$#I6LX`qUv^>^%qmNe6eKIsH$a%Td}&cy*%qW)F)^EQ z&T_bWEj1yeL?;(S9IO4*VYJY4-Jl0ZBIxLBRl-gmKJV46ba0C;t{f!xl-sc z5Y@dSz!IpjH5*@+<8`TXtQ@5#?+N=a3Rawm3x=3Zu+)e;9cVmQ1=$@72sMp?S3(g+ z9#H2#+}ZS{1~O0_O8U(<&&(#O4MFy(pF^F@q%sz8MnFRW1@!wAD4Xtp3rtRSvISPU z>^^Y8+?XS+#KNf~%+eT?elsahHj*Ll3oH@0>IWRIeKV1ReVTASH>{ysud#qh#meYa zyR1b&M?0*Q%XC$nbX$8|1c+kIFsnwt;Cy29>$< znAac>B9SB6ztP{(bZts&ZL{= z@Jfdy*hWA>7H=H+4JwvC>ZP4V320#(^AI8xM5V1>i+;$&`Sq8Mq4C6Xt^I}5c?RPH39PdhQ3 zp9&z~S=9A$&<@Dpor2Z#YZtHYZo#{zbvj8c_UJ_c&OmPig8t66RqA!f*=9AKqdhmn z=VJ>X{v_@gU5wKze4!YwKX7Kf%Vu>p zR6kk@h0uPcqSpyDYg39Yudf_wr}j9nyR0{D*lNY?8&@~k;-7NCl$t+JgSr+U*MH=l zPq{UgkX7SSsVlXpAUCwj`T7Ut_^Wu+svfu#FbIO5c&DwG%4z07%A_IWqd8tEl>_7G zi}pdf=Oz1ZtNPjz`Mp)cs(QSM5QidVBY`m$pg2WHIt|oLYezwFxhp-==`&hkhws3w z1co9E_R&){4*wZ6HgH`Hj;rp69p86Stu2LE5ajenLQ#<$8pAD^)`jhf;FFZHuBprd z9TlcBp!JDyKpDj$8~haglfun4&kb5U&*K!X;CkSdwwm9(VZRXhRQT57C?+uHHN)y< 
zJ*w)^gl-=ROSFr^3H1_t5^>3}nFYUo7ZNLIy0kIcb0 zJ;R$F8KLbt$0&~G91tdFihd}WhFvSm!x0|^i)c5me1J0*UNaM5CTR|Z7Kro@CsGGw zFo0RxMRBsYrx%vHfP6=JfHdYW!eyXBD96{s#6U%wL}4_B#Rdq)eMzPBg(;}Uh(|Oz z`yjVMIgB#pY(2f7VR{|vRTfk=x`ev8a0KY4hqOJy!1(h|VNRp}tM#kprI}!OJ&Zat z>J-AG_x*O-Mu3SIw**ObT)LJ#5wC@*O< z>(5E2ZGBzTnh-jK78<)2ov*Q8y_QpKkNt{4AR?rOt)HWjd=J;Lsje>b6Yr`U{I+VT z;!vC^$Tk+4`TWFxW6p*_&Ps)!da|q-4q~D4pNT`c2@bPS5$Lv#)rQjZucBZU>(r8w zSH@5p#+=V?z2Hp71JQw5aHQ}}V&Xm*0CGXCwT zFy!ybQlt&I8>km_CzLXPVina983(m$@*|f)L4vB@hp{+<-BfS$%_qeTMjsn-oKXBM zs$Fxdv=kS%@Xb@oi-|EAdk)fJa!4FuZe!Ya0`lQW zYInROwGTb9IK+r3h>bsqomVY6cdB+yOvw-!E(wa6wnj@9N!^%2+4N_&*^ou^Hfp70 zHp7Ywd_E_&I;Mv2aHi+tL5Y+kJNCzS#y)s>mnP1h)+Qv&H?DB{+#`*6(8)=-Sm%Hs2F;k_0 zoV6Bw8xyrGT@3s=X+juuK4EPLB8aBq;T-biz~MmNpK_W4o^TPDQlnW|DAN=&-wP9l zW?z7??T4+K^fib;CRA;S4m2Q!L=DSaDM9y$%1-OW>)h#Tb?Omj>2QSw`v=t4sbgRt zo%7%+HH=mj04c{~&-lBRKw&`yLf~MW!e9%_*%XEFkcu#7M6q{bwQ}nU!cSAe@#?3& z8<%3IUz~!!pL4QKd%W)3;|2nyp|vNEb}70)b4A;Tq#aqh-3uP{#+A0hmE}6GyT`!f zMnq=eTCB}U8Ilqg6<{Yv-tT9u4uPFPbCcgH#6JtxQ9d&I<{-W&P8DTL9}AdH+l{Na z+Je#4EPUSR1Q&KreC`qi!?;SHZ7pMjf1O)Nl-0hHDLL)k%NK6ZZ~!OT=n*IK;$OLd zLsXnEA+UOmYr7V}q@v&1jgY*mQzLa^tm>e~Y&n(Q*ZY-anIt(4QEUR{3gUr&q=WKA zr{IBZoQHh!Y6jz_y6dIo0cAo#>T_K`7Y!p8C}AnA0ney_UY)0ebwnld8F^&ei`Wl@ zohTsGx_(K}sj-2WEO)Pu>wlOe*aBl3xA^tTlc}B&iLC47`)QSa#)D2@{#x>dcAc=> zJqgL_J=hx>WhXm}S@8zaaJFBV5n{Du9~7@X$GlN6P~RJvnG1RBB{4$Ph)MFwux57tR_u2v7t{s$5s746feuB<3 za9e`{@XB?{JVYl6n-ndOU$!NHowM4x&}SYWR74CC))Rx8YLc-ifR3MgyybpgmMwf3 zwfcPB67CXG)P)ne1N4U5!qnm*_(7XwfEwUlr}e}5{vqg|dwJzukMDZcBJc0pJeoBM z`8N*#y4``ty22#umbvx)2zPKhYIW{tdw<|gj?3qP{t+y&yFOsl zE?2^`drFyW&#-#Mp-L?4ykm+N=vDV|uYuvx4IQg{27UY;=y>dUhYkcSh2`=ZtN_}4 zFE`*E`*d=b1EOo0j#KGQ7*_|%0Bb)Q`J_7fY*^P5gw`h~l*l_y+s3ACQ$-{*SR|W7 zp+m(TVNTPeYO_?tU71L-TsWr|#CWwc&+W`<5-K?v4g`6kz5q`s{&k**m-tGpUl+80Z?B#@4F;#ZS;yh5Tzz6=pO{`UC!~TMDM+mmtEo_+KU9H6 z)zs&E*4#t5||e6({OG5B62l!-exD0{+4dAvkx3L=UOHY2koW21gWjn2PdGMeY$bBKZQ%02(ZSL$U zHGcGruz=w?NX5Y}YSSj86zCTuO~S6+_3>@^u0nN(@a=wCt6ND1lhV_r*s#JZ;0CT< 
zjTV}Z3TpcC9Ua7CVhwz?JD@wqo~{B9NVMphZdAwq^(#ezPO(*FW$Z zLDUSGA|UhZ`%DaDbJOhvVzaDAt}Rzg*@QAOiY=8)JtUz4#CXt_;d!qi&jFf2IS&sNR(R+*RSt0Ih zbla0;q6w}HPTCPkJpI61+I;TfJ25FX-xptOasEr0P5`b1c1us86wVNGG6{k7RbP>> zJj+31jOAUXZh(wQ=JY{GVlUJdsl2g(2v+IjFtL2oZ&vzhhA}(-Rz@j4~mNWX4USpL-_^Y!Z?JD60)6@(BI7Q*5-115>xI0y)ui5@8p0 zC<{%{8CPsw6L!nQvuXT?3AUNNWXI9>4jF4~dZdiM)WNaQ?_NX7L+^O?X=0H21v#K- z&hnOZW{$aZ2aRhIPAtW1NklUSgH#S#>V$KWKLB(A?)&8*QqZi~J@XTz%dmg>8v*J4 z7FO4{Tg04pR1oDfn#GW9<=OcR083n+BQYb8*i8yW4_F@f`h}y&(Du#!a)z{) z!ispt=Ctg@I8FO4z5D2SfVaHy0+Ln>9!$N-U} z8y-&b(S?)BZ1nyINod}RQ9W2LQ6E80{Bp;aX=UK01hB(LJXIZ3!BQvXM_uZQZd>|(z!3XgP&?1U$gWCe$~F1?Xe9HF zf%0`v^9B$!YT>@qI;1sYkh|zi1*%6kzk`jbR5HIhnb7Ov7hXl!{$SADgUhH&$zsn2 zy}g1Z6IEYPRb!A@LA|1)J&Rn^w7ru@ZS;G<`>BGhP=;HkjyoVVQP4R*a-}i)e`aet@J#05xEw zW&>pSyiY`HvWS7SvLd8GLsU~2%1E({C$r3YVUSOWu@X^jH2UoOCep^Y&7v~iBtcZO zO)xj2dT zcPPZEuzF3&CP=qvJ&vTh%BrIniT&pPL(h)?zvvJD7d`u`&>C7eBSor@6(|03L-82* z3hnrC+qK2oLWHft?DL-j+~5Y!{}t~2e}&8bf5NpQ45a;!aF*O<)>J4fz9IuSHLQ)t z9*n?Aa8+YNk1qZ`T;~5v+~)rgU-`ep=?HD=gBx^(HMC$2<*Q`kj^5)U(N|X*#3SP) ztEe;1+N?avj;X`AVGKWikT4P%5DY&932DuSA&}Y#@CSt1*$8Rjh2Lzr@`KO*K2eR2 z9WO36kLXTFRA?_c~zi5+Q9)pX|F9# z(9JhB2NT2=jZsj6cdP5o^3e9A6q_=;?XX)z%^3a)ul7LPIg+fZSbHS{?hx7kq~l)w zZ}kuE*NgwD-eo1|w?Ip)nFhG&_*^sO*drTV`7_!e`xiy*R(<^oZ=wf;9I9(o<5W*% zt0xBy&Cz8x#5CRdLW86$p6(!fjWF#3cS%uh7~SQ+^o&0a^%2lPH*Bk&t7z^F6l`o( znPnG7vlQ$rE|lGj2Mr6)vV$sQsTXn7XFK&xmh5|a$f#i3*0s*{WH);97glX{9Vknh zx=fAa*z|5Ds-sJ*tWru9aH^VfJ^H31=KVdy{{u$vbZ7rNPUv;R(`n9kP(hW}vniBK z+u2Y^hOI^;>KIu;!O`b`q?`@|95w8K3B67%aQ`~N2tl5kvIsB+ zqC@l`pUQ-^{t#mM6m*8yzSJ2VLXGcq3)Sp>7>G9)OJK4-ETk)5Bl~^heS^{(S*^}W z-y+(d)VwU1d~uyqX|?Wa2`6+AjG@a(gk=F24loJdT2C6d2sYAMKlmJm7(lJV?|D`9A2NBR1-l>3I2@lT2oBkF>$vWkI~ z`oO-Wx$bYi<_ExErjrf5g1#c-f$c+2|5fuMguhdVp>dt~JG@*q+i$s7S0w3C$`b5lf$-Wj=)Wp4sew}s z^^ee0c(Pc9&x6JGVbC&o4gz714h!+F>XkM8c;_^_hj>-@im%H6l9tNY84R^Dy61dY z4~U8>w9H*_Yyi7=!l83a;10H~8En}5_et4&kAa>zhUp9XH$NDX;`&4?c6-2+>MbvX z6ZYiGf_xVJ4t!2%twU&ePvl=jbBl4Ljj050|K7kGM=|z+VznAk?R#YE*BehI;vXIl 
zW#?aY?)|~=k4D>BaQNc45&1x8tVt%<%^c5->e)+dx}?X9+)|c;xMZUoiL)$~mX#ZC zD{xk14-7XSXl2p2A60WZnl9{_7B9ckUsxWyZ4%&pDR1md&! z7D(JIH}*j$s}eX_P4Kkgl~ua_WP$AN+H*Kd`sjhT@n{6!6AAIBSb8N~b{_|@oaP99 z1eGM80J3HdvW0nd_J}p6nyY3{U;WX9uIZd>dJVp5MUvM}Zy5R`t=^)Hl(4h2jE$!k z(Uzh0|l)y3irbeUm{WrVx0wlugW6^~WSZ~IdzrAwRv0K)CI`q1?p6&lKrz)>?zaaCXNMq72_ zrL_%C|G;_470A0c4AvEQ6#~Vx|1tl=Z*wuAFQ|yom}b2+z_fk&GUmFDW2q3^h@Zv2 zP*gb~DZ^*LXII8t7Fe`t`~@e4dr3x<#8=i;G+s<|V}%^j09D;I*rT}HZ_dYtqrvo)1}AqVfLMe`H?{f!qUP*M1non)uQilu z*U6kpi%HXKZzxBO)8?W-kW{_VR<1;l9Pmv+6ub`cPEGjTQ76dNh(BFhU6A^IRUuGri1K=GXA zDfnKnxv~7?3tRO^HbAL0SjiM!dNLR3XQ2wFO8rV5on;Bu!|hlOl!xqs8dw2DOHpC< zHo?q7{-;818GrVDw4p*;7bOYo`ZP7m_MEmjz~26C@^8Lfyk?@PE6L|oyMGg6L6@J( za(9T7n3tx_>)^-b!}y~g=F5Athx-CcTZIX=uGyJD{QPN^5?_$3U($B$bKU8n!4}!& zGiMaO({)=A#zmz28E7=J9A>8MPh5;k5TusQ4B?N z-EVdQm`%NEY+XlMq-TOlyA>r)!d^~=$dxz7iu^m7Y* zYJXHy=fkfLQd^@qfP+&LZTE^GMJ6)3W}k-tVHj`B3w@}*H}Hisv*{S|#JYg|8pb}S zL9QHX0>fg|E%#;H16stxp&!Fo4qy2QY~F8DMA>8trzZRD?9FIUa)Ul-LQiOd-SQ;* z%B|0`-?S?dw}8rh__%b{eZ(>Q9<8-F#j~o=d-d=0su21cvum&ZHwFPr-eKUX7{B{? 
zP>tm4?87(Rp7TggoQ9Qn4J`>or%#y9Y`vfS!FzSr#gp0kv{VwSE|-*6yIy9UHizoa za8c!&+En}Y0|-o4CriHw|D#j7CC2P7gdY3kDOxT#s5*X?jAWyBSuh1JfVTU zo*LmAsQ9{*8lfABM2X!0nQuB_F#A!<*ja>Ii>_<7>oI;-)!pO-r@dQ`r&~7aONFbF z)V9PXUsqHp12UzPv=Daqi8lJR-!=MPOmH=utiFm9bQT7a^iV#GQg5R(3C>R^K7vF7 z%wPVi-R$`%%mCc`soEe3#>vy^<88P(YZet{7}@)d<5vQgUFmGNo-H4f6bi7funXjr z-N?mPy?%E|CAZe)NJ3seqra-7Hw^5ZWyXSFPSLmYXC|mR!elZe%FS;b>!7*D!-)4c z+;nZQHrw*yLoOJ*d-iFK?B0X5HB*7zb_hJ2@TOBzRoNT5&fs0Z`PN zm*ALrrtd0Vc4KDJjlFIsJ|eLD9Ak4mo{PeIb!xix$BBe(c&*ShxkB^628Cwjy1%4)RE?Y{%F4$o(gC@kIZCB=*s>ap_ky#B9#uZNElH#SE% zDfaf<=gFna?#tw-=B|GCR$p%m7`jZ#3L5}saYw&8jZ`zHh;!fxkR?pMjqW>y!x)Edckci28QdUGm z(F8|*WQ$iz52qZizAX5&XP4-eA;o3b(%6`RtkKd!^99uMW4xj^KVb7g1sWyZGzs;_SaEFZNUv z=7$i+n~(Rgs|#*JqkZcI`7&a=RL8)LpB&zr^cOKtD2+X9trM5_!mDQkIh>!g-UDC&0AB3{0ZXi&T`k)E#cww`xvNNzEO0f?@~%Co z3DYz!bR~B1nAb~)*R~ZxikK?S-3d zx9w_+`Ne+gwr;!fv4R2$nX_!7RZ`O=%O>ut_D%UVL#OONsH8oaB-2T9R`8SM;j`*uKc0rd*om0Sc-Y4(tF;{5!4OM6BSRr zHYPK>)bgfv53B9YrQFoEb)Sct#A5?DM7L?p(o^2JJXG19-SWC)hMfwQY!XZBbC{XR zQ{ZGg1pER9wZ50*%hh`8p!z%eJg1YVgLZcb^V>lV%<@~m9$r3xK>c!RjZy|NBXy`$ z-$IW=DAlSc7_4@zTn`*^j~eK_%~0i(i1WD&!#uBv5_wfiF?MTl-suic^lA*)l2g_E zgY$w)m0~H5YSny^YO#;DQsMD`TLwvHMDnH*St1Nxif$#+L|HOKIJhKdO^ptzl7ZUt zR2!OIN-mZ-dcP;kcM8L1nW1#%pevU3mL8~}{_50!abl#8=j+v*D|u(dyODYHoQ&V* zp^NlK5D`}e{J48M-dqy*VY?U|m9lPiU){J1QD`<{Qf$Nvmy<8K3c<@L6T2RhDhv1| zS$Ml2qHmFw+P9n6n2cZ<%$unM>z0^7&Txvf8|h zYO+&i&-1SA^2YbrG|fqAnsl$yHEA-kG$&-l|RqlJ;A{(=cYZJQ#-#qGO1Ygjj~++m&F{&TzQdBCpc zle8gR?ri+Dps&_U%V*hanvrM31fv`0Oi3&g`he{L16cIezCPj;VoT^$bo2rtdm+3FSuZ!}=@vZQo zrBcl4Eh~#JGC@7K3Du&=u5vG#lO)#s(Fnbi&xuu0yfvs?jLBR??F} z$gs0?wy9ehNP1BxJ9XdQ^?+6UJ2>P7w137+qy?h;E1p=syOht(ovXlDD8ZW6V;nt+ zxD;XFhLbPNrT<1DN-FUs8&vVqO1)KQhKp6_s=71MNec}A>!OHvWC(=m$jMVXk=^?8 z+E|V?#{pn3HQQR7aQi+^VQctK-4AjqOVYHV_BXpy?%t_*QXbr?w>&8dG~8H7T~)kc z%#6Ge5_}1=52uO@;<`GX$4e#No?oSe&O(6XWd!3`z?TlfZ{V$3B4yxR;yqat)QtARTA_jObU4%mwq;xQpUZqReEgW_*~=gx(0$b2W5I&D8$TnPFzi z8;CUo;tJr^f0A|tG666gr|!^5T5P~Qa$a{xU&A;tYBcW!vVfINul~ht1Yht4-nTPQ 
zVXt=?efa%@tM>^q2gl>ZZq@HQ9^cJIj%%K`zgpR=n>Q{K>z`-(H_PU^=Zo z@7E~p#xaP0bAdlW*_U}Auc^>6Pk{OXdq(w_@R5St5->2xpxMCC*5DjN3Eh zPn>M~tiFMN*6rw0$!JjZK*UW47PZMwnD$lMxOK~;-jv=g7UOT_%)uV+65ayMv*nQ? zZ91G+GT+cD;B&!4gp$=_CGS;GA*)N6a!XXyJ4%~K(hO3cnx!(Qk}Q2?n`9P%D$Q}0 zao%0v(0(#4-Qe_xuCt|4scVGWo);pVj19Dr*UqbulWEy;mm`RrRhJ6FX6T`;AaJ%k zXmLP>`jWC{y`4pCU4$R03Kdl=MW|yhhAmZ6m0bW)YMivHa~rb3jTWZl#)3)Gkpa!j zLe|;Y0^VhgGIA|f8koRRhbXWcS^XK}PD)WMr!8Ate#1YqHZ;6%+Zy(DtEzW>ALQUS z`%Qdq-vNPSHwnEz&j&qap)~FbrQ(BiQ*1FGBsKGFrS}Yh(F4nOyoZI8tSHaUzQxLY zBR{MYOO~tkB;NwY-*7j&VIYbQi~*4#t7HuU-oTZa(~8MBLmzg|UNlptSHm6H9&hTw z{VQWv zzl7Ug(XYf6X!9Fe=J{o1CYi3`Rh-WPbU=XDzJhUnPhRb(8ik@^p!u4DvMuYOb+^9= zO#mnJU@jT_xgEIXI#@P7Vehff1K-nm*Dvg&VTfz?%n2$=d!r}2RBiqN5zZ?(zaI>w zFHpuy8@Np?c5N+U85&%;2AK@*f`Vwcezv+WSVW#P5SP!^bWmsATuwcZU_=p37!0ox zPs0REg1<58m7ZqpeWeW9Y~E!?@WYPi1~ z_ftHR|5jCmAPSd&A;j3knTw@MpS_Iv{w$U`C{Fs-ad=$2GBx2|!W#`XtYpC8lJKQ* z;?_y<2;tAbBgr#i* zc?%upK{K1ibmg1_VMdOK=4+hEuerjhfjZq|vmgz%3=~@a2z~}tMf)4cGs=QG0ENba zd$0;T&(*viXQ6|Fj|b-0r7NfXZDRSCK8I;jMm2i8LIhQ7b_pqr&U&=!pdlOw-=WgW zxZfvO;Y`vof6tDdCIBSm1-FF=;(Mzwvnh~u5i>u|y=P^B+|!Zb%q}L&%pufdr>??} zL8fH5H-lRZTk=rSTNkbKQ`!a?>d`Br)J1w)1}K!6x#*Rm$!mvn1>vn9B-h~Ti&L^1 z%ab=CGVI_wU3n=Cjuq5iVMG2XcQgVqB`86s zLDxfV5c1kJ=FDk&;7(iM;#@td`8=PxzKN9L$kzYRjfM4@-DOZdX6H?kP2Sxy(POp> zM2YFDqYIQRO&%+@BIMtvt5_?4bcY(rsXJk;6JGqViLlnd4|MQv2ZQKa=07#0^qHkTT9vMz3|RizaPRRV-mF$OO8 zWo(dZLjq@(eWz#@U7nTenTJBW(amEo>r)kr#r(A}(8hp{@NCp?*TM!jN(m ze(OE=^Do6JA+_wH26XI^z@>$aF?azdcmq<|E)xa%;Tfe=qmHF-Pqv-gxLaJiIVA1;Ro4%Vy({PJ%@ z11!b^T{|3y%e5sFaM*1Yd>)R^9=0qh+prqKLFlD|x_L&wC?v)vRLJqp;d(R_ z6|NTt+C7ODsUy#GM%S!Z#7`1H00EVVlc}z-@aY30LGFvU-x!DF={Ep-j zg`#S{aVRV^ zkVm*7kSPgP!ca?(LW&I_ViO87i--qB-B3I(A9-VW&jPuh%*PiwIF#~#N63V>HPTB$ zV_&LsJks+bBT&?1V~7P9G#Ps-@P|7ddjz;CWM}<8`2a5#X5Q>P%k=hzxok$3rVzAp zhco=xky(pF5A1VO4&r&13nW5q=d=+}$&Lz}yU-9dLpkH(Ejg$sIEg5H9^o_xaDxQ z2EB60Ex-b+kW+d4GE}1lWkwjD7|8fV((4iK$R9L|v(6Fyt6&RpzhusZS?YS4NBLf} z(hBp)w1PxsLx#(VeHQ3*I@Dj#XPQd_AL#VhTPeuCQDSi`vQTh)DGFjECJi0S@&z^0 
zog{wKR0)e?Np?sIcGcr_wT!&BRNuE3WQVgE*@c(V-wDsoLHx0U~)U!dZ zs928{Vi52`zzTnuTu8;aKt^CAbxGi>fF+HX1sn!iO zh~%cVku>niDL(7)7(s^HDkILG9hOmd!td?I3;p*wa6f{ZBR=Sq`kUMZt3n-Q=PFXq zC>8FzytBUjmnmAeRlD}P$TssS^#67hlhFc}0WpREqXxp)_u zhqrb#cGV!ypfF~FssND52OUh{?E(e}M?H?Z-JY3g4PX;|MiaLbgzpbWqWx!K40z_=Q`MUgm@kN^^1x8TE3WgMdsWM%dAJnjGKlUN;OBHq$FR+3< zb-z^Xew7v=2pO%eet+a`um%8ZglLNk(VbZP1RocAaRvdAm`<%ThGdUBVD&nv{Ua~` z&@I(qy>IcD4Z-^euoEs+S2;ZJ<>o1`2m#)kLx&d_)>q~Czj;h=6J{kS<@tHMwlfcY zAqE98lE2N6YOd8SSmZ4T< z(*p-o-`k?2Vz&dP{1BCUiM5q}c5+=p59atpHJ5&Rf=;h3aME1rtt_j|0TT9y5@M$? z$(&|TGy3y4&m1S>`OhN_j4_7e_H4aP@8o7T(DR zZ`t1SNzd$^D(TRi71c58tyTqbZRWGQ|OPsmvwiX@aK{p0)_~P|} z4aqux-T{*Gv*P^=CoPl?lC^)x9}2afKh=(;Zca@xXvK|v(9OSgPdht4H-E1SO%Yu7 z=*)vXVGBN9%!v(SH_Wv*G2TC+Djzm6o=}lKS!|Un;mC}JP8ok=k}(a!6x>b(ZwyTw z=7DT4qL~4k&kS67t#0 z_FKVRZDjNf%|Z?7VBBUrglw%aqS)LtG2m5@fZPOxr2+5aXlJx@*%1-ena7@?OUy)E zyFsovSS;WP++Ia_a1_0OgGEwGO~5KyE2<3O`q39TjMb&MdeXkl;h-MgiEn8Hf%M>tRQu`QIw{?|`vd?0)^;y# z8QF*D_Ae@7DLD)%1;u>M{$_g2@yaGbfgbqT>T+Fwq>gZUQ~?-*rY=6IJV zi9v1bQQl(k|5MjH2G+0$@Y``yIs=OjTq5?AOU8Enrvi)P4NplGb` zDJke!!wvL5i4c3)ahUrHl;n{Qr0Dbxc_T)S1EHBmo--1|)3Ovaf8)%!JqVim%;gSG zhM}!ze_zk9>TH-di#Ljcb$p2tb}L6eAjUkzh8msBlia#6H#I_2^R!1EN{zM|CK=iZ zjdEceC%C9+dV&N9T-&(jVX3LWI)+jYD@h~=)ODF;-Is{w&&;Sh0<(1K3rUv)?=T2n z5zKg2erh~~+af>RbKXan(;fX3KPqGG{%V#nY4qQw0LO#@PGH6ZZ{=g@Ri+O>B>5_} zgiR^k<_o1MJLkOzi>hB;S{M6h9)VM(oTg;hHl5x|%;Qnf^W%_%LZJ+#Vg@N6cd;g# z|Dl@vT0o`rq{8~e-dq#W3$@>xr&k3_Pr1uI;fj6;?7(ggFV#Ap(F2jG6-_uYC81&bwny}CW@+M1rFd%gPlQN55=%8zo6nj|}B z#*2neQ=GOO>Q$~%snkSFR~R%RJUX~5Ro|1(lT7K$%tI)HP=#)-`K`SgA`wtyaK9oYa%nws~U*z9Rs)wkV=TvArRkPC{*-D?%B3 zq`h#_tF4{%FB(*SP_#u*f;9#^Px2&3Hz15w!aj~pymC60?2;#V5@ZkC33VaLkM2kB zx!UJhRDl(E{i(If*;nObW!EwDScx@B=)Q=Q-Ah0tpNHOQOlVK_ZPhfK3^zb*hf8&C z#Br_>`pArc6;*BQ&t^YAE#iZ;9yz5je106cRw2<{$B^w-htA6WK^d_LT5r`!-Y0gd`C*S?1^ z+hxOM{YZ>p*-{1nHU#rBC0f!H1urXIY{yQiSvpUe?0<6Sk#lQI4K8P}b9z9+dM2*C>?pUY13PhM8w`Y#bH{t$S_?tSKyYCoR8Pj 
zpo=co6nnrR|Lh89)1E+P1IRK}anl90MAgmqe`dcPinF{@1j`%p;b@p_GkrIzL%?vP94n+SzE)^H47R1hdJGW&!c(qiGbnOudw{n4 z1iKqbm%TBZcDhHKpCf}Gz(P{ceiFF5#?uJST5&@^ieqV0KX^p`=*Iw4<8(p8q7aNw zVi=)jw0RgV+zGpdT09RYY9+hM)Yldf)U0x1ZfS{_PsZBaLeh+=;Ci&tT2&NNhZWNi z~vxTF_hPK3FMeg=B#eO44(Xz0Wz z`nXL)78`}k+XI^ggmwwmV<&@08k6WJljj$fc-sRJM-%O+1!T4uXc7>*Q(W#^2;UKV z2kkD+rkyX{ZYNg8NeBsBULan~GA+@kOxS!u;!RLouI@QD!Tohmca^EpR(zq#tZWZ3 z;VWuVh(K)6Eh-^p8VG9}n>z!;qn@f_kXD1F{JaZ7uXuH(PVq7xgQslT7X*J>J=79` zfrwAJ!;4b?;Qj^$82Bv8y~b7&3YZdALA6vuPQ#jOS#qKRA*dfNQ43}6?k z{?1KW$ZDz}%f#nLcV!wU@<106kV)yl7ddkf+=5!#80-tZGWlTvIavoitj|wSVpW`&u%pc0*d5YyVU+kCwJaCIji?(yjfA5h9Us-`_!Q zs5Hl_C2ychh>si5laCjz=jMqT6p&s~0N}lbHP1YXB+VlM9Wa0Ot0MYYiV) zt6!g(WNX)#`2w3(hR{bn(Sw3$WOx-d^mn95T240J+8ZAoBIvR{N==L1SH}u6c-JxZR z;fMm&qT3-+!rhiPRG35*pwkEx6_HSsg?@U)j#;N-7-=^ZYwtP z8QTTx9qng}H?!1w&Ru_x5*-6$15Ho!(}S4>#paB`XG{?(xC=$15vYt3Vz9DiL%XD& zz;7*CfDCgNWX#N7!Bd+C62$JqQ=0)F>QTm$QL4HNQO24T=+MMgIO7ZxYAEG#A;z9s zp^Tzy6`DK6;~5;1?_*FyIRYZ6^JzM-oa)3_I@LNvYed>b>-f10w#ejq^qg&_2hP&5 z`ufXgc@1uZf%?eQG6-y$1{N*AwSm`+UXV;I?*~qhZoBF_i&A#QiY2SS(C}D zQZP%pSyjwGM%na#z9>^z6&tyLGdA(7#R#jeLtLunyEkdD4S@s2Vbq;8*hm9KI_`82 zc5}aZ%~hVUg&e(yEVAZy-XIt!t`>D_aTLom3&`ONRj~}1d%Z7||(MS(o?AUdS zw$mP6WE@%L8Fu_I4h}BXo27#2MW0~3Aj0TnC-l`zO!$d1T>PJsp1L)5SJXuQ7n75ZidB@9~!AI1|Aem+)%}EhqD;>kn zj&wubuLv64kRL;l@4K;^A_f>Kzcu#Vg}<85clA?Bp>_PRM3|X{Yoj|i-$G92-vQ~b zi7K-9=edMEkIt^kZY~Il59!qfmScK?~eY=2LW zvKN(7^|hO#SM`78eWR?DH+A`}kevH*~DR#lrO1O_E_)s{((8;RgxKezd#*P5r37O6fC>>g`VoJDTl$(Z&t-msH z-+IY#?VVA|%mwEt5emmv)C(kVm4j7)&%e1CjMFWaF@S*_-*XSk_?I_IjN-=L6jsE9 zDf3iJh!*oyo)kueiC9s+2}tIt&-#H(Of7U#g{>HHE6xt!BS+k=>QlYum*Gc5ryuai;;^Upu^I?7t3>VgI8VvuAkD?El$JvRuUHr?!}LHvw9ST^Ty# z2+`B1cyiU#60{Y3ELj%v%&suCB@(u3J;9s4Cs%_P9{bf_fh{3;MpGoOUWRK_%8^HT z=s%hRw%X`%u=mFXPI9eR#{PCNPr(W7kzO#14xldDC3l(na9=+g2?dzrd7f&@)OQ<_ zGC#$B)ygIT(J{=v9<<-e_>?&^F7egmlrr9hWIxmXFO&pON=e*jlhzUHJ7XG0jCm-C zt+wr99k2DGeF@;ZP&VfrxkYzg;neh<5t}m_Y8`+Mn$T)h0!#n9Ak#$l`vaYV6@{X$q#*d_>{1%DUczOiZ@s)5a4x0 
z0hnIVP3bn<(KfpKJ>B!KepC;o5O-|=oOcP|JKL$evKOMH*61q_CRdz6%5$xbi^cl* zl{a~^-3L=yf~p4UBjFO?H*+_majwTLAKNOKxG5G@dPXW{xOLi}cy; zZy{*O8b)>4{fbA*E%%P_muewr{t~FTE)P7e;~a|9xI*v_3mjYP5`*I2Qkaer&U(-# zu(Nz5kwDL`;l+I$-%cIg$$c_{a#Gj$bw?rB$GtwXUk*2jAN%WkmP%J9Nk>3a#y)ySyF3BAb)3j?Rew!B<=PJ9&FYC|m_R(A42ZEk%0>;wWJzsQ*(wp@rhk6ujK41&IkAjfx)Rs9Ir&C&Hirfh_)y+}G7>?vW4$~(Kkk<@0#H0E=+JWZg;kq^prpJx z!+D4W(xBv0@kn~dA5-Pjg@tW+M-sujBnN<#b#JoVymP;nUO#h=x{2ra685=vRfxv@ zOer%4(}0>efKO)>)Y>;}cX4Ei(fOOL_$Afk%B|>S8VXghh5W1S(5*Rg)dos&;!0^+ za!JM~Q*z~ox!z!_9C;~q=(Q2jVTmeMuS5fmM5-(`RYF8O7>Ntq)H()b&f6lF&bSmJ zNz-RezzcfLoZ9WNg0=1#APu2Z=h{a%@KkM-Z=GF{nC<73@FLYRG$gEwo(0$xM(74@ zGL&;8SEg#U&SVuD>oo8;X1{AUjaoDU**QV_3JI_iTy;X({VIPK)-j~%CM6my4T*ts z8>iV2?GDnQ-kHWqWDr@&9>?w)^9Ngi>!T*uL-!HEd=fKbx#M~og;!GJapYDcd9$yz z*A5mjV$e#vRP!^*MRcUn&?*u)Af;+KsM#B=YD@M+bGbU-m#W82z@x|9FLRJ%w9^EU zi^n(I;Wq$2TPedha`l8+45~xS2;N4@tKWe%UU!|#MV=o#OTHN13#3{P>YetVO1}Qr z@=Om5OJZhlAL7a16+U%3-wifKH>@?iWFCxFs2sClU*h((qqzf4hV1?Dxey92E(+|d6YvCQgLN$@Q7cMJa`2Z8?VE) z_Yp{aO5ka(S_~$tW58-r2<=44-9UD|_GYh9$`ZTd;%KR#uUBwP2X@%krC-y3+N<*q ztEzRSvT2~N&oS^W>6z*;>R*^?n7=~=Up9fp^vgIh;1l^&Wy?wiT0>D!D!-CKu`?4|^YN%()p(`Q0D& z5?@4t)-Zj0i4n+ejU8CBf_Vj6qT9a!IR^@rfx@S5g83u_kB7KQ2Uavf&g^LlIx^^C z80Z`_aM@x;iVzf5#IZ-5oDG8PtyeYna}kbflq%a^D=VIIyl z1)ekqg7kN{%0PqrKJeRPz)o|F3fdL&O%=9`3wr_IwOBiszOtGtZFOVn+>$b;oBI`) zE%rgv{?M;M3eNc0%Hf|rZ-KZXHW^Ni0c~}b{zl*E5SgqAu{0wrOR?=i$f6+sjn1otu z?mj=EFb=G!>X~rmes2;7>E7?~3iB^{muErnI`4?yG;#+@A&HX^ukWJ1(Cc`VFmb>&l zm{O9463R{{rv&a85Eyw;NoNhT;LY^yR>q`cZT)7YE?d=RD7wJNCX7H-le+TDS7r1& z5hlH|KJO-G4WRy9fH2a|#ZH}*hg5^qdBEpu)3<-6uUxlb7_bZnb*qJIDh#M%mHRTV zJESADwSjO8!||$$SJh|oBHWiwd_=rH&Q8roBd`KfR{c7l76(9$|3v0I&wZWNo{gkl zblG-n#Bq&3itjWa<^ZMVG}b4f=uC2T;k>%KvZ6g?Sgpyss{i#E@92H^$onK zS$XMbxpl72PmzROR+gN%8tZNI@gqoD5>;h_rg#3b!L@-t&%th zQDGz`Ad0vtln7BCz>+XuB4t3S9aENsbIXK3ZzOQEK4BAK+T}G9p2~ozQ0(B;;TBdK zBWW1>$H@>%KkWA@g0r^tjHkYfOCV7zprqCK|JSkuQkz-&1}@M7Z1l)bYwijcIx9{6;k zlWPl9+e%W8VTp|N3>grJ7YQL#;qZIo^Gw3oO6(eG1s&xrW#p6!d*3A&o;DGkYU@|S 
z`(vkB6^rWQ?U>>S=?S|$^gAjcx)ar%l>_)kbs4dwEh(dj!HWgF7o18#9q~Ti5n~D7 zEM|&zjk<{mE~DZ_Al#A5fh^YLKMIIkAaM>^OKO?+sg;som;+&9c-Pc#ht0g zKUNZi)@R0+ptoQy%kHG*9!tbK3{#Pc?TemzWau#k2s>tJAf^DMZa|u{;?KZ%J}}#g zcprgXrGO@|!#5bq_nw7HUUe7EI_uE!M3Z#k8CzE4V6B?*PhmAmqwiqlp~#B|>o>m= z3-1{Vs{T%|;%Se1j?RCGU^R6d$mcDmcuy|;p!1y?G^Eq!tv zp|-zpb96A%)RZIl#t=MrV6FAL^$YPPuIwY#Y8qIhG_yrQJS8|<;ds}4o2_haO3i!F z7r+Ro%woiuSJ)z=?vf!@)b#Fg!xCHXUD(E8xmvAW|KW9f!;v^*1Tz_w&)vTJ_fd8;3iFd10H#1*YaaZn+?v>K zHe3}aBL)$4A{X!Ih-jRVfWULrHP%5V4EpMJkwnD}lZ+e3KVx!rTb)~V=s?@#zj@!r2{R*z z66{}r;b3^}1ne<`U4=gI9=w)4(_*?7kv5R|!04_)Mp9cOEoHw-1ciPopD@dm(g2IwJ9>v~lIb>tzy8NCI;ry*dc7;ex=iU>G#|t;Hs$G=cThEKZ)dXAxAA zu7rOCQo~%t1*LUJ@&*-OOz1p@CIy223W#I^f`~O{fVd_~fq#AK=bPKV0Ck**b9pR{ z7~)a7L^4fsl<^Cbi{hvEs1;#uvVJBm?D$N=@TAKy>76?lPr7}!35FGherFHEgM9-- z(w=oRLfb~Leazg8od4h{^#+fU;ko$uB1v{H!>0XmOo49%zivnXnJC%k)8+PlcQS zk6v8%-f~F7w;3(A(RM3yc$jqjEAR_*kjv(Ck1sZZA1wR}rK}s^@D`^Ka4xvwWccDK zNw#RSaxZs3O+k6WP>xu`**~jf0F8YnSANPyg3Ev#&LSS`e+JXu;2tzv5;1;Fs4nZj zAYAwLkYayadjPLe^~)^~Owi?IyJ~7B-a+t6H;T ztTt6ed2{#Bzqj%{DxtyPif;mIntSSPQZ`7_`9Ru8os$x0TL)yK=A!ZN%P@1nmC}J2 z`9HCU@V-ks$V`9yI{Cyz)kO`4Ylv^5lE!Gd%j&7onli%|NmuEw zwFwPpBVNvjk{{30@NvD9_Y8w?X`RL~vN?d71wCnb#%I&Lv&ICUl-|AD|Ksx5YWWk0 ze0O%&-iY2A6Bx8d0PfNQM9AOcqkze6u42+R3tu&PXd0+`Q)}a1y$bv`Fxg6@Ww5AO zLc0*765E5AqecIggLHGz3Yq|AC+Olsg-nZJU!^b!NUk&>!J#)H_>gbU_{r}KY0sJO z8;Qd}bkAncx&vCdS(r0fUpDE%2L#)F9zQ$3fnkvGbG93mo3lmzId7_n;09)(j8}(U zKFglCxOJ9)S=7bSnO{ZS)w#7^;(p7U5w)lfdGn(oV#wCs7ac=jNt zke0g2(D`t<2_HHkhP>m*qkPWHBgm4w`O^CgfZ@qj&{Cp?8 z+Rbs&(GR^fmbhPR$pM@~&oI-z%89IU4t^e@n}{z4y5NB30(0Zh2Y8#v582|4kJ;ci72;Zl#VkTXqcdNGzk(W5Dmk2o zm!hW@&U4z@7DuB|<2Zih9#EW}^3YCicq4Zt+k<;`0Dfd=a{6Hzfg@ppkFsD}ud2=g zCJn!giXZ)n;cCw&JNjdTeW?_4x#Vc%s&KWDeZ=0tY(mk1CF+9m=E&K==tnyluRSL= z(XSF?rBdTyq#AQ6)UAc1e8Ck#*jdJvz7*e0rubpuUc*?{v5<3-e(O=6b5V^o`>1l% z-h#5<{&nR998%dlzrAiAzkalqODiLLUb;ilVhMs&>qzJ~!&$rLjcqETV}J1<@zu66 zA)98WBJf?$6lc9_OkNBrrD2;;9zAs#E3(k1f@yO5Z*Pk;i#CICI3hJN4%hy|OS#`E 
zYJq9ntFX8C_az&4AHY+)0&cxoKm6M}{Jj5jc@njxX6~O3wiD7;{Y4J*(-}C= zB3ag2Nu$R;^g$D{a!cB}NMp8vf0;EL2uCI13mP?4^8gKgPBhNVdPVg?l{t)- zRF5u^~W)XDt-0SS!?J?fF3GKHU8|#!0IafDlKE^$}0W;sYfGOs>!=EG%{P+ zXM9?q4>5puE`Zkm+f>l{E3Cj(7h||a6n!|ve4^ay-D7Mjb;Z8Bsea56j*Z@3^p6!Q z@JL4d|56?@p!GL?G+{>cM-vtmCg5C-WW-EK5po1yT`u1M(H%-g<+9A~!jD#ms_NN= zfWi?mJu=g%O2!3|!b=WPO@DeY>M`46?`WaMtD$}j*K_JEH}Ya9JjUkA(9-Z|AFd4< z`K80i5v4=K>c7(lOj5yp6@z%bdO3_oT?UkweU2Bd;AJvhPd;$1+*1y&Bx3ed0Mscn zxm%Z73~x*_x|=VvHee;H{$MP#i{S@jhstuD`+Ag#KdJfjE{eqeCpCYltduilap!@B z?bBSPi_WBDez7v;)~$B2A`|myS=!*E4pr|npIsI^Qu`bNcIV1*oxWX)e_8Nax?=Se z;rO!|jz9d5jA`Bfm<6$)%>ZUhe2t`MI#9=K&t^;7q7MT@^XcoQ9lkW~ytalldDah^ zmQ0!#4g`#t)8h@p5=Igsi5P3&n@8%g3Zn&rFvNgS=P zWXszX`qbDuov(m5$d|};`e1YFkq<*Rc0i}CN#hh*5yiSQBxYTD4Sk^mt8BuR@=dO- zIy>d2nnZ9)*wx}X&`xtpt854eWq}AJz^r!-P$^Gjjk#snmVwB(%LW+y%yEdaAUf@{z`>~#S)&S zWvsdvmE@WnNO$wi)7g+smGu~+$^=%l&teX-!_s@&q?OI^E~0aVzO8ocvZb<|?E)(q zz~Pypc*^FM>pkFckn0_-b?}ZCI_^8Xp9DZMDYLa|!sMi3P&`tTDv++VZFn0p5^GkV zOEeMA)+S@;x1KNJ641ToP7X{RRH_KwBj^Zlv{pwJ#|x=kfUHB;8ibNl9*ouX*bww8 z9WcDrbIvB)>!~?)+-$1Zkl1kn8 zJ7?*KpW16+AMJX6t>wyZ;Gg#p>IHb7$6=&LfPsqt(JGkFu^(7@X#5S7FzCB^mRifU%1%cVXuT);iEc2*c9UY0*N8z8mTW#kLBlBye|%Xrg%rT0#<(@}ZHADXa&veMI7z`k5B{0KzzjTnbEm)qQD`zjB5; zgrf~s*)bAUz{~?XprmiV4?$laN$6&pC0?bIZl?%>*5mplZ&QIC#BR7+DdK%82| zieYX1C9>6uDdF^9n_CQ;c`|`Z#k#NDELjz6`I@uUnq6~}bw$mm{RA&2tVOklaTEdtCB=;@>T4K`u!5drkRsH}=vkBGSl|E^ZcT zAFpjtbTH=trWRWAKuY`;0?89*y75%5uMw}q7DU%&h=sT|Du52(z@>QGbCf2)*)c15 zFN1x6oz})hCyR6(Oc&a=KOsrC_laivEBGuh4L+h+4xD5!I?eP12~^u=JbUMlS;Pb9 zG3+omokyb`ya&!q*~nRIzA@NlM0+2Oa!&cmQTn=cv(^>OEMxJSZNiaTNyA+324gay zmwHZlz%mR>%bircL$Ybboz(x5Be)cWkH)KV%0*kst5Yf|0#_-oDl&dF_M&2a(q8#W zxrV|LzNW%)<(b+K5@_GzoQ;HvwNMskTP@$lB<3Z!y>?9$`9w^|{^p;PeJ^|Z=VY^f zoNP@=Qmh0Wmo@_NWMOc?wpghHH@sDDYuH4KiHnrA4T8Sm_v3z49hwEPCzUK@%+L}@$f|3OA3otO3Bz*ZKrsp!y!@GsS_^h7PL-F z0^)g0Sr}i_V`BOctKWI`fN*r?qfUG1Ay7##-WK?{FR^J`SNbJRO2drh`M(yJ-V^IHouKs#qIB&E+)8Cm%Fp&X?gYeGFMJj-}a 
zGNxD{;Wl6yn*X>-Ov!(tn3{&%)v+F>AvvWgx+JBc`Tth1)inOONh8TiXlF98qnWHbG}Tz>j{jELmnOb?|*2}6ntj>K||ON8d{2r zn3EV;&mgWzMEZl}2eQ`A!$C#g1f$1qez%b)_&^liZR~S{u4bpX=m`mS4y$%4W*rAV z7NW>}eQy3LaR6dTUqX1VR;tu)ik0Bec%?^}OmD;0TJJx%5HcjPXo@#EyXW_fMgt1p zd&Zm(Q*;xI1RAIJuE6j)?dzQ%2z}7r4mbp(UO_G&6L92b=As|nHwXss z`)m$d5ACi)mbZ!(Av^3z7e8a+L%)d^E#&KU1X3#Vm>(TJZXS@Jt2|@;wbRVZrYh5x z87qmNMjZUi5V>`iMJ#QU2qF~2&3V_E)o$w#6qDxr?pr@6tl+OKJ^>z+8Q?3{V#d&+ zzarXEqbTtM84A$O0oVeQU35|Sc!~`NUSR@$Y%CeCm37#etzHO%sf+O2zqMwWE;E4Y zWO_y!@$?tv&1@Be1cxrM%L8=HO475JE9(P7#SQsRK=gTqmPoa@Ux=}I&^@lxXmDCM z1Ass?diVkF26@P+KD3uP{BM!JG5Lc}(SBK+9PrRaSwel>-KCAKm+^R5 zidfQ6mPO>tMgRtetLKZV1aYE9Wo!*6-BD z-t$u)-e7-fhpUW)jP&gHeRIfL?rwyl4v(ufwMmM~)pPY>7=_2vz$5ixrbvAC7-cG` z&-Q8q^uAPMWXiG#`?_T1sN~8jgJfl@|KT$jAX8Gvnlwjn_YCxEv^4(qsBOBkGU?K( zx~kfmpwDU6On#iw2ztC!9sK}hf}R2t%X~i0HdlSFC0>hNiL%2E{>YFvxk@QHu2Pf- z8rvF6YDf>hl&(f$VQA}8JfE-D&&&)mA&#P*yc6>B&s@EmH9tYCIn^u2PmFi3A=!!E zS{3Q3`Qdsk^;$L6A}3<;)?o)LklKzveW28*BB!C`1cNSbgf--F!AFDTO2=l0;{e%` zg%(g^Y8VSrmSiZiG#%bmtCnq4AF0nfT@b3rpi^f8Ibtp_^wUlzsi=t`_)!{S{Me2~ z3PX+mwH;|HS|w8!GMT2dbs8ZJQW`Z)^-;6RQ&@Tau-izSjkb%odg7 z8i0~hud7v(x@0S-=IFRC$)xiXdl~lOOIV9GahuLU%F{j&BTm?__IFRBtF;3t7gwUJ zbUPnyT1k)N)DyRGPMCGG5>)2k0GAfKPod0Vd8 zDq`K!P>D~N@wb@={VUC_AJF-=KATM2A{?&5t(PAx*G9E3$MYxMaG%e%*w5SbUbrpd zbH6@?S7ogLYbE*y-B3C^$oix!P8|cK5|Xe1#T_- zl&-8@V~)7k_U^3XqJeoknmxROBCTEghJAYW9Q@qU_w2O(4ZAK<%eZ<0`!g~lueBRY zxGo>%!`IdFW>?SCx3qcj+^V(pspaorEetl^%f&?#h=jqqrc>Lqn3+=c6jnBpEBJ4NY;0~{@x@o6r>lNm~J@?nwPA_)um5-gqj&(Lb zU$qKUrtx>->O0b>tS`Oj;tdC{tBf!2+Wp8k``1Okk=I|`80Uuf++0%58p}@K4QQWN z(eE!-DE|41x+Qw<)j_Nlzfw014t|XZm4{{el?VEKJe_s_GvM;(fSfR3z{9@P`&9z2 z4G9p0jAb&giSf{rS1Plpwixo7u#7rmO_YJc0J;^-%M|*J5#M@Z*1n4#BgH#5oYqwE zMM%aXyxl+S#Lx_WR9}H;AyTwO3+<*0*KaC%39Oh3JmUeTRwHy;FOS4nq+Byl*zsh{ zX14O>fJevv83`pmyD{m~U@5S8y|Xct0~Pj?`gNL(FAdCmo!UVu1%oxw-_6ynx%%OD zH~Jk1VhdQlyfy=tPw^2Qp>)?D|QHImm?1HVPojYTrjk592siTLcr=@r2tZ34+c%r5goxQK#gP>S5 zSX?9Kpoe9!l5MmSRt#B#`EN`9!CO9j`KUF*s%A1kHn`zU5w;0}ZpeEwf6C-m>1PqS 
zUC%k{k4WY6SWcVzHqKw#0y;M^xF(Icra~M`M0b-N01YuD^wZ!KGi6W>>FUy8 zfO|#UD3XbNoCJ?ROZ;$OZ1)F!bJ9f8^b=}2xupQ+9B-t8hi(7^c`|SYjS>eetn1Ws z1umcvi%!t&j98?uhQRIS`AFM7{Yu@{-C5{MKb8dmuN5*T%)f}^vlZw!wItYykbY@C zVKXPMez_l`ipP|SbkdTcEQ2`9g!>XhjsXh7qygC|!!#ji$kJTC{>JfLur1sQ*% z@47IAr|mFI09Ej}+uRKX(GXNZEaA`Nsm5R3vjk=!1qTAE7mmLQsgTNrRn>Cc;1;tq1NcRfNWhI$_eSNpChxQ41#WMh)RuQ)CoUC6%ZdgigofrPi>5-|GLtWDb zO|zgDFzPUV_puqCJd2R^J?^;Bs|(AYP>%uV-BCccb+;EG|i2u1Smo zapzuQbYU#dRihNGTG&}XU1nYNeoLU>TOjG3Y+@2m|8Im^ET;TiNI?&bH5qZ-;-K;l zWK%B4Lbg&7rz8H>JmHo*ikNLNK{qq%f~H4NYYxc5M!A^nZ16)1&e@fz|AP$0!q39) zLQ#(sb-eD(h^A|l&V8|)^Z0FV6tSCPg6c^TZLBkH?gh_TptDbmiBD6#rs+!!wZ8;yIi3W&1_k%iuN>x`e%CX*=&ac zY^5iDo*r3|INJwtPzPB)1J6I}a14j_QAao^(HKKo-x#TNY|Pw!>}Cc8Wmf0$aVQqI z&1@^NwG-)CE$I#O44QxI>Q*Yhw!>t9#)k$E>kp*HQnga\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. 
The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize Data for DNS Essentials Solution** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis is a [domain 
solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize Data for DNS Essentials Solution** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 9, **Hunting Queries:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -230,6 +230,20 @@
 }
 }
 ]
+ },
+ {
+ "name": "analytic9",
+ "type": "Microsoft.Common.Section",
+ "label": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
+ "elements": [
+ {
+ "name": "analytic9-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently."
+ }
+ }
+ ]
 }
 ]
 },
diff --git a/Solutions/DNS Essentials/Package/mainTemplate.json b/Solutions/DNS Essentials/Package/mainTemplate.json
index 38921c0b116..6ed70120b85 100644
--- a/Solutions/DNS Essentials/Package/mainTemplate.json
+++ b/Solutions/DNS Essentials/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "DNS Essentials",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-dns-domain",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
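Review bot: The `analytic9-text` block added in the createUiDefinition hunk is marketplace-facing copy, and `has been used for malicious activities recently` will read as stale the moment the package ships, while `top four Ngrok domains` does not tell an analyst what the rule actually matches on. Because createUiDefinition.json is regenerated on every repackaging, the wording should be corrected in the description of `Analytic Rules/NgrokReverseProxyOnNetwork.yaml` rather than here; if, as the text implies, the rule is a match on a fixed list of Ngrok domains in ASIM DNS events, say so, e.g. `This detection flags DNS resolutions of known Ngrok tunnel domains. Ngrok reverse proxies can expose internal services past perimeter controls; the activity is not inherently malicious, so validate the source host and the process that initiated the lookup before escalating.` The `_solutionVersion` bump in the mainTemplate.json hunk that follows is consistent with the manifest change.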
@@ -107,6 +107,13 @@
 "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('77b7c820-5f60-4779-8bdb-f06e21add5f1')))]",
 "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','77b7c820-5f60-4779-8bdb-f06e21add5f1','-', '1.0.2')))]"
 },
+ "analyticRuleObject9": {
+ "analyticRuleVersion9": "1.0.0",
+ "_analyticRulecontentId9": "50b0dfb7-2c94-4eaf-a332-a5936d78c263",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50b0dfb7-2c94-4eaf-a332-a5936d78c263')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50b0dfb7-2c94-4eaf-a332-a5936d78c263','-', '1.0.0')))]"
+ },
 "SummarizeData_DNSEssentials": "SummarizeData_DNSEssentials",
 "_SummarizeData_DNSEssentials": "[variables('SummarizeData_DNSEssentials')]",
 "playbookVersion1": "1.0",
@@ -177,7 +184,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DNSSolutionWorkbook Workbook with template version 3.0.1",
+ "description": "DNSSolutionWorkbook Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -252,7 +259,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -262,7 +269,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -278,7 +285,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -288,21 +294,21 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", + "baseline": "baseline", "Total": "Total", "DNSQueries": "DNSQueries" }, 
@@ -363,7 +369,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -373,7 +379,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -389,7 +395,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -399,13 +404,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { 
@@ -473,7 +478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -483,7 +488,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -499,7 +504,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], 
@@ -510,23 +514,23 @@ ], "entityMappings": [ { - "entityType": "DNS", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DnsQuery" } - ] + ], + "entityType": "DNS" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", - "TotalIPs": "TotalIPs", - "SrcIps": "SrcIps" + "SrcIps": "SrcIps", + "baseline": "baseline", + "TotalIPs": "TotalIPs" }, "alertDetailsOverride": { "alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nBaseline for total clients reporting errors for this DNS query: '{{baseline}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNS query include:\n'{{SrcIps}}'", @@ -585,7 +589,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -595,7 +599,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -611,7 +615,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -622,62 +625,62 @@ ], "entityMappings": [ { - "entityType": "DNS", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DnsQuery" } - ] + ], + "entityType": "DNS" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIP" } - ] + ], + "entityType": "IP" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" }, { - "entityType": "Url", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "Url" + "identifier": "Url", + "columnName": "DnsQuery" } - ] + ], + "entityType": "Url" }, { - "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "HostNameDomain" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "TotalIPs": "TotalIPs", "IPCountthreshold": "IPCountthreshold", - "SrcIPs": "SrcIPs" + "SrcIPs": "SrcIPs", + "TotalIPs": "TotalIPs" }, "alertDetailsOverride": { "alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'", 
@@ -736,7 +739,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -746,7 +749,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -762,7 +765,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -772,21 +774,21 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", + "baseline": "baseline", "Total": "Total", "DNSQueries": "DNSQueries" }, 
@@ -847,7 +849,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -857,7 +859,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -873,7 +875,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], 
@@ -883,22 +884,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "DNSQueryThreshold": "DNSQueryThreshold", "DNSQueryCount": "DNSQueryCount", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "DNSQueryThreshold": "DNSQueryThreshold" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.\n\nDGA DNS query count baseline is: '{{DNSQueryThreshold}}'\n\nCurrent failed DNS query count from this client: '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", @@ -957,7 +958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -967,7 +968,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -983,7 +984,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "Reconnaissance" ], @@ -992,21 +992,21 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", + "baseline": "baseline", "Total": "Total", "DNSQueries": "DNSQueries" }, @@ -1067,7 +1067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1077,7 +1077,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1093,7 +1093,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "Reconnaissance" ], 
@@ -1102,22 +1101,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "DNSQuerythreshold": "DNSQuerythreshold", "DNSQueryCount": "DNSQueryCount", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "DNSQuerythreshold": "DNSQuerythreshold" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup threshold is: '{{DNSQuerythreshold}}'\n\nCurrent reverse DNS lookup count from this client is : '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", 
@@ -1167,6 +1166,116 @@
 "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
 }
 },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "NgrokReverseProxyOnNetwork_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. 
While not inherently harmful, it has been used for malicious activities recently.",
+ "displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
+ "enabled": false,
+ "query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": [
+ "T1572",
+ "T1090",
+ "T1102"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
+ }
+ ],
+ "entityType": "IP"
+ },
+ {
+ "fieldMappings": [
+ {
+ "identifier": "DomainName",
+ "columnName": "Domain"
+ }
+ ],
+ "entityType": "DNS"
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
+ "properties": {
+ "description": "DNS Essentials Analytics Rule 9",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
+ "source": {
+ "kind": "Solution",
+ "name": "DNS Essentials",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ }
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -1176,7 +1285,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.1",
+ "description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -1685,7 +1794,7 @@
 "Initial version"
 ]
 },
- "lastUpdateTime": "2024-01-31T14:39:27.720Z"
+ "lastUpdateTime": "2024-03-12T17:30:34.996Z"
 }
 },
 "packageKind": "Solution",
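Review bot: The `NgrokDomains` list in the new rule's `query` mixes genuine Ngrok zones with entries whose purpose is not documented: `"korgn"` and `"lennut.com"` look like `ngrok`/`tunnel` spelled backwards (presumably to catch reversed hostnames, but the query never says so), and `"tunnel.com"` is not Ngrok-specific, so with the term-based `has_any` any query containing those adjacent terms will raise a Medium alert once the rule is enabled. A comment in the query should explain the reversed entries and the `"tunnel.com"` entry should be justified or dropped, e.g. `// korgn / lennut.com are reversed spellings of ngrok / tunnel; tunnel.com is generic — review for false positives before enabling`. The hard-coded `_Im_Dns(starttime=ago(1h))` duplicates `"queryPeriod": "PT1H"`, so the two can drift if an operator tunes one; a comment noting they must be kept in step would help. The `DNS` entity is mapped to `Domain` while the filter runs on `DnsQuery`; if `Domain` is the ASIM alias of `DnsQuery`, one of the two `summarize` keys is redundant — confirm against the parser schema.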
@@ -1710,7 +1819,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.1", + "description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1795,7 +1904,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1880,7 +1989,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1965,7 +2074,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2050,7 +2159,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2135,7 +2244,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.1", + "description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -2220,7 +2329,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.1", + "description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -2305,7 +2414,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.1", + "description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2390,7 +2499,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -2475,7 +2584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.1", + "description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -2556,12 +2665,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "DNS Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

This is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Windows Server DNS
  2. \n
  3. Azure Firewall
  4. \n
  5. Cisco Umbrella
  6. \n
  7. Corelight Zeek
  8. \n
  9. Google Cloud Platform DNS
  10. \n
  11. Infoblox NIOS
  12. \n
  13. ISC Bind
  14. \n
  15. Vectra AI
  16. \n
  17. Zscaler Internet Access
  18. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize Data for DNS Essentials Solution logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 8, Hunting Queries: 10, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

This is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Windows Server DNS
  2. \n
  3. Azure Firewall
  4. \n
  5. Cisco Umbrella
  6. \n
  7. Corelight Zeek
  8. \n
  9. Google Cloud Platform DNS
  10. \n
  11. Infoblox NIOS
  12. \n
  13. ISC Bind
  14. \n
  15. Vectra AI
  16. \n
  17. Zscaler Internet Access
  18. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize Data for DNS Essentials Solution logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 9, Hunting Queries: 10, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2631,6 +2740,11 @@ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, { "kind": "Playbook", "contentId": "[variables('_SummarizeData_DNSEssentials')]", diff --git a/Solutions/DNS Essentials/ReleaseNotes.md b/Solutions/DNS Essentials/ReleaseNotes.md index f9aa8fc9179..6339203e854 100644 --- a/Solutions/DNS Essentials/ReleaseNotes.md +++ b/Solutions/DNS Essentials/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| | 3.0.1 | 31-01-2023 | Updated the solution to fix Analytic Rules deployment issue | +| 3.0.2 | 12-03-2024 | Added new Analytic rule and repackaged solution |