From bc491e605e0f49c7aa72cdc21b6f1f6c8914de18 Mon Sep 17 00:00:00 2001
From: esfateev <esfateev@gmail.com>
Date: Thu, 21 Sep 2023 13:12:07 +0200
Subject: [PATCH 1/5] Update NRT_AuthenticationMethodsChangedforVIPUsers.yaml

Fixing issue - https://github.com/Azure/Azure-Sentinel/issues/8187
---
 .../NRT_AuthenticationMethodsChangedforVIPUsers.yaml            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml b/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
index d6fb35b5517..932e0e8a87a 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml	
+++ b/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml	
@@ -15,7 +15,7 @@ tags:
   - AADSecOpsGuide
 query: |
   let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
-  let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
+  let VIPUsers = (_GetWatchlist('VIPUsers') | distinct "User Principal Name");
   AuditLogs
   | where Category =~ "UserManagement"
   | where ActivityDisplayName in (security_info_actions)

From 47437e32c86fef1eae7b2c707bcd1dacc7e58679 Mon Sep 17 00:00:00 2001
From: esfateev <esfateev@gmail.com>
Date: Thu, 21 Sep 2023 13:27:07 +0200
Subject: [PATCH 2/5] Update NRT_AuthenticationMethodsChangedforVIPUsers.yaml

---
 .../NRT_AuthenticationMethodsChangedforVIPUsers.yaml            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml b/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
index 932e0e8a87a..1dc8dc1eb4c 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml	
+++ b/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml	
@@ -40,5 +40,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IP
-version: 1.0.1
+version: 1.0.2
 kind: NRT

From 943ae0328657da3c94b5141efbb8ed345a815045 Mon Sep 17 00:00:00 2001
From: PrasadBoke <v-prasadboke@microsoft.com>
Date: Tue, 26 Sep 2023 14:28:28 +0530
Subject: [PATCH 3/5] Update SkipValidationsTemplates.json

---
 .../tests/KqlvalidationsTests/SkipValidationsTemplates.json  | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
index ef7196154a0..59734b77952 100644
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -79,11 +79,6 @@
     "templateName": "vimNetworkSessionMicrosoftMD4IoT.yaml",
     "validationFailReason": "The name 'LocalPort' does not refer to any known column, table, variable or function."
   },
-  {
-    "id": "29e99017-e28d-47be-8b9a-c8c711f8a903",
-    "templateName": "NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
-    "validationFailReason": "The name 'User Principal Name' does not refer to any known column, table, variable or function"
-  },
   {
     "id": "078a6526-e94e-4cf1-a08e-83bc0186479f",
     "templateName": "Anomalous AAD Account Manipulation.yaml",

From 1dfaf9443861e83c7d15fceb2e854a8724f7ea82 Mon Sep 17 00:00:00 2001
From: PrasadBoke <v-prasadboke@microsoft.com>
Date: Tue, 26 Sep 2023 16:02:40 +0530
Subject: [PATCH 4/5] package repackaged

---
 .../Azure Active Directory/Package/3.0.3.zip  |   Bin 86986 -> 89287 bytes
 .../Package/createUiDefinition.json           |    24 +
 .../Package/mainTemplate.json                 | 15557 ++++++++--------
 3 files changed, 7999 insertions(+), 7582 deletions(-)

diff --git a/Solutions/Azure Active Directory/Package/3.0.3.zip b/Solutions/Azure Active Directory/Package/3.0.3.zip
index bc481bdff9e79146653441b26a40f9a20f904818..7a61443d3deec4cccd4f346d0390d010104a24ad 100644
GIT binary patch
literal 89287
zcmagFV{qo%6Ezwe6HRQ})<hHAw(VqM+qP{xnb@}T#I|{J{-^5RFZVs~*QaXj?%loC
z>RnIuPfijP3>63n2nq<%mrK=7jXD~X0tiUs8VCse`&UB;V|^!MWpiO;6LTALCv#gH
zItxczn|)qO+jX({ZN%2EnQNRS7Xpc9l%t?=1QwTgMzS=FI_6$N82_KE@qdKs+pOlA
zP1wFZ%FFSsc;6+=C|BYAg^AwewY9IxZ9X2hzXn%^zK-39n7VHgt)<G#XJkEi?+P<+
zGGj!@Zp+8NDkW#5lufozwq#seI?&OII1+X{UFBeO!dyi|3`iW+#gklhm(5APM%uq-
zsJ_e#gdC;avJ3ME+H}TSl{BKtZE}VXe%D4#3zz8=Sn)8Yd1+tAo96rfp4p}M1Vc1T
zirH^<2Z|~5rvKVE20;|%S<K(thHFc%L%{Cu7d~!H6frja)J=;@quVnDjme77aUHHt
zU+C9}KsKrTAry+O5%$8)<rl()ZjKlW{_An8;`UCiY`Wbw5m?3fDhZ2vlX&2^HQtmc
zt|*jRS%$ypy1Zg~C?Lu)O$jCSZPweKaYYY>a5!Pi=j)9CfB)(7qnhgGev9|<#ED3v
zmx<3<sF%-kYSDeFaH(kqzXj+1o!P4L(i}Eh#XQP#abb;R%Or?`8UZ^kM!iUlH7-4C
zB^Xzw(BHCGf)TmMot7!pu29b=?JT^6(&^k=a0iI!(GTgjT8_#n!X^`TDl*!c%^@_1
zytvy5=72CBbC-M;ISwVVivz&gi4TwjcAch)2AZ2%!gBZ+7?z2sn7695*a`xqdVGq^
zuo~i>HF9d1ODmE$CLx*zk}XFnH4o|#CL%9_GaRW`@Zb{S#Syp16YoCmXvR!6X{S}r
z9Ci){uaR9075qs3hx)<v@g43*H6{aZ|CQn+0!Fbb(HJu(tP5PhK>g0i@?T<<jd6?c
z2Gwi0;w$L|_o94KTOerD+Fl1ZWHKt?_?+t;^T2o5eSd}q4dNzz3BD;bmMA|pDuSPG
z#Et}UB1ETHhj*S)IIYY2PnQpl*)sNlEvz#bd|N*L(=m#C545hXb#Ec6{wbW}vChwO
zi;MB@Kh;tgcAs4{J|bwNcT=6?u1vW+4k0^jZJj_UOV9KvAV7hk>Ggq>Q|buPB_e@7
ze>Cgmx%q(h1<updbn%_Mr1h)QpN-5HXcg?tcRBuTrgMY4ZLn*2;wViFkM$ZfV-}iW
z)0)LFYKSa5pin;gLu~b2_i{@rtX^)=jjEkn=+;Ng_XYBhC*`XlKmAUHQpnFP7Lo<a
z_7g1u4LgZSh%mwlrqd`?k~t<E^SFD0#sU-*g(Pd<E5-Mc?cTWT)BxB!_UQEeC1_y;
z;kudX%#Pq`*4qx0eQhz}cd3bE>~5=#+Fr${M^EC9atn=6b;;fY=N4U)4?#TNOIl^F
zb;+`OrClmE8F||%qi{A5Y#HoG^IzmOsef64Jy0CBHE<XNLFS3TR|(_O>I8O4=hPwa
zhm7hHHOoeZ7mX|-!Zg>lwE!-rrf+*gH058=Sj`&0Nl=2=#)ig^N*WTOlVw=*Fy(h|
zEvSuTQpL!!CVjDO#(weN3I1Lh`qSLf(1LQo6Yb){4!mRBaVDVA9C5_H@fS47599<d
zxts&c(XiNgEQDzAaJ(!}3@|EO6vl`zYvzMtnj*z33JyJyn#<`#H=kJ4dPOA*8V^Mw
zxE)X8r0id%bP~i%I)pTe&l5yj0zctaXAI>qUOT*WNCRqR<2qgI9<u7Pe!jYmxt7Wh
zv{k-9jZxQlrFSH-*lsF$VvCJsH7a4mf{;3)VWm#B_HL<X$G76fwX$-~VD-C;%gV8K
z7Srkn$@sSSYG5A!)GXy38^y7a{O>>vOJRkT5#%*da^Altbk%5h6w3OnoU34eI9YK8
zv0Z9AXBiH{IFir=9E~Mc{w!$1rrYS`(uY{Fmk)?E<=WC6#3-75z?S+?!)hz(Hy-*^
z^#be=M6YF(xFWPrM2OWU`bCy*912>-KM|$&QjZD)=@=vTG*olb<!ERB{$<mXqi1d9
z&2d)u0V~AjfB{Q=+zPtcvEyUGj>@y)iRIi8$c;gDz=&q7Hty@i5y6N|n|%g4W_DpW
znSCIA=c-_~Z7xFc{dB*oZb2nie<UKg2H%?o2{R*1#H_2;yPTnLrep^h{!(~bSC8c7
zb_*mHwb_61>zUw76>+&6)KpleP5}?FR?(*EhQNIpYfeQQ6QTS?0NTXC>%9Yw0DXge
zW>)}IqSw5gHzqW1`Fm&*Ci&pUmP(=9hzh;by+4EfUn{>iu&r6)LU7J`LpjBj@JRSQ
zPC^xG4XYp~P_^Vn3j5Q1MdvIx-(h3ptR}mj%h((20Tk{n#$DUt+Y1I~<pRlR#iLD8
zilMMU+u^kq!K2GbMt6ga=O6?;LKOjACYZ%op`Mv%Chva!@!Bq+D~0ZY;udn?Qx|Z|
zRDD{+ZY`s7NtRnXEQv4DKN!vy{X83nuxV~^Ho^M5%t(+z$mt#%rx=a)lu4KM0+$m3
ziDI)9cyJ{Q2b*5Cn0FjiqcyaxOTHt4Ko|*}o5CsFG)SmO`4os8Y9Ox${Ss)0X}NXM
zBw^@5*+&-dcgCNy8v!wZ<@LBz+WYrO@x`I{%V4#q&yP@L$Y+ZntxaFT!BehmhH7}q
zj%P~XT_WZgF(WMyCvgzE6qm-a=;#blsi;UwDWmmXq-k)D?CUS6SN}&#u}wKH8o5ML
zjN~DtDhW<J*z2NW_{ZMb&6WhOyMy4Nlo)ne_U>0nU7xC(CMTvx>!D=_C|gTU_mOVM
zy$G?s4n71Hm8E0Kuu3s^@J5F$QZ&V9s{4AA-*c{J@~kWGEiI+Uew?AD=>*NrMp}nC
z+c_=`&k0i5xE07Q<hRrx!n<dRsc>DvJw3o5RT_HsaJwxA5Do=Lh<@XhMLtY^LG_Ah
zVMr#{n)9ySl$P_Z<i9v`nHdrVB?|1+X@eQ+t6YbBY?%eZYUw<JvSHW`Ahg#U^mh|~
zAr!}oVwEyu*j)i<_)-Z3S5x8n{N{#I?9BGr)MH_YB!rHaVK$;<ayB8YwEh!4?Fg<x
z3(4B=K!_aY1o@)LXdt`V<mBzFqY{CEQJnre%A`n1b6@2n;kN_OAwNo($Ma<Qg-YRe
zxrnL#X*04*uQgFBN81=NgSzC3Um!)H^O|l>m8)>s5)vk3bnd7p=P*~`!Sl|wF&Gn5
zo&57GQShM~6eYj7Cn1P)!vTbG){#uZN5jv91x8hEB3s{4rINp{75Qh2bJrg~&7Yej
z?C?>NOX1+3kw!opgd^ub`<f<$TV%SPmVb8{Y0LA4B9Htgb2uAJJ~l0$TY1;RAPJrr
zy|=L2tL;l1#ZW&NxN;ToM>WI0#sarL2rh`MuB!^I)=fnc2kG&h+Vu}WgCxp?+7b-$
z)oA(ammYB^(lUlPq?I?Q@^w8p%Emnyg*vL)J0DpF;Lr8iySBS^iA^y`h5reg3j)O9
z6%RG;Wy1?pOo-8e=hi01j>k@Le#X)pUl^Z~KR$9uFD<bShafqH1FX_HkQjhj^K^MZ
z9Y}~~c%8&F=PFL-7{<vi0TK$$pHL1KDw8Cis(0zX%bg=7&I+>I`{Qk1{HIc8(<&As
zei$62dq2qa)1+D8bH|rmkKy|mg8!dHRc8eJrXQ-|s3Ki?jx`|5sAo}R63P)wLw`}+
zfrvnV8NG@!_>#iblJ+8z7&zub3FDj>C$$p<3(K=!Q9Y=~DpE(@iZba97qzGE_9TTX
zk2UM$2tU6+yJegR4tOip=x6|g3R!M~qLauUy(;QME_6wW@?f6iABTzdll$|x<6rQ(
zccSpN_PlZYxsBzIMDFhS+V9;9LB!|7SSyM;o%?fFi=9SD@GJ@FR6V|4&u7*eyC`~&
z-z6>ALE+q4Rx)7yd~V@hZHeDS)JWVNrW-4cK!(an=o;aGIH>D{Z^jIe5q+s(6O!>J
zv_#qW!z8MO0=e_mQ$=-LVc_O@c&;ted8DqDGp2d|Bn16w??-6ZR4^OwzZqSRwBD*0
z8Mlk6()P2=430pzx?uLxHeZmSS0J-s1wx!GRUgMN9Yey31K|Zyk;-x5Li02`Xw&x-
z2UHZ23aPu-LfoxK1o^VS4H8t&I6M%jgkVS$9K&X8SdD*XayWmYaER*XWBvY%f!(1d
zw1<y%p!83eAm>=1tl~M9Dt47yIXMIzRa@d<X%;j)1t};$_|JAdP?9SF(NG&hb}MiQ
zL}eiEN)63*DG-gsNMHhsg&Mv!i*xA1PQ4>j14%QHjMD=~YJ2V$BlJkWlrpS7nAbd&
z<@M4j`wKH~2E}2kAj~B}OlxvR3C%ke@Mt__wIwQz0Yq5=X);ANz>q)atw7*CtHUdf
z;H#bqctnfX1(QFyo4_D%x>aQUU*~ksAwk^^OW<BM+Q#1L#D|y|z0nWST*H|)y8ylV
zIU-!bXf(?4pd}L?LAHD~-6+F`LPyg~eNq&aSbYYN5S|1*XJ|5~2}R4pFt>Qg>js-$
zxv03yKfM~nH4Z+4JNaZ^DBx9G%Q2&{t9OmULi(N@W5R4;XIG|?@_Yr!48%O!7nko<
zyFwpukUCX*o-4(A6TMVY%2ffvp`;XYa?Dbq>h*v3{u0;=`BaS$hnywF3|*<3?$&FN
z#W08hjuna=De;UHdVA4fhB5Xh2?!yH{b4Z!gok*LB@*E%e&BV`hLiK)D>BA!lj!Xt
z*(D|cSlXDOZh<*;pc%9j3Tk1REs7RiOQkKcoZWO4ohwWr15*NH?aqaz`mDgJoX0#H
z*~Z|A4I4^FXs9B&qCf+|6xi)Mt%97+16f3SSnLh`;>NQ~gg<4G6Mp1#UPw(jy7mdo
zFH=(fyv`E83<xcq%+xE{5^nXeZmd+-LxKH`hjCV_(EV!U+T`@rD&4M2=NDZk_+%tV
zsVB&Ei893drpMLRxA~}DKWtg>r8%%92c}p*TliWtOt8igC>+rHl8l!nZ5Lt1hxNps
z`_9ktY=sLX-lyrIhCnQeWtlSSKN(Of|3km;m&gPxU!r+J8#;PW?jN@0A8qw%*X2P*
zRAuwnVDT{L{s{VO%-ZK=y@jTcxNlW6vpTLv>AqtQxiS=w%dI19dJep1?1-%s_!64-
zsR!b3Qr@jQ$y;sIuSV8zxD+hA2Q|)2jO08n=6Ro_c;q7pR}<yNcv*Ld^moIZc7B&5
zSOaBC0zxCBmKY8fNqFYH$a{IVJ}3BA(-0wL@sOomK&sY??A|o(Rt(zyA!Zzl&H2d?
zn5Mgrz;-Fz6RI2|B-)Wrq*(Jizh7Udvudzo-uGJdI=HKtyUSJyx`HescD?jo6Ixkm
zWkkHuH+ni6*d7sis>o2mPtn{>mDopsG?k1*in10t1L_>PvZG_7-k9Y_PUx;0agxyT
z>X}Ep(zJfa57v}nvES{wv4k$bH{jyBs^_G^;3(OTNkzfIOBekV&}7C{2XCDMuCpPW
zMzt>oo@neXL}lQ^PryXv7@lJ|&2&RDHIA5w`UO-xF4AT&*s^YtG)->|Uk`N-`(x;1
z^}J6~{X+xsY9eV}TQ^8n(IvpBKTcw-j760=(sE;`c)@Yr6t^)dsGe|_1`BB_^Dcz<
z#?E%jShQI|DakN<oIh$U{*vc)bQBu~Ma!Vo`LIh;701#Al(f07FT^dKqea~0aSDBr
z%{VZ)ZIs$6gmXgt6=})p7z>fgP{38(ox?~)aU|STndKd_nI53OD7<CD8$;;Opzlb@
zGKHX^On&~H>jm;fH|Ey&zREDr?|B>9@I-bOv1%WK1}7r3?-p+$&ZeN8fR|C>YbVZ<
zcq$~Muah>>^x)pWIOENiz^loa)TC~ICz<8le8aH2GH9o^Bh!eFwW6)NIoU~##4dKd
zZxHPfn1-C#L8mcvbI+Dd%4>1?pvN>WOaxHmGDfZ#ixrDNb+$3^STjp!y{ziGjK~T2
zl|H-vc`WF*lfA$xZWWg^s*v_R3r}<O)4=4@B4Nl=ml3j2y=ta~3v`AjGk?wK(;NJ9
z*NE(m61%6&>-RI==})%;L15e-tuO>0M@o9w1E<L>Nl58sz6YK%x1ccSq$TyKW22rL
z@_5u*|K6z=9ugNre?TgxZES$MA=gwVd<%St5Zl79(e&_+X1aj0Rp#an+@C_nB?0e`
z6R3JLOtJS2jDerW%W$p%3@VcSYzJaCJE75_B6SjAQV!r-E^0NyG8P@ws)QKW-3;MR
zW5FIP*RICnG{O$Xdv7bPQ<UO82Koyoo1+4hq1f&gmdMh8F!5r;UAa~}r7r}<vJT5?
zRz?{hcet(R5>VlhxFsLm)^1qXF51h+viC>Q0>@bnhI=KOE}sD1F)46bIiuE@ZMaKy
zbD5XCDl<?p4!BUb``qVBkD6d7ZHe6B07c||nG>uCYEpy^;U%eE9&sr>zdbZ+&ZNvK
z<Lm1sd=ga6C`(VuGU+b05Uy$802#DeQI2RmY07Y29u{rkYHlD(XJ1n-7ycVTSGtie
zh=v-P+~btuAK(Cte36(V65u9VU7XsG7(5>RWbT!KOHi=gM`T*RqLT9CtP2qs)i(4&
zN+Nc_SZ85wEP%2G)U&I~RhvQHqKWi~0EP>be_LDgr8I`zF|lYfef5&+D^m3o2juT#
zv4r$iWagw>fHy&Y<rFUHn5S5$A5mfT#8Dir`CZ5~ZimI0bSjGX3hutb&Js{VS6al$
ziiInR2w2Pj7{d)uM1|SBvpj{SfoV1Q-9aIrqut_~$^}x3I<teLMKdJqddblPTI74|
z{du&r*EY+ViP!L?`TfZ5=dYp}%~c`B?y9Oli=4n^)w`RIgllUyib!@qU_g{B%fa@9
zweO!=frboKKQu^s73m%8CAN+1ztYG0;E7$`yCL|A^+&FU!-OYYYz>d><R|Pl_$oAw
zPfIB)U%g^)?YOUgVx5zn@2auS<pYmfugFjQRMuaA9Xcj?Jo!sW9Uerk8RM`}T)Kt3
zKQ@lHT;sxB(StUBz+MBNw29|w=+cl333yZdR{M~;5szvy&oHckmELS5Lq?i_9q{yF
zlbv_*v~dS9@-a32LW(#>C-I~}=N#V!#;oGp_l5ij2C<#DH^WLl1L`BTt2m5etAIqX
zM{-cxgLqNgwjVX*Dn2(KDuTWuux)?RM*Tqoj2AwB!+@WgDw)3a>I%oR{(j<FW|-B{
zP^`AqcZ&t9T_-l=VD8vclz}{gFObSha!HQ_7vra%uZ^y{3Ayly9o)Am;Elw{o;1Ox
z3u=~)4&ij@ECJ4W=)_&HCtgP-?jzq)AheK(z^l!Cz$fLNm;;FN{!|Xp4~Cc33ytuX
zF_>`vgW=>)c!z~}%GD?ek4_?y+Su^r4yg@zF&^M3lDFD2^D%X$$3ej-jtjY-^TMB#
zPT!-KOY@&Kj#8zSU8@{)^Y*LPRXKl%;NwPpY4mch>*j);!|bd6p@uO4IfkHRA%6zF
zrI-=BTOf>GV<lZjt$R)GsRdqdydu3hlf(NP^(}ojNl_?c^cv}Ui9CVlV*p?)pNdMf
zvvY5Qvg2VX<I5iWhxn~b#s!I(nVn?h`V(A&J%i+2$|mE~jk3&3FMdrjx^89L9$Imk
z;3!*n1!d6f?p#hA=pkENCYIO7$A1}8&S4oJMZ`dL4%jf*AG(R8OSA`uVI)Km)-9nL
z5t<`#Q$w}aAbp(71b|5Ak&l1YP*$m>=*(-}MwN=4pfA*}f;#@-;P=D9!)skj8puj8
zYd#wTezo*>`-JPu3+i95#4#zAxWQCfNDW5C=CpG!z**JNlzN~k&6?@RLy;T0S6*9_
zCjX~K2148d3rpxJ6HhC9R+$0*zPA~HP!&^M<A~SiVNQXe>#y}wB)_1N^7=va{vZbj
zOG60N=j4%kH&w2Qqy_&88pT-=3CQWTwQzIS62LsGS_Jp^%hP!6r>U9fML)J{4rjS^
zSh1FR!k5`{Kellg|1Z^`WE37u>>4-`sGX=&4E-HQ4$?3&kU+}L)jBJP&3EZgf8#?3
zyYO=>Hb-_yv`Ks7%V{j&)C!epYqBxj5oGFXc&~xGAj<|)i}8qXDN@zyzOB%lzIQgg
zHw7cFu!jTkS!)WQx`1}AtRuh&r5cEdjVj!=;leAtyynXvjbBV3Hncjh4rCIQrEk(w
z{SHD^$}|@jF<)s-R{Tbk>pri8K_1pi%AEuFB5($2bTTndhN%Qko~wytej^uANv?6t
zYPz^Vy&~It27I=R2`n5<A@TxrzG%@bBU9I^^uN}Wv;rWBJKWr~0Q!zQr?5yJ_zHaz
z%&{T);T_9HltW;#(sqFdUELc;U+W!fTg_1<@2YMP;bOiz$iol_koO2Onf))Z1HlK)
z_;exy>eLyGBBx^I)t?`e%*-8H67_p5mhxTY6d>xm;|^`i-1O5tcZsS4SkOCc$13;R
zgJ`X~N>ytX_(6?Kn)=tu&0V!ZyOeyft3y&y-mEEi#TBNH#p?l5m8g-Do%61zE9gcb
zL<kF-J`Pa?22d(tHU+4WCQ+uSj@Zuc?nTbOO*rzuY_>W&FXeiJrYbOZ`RTZK_Fie{
z<7s`XB6RUFn~)K!>5Yy`Y~3%q5uh_MXva7)f6kD0pV=b4kiIONPtfj6%Y&7J1619!
zw@3ljBg+?lBzT6*bE`k#tpeDm_9auis-onL+kXD=&o?SoV|0FZp0c#;+!x}@oI6`%
znT|WV_7X}-NWTJDDWqH0kqv>HT?BJxt)f3Q=#HjoKM0Yhqukr@($w6w+0UjvWSo)G
z%;I_)i-Sg@Q-IVIs^B2dmdu({8~_Q^@P>7di$aBY7s3yZAO&zpd#HHRz{7qyAkwAb
zVR2z!MZ7)(cZGy~bu|7h{Tj*xr8C)mfK^;ev3}!{n0JGfe!bN(auY?_lCSf4`CzLr
zi988L`&iEm)+6h=suXal!<e7;7ygwzUe3=cNMn8iK7oDLC4O>|(eu74J-<v?$11z*
zkABZ59^7x){Yb#Vo%`}BE_t~*x3cP7Zkn)_F;{0|9{lHgo^|7NkWf0ic&uceWi-+R
zh-b2hYgCcHBj4e1tl;zFEKyVp4#god<*;EN(OiHS4O55z984$7u)#a8v>aM(JtzyL
zzMAtwW53~rc)yq?DU_2nK(;k8C$GLvdupJ;!yI&MqPMi|ldC#JEzWpJTn%eB9z(Yv
zr0q;)1IUO6u?%!bSuuCX04O`Rn*{eYobyIvlD7m#Q2>2<5Hap2(Rrv^!&!){txO<-
z*p_?~53&4Vh*yDB5_!8f$s{zdfUR>Ka^QS(dMf(5jQRL21~U6Y@6D{;vnuqNO+p)s
zxDYrqxhs=n&e~5)jW8Z4`j!iU(#|9jd3^W>mK@Eny(IbUjuCetp`m5F-F5CtB^_n>
znLk#@zji2<iCh)NFfCA}^$1x;YHEdH<rIy~c+3?6$GdAg9>7S-Qxo<y%a}*&4rC%O
zLRvmO8}XAH?0C}t2g;tNol;JowAf^UjX*UH?HiAMh|t$BV$<*Nm<89CJ-i%p+?aW8
zj*lUfs*SusCflAr2KY!DWuZU(q>f?<8e>va<s+=2H6ikOqqx1cQ)<_qNVU%2klRJq
zpGe_~$At{g^Tu;#kPn9&V54Js0=TxJG4@m&{p%*<7)j&ZdtxfiG(9(e%cj!Sbj6x+
zR(A2@8C*W#F}8?KTx=H9;7!QbmJuR3%2{%wFPI~;EJx3+K{`KboPFt71_cTUT54x{
zg>Drcs-_J{{=FUHXi%TKmMG)>u}?MM1!0d&Pe`@Yz5E=f$&bm-OL12KjV+9CWPY6X
z{b%<Xaxtmq=hAsiLt!(nHsRgG)Ze=!cGs}RPYM#Ucyzmu=2p<m`?%tsDReZfiQOP@
z-67G7UVJY^7wa+$=&~%3b4{%Bh0)vx(Yv~=rbDJv<#lP17(v0A+T+$xFEsZaEW-zt
z;$OG@^!=Ly`7bwmiO%J7ni(;;aA%{TSd*(F^`641qz>vn2iq(P(KK;Y0c9tS<In9?
zy1GW~(?1*ETaA%mpa<6KXYCtNVk^65XR~LKkeeE}u*(<xEh!+ZPmrPxM>m;S;`l5O
zi%{Jy+Xm(V_Dv+)`MV_MCzG*Fzz`YTiLLE_lIDPtmpniThyS+0RO&aXh&rg2MG-s0
zp$uoa1j!hYXwLm5&zbe4d<}D@to9IW`>`4C;%Dg_bF2guRs=kqpwR~LBRHfgpLSeW
z?3W_<Z#R$9qAsMV9<NP**f7zyNY!wR#!td`qIJe&XtrBf$P7sgK3riNBq$Iqje82y
zOeIN}s3ou}9}Y6L97Z-pxrW}p+*NQ^)hWH?!o~$L>H#Xx!6XeiY{sr69jq0SL8a{J
zBHXy2C8b)i>CFc`YU_w9ruQ=}#$68_kXkpeAvB0*r;5>P8gkHG<P`5t<^WP;Gv^ra
zPRNurnAc=TpDBH@b%(?pC3dP?II1aEacQ_L{-ZU7g@AX7bwYLq;S(5jaNX+gRbF(n
zaScL}`rcWD<U9YZ6Nw%*RRVsd8yaJOz^uDl&@5gnfDot6$Ps18R=wYP&j_kcb`;D|
z@+a&ujK-Z5e_5CQCP_@E_@#XnC75U`)#5?ynFw<uYy=ar!Zg!<?w%NSNAJFR`$F?*
zQ-A*7B1{5w69wYUi>2Ve(foyyM9oDJKtv?nux3LSh9{XFN0qkeIyFB@wIH@P?4-)Q
ziTsL*NcGTemoYbd&#vZg(FG~YbXiT^M=tukKRRr+f9HU?qHr0qVtI0n?31DbKJEC1
zS$~DIM+ho)8`|5TYR`D5F!C-XR<eRlMS-1S3MPvZ93*Jv{h@I%*C>bPBwc|hav56y
zJ!X9b;Q<6o2ZKv|Uc~5?n~>o~&wKJ@4mMJv_am)*UN1PzxQ5V^CX3)}u~@q0)2DWK
zY7yW#_Z1XwV%^BD&C*t6OzfmR5?^)HAtV=SLd+%~P#GEcEZA8I(2)~J&=%Nx+cv>d
z-4{GEy=M0Zi0`02?`0mVJ#Z3qGzu=i%%WGHe5`_#kn3)2lyA5dy7;p#jiU2myMn9S
zv=|YkM?S?$LzKsKb@WWKR@st8k)=t8=5%x~k)O`rm^qG%PzUw7n|Jb-f(a37|HAW^
zmWZ4oLc{_)4*2;Dk`vJIA*%uAj>-i6WfB$VFsRq%hDSGBkTo)Z{p{apM#u?oBXc8~
zjC}-Ri8OIVX~ip6ygs2SNkM`^-8V5*QKF?19VAx(Mchs(Kb|Vei@d=Vj%!^3fxYFt
zdv{8zyAh9Nhk8rS2j7F&O%lMOsl?XaDjm07FNYH%b<RH<cLxI2d$8w5uJGRNIiX5s
z+z`rA5(N4y)JsSzS20VBrAn{mqU{il0Q4ns_7X>y4E$Y)oB)2714XpvvUjJNL`zfy
zK^c2EN1igc`=SfVXl?SQRG`*DvKz=o11Rx}QV7fxE+Vho9K?tmL%78G1(p*yNp7cC
z;&5j^U{_beKSA`8E{3MiW97(6w;~Er)woL{Q*ZJ|UYE0>8liAqVINCCzRsz5K?VL3
z(K7uIw)9?B{ZJY!D)JHUkf&`)l8$JCn>bnTa3_;bgiKIZ%gfJEY08AU9)=O)>3Lmv
z(68Oarqo(G;o84hYJRShOfAY9MtGvj_pc`+<DXw&HK;-$vcIXVrkBV8PuA#&KIjRn
zYzOA0$4}Sgb-XL1pf66U+<V0%LvgoKj01Eqv{S++=M!bAJ-bzFbr}(LIi@Nsso2mZ
z#JJm;+ohnE+XdK9{%fb?L^3v{5MbHoAGO$og;HFfm%k#71g71{uA5V=#cD%DSA%ND
zdK@4B%D{`>7J;z6!&oEU0NjP0m&5C`LG2@HiZ?D+bBr~}m}skEhQ0kD1H+q~&70rC
zK6#3&8il=)+ObDsSb$$-=V=ckW6?4ox;LW2YD%#wQmV6P%006S<<3Xe37QmQ6f&PN
zXuT9#!*6M&zp~0^hJ)U}!YDf{V^vvc*j}>K%Z<;?zY1I5a7-Hn;t|D7q?8dNp1s|Y
z<3h4XTN;zRT%T{@qwv_^y$a7}dgk}pU*-oJWKQrgk-chvpuU=+6bHN*wHw#LKnuNq
zpx~)wAs3yThoIL#)>6deA@(Fe*Kk@^UU7Dao!xi7pdkL;0;%6C;%Wm<slY2cb)r}`
zf63P~pyPrdikJ{45+QhU_n{(MWs$|7h)BjBrYYpT36z?1=aEsU>v<G*p*`e`5$dz%
zS=Ft1((k5-PACh&(79d*-O{SE(>5F0;%zwBD2RyZf?yDUuJVZbTZ3%*z$2TETe7es
zDL{6tA%F2G18X&ad#2sxaFcbJoT4bkFxj!)Do3kq<9>S|F9B+{fhL;YGo{p)Ya2dW
zC2sA@_YPu-=yYdtqIHBliY^J?tz0M>W;PFpIclAHxX&2cVLE-l0lW*6u+aj%sf2ag
ziss$$`^^?9!l6tyO$XCGlB<iBSl<ElbM8}`YSvdrJNiif7dA0^bQDBJ`i0a^*Hp{Z
zG!D#d(0q@5ax8KW?JbSA5sJ#+5PC#ic-`4AAKc_+#+{Q)i%9bOtr?KKD_*sn$pLSD
zo1f-d_roE3eEjhN#qcdOT!cvEnbPiH5S3MNTiHD51kbI!t)uh6z1=Z7Yn+6zeQ3Gm
zn@rOH4oBgOn23kXhOqXpZi;Y1LI!Sy1m_JVEEC;?hmx{UE`%_rxU32PB~_pgK#>u7
zE)Aa07F8(zZGG?#zVNJgv(v1}n!F9iGT{$o54=>YMrhiS_%6xevFr+U<~C5W__A8&
z<&D(w_UC3#dGkdL6MCwO%A@<jFswqVF@*NG5){RI&&UHu8&__1OFJCoJYa(q9><1*
zV=UYQ!i-LUNFlH95QMC-eFJt$UwrW*cH|UvEDAX_Mx~`{idy>~1|6xjXk7@uUB+)=
z_n#@X$-80l1`?`Re*vxjAsIsv=UA4E>GLQzA!lxEG2+LyRhjMRX<`_#bjb0k8-LtQ
zA}HK64bCK5w^^cxypFXo!9u1E{z!53EB3~s#3UmhJ+ZJI`|#_c9uGcVEUA8kymkM?
zxytGoWRu-Hz^GZ)rN=`s+?zfyc-M(Bt1Jj`*Y{3T_xm;bVv9yV4VaB$?>Bc>XPxGr
zWZshwrhkXrOVoK)Rwz0IAn}oSAfCXp*GCaOaSvQD%3Fr3mx*maVIaut)oK@mhR5<t
zS@((k$@6<idWtme1_Hz&yJw^S(lp!N!ZWq0%#xLSQh0<zasGWop0e3~9^z7vU_Mxk
zx4pf~bkUj`UCLsh8Xbq9Uh)$Ell`uA3AD=rRCywh9mw1Gc}rT)NPbkqGIs?UwsZ+D
zWdT;!!YXtIu;e)Od=jYHs+t<-LpxL<xDcCCazXT9k-Mtq)8wZLx@}nSyZYdoH@(8K
z)4V{Z1l+fvyR{>Q>!jZTxFG{aj**niOB`~}raI;`CZ`&r;Y>Gv^a-TxtRv(jX!2Zl
z%i;Pyq(QMETUb+Gev-XbTx2vP=V2D%R)keoDQcCgbvmNM0WZNv5BSY(_e-jmbTw`8
zE_xq_YyUW5dEMRKu>6Ufe>FkJ3G)2;iHNrv+w04frVfE!xS(je?Dh#N@Z>7MXs#%!
zW_vXgzC$eQ5(u_v{UYrvUQ~OH`Pz7T>$AI?`9ritS}gXZ_?e-0dgkI&t7j%)C}EYK
zD@tg?`6U(J^-X;nVw&<p=<5qn?*H8zwD#drtsr#@9%2RtT1ABiLi*ktwAMGbQ8Ko+
zv-;j1{NKjlLY8gJMzhP%Hu|wEMl1Lduv7*QPvXd1c{lV7gxEZRjjaxtK!498+gaAd
z#JTilgy)mO+>{&dT&So`V_Yn{dJLX8Pv#L$+-q2R&&S8MHQV&3{nhs1)8lFm+w>ML
zg6kW9*PlhN+uN?LCfmI?HxD=SuP1MG-Pen^5bHP9zd`yqnCLZvogJ&*W=>z<OxRoz
z@_f;KySU)z@tDp2Yio<>zOK7#<I~k;Jw>c@d)O0lakbYA;bEq6-EtW49@oX+xqgXt
z(xdaX>Cz(|0>6HKb#>X?(a+z-@4duQ$}Q%R{v?g^IH_aX%>ESOSw9KL6Ub=XwANu4
zu+n+!f6(1KtT@xY54pJPZ!r1VZZF<g&6=DXrS)1!&8TV#sXjo&KR`spzcg?x{?K>z
zdV5?6B}+eBx81#1@9*eT_I&3UFuJlu@Tp^ey71<|-1YY8xx2}6U4QF1((UBQJ}4O;
zK7E+zuY2@%^?I5qHr=*C%y{#Hqi4JPtZj>89H`~AVs~}v*<RW7aN&55=Qi+Jd4Hem
z7hlQvJ|pArZT0zd+(*PFc+X_V$Gbzr3!zQ5?Nf-EkmJH6Kzrl;{mkWQ{B!DcBzp4Q
z{qC&8^2^4tYdf%Y92bktyv1vKtjE2J^Wyq^<#M~7-<#W8`$K5%^{JDX+;ur-HRdI7
zx~4nERx`qiJ<E^%t-vyRd(ykV{>)%6d`M8*b9m@5#<t$)R#%mtul?|4(f(}_UH4rn
z`XeD$l&IsJO<{x|XS$_r65iSoka4j-d8X-c2e7+%dg+MdWac|u%g7X4Zn-Ib`SWyR
z=fjQ_zHZ}#RLOaN<Q0VI{<3)Z;MK~vPv_l1PmW4^Ya4UJ*3Hx0gaP-C*W20V?J-_$
z`{iqw{>6*h*t53T<jj6!&pUqb_F5ce+?f4&B>uE_LNQ&lhFH`6d{S_p%DU~M{dg{z
zba8^OjcC-3HIlGP@yx}tzD7O$*&DOz9E$rj8m+M8ZL{teJYI4h{mhXWqlq`{<nwXx
z$fn)%!4;|~to;l0CNm5l|6{gzIK;O5s1wl4JD0M#80S<Thl`){=zng25*-rym5?;)
zdix>t@y5lo?e%_ls)Voexvss@WIVOynf2uMc3JD=Ol9#_fu1o;deca_Jb<1dD(a5%
z@p1Wj4R8vT)mX$il$T5Kw}rj1LriKnsg#W-PGfhSWuN*PLywD|?_vL7LDE`*Ueu+2
zeSSLlaq-}@JzPD-Q{wy=Jtg05q^|j9cQ3YLSrJjF@ycc0?n*ZKkJ(l4Co;eJ$X=m)
zp4<Fw1-fdlZj+ByJJ6OBFb~e&?&U?bF0YNGE2_fI<_n!y*YM6X*RdKK{{^<&0=uXP
zC+j+_N_XO=569B(ogvPf14j&>c=m5^lUHxa>R`bap^4WDZ00k)aenbdfX-*#kB^ex
zmZ}%Esz1CR-i-!X!6JrembrsHqRsE8eB7GRI%ni#av={6`x{?-C&1EH*T}<jpmar|
z%wS{vSvT*#+sypFiTJgD-+c|de=+j!gd3=;Rchy1E#KMHBRZyDUD@uwEXp91zmq=<
zwMi%mfTC!T2Rp}31RkfAp$d-&IF-Gw6s5%6J$qoPXlt82Jfr0wbuP2pyP7?6r@zvW
z(q+B(t$xKyhHOR^4Glu^iN^phepL{xZ<=zyv&7h}&9%G~x&2YWzjau>v}@#!T<=;`
z&Wm^N)2LeuFgONbifA`jQlX>F7F=l7d(y$gQqgXHQ|tZmI!7?-;2%xeVLspLz=~Y`
zaD;h9S@$ZfM|5wqa&>R)z-aNPV5V|wl&>E_VOXGJFqInggaVqnHnO5x(T+c-qhHsa
zvT+q}?$9dTJV5OjKUmkEJNL$W^aTrZv2~UZPs=}?utUR4&rMw#s*lY@*eNQjkgMg6
zKaWnih;CTN9d#KFTEi__!A-GsEnNNJIR_3Sir&=Jp5wtFrHLSP3(o)9)($x(h&RVw
za`%h;*?$vl^zyWRbMf3o)u^K)XiZzXu0x}H6K(SHNFPzGoJ{R`f9QM%Q&amQOU4;D
zRW-Jx9EtkS=~MC*O#T`MNYd~r-0121fQr=%owy4f+J(zS)DG4077vkzH}@6L_*b>f
zht}@|jAyWs4C#(K#}t(<Q-QNWShdul{7MGC@##iSul1W}-}r<J9r}gK2h@(`Z@l#X
z@W@_`9)KyS3Pr8O)Jjuv$X>a09vAd(lcr|1QL9I-2UwS7l8&=+m*s|a?SzYJbPHGB
z!OK4{F3T((IU&3RjG`TTt()B166L!awL5Oj9;Ee~0#H90z+s8h5Q@sm30F6@nmf`q
zFN3XI8{|4NC|%gcTRQUoE!@s<uLodBihO|;>eBkLy>4XY(7w~r?2f;w`p$Q2p`Atj
z0zt{CbBDMzZ2I!$@LqVHzp;3Ky~NcE8+7$CC%8^(n;l6$ay!CPj5u_DNyf|q+v0vi
z0g8-Um+X)#B{e)3rC38)N4QdWhzmkJ$G2YQZ)L<m<@~QREHP@dCS<h=pz=G-JgF(r
z>4R+c$6*-a`B82aW#z2I$hOC2(xZ913JgG%f%gv8@qjW7T3fjIgmNWNI}DNYg$Q3E
zr~Pu@aW{(pOxZ3W6QXkUOL_BzIs8QGxfk>lm~Q0@%PrOKnTph$E*LIPG|8eG17vSB
z>YW;YC_RrjMDy6wcNGe2rd(y_cJ_A63knm^RGziEIgW8J@b-OAtUxqkRF#PseekUQ
z@FIUT#;}2Kv|Kd-qq?q<5EgPQ%~rovXiJ>}fr`}VR8j7Bhl%ULG&!nJu4xb_r|-nw
zDlvfT4ZMk{kHu7Il19VD<y0zt$6$z(|4F<odWwE?{bZ!F+|byvzZ{5Z`CW~%K%Nn9
zDI#69+@btCd^#GjmC6L7DR|aYc+svpW7u>!8jywnN#j4^Sr=cb7`UvX(6bLtX!bFy
z_oX7%n323@ns*t^bR77i=E9Mrs1J`C{Shn%6~wDj11$z&)T#*j)^zrTu%w;6sqfb)
zYBKeCUcw2V7?<CzzDk>B+Wo=u)b7mxszm<KWaO_$b26b$hOr(bv7lD*wFZw{e<Z@6
z!}x9%;exVUpB<TVC|rT1&6(I}rW0!+4{)jRO*L86W;l`?^<hbif3)qO!b?>unB5=@
zR5bz7hR!}H){gLzs~}K<1%L)tgDW`psJ;3{5=t{~$IRdd_z`Fnpbx4)=mnE*29u5^
z3D8Fp3`?!o`pc;GpZofMw`v3&J?<=)x(m@g*wVs8dY?uYcE&9+sjg_)*>}iJKM>IO
z4u^gWhn_rUr;pqpgvOvn!1Ntg2<z5=RYk4BEGZ=z6BA9y8pn|cM&-na+7<*X`nyjU
zbdgnQSvdfZEI^+ECY_W)Yb{7HtZ?x9Ka?(;vJIl+1i;Hm-5mmZLQ_rKX&ZIRl)2Xm
z=u<Fi<uYnv=(jTP_k(lw2Nf}Cr4HEXgTtYR!nL5k#6tXo{h9k4k5^LXyF={$2W2*c
zJQ%upyKL8U+S31tJshxum92CZ40_qkHqcxBXgef_l#&F7t6bPnBUU7poGSUR$p4_H
zFPsE{Ff(ucp;Mghh$to-r}psBK^*{v<yQ8YvWBe;eRlfZ!LUxju#(2D3}Jvi7!0}}
zm^Spcgp;8CXd*`~g4d&xx+2LxV)N$HF|Xk7)<_oIy{XIR+8zEg^WgUVW)zjBFr_0#
z8B(q47pO4K8gS+$>AGeC4`rN-neS>dXr=!DSKHB`HHiJlNl*?=RnUFt%%#b_fvHF)
zS_HjFT5i!<ITJAVALw7iFZPX!e~9&{r68J;+U7u&CM64m@peOgs4-AsAxYt8QF7?c
zVN~Pjw>o$SQ=h=8(j@`L#Nkw{eE||g{r`wEk7+}OB8p*6%m_^_+qBg^w}5ed+X6W0
zR;zgT!&BU_)gcft_JUbm$gI_-6iiLdsMQ7%Oda;WZU?s`w4gv3dMfDD%PFtEFrj-}
zCmODu79u&<%3&QzV)Z8x!>LY9+mU7g#=e=t83q{pCaCzo?B0LEZxO_=WXk0YNH!|d
zU_^<Z?DtkSKgw%X`xBO4$f(8n2($lx2n<oS_pYLbt*i_U4qH}^`MWo*s?A8pLep=g
zVM9(MgxVZVHJU+-lfOU7DVREC%<h0Bm|FF(9cdikA3bMc*o?kZ$x-j?5HlQTWdk&R
znPA0QI^#WGmnJF~l_Ziz0mhJmsgF!s<EQKn6fmnZ2kZ`DFse!Zr>u08e%g)ct3bVc
zMy&-Je+2j7Gotw^wZo>GAh9(p9h`4*{a3v?tNLjfHe`;e3Yu(_cZyAn!$lT(T8Pv7
z$HYge_0Q(!VdIDF4xsvz?wGa2O<Ntx;8bM{S{=aQRFVJ3RQM!-OJC@Zb$rg7C9>dN
zPLmANWh2_mN}(XV@IBA}F8P9UYnB{%$P7<cY^^&VzQx1=-}1XzysMtvFDkB_{|XBX
zudoc@gJM+fbufyRa^V{qfrHxOX+8{!KyyHXof5_BA4Cd{_)htoCR$YegW_=L-}R0g
zvHNG_l=i5sLtAEh!fVwoe4>UousV_*_9BX!mZwLMNPI&WwZ8eu!QU^!)j#-6lkaNV
ze;dlb6gzB0Xrbch(G0;pg_=AAD_WRT9Bb0kXr#{$|9w+>N78ct>G|IW4A@Ds_Ml1J
zj};rGE_S;QW7*=#sf>8y*2P2ljn8?o#tqro2Lg7#ZS({V{hKTH$o+%gEd96HSf?F{
z+=NOHMd9&bGrT$U871gE%yg87Qn-~AOW)Q0k6Ytm*w{;}kT1-sk19{z?&vU8Ch5~D
zCu35g2p>3H&`;T!!=Z~}(0$7zZpzNS3=aKUT3W#UBLAN(Q?)J})!Aua?%~{<dsLK-
zaue=B3ec(>v5@{7+AZ0J0%6W#t3!zG4;^)f#w<vpqKd#+xRc>(f&PyVa`f5Rdk052
z1xI}QAV(Nr_uB{mWtX(%B|(gf1oKA7cK3mfojGPo9|K&u0T)((VT=x>_Kil;7DWV0
za0D?N`nNp9Oj}!(f+G?z=)V1g=wETA7TkT;8^t2Uv}yIKG`$49wJP-hAx#;^tNMlN
zc-JiCKgtb?<^1i2m^S1C#g&>26N1^x`OcFb5SCdNy5Q*krFGBUxFUwF7J-2BZ(sOc
z?QT*Et{`L7Y61za_;>vL#<BGFGjbM0U_6l%P4>jQ)x+Cnh$uHn+8r&|0K?7weqr=0
ze|ys8v>jR&p!}O`tYLui?{16y>q+Fnni$_R#Js4cQ7O`K^V1~UI9hVFGLB9F&8bSV
z0tqb&P>vK_acJ5aK4rJ~?F{Jyc8lN6K=kj-J>~lL(xk+)-_vl{T-^AUCgo6(qNat(
zbmhDB0@VK<dcl>_wNHW?ifo0a9X&jcdGadYb)nO?Bp9QOrTl&zDSXIo5vpJLTVf)n
ztrp*|AZ^fU@$Cvo|IROSTpMjWZ|cUaf)K5fD(SXEY^RB`OsIUBN&10No;AwNb$OQH
zir*O3={W!@u72h3##<owD}O&W!v7U%`$1D+x~}t{CyEkWoS&swa^v50BRyb?SOSIe
zvpGlZ|BesujQia+J%(IXn&)pz+i89|2tA~e{ggGI2<o}7EdKUN);_z%cR1Bq%xVp)
ze&qy=Y7O9i<$qrsjv67F?G>vqZM#z(n5pr3Uc*>S)ETqU6&4pPP)HH1-`4bhxjW#(
zKkEm|p*;fGVLEFllmNrHKs}c_APK6NX|N;xzi$5ZVshrAU!&{ufdAHN*lZ6rZteBP
zc9~u}%$CDdV;4CbjTgt~;@mt7*|Pb0J98Rx5SQQbF>d(ozp(<)#&4;s!LV4f9|mZ>
znY=x&^;krv+cfuNA1uy5LrmFa%g722U)l`So7W!Xkj%;3XA9@_4_w;tafft!nEmGW
z3Kl#zo@)F0opAWNq#NQ{I_^HNs3n$_N31=S?f4)DBEaaUCs7gdgf~fuF_p&%!%iFG
zn<ymPw@P*>hghdQmN%VeDVrc9Bz3XjZz_LSy0wkFa!tB-JETY+b@{atjvhq(LKN{r
z6gG*oWzV9#Z&x0v-(g-xBwlt)qGw}JexJHgr1XM=^Tbld1O}MeWRIs3N(r642!K{>
zpNTXVor8!l54e9sxZ+Od<jCYST(Q+SB%pN620NFY$i$oPNaV~3xXUJU3?|rW1D?)*
z=eyhkaOA#BT|TuT3Vk^U#AR_s6Y()q>8He1DhyUCBm`ja4VXEU0rs(oBj)2J<KoZ6
zR{#V1r~3VpqYs<|*XHq-p(xpJv58tjDL?b;V-1QTep=Uj8D43pe1G8V)ca-GeDz}z
z4;z^k2+EgTp0$$lr+WEeS^NN+@+KSgh#9nz|HRMOuu(AKIu<TjyNM+$YaiToL(`|H
z?!SD~oqw}M)t*|7g^l*%(c}G@sx(E6h6aiIc<DadJocg1^z(9Y>E^IJDBJ2?%u<?o
zXd2Qhag*blAO)zY$24F{C*qq#7{)^4Sh1PR>kX=hfF=B7rk2<-wvAQMlH#i@XXXz_
zX5{nWaFa@wv)NT0qR-<KLV{EhG7A*q?+DCHMMlMev()1opoU%;;thq^q#<aUB#PX7
zl-m8#sC4tk_DAC?O@rbeD*tew8}Cc3Fn0tV=vOb2oU2npd;Cyp$`338TBL#21e5f_
zfNmfxB_qbF!imh<5t<0WpF`-%x&Ti6`?<PgbYuA3D|Fa-YwI7eGZs<zcg2N>I!PgJ
zSm8twS)EKZS_&qTLz659-8`x*QLBunS<)B}PfMCAMpFDBfS?<#hzb1BMErn=<Eme*
z2!4}Qow4cC_&W2$SB1^KZU7B`UczJoG>|*Ue>gs|nnv`wof6SdG9E6JW4fU={oR?n
z2(0#vV5=XEv^L`wX9~IZl1Qf?kvKp*qronmeq18Y8dQVMybkQAwUDIoctW>L-Murq
zg~D&nm--ar>^i}>$an}W**U?2&afer=2;5E!Z?f4(mAVRkjY4N+e0*;1RE17+B&a;
z$-SulX0JTj4dl!y%`4Z+$(&W6oxOAKQ+;j}9S`0IB1l-Lq4-S_)4`5;igze#1JtYA
z%lO}Z`9gV0rl*b$wdZ(P94?QVSvHnf?)Y9;GU8Z3Z|U`CT+EO|EZ4ye3=-loL_@JY
zI0%$Yjc^q#jl#&h1!vM-f1`9E#am{ct~zCBXbL~1nMhYmL*A?X?Z;xLATnJY0yVGm
znBR9cQiqbU*suMDj=biWFo+1O4(E}+Dp@8UcJ=pVMO?E!8Dn@HxH4bxc^xiA8#}I`
zANerDFUeg$&yy#f31VZc)JC(hV$*-}*}wmaOwytEd=GJRJCnw#d~jjQ7@Br<UCnqL
zfX<CWF|%D4__Nk;*Vi-H(IxYgYClB>x6IL*Ljkw^>45{`qhjtG?zT<2kus_lHoN3e
z5NotjOQ?GvQ_nHZ9#I;0)bOcz@Sb1B<3lLtE@Y|8L|tAHFZfGBqN8dmTUo+5nY0)-
zs(D4>F+ZLL_IU@=X{tM2ARlmro=l>iPlzJc{j~{cAo>}_i(7cFozPKz#1mr!W3eBA
zJGnCcvnNt({zdP6xWy`i%!8k}j_8O!>o@>=YgXn1oFwttGj=CNU5u&Nx3?=5NbiNH
z#Bn(XiQEp_W_m|VcnBaZMbJSKs0C1=y&igg97+Su6PK1jog#Gnt$i~Cn~T`rD*eft
znUDuM=plpp!}P~g-r7mxgkdUCx)|~gLG>sOp`Gefss1|tz*#H7Y;03E*-Xv}l{nEO
zs^tvMPmbX86__7VQJ;nF*tQS@(S2ruX%T<FF3l}$dHj9yV?Jky1w|xEcN5RGw6(j<
zp~jff9~Gvof6;s1#odgoeC-JQrniX4K29@F5C&kt^d^%v<O#B#`79lcSXkeJ93F^6
zDN`A-i=VrL{mJfZfQ!IJI8vjLe)SfW>SNdUAQHhe-J0E8LF7CCg#A40An($7dM@?2
zj&W^xG;)KdH_#!-vM8+mb#lX+^QR`H_xTS7_sxuLBQwT5nL}~Q*Z4++=eiOlUd0BW
z0i0QAe|{6__F>%)0!JW)_ShY9=x@`q<Q+(Xn`btV%{A!CuBHibn&-{{p28p7{aVxK
zc=?(33_<lmiEru3RuYyR)#%xRW}?c+-TcVbE9sM%q^39=Wlfi5PC=r|ES_@9BRfL9
z-N%|Z{QcBtZ2BIwmZ3eAV0lS;8DLidp73W-rMRB2ZYZm#RYULoUQ4#}{{e77kH1L_
z6@BB!AAbG_yj8wcsf<sqVMyCO5?Q5DN~WjPpjX}uPY0)TH~2PkMk9Y%wq4e|Ppf&N
z>&=P1^4O&dcybLjNnA+!atg_4u<iAGYlY%$i2L~aGdP9A_SIQv`zlV+7coB&doF84
zc0)fp<GGhz7fqAwPWyrS;onI-pG@G4^@m4(b7I`~z2SpHPT<J#Y3Hp!@qY0FJjr`*
z!^{nb=D!1xL?IXQnI-)|oSSgx$Zce|f++jWCro1g-tkEjp1lKn(qw0D<eoIu=Em#^
z6RYjEo-m!}{^?1Rn(T_6E}6DX&eNqfbG!1SNzUGMJTBQ;RKH(-D}+0|x3G&@X!|38
zk5c-#F*NTSY7_0V=;E?_8T+$T*WTTFs7;N75RtCgJx!j~gVi_5qQzy@beRn<v2}WK
z?Oj-#m)#4C?#`ZI-z=o`%j=m%wtr8sUl!2~=5@;g+sh}|D-~3Td7V*y*ZSo8psc1b
zyZI&e!B4K`6%>+rV_$Z2{RG=zN^hCh_A<Nmr`GO@>dnmNS33nfwO&|63tGqt6^<BB
zus;@3mR8w0JmM^2du=(gq|zBL%>GRqU@c+HH1TE*o`KT6UBUKIW?7LX7|*?Zu3B25
zxhM|&PCOm^x(%vkk;Ma??dry{3Xz4TQ$RH}H=`|ibR$aL+|00{)IJv3$q{K)c#$^w
z$}GuVkT6lxhRB-o<1!YEybRXe_Tf^95thgHsUw+os@SWEkxq4(YQFm3G6mSC#Vxez
z3Zu-12nvhr;=GCDk5d%Uw-tzq=hJBz%`&M05h-P*m!g`Sg%OnO<cx)E0Vm=|&3Y>%
z6WVfN9%*^Y@*0+3w&oX2vFcA{idMS~rUh!o{A&)gi8L8jyJ-{m_qN;ugS2MFj~V$2
znN-cgXM!tgpsdilrv?C4Q!YGbhys2snliRrKSm#iSEc1t6s>zYWRhs6PEl$xg{@XV
z)yYm|<qRnJP0HhHm-Y%v`jcMDvt1tYi?TWyENZQt?VYfB`-kP{fWrMkWzkXd+V=+q
z`+`dQf$IAJZSAnH`$g-0`E_2aEMr|STF<Mj<CWI$>g%>#k2B}R6-`g2I9ZeW^1dd^
z%-y=sDrGJ_TV?x{WKU#6K|z)eNi`pkQobLx&qwX^@g#jd3Vc1%TA2k53Kc`bJWRQy
zFGsQBXgLydK;Uvd8fz!8Dr&oo@5KW&rV7kjXi@r@4XJ>OF6=Au0L>@{GOPMPtexlr
z<gtQp!`ewLh6=0sEIa_gdDvcgUxalNS`Lh>>|?NQvMZoxi}?;bKm)44U4=7vHm9pU
z-)jZu8N8+2D^6Ltn~^7E*j7A(^30#JcX>L7YZcm4d8_l(4bv*Mz0%I83Vi&;+g)WN
z^`s5UDz&=AzUwI(j#X%5(KhXg8HQD8S&3cU(=+_4)V|zJV4*qBgBo^~Z&%4Z<C8Sp
zD&NW~Tg<|dd^E$XO6{$*BdxM>K7y30KaFj#&<Gc}yr#RVyo+m|Yip^!@I$!Lq^KsP
zwzZE&+M;{WM<jTWE#xDTyTI1(5veV|cY8D<OYXoPjlS}ms7EBR%wFiR$g8%Oc`Pay
z*oHhJsf+9$9)etxTEl)jZ_7~}S20OmZ1AvzF~M+c@olj>YhdU)wCyTG+cIokLi2LJ
z_BY=BME<c!F>VEOJ$888wB%`wge2O|N_p~<X(z|?E-Emx0AcMD-#U>Mm9UvHJ%gdM
zB$algc5exTVHdU2v6y|J(GD{tLBkM7F(fH6(>YfSbNYeJGzV>1NGK+UxCuoK$4~{-
zHWk(~NC35RQA}H!#Pz66O=1+&qzPx?l)Yp2F)@AVOs8=>wTPGp^ql!XCNONHQ(S>;
z)omfuWjaydnRg5er+dyubL(?oSY7tFp7*z2!QmQ<+3mJF{jFwy3y#T?7(Ts&geV2@
zXBS>`v4vmo9_5<m{_~%c-cQD=zx4%jAXzlg3?^>UB3*o)6nbnHs#5jqzl|?NTQ7hh
zNnO$doJ8NH83x0>quyY2(CWEEx3%w$oR;G}J7^v64-UP<ku&nT`?P>kwMf!&U-8BX
zZan&$Q@)SA6u<HQZ4PXW)z6~2hee|*fVIV)GZuS^WF8$I9d_vRg%@(=&5-|NmN@pt
zAP+cO{1r<OEz`=_<N3|^#~JUt&oVyj9cJa&-_Q86zt_w7^6W4xPxq*oMM3Z2IIFzF
z&VE*|Zm)BkMS5?)n^~l+&GPM_`)oh!n=)wcVbq-QIJ`TX$Fp$42mA}o!`aX4?DYo6
zqodZr{{C@mA9}xaJnVH^M+Z=fGjfg(M~4frAD)F&&g*4x-ef+W`B#*Ul9&HB2hpa*
zY|}DaZ|qM{2}a*F>Hq!>wOaIdq7Ujv{eB>{Z&!55yt<EpK5}wG`u)Bz`#i_LMQXY?
zb74M($<cwC9`@J1KO#G`kYC?%!M=FzPxoz{D(OFR=Z`a7gZzn=kN<CyDmj}p-#qvb
zgm(e{*<f_-?n*79AWW%4(4HJF&R{*60qH~h?@j|(E16NGhBX2f5%|Iq<4V|6+U>+c
zky0Exs8nNzh(t{|dkkQ$J0Z|SG-Ou3Y{N_m8%tU^w2KWYJ+F-57{}%zG10u^e?ET>
z?AhOXZ=GEnSD2uRZS!loZpZcl*kp7%9{-hB0^^O}=+p(XA>GA%;#0OJF&!hxizu8(
z{_dw|Q_6d98Dn?gx7eTYSHRVB?-eHdc|X0M=j#d=#g21u>~scutwZ;CueCq&yw<=S
zc&+aK(cZJY;X$`ETtpPlfCFzr6qd&k$EPV^LcH+RXPm8`k8vIQg1_Z-0qlc6!$_eX
z_KQ0-!<R-WF_hh(Cxs$Wo)C&ODH%*YXd+k(T#>--yS+hg|6tHM@D5<@^9F~l<IzF4
zHE@o5hX>EP&S3v&0fB?g12L+_?NP*ycYdC*u_Sq-#!{pNO}tjc41dMU)gj)lWzH^h
zl=9jAm}Q*$<8i$5I#dZv&RXfy+g>yO^rp#lB4=Z7#%w1~NXCYfvbLCu^VwTY_msQE
zuP-)PVLX>#9A{`+82dXZN}mpZ?|wIB7FtwA!gU(+%2g&2vdk=CEnJxwzGsEw=#-iw
z%oX|XAryuxDBP;f;kYyh&LKNk9zEO21@<}XrN+DMm!9j-Col(W-vTS*f8mg|{l0<z
zOlI+7a*=}$6Y^-Zll(j(+uO+&pqu>JXiD;JIXZHsw=~2L0?`Qe8I>ykPA1L=uN70L
zAo4cyXj0KNt~YX!k4{Jj+o2&7WCYU%`7Eah=n5yAeL>xp@)FAX0+XdTRbSpjjvstc
zJHC-nl-*w~=gzrTdqtziU~i>w&En<(2shbDs-#k^_DMFgsHu2OfB)cNEnW4K?DrFE
zuRn6nn}iq*p*)K}ER9vVbsOYT;nEmieYcINSw6{xmL*qw!pj^<m(8p(^mm_Wq^MVB
zUpcB^7kv!J^9fst^4B#(M^%1-^FE<h?+f1>yRWQgC6+)IkxKO9Vm#wo4wm$s4WqF%
zuXde-+#mgTj+#-LjAoztWBv{Q(l;2ichA%XZ-`wRymV&6+jOIuk0a}`uKb<sNg#iG
z8{S<EY1Levgv;Y-mR|{SL%N2Zy$YD+p%JWaocSzdEMwFQuY&nx;6*QJ0W2qoJO0%@
zg0G=QwcLNW-q4>oY-A?RCx0@ZyrA|vVQ}u>_%o_}OTJNCsF6Q(f|>lh_l34P_JADM
ziSBcoPNhB7^j=2qs!gBHqv_bQHvS8L_Y;*jcuSQmU$kuyWjojb?LXuWXtf)bO+3G>
zX}hRx4?gRY)R%26$MROMjPImyq@C&XoDH^pUq!u%ESoC{U}JYSQ>$^oQn|!33FSsO
zx9_Bu%BHzcHq(n_ns${aZA+qCY#<?)e9Ahg^b|XPYRPTKP@@l%0-CH#(%l*hu#8+_
zhehGtHJciD@^{BsqxfW`FKKGi-pyYRLp7gHuP(~lN)uMk<_eUca(puWY#lA+_%7QG
zrcXtJL-^E|ExOX`3M7r6kX7Pf6~*1Jd<EO$ciXa{m~DKw-$R-l$!(HL9(M`SUASFQ
zH$Se3>DMw+Dp}@C!AX;^%aLYuae6CnErX4+99(5n-{E_cQ`p4b&-`KBm&(m#ua9e@
zVwF&0r@z<+KfQm)nlFM;n74EPOl5{K1-_7ihyT)TyLkN_{_{od(SD}oy$yf<H1x(v
zyH|SxxQTpM-{s4lCDj{RHlY{k9q2)`<o4dSr=@hSut1Z+QiVUW7e4U=-lgisc|gap
zS?$b#g%lkbzGQTVb&G#oh2+^h`nP%L#}7)kn1dD`O4RJa-1{3M6z~$~Ud-vUld<6b
zTOS5D8s6UPOzXR6l%BrApe!1l@?Ilx7I~f`MIgLR0CSX*oJl!5o(-wh!{2;&##(#S
zk$rpV2MKwp15<Bx2PPgD3AWMqP>nxihXI^^q~db(^vO?PbCWWlcvKa&UN&cnHe0Tl
zA}z$NtNA|JVo>wE+)h7{#j+l?7MN@dXo30`%`75)TsTc4YuSzqHo{~fuqt9wr3l<W
zkYGLr@jy>KVs0Uly~10=Sh2)rVPUo4YFFyCu5Rjk!&^8-Fv!ZBqV^0dS<Fa#4>}{|
zsd}Eaer8G0!se_`ke>3qzR0YntG8C5Jkr7YCw;V6NiB7d&M-_!9h<YQ6NLFe>Qq^L
zCSFVnWSlO)y3w(!j4BLPhRSJ~u`5#T6%S=4^@cuViz*OUDFup+Rj4y0hjTL6@3J)5
z^cH5ee5FOQ<KQC+Y&V;i*=|(bWn}3lSiNh}PONrgvmzBl1?7S@sW!gL=?q}{xc`av
z@CwfOdcmF-oIBBntdg@&;q-j{v`){dt?2<b@ESSe@xU2=cq1JfDI)-DQp+_oV-W6j
zNY8VGPnqjfE7xt1*2<myXf_#8*Pq?a2h^!gx?}C0PN!pkNSU`K9N$`h6OM1YgK;?6
zoxo|si?}DC^onaU-=HrriCC`zQA56W^-CvY647#-Cmj`@q;s<To`!svNB!Y=2c=!I
z^cTe;RPfxepg*p3s4L-?*F$IAhrDx1jBNHD4Ptngzi7#D9sKdLDEe3L{-l)W>-Xqn
z7QXPu^wN|Q>XgdPwXVo>jVapk$D8koQr}7Kr<n3n{GJ{za6XIAspGX5V0iKq=JL~i
zJ;2??yZ0>FnT$@KpO!Q3#RT1?#Xwoo@wwon+wQeH-xIoVIFa3yL=pd9x;MYUK<Uto
zOX%W!ZlM#=_pm=7uws!aCX6R?IKQ-2ZnVuKQ}tSpEP1GU?Uu-VmhTa)xbzCvFPc#+
zxl;4&aedF0mag>u8{)AN^9|jzWoy2x%nzA;z-Bl)WLu}N&NB!b^2l9V3tZN&$zYlL
z%hfAua8k6i7av=j@hMA*W#TGHl$?UID6_p@<N`|dXMH<b+1t?yr*@I|*PNMsale02
z`eo+bXd=6rFh!>&l1=Hn6;>pXYcpct^y(NmYm9-z;wgSx5pa5jY>`cffRk<%&AX_$
z$O1Mn0#0mPV72twQWU5jFXQ>}mN+pxcM3mDN{HxhNJMv)#Bp6<qgWg)$;D;zii9I}
z4;4LQHnGGzZ#>5Tjv%k+D(6ymEQJPoQ3U5n_|ut@S>)f`crbMI3+91VJzy-I-Xq7-
zx#D9(P5xp(wg=MbtTT{KcW-oXczD!p9Ua1?w!hyyYB~Gvv)19^-e}KtI>W*6fMN1w
zYLTStdV5ZJ)j&FG3>cdiaQQ$w*kzH2Kot^3DTI0aS*zP^b@$$OkDu@DJ@0nf-NWAh
z$_6rKsQQ>Er*0xtfA3H&IF2eX{kaq04nik#mF9Anl8nebr3u+z8zDSY&=a79$0m9L
zl!#zRPk<B=ed!61BEmhDCgoslq{#SErD-`_8!a-#)DxgZM$mc!v?SB@6Cfsu16G=t
zqg4@uz+FKAvAw~;aJb*=w4OPz*zO;|d350Pp0%8V{o`)u=-}|^cz=Oq_jEdq)fKnb
zTw4g0t0dTc$~4Ae6$6x=Cp)r~&4FqUq9@IZIHIRaMIJFfXGb8h1m2=mvLUDvnS^#3
zE9`BE+=BeKe7KVDo_eqnH6qtxx9bhz@a7&moz}i{IBGfF!LW5W@b<d<j<<K{ED|6H
z?d5PBFC%Z{e|jt~XBK}3i&A?&l)W$1@Da@?l~<+Y16x;CK#a6`5@IAxiAd^ubs3Sy
zty4NMSoVCtZBr>3H0DNEb^{#DKwf}GmR|M_H+ANv2s@)n!nYDRYcgL4Za&nPE6h_6
zt<llw==i8JXdOHoc3b;L`=i!zXMeAC*z4`@xjlE^bKM0+i>(`DWDiZ;YC(HCg2wt}
z$1Y!qRdF&)erYgEY}rw%&!+gX_Q-}-m%;P`D7RtDi)Tsc>=)`19$k{39UL4!8|{0o
zW5?ZZ?H>*gTE|`ZtK)gyL2vkMwC6YrNU|1{WL;8Qi62%m=s0AkH$y!fef16vG_R5i
zSl|~k<IKHC2)@7HxVUOePMO7UGKn^eE>+TIlmd^5#iwGH)0{@-OcWP{Av30J&8ekH
z23QUXtF%II9!wg_yk)gf7CKjETpvPz6L!!moI;Z5*Oev^O!`wak8jg<%WuV}Rr6od
z9`9(PI#Egf6eg+N<CXDdps^mF)XK3V-%0+)QHXQtbp<jMd)GJz>=++SAImFhe6D9<
z?<{^=8N#EJ|72uEI9u|TQY7Upbg_R~3)}LQo{}|9_RP?Uy&Wa@32q?hj5?>+9kJ<D
zOK{NX96V!*E}=w3tL8BeMG#V#vZj%~yWh!AZ&U#Lgu_Z1fTH6H6dgi_Zlwx(oz8xx
z3_#IAwG7?;sx=(-s%EHELl^f*RWnrTR?M(hB?I(Q@2F~qs^icrV5RiHRcgbtZl_zR
zTQNhWfx`?v(#*|(|Gr=#EB;wI1gJWVhzx~cK-El1C{RArU<^<}E~Av}(3v-yPiJuh
zKXZb4m{1!D;wWa!av1zmf5ifTs_(k`Pa|}wE%#R!K2&R8LREfWG7mqar!?BKR$W`6
zO9T^D6Mc)ZL=B$ahJ%r?8bIMmK2(b;YWY{$FyqE=rKjm+k82Ab%9$nkoZcvFT$LnD
zx%hqeKpW|00*9vB^7Mj-E))pp=?4$36j>;<556?Z#}GZxPgL2)K>s|5$nFnJ6#vJ6
z|KI;_a(y=ThaYfea0qf4o*NwWXvPx(T1%lTDNaFd<d4UApdHO4G!?tH8xbAC|Ifnd
zeSO5sJL2&QjN=>I4VW+4eqj4|7FA>0#4R84Kqw<mqr^udR=UxP?IHX6I(p;XU~d>L
zApHBb5?iF8h=w^bXZ|d+cKXSz5?<!k2j5eblsNZhET8qkw^Rl7!M9|FO5Iu?e9LC2
zG;oU?e8numX4up*@3Z<w1c5f*oyaIj)=%0#U0Ia)1bSXI&JS$$*%YO{_tR%oY@afl
zK}O#2G8xrAY7%)6FOxN+?;G;;5#2W>IK`W6oZ8rH<CrMYE_`@fL0lZs06|N37#!{V
zg|~EAGs+IpqOqt0+*AjxsSiYxg^n>hGdsSH*cCYOuyR17jo>@FEm?^Bk~8(=a-i0d
zh1pQgUW#EdIhS_nLhMWI{97~}Lss*-WZgn3qfwP8ogz{a`+;fzRGFNy&F8yqK2hgK
zYI-L$kxDYHnUF%ZR7qpDUg|!{8|VR=1P)l_J6+IrH4-k9C{bbn%<khlwp1^f-66(L
z^oaN^JB7XY>iT6n3d7m9>=t8*F97Y-*jHwwjo4Q-Ltjyr;hDZLY`547U=`ww(=SGx
zt7_MfjyK*Y^5WZ{=Chg9Su};h>?N9fOcj3_?W^a?!l`w}XN*a#YU-pt*fgb~(@$=C
zBCdDqQp=0AE9Ve(px;&$Y^zyPBWF`X-P=NPEm5GxoT-v41@2m(j&FU@zH@YPmI}3b
z>EDexXt~Y{BWd38P~E4_j*IeC9&Md$(m)J{9(LI}<Dox#^mF;`Z8-hS`$)}TxoQ_X
z&J65!cqE7aGB+&xvz4h_V{R78*JzRiBYyW;pMSr+S2dvzsj6+}C}*3nj0t1FQ_9Vk
z;n*Ltz}QOi%w&z`IgNM4DkCRK9`%E!1x^QUrsoDa=6&qienA*Wi%$7l(<YbJ2b(1@
zb#T6VS60g?bfU<)zaD$R&Fpr^;P?hr*<u^z@X!{dl3^5RPJQNgq|N%#Xhf}UuGP(D
zGE}OeRyUW-P^+6OtDE)eO2_sWCx05LL(cuB;`&of3d_e)J}r|)>xcm=LGG#gNmG`o
zH{bGE6%*je_f>cYlPWBaI}O-Y<yj-)x6_-DNbegu6RYL?GwDs5;_EE*gPHbumvko$
z>Xk#y4X9I&k^Qzzb~ruEXPzy)o1gubX1|4#G0mKp)TK#X=RRh^oQQK1ZcCmM+8<ow
ziN#GRQFt(hqKX$@oz(_TvE2KQ|MUO&|Nh_qjsErD{>wJ4+pw=|s1+dHOpC;ZhwgDm
z+Kczy_RlDBWC$Wh(@OzNLYfoYP1BF;H?pGgHHIpo{zy%7CEh9Nl&C&R%Jbwcrd771
zAm;QCHsu>qnkjR;nvpq9Iy#k=b(?bk9Lz5<4WmlatGisG9tmz(oYf}zDGKk{Fl*@s
z>@}l?i8b_YM0aeo)Ph|d9mAPW%9)9=HMC3VBw#I$YF*!L<FJz(A+nMa67LO?w4So-
zRQP)kJXFyP_}*{>F*TuOG=AE@Rh4<7eKLFxpX~apSLm%)S+;;eOrIQ52mGU^^?;AD
zMc+EnjW?r(oO$E%xzb0av^Ov-q^c{cPq3Aj%qc4^R+*00QLdcG)={`J`>nM2oC$N?
z^~82QU8WXuB3^0Xe9B&Fnfg4t(xNk_fn|!c%=9ZQU*9J#T5?K5Y1Ikt?a>O>r~<62
z%1bQCt7-A_Y%H5Z*TRu9YPjmgm=B=p(oF4(^*ni&`Rmd3q>sauPPgk&_UIXEZBLmD
zwYH~Zh9{}*Dae5TKBBg#-~vH5XKk>N*K3@8CBl$*KyDDjYKHX<8z(5{Pl&;&U)JkY
zwgR)T3T-#Z&bi7@PYQIuj@4etwi^R-q=}4H3w+73bu`R{%9x9Bu3q8Ijo*q4s9GX>
z4z4b06j|u4(9d;AQCL?GSU5RfUZ||d@<qRu6Bu1seiAynRZ7juF31!Ug7rGegmi9F
z$X|SQCWRMnH_OaYthBbdPQ52IPF)TP63qDUtLu(d_iM1OWP;pZy(%`-L^5p)sZJ&|
zue<zJq*Q;PTVqPz<Tg+S6^vkeB4LqfqwPCuWjUswtfF*+qDpFO&?O7hgeg^WC4<I|
zvIboj&9y;k720Zp(lr^Bew|_3YQxalFf=KljA5ver&vG#u)6uDr<$)d^R;HaY=(`{
z%-439M%LO6v$n&m?J#RQ%*V9Dl-kd7>i8U0;`V1<hxKK<k@o$uB+`qN+gXtkU*s0W
z6ZEU<Az3@uW)`}ZI|-T#X~y)qDs@a>z$~<a5ol%e&gzDn3z}puY;0N9yfNF1vTO;l
zeZ=hfi%lP^88v1QY0QNs^U<lWWLg^cq+C*cb}X4GLk{eTEpuwgoSHJfIQc7k$xGTY
zS_4Uzx#kw{8%ADIxst86_K=m`-dCyUGIbHzYOj=9Wl1I2lef1N_Ys_(>bjYX?HBBG
zaczzjEe-y|cfO<fn7@kpiMfjUWEV>p{!wx?OwNjUhQZ%uo`q`;!Wnen*cX-Izpp}S
zz?Hl#^JG)t$KGT*yU*&{Mn<LC1>$!YUc}Q}^)x;C$dugK>}!twFOd__$i-1OHn)nI
zg|xi@X0f5?s=4ELo%fBr;w6KnE5(__!AS`l^YX=MG7|izB%-{`>J;%5mH*a@CiJ@W
z-(xRbk?rfUHNxinqcgluSH?fkdC8mLT)LtfIr5&Wknf7m!U^!1v%30D|3ED6^ql-B
zIE|~4Br5*P{lJf0Vx%KFol8@JH?F3thPP4p(W5GUF>w{ugvnlG1ZOH;7F|s_V~cbs
zeV3jicP?BON{-LHB7Ncg1?FS7^HM5Vr>R%E1vV0?k&@X^&4NpO%(~XV7CB!z4&qJr
z$+<6oo1K63TR4*bYR`bH4stI$-`sw7Y54T{phOXJv%BVK_s)D4@*QY-oINj6eKRM>
z{g+Dd<G)U*_p93hKjhw5g)x~Pne{~iW*R%1H=Yw?wDx3^#53^yEBl_>29@1m!`uPu
z4O1Z#4G=B!<S%R4wGxh@{l|a%FXV-~4=?j9Tq(yA|Kq>@U)WgO{GP6E$Bj=;-B?Ak
zQOF`8zj#dZKmPlF{eMWk5zlyv%C9%#^+vp4n_YGT-84ut_L<DWo+Efkp6%UjGh-u(
z#;d&-*4OldtdpCDbE|SahlHHJ-c7x|SM4M(($mcDH2>sq;TmJf&I}iBSG?zL0D7O6
zJE5_ZWtmLPqX%-9?UcMDUP!J%!?6^<uvB(Gx3b*AvON)wDIznY+X@%~AB`Eb!X!ha
zeH`ouM*R+AWpRDD17p_RYKosi#;s}<4I|lm#)bNqFAsBaeL^<>ycbqk<O;0K7qXns
zvF9!_HD9^s!#ceOC_c8lu{aauB}~N`F*a!KfF1Bt+JY{7Psc^48`hc|KaiQftVpR~
zv7u(OiDnyJs~(;d`1aHk5V$ay5Z{BVBe04T9{8}z39P~f4A$C;T3b<TD^^zD*QTu~
zstJ=N`iwlTh7;6>%ADO@MQhWX+FM1j8nf=LqC|C&_g7J%mD>(hQnKWr!xCI_WEjPk
z_eKy31Ljt6nk*4z{1J5R6fZ)bY4w6KYhjyeo4zhNd8fHu^<q#|E?Pp|qM$0{I`(FU
zTu?oOX%?@j5Ok~Qluf@xFpaIIR>xa3b~_=F2l<BH&W~K|#nd4FmEX7V_jZ%~h}s=3
z7yQ5fo~0JQw=7BCrIIAesNOLRd~%7uqJ4TVW)<!32D32o15PGVO=m91=(X@q=(mtx
zNDB+uCX+Do(9<D5F~ga%nuogpC<~4vUScy|JH$M&Lk!(evO^rP`JkMgsva?k@X;@H
zJc$@kp2EVQm>hkx%49)-%y*YzZV}QCB3I@MRKkXeu+YWejfal&)CL_bYWpkK7rt4O
zlfjDBbg6;trz}63i>sHctdgo>83oqwR{Qvp1-{SI3Kho>II3>J{Wc2cFj`P{NZkRh
zB>!0rxA!*OY-K@R&tqwMO#P0YaxKpC%<PHm$RH`$z5QaR`K)|}&hsTRrk&_ZQEG9f
zFIi#QslH^!v~zvgj43DkvKdp(_T@7!RHMcDzI?`ohQs2FUoNA?DZhNiMaR)}(l4FS
zbk;AI(c-jUKI1|RU~%Hl%!vQ0&ith;Hy9dCk8$cWm)@qS5cp_59*3|y<}f(jr)d7y
z&)IpR@lJKZ&S?OC=A>`Gr=YT0nz<o1=3}e#x8dI1O?i8Z4#>*g;Yk|#U9svwpCj0F
zk`&|*hb|NJhl7PTO#}btKsFMp@_Us5_C}xOoz!Ii+Y068A4%n|84NO;71dO{uD^fq
z@Ce;iKdm?R@Ur7z5@Ixj@;LsmG}d5mJ!FP*?*Q(Dh(It5?NyNvgv}U(ezN?loWO9O
z`n4XWma^8@czof5)LM=77cyBW6&|mdW38Wjvl{wyV}7cNaiaU&rmxjxp;_Lg;GjO6
zJ=)n!kpHs=!Rw&9+#scLy-?wHOHLh*m$?~vNtJ){>C)BT>d=i9{zDIN%CGLe{;QL0
z!RXOT`H2Ur<R?8RDPQsQqbEL4f5J&crQxWjr9D!z(xZY*OZWf!$33mw-jV)OueEoq
z)C!yB<Rjez>p%DPpOi$|xydpQ!)DoZ%3fEr(AqF6`!CougwYIhiLz3AGqFW{hk<@r
z;RH*ksz{|SjH`pCZ@)j$xh4tfLo1;9nC@28ncfiQFS+VATv<v>#Y++BK{%pncgp!|
zP-&VbkT0~r#(GaG$<mgRvWJyaDPzg+l9_Uy>-{pyQ-uRk3sNOJ!knnJC8JD~4tl!j
z%a)O{<PBR!uCo;zv7MA!I<<MCUO?*wRR5W~fb!1W{w%xK2(oCrPo`j=zs74H7_UW%
zBo^TF;_}pWVVR@QY|-{48(Tds7mCo>?9`zM>rjLXUkRPkBy0ax-qdnk7P<3hw-2zV
zebPHk%jR0$Y?g}?NV&lu%20vLk{J7GeS>s;gLLJ3V!IY}nOcg&C@xX>PiweAI<+RO
zv~;>~th7XXc*i9Q)Yqkz7M-DGU#3XQ%D8a(<&N!H!66T<rbQcfSpRl(%(jzp=D}E;
zi_@p!`uv-5{#~U4SqzJ*M&|FUE02jqdo0ZwDrk@^?7u7Twi6X{EH~bcPZwL@)Onm-
z39-gK_>y{M*{6@DU|wKrZ!kh?!C6R=Tz35_tu{W|gq7$lOPfGSs&$R>7E>;-emxYE
zV7)BX%c8z4O0{r$YBco2SqW-Iajht>6~(op_#qU<l{c-Aw^M!eZDXwwE-tp#2$#~-
z)*9hjBV22QpO!|r#ECpn5z~@k!FuaWU<WtzFrXTwjNx?d2i~|vgJ+!5qvE+A!JZOU
z;p8w$>-&dzc<W6Zn(uZto5s&~cW?aJ?R)?`k;(2$v6}5FZsx5EzMQrG2FuwX3_rxX
zgK;?6oj4$i(Jm{Ju66ja%^YFBz*-+{HUH=Ti5QR2A#6P-TitfYnuIN~7cQoG_tA-b
z1XbgmZMmMl@kEmC#(QfKL%t2cB18{und!dhFTNNBeKylmy$F^lJF5LUS@ti|%l<9~
zsPSEB@h)sJ9NY?}soip>{$G<$>2-R&R;P>qn?|s?^zJNKkWXmu0PEqwV=6W=YA?aT
zWIGwt_LVoBM<D2u&g~}8y)8zzwcR9R7}gy)Blxo&qw6unh1;XWZey?uOV@8fi=j(q
zu+RW~sUCy`%94jI`0=wS`d9D%B%g-`nctIfcoV+x#~$uWPaMp|bR@3Gbd4$6@yDC*
z)iw6y7Y8<}Vt)pI%t8^lh^bg)rFig#-U;9rt~;_9$rWcN8hVA@&^5dDggO-oi_tOY
z#=#&%NmWh+OM((6DIR(O^llipNk914a88B}WcHjWAkHA1%a{d3?ki!l9?yrj#EIGN
zS1NFkkTE|9Kq3%EAE;x8Mm!necQ{5SuTcGa5As9H!340i_QqrUFREzZkWV|)$3djI
zv4PAq1O9Yis}=b-H?Z|*U$|N)ZhueJS-3Zj&%G&}^SuB!94GA1)P6m{gYLWcEZG_B
zTqrX?Eti3diF4z{V#qD&__T7;Ywx!^-xGR#IFa3br3?>z<TL0S5B`N=zl6ccVZE5n
zY2OoZ561~o#pL=#GRBv-%GkCkiABD&&uUV%GG;TTgiYtY7MagPip(<5I}Wo8Au5`j
zZ6xw(DzgqYE87KMA>j(v->hy@CO5leW@O4*Gp=J^8CxsTdCgg$mgdZ7w_%jo5J90F
z{S2b0ET$-;Zz~WJ&!-4&WKsii8kM0YMK$a!A}HC(84KA0PQ;JNi5GSZ8JY0>iFw2p
zgXe8)d3Vb;-&N*^%syb#BptG?(^uyign@j*8tFTb>YXitWz83lE`!OMWUq<l5bS==
zXGKec@v$`;pOU25=B<)M$vHTSGTZC-mSHnrnHwwhr;=Z7IZThk4=~67nlnd;G=H_v
zQc~3UcVm_kxnGIBlPxQL%*a<bx2Spe5M9yDu|n@&yQ6P<mzmo|-d}U3_ANJ2_|h88
zts-XVwE|1KdFhu?=+1|E1eys`boxu=t*|7CT%6wodr3iBX8+FV6o)TG?$i7Cy;f)6
zx_?jh?Mh1=uKav6AA6$stEo4{5$kHbu_d;7)`6rXw?q;>Bb!6x*MUCsZM~y_43eH4
zsdl2|&+W231qX+WGYCQ+IfoE2{!GTOoGbxT2Kar_vaIuldCoW;QeFEQoD^oB3%lBL
zZw$n`esBdV{R|ZrBc%UY=%Sr54oFO-Zkph4W~VGRkYd+KP^|YfwuN;w5Tj|XTH+k8
zt&#Lidji~WLnFqv>9K~cl<Zr)+v{|X8EfsrfR4laiNcX|llo_U<`*KIF=48l$CGpo
z@uSn97*}kEzFKX`(k$NuAI0hAw#?Bw#VV&`7-&^WEQ@cUgvseP-BOz0b{Mw{v&<s5
zwJ=OBRN-3EEGoIOfU4)}D-Q$mlTpZyd4_t6?EHTDszJPu&=qh5{S78kn$%%Z5|bg5
z6LI_t;1o^81wo!U2IVKceFlHF$?0qc(hIF26X%}igp8svS}>I1Q%agik&!nEVP}tL
zNRjjo-v=R_(*ihPlECv^&u#Z%b{diAM97L84r608Nrh#XDFIqi3$Qx^S{;-UXB_Xw
zoS|CDnYx92(-N)zbBt3#YmABn@zQ$EG1gQ*w~#ZX)6SFrq7w{}GmN!FFQ75Mp)?wd
zz?Oun1hG0a9HBo(kq7?`hBS)E?f1;2gnoer`XR<Q>ALXxbnf~yssxmvoet{%fSB}-
zUS=anET?{IFLLsq35Nc~=26z_Z}o%SU5@OhP(#&lgke%*rNM}z?YWtrRy+CFa;DSq
zJ<)R@jHwraSRh7B*%9GYc<Z!O?HP}-D*_3M#L^zYMm2mw!<(HSw|Cw-tx>0S{QmP^
z?@QxfcG}-zjG|sMt6`Q#HL%KtW>iGk<EML$`^%y(0)OT^^b;+|Qdl#|Ev*A`i}0sB
zm6ZZ!8eq*0gV0uZy`dT`(EPv?*E%bukY)>xtTo=&nx;lwGpP%{bGRw73`@OJ(kqRD
zl*%t9jmc6eCc{>z0t_)8QY4EpRDpCcxoqgEE#d`j;<Cj!RfdwPDj4`k;ixPig+c->
zGr=IsTieZw!hnzL2N8BE^6273=g~se>IXD%Qi?3Y&Irbt+Sq0AYb&F+WcE`^8F;fh
z4_2rhv?18(#0}DJ6MbM4Geou+EGXeJ_Yx8=%UDpt?H$w1=*ec%Ppc7ntpja6($rem
zOz15+OUU#&vqaJdMYBZSEM=dOvgaUW5Rud3nKPMYvar0<P7W|bZ_;D1{o{7C(_n$T
zVgGkEAC3G^WixhZ#tcx8%D@Y;b-+!^<=gIGvXfp?aiQtDR%P8*40}`DtYMnJ!2aK!
zXg-}HCqSQ^bAzAUx|Q@l7jL*Y%<)=LE&f6oE_!?G*!zKJd3zgS^xrWS-?0)xL2SBr
z{0Iz!q*%*~*i{#<rmeG_r`VIBG2D`{OjbskO3`WB)4aD(h|ktgP?n>Sv}LvE7j1QH
z&2V2o%%pyc$rQKiv(#iS)EnLgK5%1pxo^9jqi1EyLtJon{}LutwC}1qL?iTuD9Vga
zrdF7a1KKr+Q^~80vxZFWyGZkhqX#s3R_ZJrbrpK#j8lQABu^$~6?v5n(_5}>;3qdb
zcUp^hzyVAzkrjGQ<XBI?U0jwHX!BKVbis`-q+$`(QrVUls`83ztyXD$kzxE`=sdgD
zwJ8hFP7z!c)2^VdBZ>A+>rQLR3?!kH7L*rJ1KfJL8sM%7a2L&n>dzV}EsK<vnlVhY
zG;_jOoqD$zLbXsX6Q>$rfl({vuQ&mUoSOru>frLipiB*?8gQ!IslEz>Q+_KWY7xG1
zFg0x_x2a&N-6C*fz|;$Iw2Bjilv={xp@LXorC}sd(!o7(@J<1G7wXuLXJ~U9gaK;r
z*`1{pP!^$7*G22$*{vV5Yy)o;LKV?G2!yFIa}D5VEo!~sGxa8l9}Fn9?u|26O?&U8
z`odad6;yP0m-b#^C$s+bME8!vJA4x-a5;mj9hH3OfnAp?Uxjh>J))k(`}ADi=Kija
z`id^~)83j-gKlrHzlAE(F$;(w$ht<dP=hQpzHiu3+I(aPXe~x&MNw~<!x>E??hoHm
z^vql@4NSHGUXfH|6m#puutm8iJE`WYNJA^~*c}vxUOQPtn|e!|Mm<d%WT!WbEl3vv
zC#jC6*p=)C9VIpFmRwcU>lteE1+?ogJ=dRGPdc@JU4NF-uS@x^)$1%ttzH*TtzH+;
z0}h~lVW`l1wTgWsRqQKva4e@{?^&0paw_%(+{P*#;>dbb?6nVBtzxfL>|eQxy~rV{
zvWk5HWx;Yf_A;(YmGW1d0Y%Qu(XsE<I`&oR*w0^ForhHS9nIs}%g~L#afSMxA#G%1
z73%4h()^pEP=AXG?mHiYPGGk&zaNL`Yf-VCgr6ak&}Eu;8f(IHxk!_kM^Zx@aQx&_
zNx|H|PhI4G{sOmQc(UTf(Yt(KQa+}t_7|)~>Sgo-GJBsK7(NUjjU;mFkWj9A5~K#+
zU3yb53nN!vgmD4M4hnIDPyzPbH=Z+|kdOwgNWytIG?oXd_lMYrBP10F!0KJsbA`g1
zwFk(2NqdC12R`zK+WIEG4d-K6Lp>6~QKF4e5J!GAVLn&1aA-2`VW@~IQF(d0zrXnn
zX&8Gqa890Jk2>ze5BzvW)pbzlt@F_jBcSMQ$ehCB8DisixA)Zji|&8@KZG70ox|pA
zXe50U#SoNZbWzq6_}}Z%2>WmE@Sw?}rZkb%i(obn;Lq6ea#4<u=7!9>vnZUSoZW`u
zEDd`wdRmfz79*g=^0%M>&K52=B&VIrB%ee$nj8qi;AhiW@@*D=@My>uk2$y@8xYtv
ze7eVfXW=j$lbx4WEqs4@*&s2jo^nw0n+D4wriP^qBs;u|ucy2~IE=?F#~sDf>8^J)
zIQE>Qy;k@5S*NwX*L~JHK6DOSu5)m3y#MU*@Nj>?n>Lz9JXQ^hZ-op5|C8!U0^;Dr
z9&Ji>U@7u&+a9+jVc^3H7<G6x^59$x{p(;Itt8q^+j=52_KGhByQcYmhGHhU%UW0!
zNNI;fWcK6H{Et8GPcTMTKiDaY)LelmWz1KMa^^Uf3(x>LySoIs7uQmpA;S5L2JG=?
zRGtPHFBzt4FQ#8%G8j5j3|1&3`OI)PFpIfYo%d;q5}J*ch`HcWPUu7nVQu7Ww9^^%
zs_fr|a|10+4Mwd%B}%R7LK=qGN~2kEWUQ;hH#{QJvy8t+PZ&$pc7IEeM;#Q_Z@<B8
zz@nw5oGx<*-&P`yu_3FkygRl-rUC!01;9d0KPE1ijAkS2Eev6QOD^C@Z-f3%=^E3o
z$L3a)(L-js_6P5t^$=>GTc<Z3#@M$yrqXX}(^6%9)Z1r8bYDlz3(OylcKkR9DHGn8
z0e72KkYL3rHqXt>PN#~_7SWktv>8>FONE3biOPV|xj;1S<tAQsAd|6p*(qjk^68~%
zYkxBt_$DgYA{wX+&y-E_7FIAkA<$aHj|_*gQhs8#7A%BgCs`j4%&uL<YA8Dg%07b*
z!gaeUnq8yM=2N53wx@iDS!VqTT~|ZT8wow{JqGl=XI)OpLC<zIC8-P~WtOuJ=sB~p
z8hX~#)zEVdJ*V>(GO3zpZP2qR#0x{u3#k*A1D#W}R|K6?`76$SBIo9S&igg!yh70V
zN?yx&>BKS6=w3}D=l&Z9pZ5)^BO41or&~(%ZwmOVcyoC;YXw6O-Ls~g*GY`bF5P^H
za|8Su<8FiMF34XzXFOxBLZ|2C#g)9Ofko3qgQam8en9O%rV-a8FywhMAJ6>hSVp|$
zujv&MsGUphX`teS2nE&X5eD`#4=;wEB`6_cez)FuYV1&C%6OO4&PbP+{K*8?-LSDv
zUK-s)gMP}+(Web-c~y`%YlzFe&V<Lf<efJYx-<CL?eK3LsloPXK31J3p;vt}Un`AV
zO&NWI$W0i~8;nkfFMeOskZ+o&lbW(1f@Ton<&c7wQw?+y*Vtk>OdXDT>A^PMWr6wd
z=FS@ilK+k2zU0)vu4sMoifo1@ocoAF4QKpH)-!%*woCiZA6a63Dc3xbKjD>rYKJxi
z1|!P75+5s-n^`O`?o<fJ37I$_yldEkT~{x(NqPqzQL+==Tu=O9$54rX$72wJ(8?$~
z$*@^_?+1J1X;c7f`jZsDGL(_CT)NGOeK--WxMMH4nceOfNgCu&Cj|J}c->Sz5rg@7
zjNXS0R#yW58JX08e@5S&IqVLlH0Gg%?6b7EY3(2jxjF;CVG3+qxSQG6bza2EmB<=S
z^2(dxiecP|+0<_6Y?8NVm~j!uAgK(QQC>)v;@dipYQ@UK7;pDFFSFAsKt?9$P`l;P
zbPtMU=qr~!-NpeLrQGwn-A>u^yr%|`)G^caBSYx}{N`!Z_a8&6zHgn_%4yZ@=Py!O
zN0wR6I<)GUmDO5xJzcF;ueIvwe1%M^=2@Fo-4x=5wd#v%3zk!?r^v6USWo4zIQ@y7
zo1<7is1@t0Qmmu%1aR6UJRJdzZ^E(n@@6tSolfCkIPvM}?3c(1X5YA){lJhxvaxFR
zbW3UeO;NK`AFl{G7S-Xx*C*zVQAt#;frqN{8)SWt-6)*wML-~?w}i?{!j^A5$Nd}L
z<k?Pk-#d!SSc6QZM2P@utde=m+^HNFqj)B_F*A=WBJRo(vA-}Sq(Z?Z(xZh$Kn>aP
z+g_XeG7bmOf>YHmDsG@d6t*25xX6bfybHwoH+4{S(O<~NTb$?4cnoXffRe@i%F_Mg
zj3a39J+)A$u0+!*cF1XrxP#Flr{l5Oc;2aPLg`UHK*gv*MlY@D6x+$9K9!e`n&OU^
zq=;Gnz{%(G0-AhkAssKZp5l}T6O})Uz3~Y9IHc}Isno1I+S%B}aeg1OCfy15HV~>9
z*GY7+z#>2TV-MN`9O;ZXm@hOQWuoNWAm8mOZEZ=Xr9UHatz?#LDXE&pWrB3?N?xKx
zO~ZKBns}1|NaMetfS=HmP$RtWwmbhga|ZDV7HmCUnV$5t16iljk;cV_N)Smz2zf}3
zXtMkey8c*eSqQwj&c2}RdMa)x>)lqop^Rr$&=sMm<`MFewk0j@Z&3w3RB?lL|H3_!
zW;hEY<tV8J&9nFpVf;Om89EC%QU+NJL4%`NQCUtt=__P%{dDeA>EHFYEWSKj?-Tl^
zxxQHzWL5YEaRP=i@wuf<ePXoufW{_8^#!mLE}U*y{6j&GSqAgDDW2VBKQcF*g*yg)
zbGToQgvspwRTOm^I5*1GS@7!`&uTjrI@NGkl122l!m-Ocs3|Vdde`qmL;Lajf7)*5
zc5agQeZ%4tMbz%EUb;GT4ct6;J00N(#epJLrMYd*zX#5q#}F_BXtL*d!`<?P1C2Em
ze+&Ga;b4{?_IKzQNF`WejO}x6JdNH->M-+NxYetAP4^%d=b81G{g8cYRmS)f-e6_V
zSMD|~dtS|V3G!*bk)u|0uimu^x~n<#r9q!+s;mh#rRmniR|L8U2<JUfvE6qKMi%BU
zHY>8!RaOTx$HEh#PHKe-je_i~A9dMi^4>kin8%bg^zX90d^yo~u$5L5m2{&RJX)cK
ziLTQVUl|l_=E6tMS!(jKWGgd&S+d!uuyjJ@0~=VzbxCI#Eb^{{bH|MO+iI&1OGi>}
zmDc>`B34kHB{>`}yvUw9<uYonVl0<FgIY`SU89jkCl}3+mMmqbNK4i#v!o?^?nJ3%
zD_m@BlMVb4r!pnNM6c1b7M!_tGvwu;bHypyMY8%>pPCCY1M%25oK1d&NrO6|s+n?p
zQH`A4_v(%%pZ;e4z9jvbi*0JtVeB`W_Fhewr!r^Jx}8ptX0!ZtxS2azsjo&~Sf?`c
zbyJzI#NSP2;G5=nHl^IBYS20-Utm+;EnSl*coj^2O5SeywpVQFQ~NAGh@H>Z>a%<)
zv{^q(WmX2ndWmY|ct$OH%T`{-4ybedEThJ+JA}7BTict+Ggfh@uE<~B*W<LDOyDc)
ztjuz%QuWn&pj)KId{x_hEo1j}@ECSq2iAqIoZXil5G0kYI5Nvwhuv3ZWwqUxp02k0
zs_nkg`3jj-&9gSUFH?vYw)<Kw{J5MoSgKJKt-(_HD^7|c=jK?09oE)htFi_Q!ih5u
z=P`9)noh511YqI2bP-@6{Mc)`(10Pn`NoaH4h>Nx8*3DnZYj;bQAT0x2Fnn*lw@qG
zWA0Kd%z7{q_m~-H@lVV$$#aIcS{eNyDMU3}Lbz<|4?n~hua%lnO~M$RHn|v*;jI(g
zP$yE+U|hvUKFAg`T%(l>pX{Iy((3v!8PCx|E2+r36E@dKS*d8Ita5O#Tc9D?s!wom
zQ&?FQOC5S==HD^M35|9>@^9u84<rtIdmG-77$;;pJT#4*k%%92hijg|rvPNHeZcK}
z(7W?z<`Rzv6~I@%Gxq=RcKU%HSNUx;_lTGPZ(<tQ@)b^k($5no$t%rWI~xx^QZ0kt
zB<{f{C#0j;vlwooK%(*Hnmf~4@<8Hv7U99v$kV2y7Tv#&-gr0g8qtUrf}>_SRFHbj
zjE_U;Nu>?4)<2<zP7AWI+d@U}YF^*m16vZ-K$fzg5~ydlxKq=s(BRX+4|agYXcmrK
z=YB`)XEX^>`<T^uEy?_W^mLNW@cZkLNFeQN@CMc$BR4fS>2#nDtn-S;F-?*iPz6iO
z+bG(kg+tw8(&i&La5W4uj{HxsvcjpvYv4EnS9&nkFab}dVeDNyBKeL<c2ni_CTVqH
zCxOL`{MojM6U>46REsf$KQLi9+Hq+(daZrRM`#ts8Gz4{Y+GL15ZedQH09ek3~rRs
zO3M9#$%A2mv7^eZ>_v4jGWmkyh=POYcqrq*#5a*P#TH5j3%8oY807wz=txys@ck8C
z$nmY>l8#s4BI1UxRo`zR(0Z5zov<r!b|NAU>}X#YuTfSLO|-~QnrCFsNwL$VQRyO%
zh%&8~rErOf>M?nX(s$pNhqX!u;yo%3#9O<sKMbsuteX#pYgr3it`!9<{)06w{c<75
zuD&ssJ_b(n)NrFUAx5j9jIJ;h$U1dgo+p#6iX!AK1!P(I5%(0oMByA+>PiGv%+g~!
zH#d=YLl+0ByoC&7j~=(nYRiXkiU}ut3D2xcQAg6o>acLhs_0cwyr$Q%4n{CS*{x%V
z<<a;By?JNr8#o|y#~n2NXGcjmxPAVd+P!@FA}_`A1K7-d{;ZD*e5ZlaK7Tg1T=1n2
zHIJyf&P);;x9z(iIT%UV$zbH4)a_(jiCqNVFo-Rqn<}k7-aN4P@G-#NL+kdh9N24D
z^pVQYO=dak0DChltHEA9T@CiuU~f8KA(N_k)&};PLcBQGyADP6a+q(bZ51)!RQ`%{
zqsX~AnD0@I`K}7{wFGyK&*-+=g)OwS^L6=Y>l?>>j|@>H8;kj-TT1h93g)ZC+cqv^
zo-i5U(K*-&)8)rW8N|UAiwHkD4n@od2QLbCMOop9hO?l7HgMr_UAoAyD?WKmgkPmB
zR;8H!yr*$0Zk>-bj0CJrb5^Gp$7NzgWL$hZng_0fQsIo_U2!jPD-=^$+)5hQ62ZX#
zjECo&xHSvKeYvf!b-QgY#Co^#sfC;=9h%H8L@0A?1y@0jWiW@Sh~?1Tchw*dYWRnq
z2>&3u;u`N8zIG^<tOe?3S7MULyFp(DjOZb6RmLpL*OVp^4C8tu2mL9t(zzZ~Y%hn|
ztFddKvnyiqmRCYy71_<90m-pv{(5nVwP9y)H)s)p_yQA_^Msy?;211*f=M!;C(lJ&
zJj1P8`;<7*Zd1y)McM>1L%5ak(C?S88WqEL*utZqIjWa7c7p1qt$>$9hQ6vk{WR>i
zji)SkjDj54T_v-wGgXVY%*~rzBC5rzD01q~xGq*t)t*UbbL<<-J+aciH^XJt+BEGt
zTwa17{AaQw7?H*fC%*^$wqrVVQgnIXjl(<QkH~#ECl2HW9z!4<iibJ(7S>4e5f$3l
zzL6-JvN9|JZE`VUwj>w?NfeGiFP6^}GkrL0amHf|o{!W01bUQ*Zwgpp_iYy3Tmf?t
zn?6a!d4~<)&w(_ZQ*<R=*S0%$(y?uu9ox2TyJOq7ZFFqgwr#uf?|#1bKiG9pW7Ixa
zW3H<Ez9yC@lLK$@cJ4To_<r}K`C;_QU>H-6Gp~-o9Qh1ZzZjz|f#Kd71=15dJf$$r
z8(h2vVsXy%G3Jd_iAgY?IM<(W9!X!Wz}vzRL*d`H8@-h)YlG73CL5$M8%2@CtIt}7
z`TS3sYlEenV|rdoH1tK4?cfVyPE?}wZbC@=;0WvwF;n9#ED=+I9I9oDW6~W2^m+(Z
z;=z@UjX07rVci{iQFALXr3n7BzFje;+wYqaQYj}qtgu>{=a-W5IXC`&mybA_{_RL*
zt|Hq{;{zkhM0ob%R;8+ct^4(LwN+2c-@8Mjg92jlK%jXWu9?RL`dq*8%V95#0q&84
z1K=K^0q#-W9uDmPyGQvt%E3sXz6r~`)Ie{gt1`%s5&$rQ001L@@7$%jn+knB4_iK-
zp255@HGqSgyd>*>`bf&fWD;XT+mUHWI^IF?N)_1`li_J9LS@I4|G+<Z{xO(t7-W6S
zNCbwdbs?-+)|^XJPXZaJN>z;WLbm<kDK&@+^#@SR=6SCcN>zJf>;1~*aE&OQ1~L0%
z@$VcAK5+BY!}sk^<!%?=cZ0?2LJ>AhE+w<wSV~I)+O(g?d1w<vg#FkO!N1|sgE(|g
zg-(wO#*`)lS~z3fG|)ome_hjcVEcV%3|HexgGNoyaTlmj5xfVNOsp;##EGChU=YEN
z%;zCE=%Jw}rT{rVd;-^pI1H7$oXVKd8boY2<DpE_3LD@v$?^~9PuhFrMD;WUROmM!
zw9+5<{k&VjJQg0$VP5h+aN^6mNuaM#BK3G?^sD*Bv3`Mrf7#L=Is>oy5m@-Oe5Zfd
ztZfG9CHN&4Xg2ckMH`T_;$eLsS!qb8xXbm0rG*!sQNwaVWtc%zBhA@Y<9u!BvI@cs
z&wZJj|0=}|+q=v6e6Pe-CsM#vs8OriBXeEV%zpQT{V<Qd<dQ`7L`gyt1-eRY0=gR6
zOkTrQdc7@<+~ces4z>}|$q<m8e9jzUe?r+Ix;hW}4488>0D&?BQfZV7dksf{LoOEq
z+I@e`5hal?qt8@4bqa>#6sk3VyA0n@45iT5jH5r56TheUwHw*$u;uX9=|D6H+DhTT
zYb<-lP3m;CporG?xNzyA?uQuy7Wc%K7(nf3Vp8}gr8V}gWwwDJ5sR8R=cuk>J(Kl|
zX8X_MM6iADdS)_j6MN;ea^7X-y=gTIewBaidE`V(4t){%1~<XQn$Zu9W%(Uaf0~Yh
zKxI`aGeF1^Py<4CbbeupUlq={_<z8IKLrr7AQ~cEX$_iXM?b2SJ*j{-%Rf<1gyNl?
zepDY|&1zESxzy;DxM}Da){M^96Z#k%)mQ&#F#DQOc0{19Xgzq|+SrH9MPZ#3_u(wu
zl0O_A;XKScV6-=BY7XaY?^8Iijm46}0#rXO?TT>dX>H-M)Zf_^&FI~wT(>`+J(m5j
zG}Or~>l_fQ#Te*HkT>l{#^6rf*VvU$3KqF$IgaBvV}A#!2e)2UE<4qzmhxkFoR3O%
z@=LWD(z)BXoh7XJ{BAiVW!C>|A{*zWp^n-*v0q>MYmbt<eK5Lweam68ElMZ<O7ge-
zYA{oeeMXhz)U${8bxjoZr~5`0h2wSYh^{?z2kX|=d`k@*!#35FSnUq%@j-pMgh7bt
z_y7WV&0}y<N<@)f?q%%6p@+I^MAsKlx@0I0)0gfo*|7Q%h&j#YRiy!k44s#XW}E|J
zWA(b|Ik?cIKe~q9OG|U+S?7MpYRK8LIa=dx^1+02esbvJhJ%u~iT*$`c8_R(qGyGT
za^~3DQPEP^NwEXE`H<7fOVfmv3cj{^wTD9W-Pmq56<%-unEbqe)*lX1hl)T)sQaxD
z*VuA@Fslcv{Ynda?=w#cm6e&Iu6u}%fQ2-f%oHozg%__2!Wb#eFjZ&pYCq^y=lrUh
zYcHz0ThUf|O^eNTzpJNNa1mPn3fohc>>bE`&G?}nB6B6ZV5&#Wzw$M;12hSS-4%$_
zCO@YSM))~mt1mP-gBEJ8iIVRkCLNdk?M+oxiL(HCjlC+wY3FW1GL?raxILC&ca5ON
zj06Wx7G@Do5f<j;p8ZX7M_c%ewW~$@W2(JLskECcMrOX@NU$sd;Z&^mt7`Pcu#!Ie
zKXGuuEVMGkVAjwj<=Tu)@B;|2myzkYljgi7vL2^}CzE9!%xDTqYyEvB!57hYtQ{{0
zY{IWhDQ>QH7o4pacU8<(;$`w8IG_)@+C=<e9`tD144o3^L-*!{K3N1|=&3f2&=v}7
z!F1Myl~@Xr;^!kd2`MUKU4QGcy(7eAzhVi4<1q|qWTc177MyJ3Tn`&shnUGZP$8th
z{PMF1V*Sxo?5z*J$hcPKd8~8lQ`EuMH?~N7+{HONEa`C&<Ip_Np(~H!+7CyJA(~dI
zXaVp%I+Q<}QTEL1Qux3VHfExq-UBukPakqv|2k?f6EaP*wk)3=O)<5^7w+UwhZrxu
zUJ~aXF{ZoQA)ii{k4T&oQr*+__4KNF`<@O1Jg!?Rd;Znng539h2RTG2#FmlfoK?tR
zWD+9{BfD-Q?8x6+kgtZR2iwFxFSY@K(5xc{Bx=~{S>n%arPy6uwj}x7<cKW+5GKb^
zvdgB6u%~sXC1WuLn_U5~P?0=uR<X|)P6IAW65_0mv6<K~yTKU=$M4;a?yPO%lNxUj
zsSz(f$H5bVb+`s4S8_&ag${-}p{b742cSRqV6c*%ANS`&8<A3Md4Rh4@8!1eS`8wu
zhnJS^g(i#8w~!obx#NTMSiMOtYRv3rw=3fa3#Z>*QJwMMV>zE(5<WH(HDC$J8DITX
zRBVSMe;*Hc12km;{Zg++{=o1{!0^;)3|*#>jF?>YEs1{ZQ7ln7ZBGul{%iOMoWj|E
zxZCFbw5nc`>FV&kcH>j%x>3ONydmf6mi=I=kYQyIE2t8!yC*o8F@tA<TeIn&%zs<P
zmUH-vKTXNR0T=(_)ma~|X$pyNFqOO5DX-Svo0GYkF9`>t>=YvR&O@^{5hRN+YYR&Z
z0|PC}D}zRD(sy@eOs57zwX5#pNJvE!LNG?)Y%G=yddgGk$d97Qho>7D1ZRgxFo^Ht
zbp>Hx*Jg(4h7zh2VC1XA{p|7fVfpq^NtOE)qsUEDA!&p}CIrvC?0qWCNEl%Qti_oa
z@Qoz<iuT?=^ebxUw_s=CQO_>jrI98=WrXak*V>UuWO7vP^e+rwjKG$TSwTFdG%(Wc
zL{sI~M`Q%`T!n)l?0Km4G%)IL$Un%44u^`@3CXfYZ%a#0pw=q5du|KeU5|dB;#);d
zePkwjH3yxlfIMVukK9jd49u)vcV}tGRz7<&FJVonjA^4zGp^Iz=o8iEt2ESH@UE+H
z-7d4w^TMisK=O8;rNZPlT{t;k;o+y!-i-CtjQ`PJ!GF+JA?TQN98YW_dvrlfTKZdq
z>Tyx|?A8QzdrlwVO+q_$Kw+U;TX+V6{uzwl8-Up>JLBVWk+#m-C>u=TC`V40862~l
z1))c}<MY-qyVSr|EPq_wkiJe-;yO)ajW{}OE{^GKZBb?X0E;27_IZm2yA>0?BbmWq
zT-G9CBFxm0=Yqj#yrQbbczR|@9kL!lm|YtuvBYiFXecgmmtYDTnMXCT##E#wKbHnL
zV{J)7-gt|^Da6)hx{k;xB)8yglDKXz$mW`|3oem^-92|F>T`eQFB3i_&rXZ&>@4eG
zoOO+WP<#0wKN&`Ij-%A>;m5S_7sTlT&zP{S$vb6Xo%B0M9J|2RVMh7=VU|z3%XlD3
zX)9q;(M|D4&NG*=$7aC{o+#U_-tRz8^@WbNx`@ik6=}uGkKvNvN3>at7H86E@n@Lh
zytjFR@Q{DTZvI$9%Z8rrM)#!A`RS@$M3<r*?P|t*KBDG!+=4*j^_TxDQGbSHQ?Sn}
z#z^C?4JBSiD5gP|oFQHAuK+Zp&Hl|i5iUz@MOhic3*RvI4Zs{OEfZGLCjKzZ@er{S
zmDWWfqRWD#I6PCLAJzTvBmd^KPZUh(q*ZWEkp7t>`5^~BB>}le<q#Av|It(qV&@tP
zn546vWBGHQ;EHYUhI0sxhr|IoR>plA5|M^ri_bwEeXmS4irr)Q5bUU6NB%7E7{R&K
zjRLe{VZ2$FKX#iG?)<zqQDQ%xJvq=)tY!Or_Z&Vl{id*IZ;2s_U`Vd_*j>vMgppkG
zqUj<(hBAt0)$i``7uA<cGG<26QZOlYB*q)_0*0U!Tg9?pj{Tp55GM?_PH1JT&V(O6
zN`Yx)@gy7f3!<yMVWyNj!-Nd7Y^k62g1^)sYx+SFe(ZVD!F>C}IS06Wlu=1-2He%(
zS=={)jz|iO?JhYR3~6UhC+_R9hCA3%rS3*;C=IE>@KYyS=D5aM2K2f9$`%diwhSMX
z+QZ!#NIJp8x-dUm1<bKW)*vOe$TFu$9#ZBKaXnX`N5GVNFMHiy!V2G3Ct26rb*x^k
zGoLqOc-5_=%j(*o)Y?uQSnEOb>muq<<!_(`vFonrt10fSxi0k6(YX**M7nIK<P~=r
zaxoRK0_tG0s_df!n041BeYO9YbqLpV#ZHFRrZ^&7i7aXnFO@8675=3+IY2mPRjM6m
zR}Qw731{VZEFG=2#F#z7IuK_@niXeC!mOfjOF?m6?l}jeMec>|DF^K-_cKe;fy8tg
z0`jze^6><zW@Un%!GstG3<P1q+217?N-CknKdFIBOmq!Ez$qk@l!$4ek=Df%uvb~Z
zmAfEs>h7WQknBRbQ#cdstprqnNV9F1`5=K@$ac(xgeu&0ax^ua*-OaL{f~E^1D=jA
z!ghGW;I#_pVhYNSTNs#TngV58+z7rmPwZm3vcI|xXTJWTxws*tW6dLU79@ER`uc`w
z0RyeS7UCw>BqBG3m9)~-OS4IcN*uY1ExcqR*l+eOj%ChLUfhZfn?z}h+sXbSf58a>
z5?^dDEoS|N=`1B1lR@$|IU&`_xsaX#s<pEhH;1}1K+YM();K8ml)E#zrNioM&IDPp
zvb*1lNz4nuU=*edoIW=_>Nl?5f&YVSg1_g{fO@Hei<j+Ll=&Kl3PU5Cay2vJA$W8!
z^!y1GHVhiLNvK%_#<u3#Xtj;Ml9-}Da?%;(nM;MJ12uUoG{ZjPw;Gizv-c1Xm6YZP
z>|F-@O%!F5CG2WtG$hcn%dqLjq_fa#4T>IKU!x4eTUicmXi_0})=Ww~eD37kd&Hhs
zbJ7^a_~ECDE8eyh6Ug6bLQxINB<V4&jHO9+MH-aRdW!Nx_%;8<a$xfWdS@|3)XJoT
zuU?K~mm32C&<@w48BkE>ge5-$sg^xI{dbe-jHR+QWWlK_5$@d|=hQ;Mx}Hq3dB>Gl
z#@f)vmpss;tBrKBqynNHyb;O}uuL$TFr#T2T5wF~XO?mG;Ft^l$9s9>=92bF1%{y`
z)<}VdQT9}ThLwR-PI%*80)Gs5Vd-n5_Hy9+aunX-9%#5zUK2XMnZ7f%@!o1d;Jv^y
zl4Qbgm;4J#{@wU(*YW;L#i346`0|%Dz!~JyxYz2E=pd!N$2(Suk-NmB(XkF1VSMTC
zbldoB-6OAF0%0)FQKCQj;ZquA%sa7tzA1VXllHtHZI!O~#1icNtkp1QAR53}Zed)O
z9s**0Q0B3TC$zC8hfGs3)mjd}aykls?{cY!FvqwVO>0!kPg*iY)uf?lUYbMaB3t~q
zu9_l6KgMuOd30o&f(*nXrRrf7R5X!K+HQLXcgNx(kQ3h%$$QrcuQ*tx9LZBDJ6H~9
zBq(k@Ucmlf=ZzukAVSRyWA`9)^UAn++JI5>P9#6~rtO81s;vl*MmjF(R^Nm!<6byb
zpgT=6QnoK7Aw$%Bv|M3yq^FL@Cl}g8nFj(@J-74TK~OH4&u2^Jgl*8ZF#gfCrBzIp
za*%;Aj&P_Bu}{QR?}?oI606(9RUscb_}NHREI!Of(7LjWyCy3;$~RlFF2PBa6Tcbu
z`YX`!=k81^64Khpun@Gn78z^Qc?$GZ173p=@nvR6Xq_5oSy)1-03lT(HeB<HCCPjR
zdpGLNby>0^YG(P3`{#OHdhJV$SiR}@Bpt079fg)Nrt`5?cLQU3!6g-0&Y3?WmJwMM
z|9VUGVo|Cev`)*j!jz^y)$D88fR^HL=z}|&Y-@egm%129<VcmyWoj4kq)(&s5fPSd
zVGUF0%X~!>9B9`w9@yi0W4*A(>_iO=;S%a<I#@N><9Jmyc-Nyd>#0hh?*B5U_@^e4
zcl&uO{aCG}bG6Da6$N_bz!kCqL>J)sdLOLsO;nE;cn61l`8y`yp{rXvT(eDf;y7#C
zdDL6Vn!Vt_I<iREh$X(m&t->b@Cd+;5q{6vt^OE^-gYb35O#Jvjw!|_2?N>`kiV)L
zu<s9#qIkQo5TQGqq$R<lkcv6_$1fn<`OrI*?j~i)Y2gi;G2UrJU;QtQ=Uf~G+u=eI
zfCz!Ses3dG1e!?3Herx<xO0*)4G|5A;MunCFOvinnum=WR2lr^CHk*<M-X=r5z)dO
zCVjN$m<w1TbOEfKU(0<R$3eu}y8U!yC^4?Tp*+)WQDHaFP~f9-GBe!~kY@rB1l-Nk
zATkjfl_rz>j-g{WywNKRW0>>f$Y#-Zh}Y;5(K^gp97*)j?FleO>5Q3cX>d3gb-6M`
zf1^iqloRCq7J`^hdBg2%iMP*NWaw&KkRrNfA6z1*_5Ih5{Qk)$0BzDo^X#U-=<Gs7
zDW;QWjS6Bd=$5aC@ZImjKoP|%=fzg0Qctp!9Yw_S*`P>Ek?)MMpjf9Sc`LLOEltAI
zU9M8wdu1adYwm8f4QFd`kF<|S*zSv4Uj!GJ*7SP^vx%Q>G!VM1NL3g%7kO|!eJ9m%
zDsGQX`%okGMuePFJWF$}(zM0MB0F6&Xo&lCRVUm+aREr~FIx9Fj+v}2qD?^n!950n
z)86@zMXr0ih+^sSw8R+C#ifFc3t*z(k7Jw~!~WV@j@$;iM^JXMdWUppY@NG6rd+NB
zKH-<|vt@z9zekZuLw)!q)Xv|*lqjk=jL{CIx+eUC@>oKauFiyZM0$$NixG_K4Wp%-
z$XR(#_$3PIGt(f8{)!)p!4T@#iZldZQsZ$$GL9<N`OJb;L5?9-#oKeLZubz+J)i9d
zgEiCCk1ex~IYdos{&zHHuD6hM`OCnmRzo2}VN3LeO^R(U;U18yc>QD5RlkKToM1eo
zZ?9f2Scmeyr!ed@KK=LJYvFTiNt&%N_)SD=W=)z>FHNyvFZm++db?e^=qwoYS11$D
zcl7{bfe~Z0s+tXBc3}w|q^Xbp|I|W=6*C4yvAaQ_e{s{P)H+-dmg15v0YERb{gb~P
z{(<YZ`Xa6%l6gccPn!#fKP7dXcM0%4pQ;lfLLTF%nh3?&lhNuZ*+3T!l6A(#?d+3M
z84U+PA^e?d@_Ga@yu$u^Y9C01D2fxnkvYh#+Diyv{|NHI%s-_=2cJAi;h>O2c~Vm%
znD<5I1bVOHq%dp6$<ISPrVtB!yN8J{H`Czj#iqrLK;mFluhY+z=m&Z@liIY3|7rUz
zD#A4E^fEgV0GNLni3a;;B&v$>Cq~{X7EmC08BfqKQVqr9*;Wd#DEqU#LUcN-<88tO
zL8sD$zn}(fspJ8nMZ42UJq_QPne}sd(42mlr~%7fFzDeErLu5BdE{pR50(-aI0ljt
z{8dnm_rrb^4&D{MP_<BoTTfT4urj-_eg4^jefvlK3UqyP*Rp+7_J&}>0UGYyvN_H+
z;U0Zn1OSX0nak64m5e$|-+V>!*a0~@UJ>C`6%G;0ez;x*wn-_zC)}|e=tc`+j!++1
z(6&}o`ww`Kd@}eI$L!-A20b1wWu33&f>_4+?a<iHw)0W+7&Gd$8;TO7+JdJNY)-53
zP$@_VA%078TcJAhqA4V=oP$r9h(<&W>A061vF_m)8k=0w#>{yrpr3Gpz1bT0;LWpC
zf?6A!V$!4PT`JS7J}ow*Xe`-eGLK-^q~)4kMXGO6Xn+r`ApN`^`!f2icKy_RkTe}`
zGo-yf4_*(atjLoc!VuGHzflsTpU}CizEEimeTJCc<~n?kjsKzb>xQe^sFan<rpx{N
zZ7ntB-Kl4M#`Z?4uxE*8%@;@iDBJvx|1WO=RnS;nF$TuO;LY{Q-%VOd1G|=ulDu8$
z3na!)h+W;{nHN5KY0yy8NUX+T0l12WwDojkbr?tVq!@I>#~s<_Hq`0ei*35f_vp!`
z%><w4ThyYO&2OSH&rLbcXOsEpefHcVxH~sWsg51<-e=%<!V(#!3vuU>0!$owPabhB
z2bCH~)+BtvD*o%wC8b@amVXto0<A<EhL{7EXJZkEOXqr=pPEDuzfVX&$kH4^j7TLE
zjhXGpXKD0d8bz8_=RF~!WUQHeVU}o6DoSj`)+Tc(Y^sy866Pe|cm^_LFJzrGjQDK@
zZj%3GQY%O<@pF<+EqM$bTRxG3BN){`FM*G1Ji>$2vK2GstS5~>C*9O#k>&}aFPErf
zT4=i5Qk19wa_YrJ7Rk7l#7k2o0Erc8p<-&&WRaXx!&Y4(Q~7^6b!P2Mi)6|nm`qh#
zI4n8~&16e)m4%9bDoYTcvZO2FtrjYh(^Z2VHUlbf2G`55xnNT9dSd?bn9b1{I^Gwm
zs-YnS2~$lClK<^vRaGjh#!B$j`5)B4aDD}&ps}%nLCU*={$D7;MvrzmlOP7{hY%o^
z^MNUH511dGD59UXAeM_sGz^SAnZ3a&OqIC=%JdTUzy(MW1eC<_m^xFoxS~|;F$cAn
zC3(Nn(`Ze%$v>GQ`k|QZ_t^&8Y^YrpJZw+QSr#M)0CmL=nOi#dDXM6Rkxm01miBVM
zC&b$jdxb8lX^6rQo&@^dKnwj@6*KiWopZ1^1$c$e?<aDL)7H}JD7lzj8|}ip)xTPc
zwP@NwAavk?a4TNfI$^{)kZcUWh538~g5g{VFG<-Rg2D*UZ{D?f3}i<S?u>)fAfP_9
zrv5H#-6cN0Yu#YGP7vdMn&5qe{pD)qp8|H(>u2a-UDtVp=Iw)Jk=OIeSC2<6BxZ{$
z;fT)}4zjyMDTu`mwQiV8tzd9PMagWx+tKRffy>v1r%;V(KuU#^XqfA^r+xI7hfFEz
zr?FoYgq2Sir;<y4Apc`2?$E{M<2qOvb~A2>S3F)G;bGj1$$BoZuv7-2fqSm7l)9C(
zzZn~fAvYy@;o-H_;Tf8~!!;8#KCckSeykM8{$EvNGYo2b4Y&;(@*hqwl-Xe}krXhS
zOL8|w9iU8&Sxx@T$#u(FQ8~3hHdgb*X|>TJ%bX{Fwh|P2pmmxmV@;$Q3D$fn?L?})
za~g^U+n?G_$^)zj&?{M<ESJYE@T)kO1>$VzbrOL1kOyIlg<NfwhQ>z^+Eemxnx$fp
zmJs$=AtwyRQ2lXQWB^CA*b7__1e3)B;}>jynb9i<hrGxj@b3cTYnevydwfA@0Q8Y^
z$ADFuKi5S0CpIK94iB`ny|E6uR6pqR15tU+{RE9UErWom4XbosX{A8`7Mb`7wXq`W
z%)36YQUt(o)s+dPfI=%qmqDWxL6>nML{wpeqHtIG2S9*9)1^T_(%=k8WX_Bb;db=A
zXF?$6U>ZuYp$q@}PRR#CB7hN@OQEI86hN5?BF^&}6G>8E+I`7Zeu~{op-h)L_(rzj
z&&owu5qqgK4$AXW<cd|fs0t9cy3qrB%w$^=*${vas%ee@f5-SG-NI)JzH3Ffa+3<B
z&Q9nX3F`3O>EkC(j3Q$>Y{wNv=D((D><~o_A;7{2`axSqS>d$ZT6leT;$L1T^z8ZF
z`xM@Z<WE~DrW)g%(ez)J56w>K9M3V|Wf7SA8fJQxOd_8`b!}p5owZ$=P+cTfTmP7U
z1)`p?)>UxnuC`zyVWu9TH&+P1U#Om&P{UF{nltP>L}5=Cq`24+_5|<pX9KeLuTRLN
zbTBc<bG{s+;jG4cvnz}jXN*WEzAa6xs;N?F!E&ioU{@@(9aH-E%gMoVDU^GI2i$w7
zDV*8hU%Xl?%(GoSYoq~W!|USCu^s^jdk3_eEUOmU0vJEw;g<g~egqfh;#VN~mh+50
zQh_#Q?8*Sgf0{cHpt=1WM_4IdF!FG;fUH<#6YGtHc*l+l9L`GSfh}3C73Mg|lI1W%
zm?^97S}NkyqkEQKH&()W7{^XL-mrWt?^^!5JSrX7vHpFIyOoLV(a6E_MV@iQRXebY
z4er6^gZ}Gk4G5rpJJ)3B@*1fbKmfgJ0Rrf6N$G!&OZ_i^ZrK3=^wXC*A4wa@U5d4a
z>NW)s^`C&KhreCESnS;h1h%W?G?woeFd5J2O9Z4Iz;<Z>sfWcMn}t8@1vzrN`Lq#>
z^$-ZiH4Q}$=kZg64@pM2A<0tJHn{lPs@?&^7>|_Y2OMJ|CoC5H;xfFn=}5IEK%6v0
zmPfV0nNrUgz%rP7mR7Z+r<PW6%In(>|NSWC<f5nM0OiSmd)_H?*EV=;p%sy#BgY=N
z*eA(@$4q}{iyCrx0Q^$lX{~8#H7loP_}J2#?tl1l;8;=d^T+BYux9@eL%TCEwW0GF
zaK-e$g*R~C!YcGciK=;yX@t~R`6=Jf2AFjLAe2~Hp4#@;XYC^<3F-q5Fh7i0anuGJ
z^eAyke~&HMYr~CbyjO)BIL@!wXQfw!99VMLlA6l`?&e^{{I~7{4zXY(F8E+E7n&<W
z3HDh!J%SaL%gg`}fRhRU0V8K;mK-%92mdSl;^ml5+7AsnkSv2p9o$o_u8bHc25ejb
zz{U+4c(TN?72&|iIzD~NxoNEZ%<M(jSE`WrIs<*FVEfR5*z^b?NtgoLoc}KcwChR;
zZ^($**A0A^fT@zI$PL%dlDDcQu1$xBA_w#qwugWM$CMsx_7^2B#|~bFq8dNTlNbUi
zE`8QcVUjvqSs4cP^y!^(R0iKPHy%Boj?70kh^2Lpfz6dc8OIg3UBITzFt8o_ck4#D
zR^rd;azZMmJyiO-;N&L$MJ-*FU<E6T_OcMZQ)l=X@km0g&MEPzQ-~lao;RSmF#i)U
z33j;aaO9sO*{}ZiGi6+LC=G6!4IkAeDt%YOIb2la#y1~6em6KH-i!z#x29$x#e@bk
z>CY{9fOn4DSgL5jpAax$(TsfoK;>7Dh-aKXon^p75D+F?{WzZK($K>g=;1p;toBrv
z`SWsVyS;czpzq&(uvYosbTr(25H+voUXtD_`g_chgHR5XtiO8OPa@`f))12Z)P)v+
z`P|kR(PyXB5n-+R?a=P_ld6TXP&TJH>qTVX%O(IRD}OVai*P%UDG>-Z_oVwn7C})!
z0j)AaXMd*#rLPJ?gV_(SpV`%`p=@nfl2Gayz@Db3+&?~Mbp<o#3q~&)KEsfHaP#Zl
z|F5;dbZ%4X+=dJ+Rg9?pC@w6@m=&pSo`(b}-hMGq0P&y45dmu9Q(u^;SMzH~qWwc7
zs@T9?JIobTI?QDacm*ZGI0wU5BF0P!b9lrC*gsZX*hmBo_~el;H6{P^{d)j2Bgz5r
z{rw8WIRD@G_Zvvw^+S#jStgL)MWS4(+(iPkP$?fk3*AO`VfCov`T&u?_7x+KnAv-M
z_L3fIg;G7k<`ZYas1*H&n#%f3I(fxf^`T)ARN9Thv}3zTk@_%1_JZ1_jV~*as}(x%
z^BU4EUq?9r?c$R{6lo()X58K6EewVvX>#DY!u|2RlEzyNlKOTe{>wD+h;s;4@}XRK
z;i%{Jb<sShdkey6)7<o<z1Up*xK}Kaq|S{{V?m%n?>Xh^Yma-osRkGdFu)mC`#4?I
z!Y_X`k|E@eL~iFWKO|;Y!$Z&M$_74IL~QcY&*aBIMZh2KIL@BY+E9Gk3FVQ4m?<FA
zKq#a0*}2ybn4M1xnxEB8TS`;HYZV5SJu+Vh(38O_D3JM{4XySS%ck4<>k<xG1_~BX
zmgd)3Csg*bUo}D8xwMyfyLBnA3qOwJ#ZMyYaq}mkneqCWIyw%`j0FYL<J!JA^K+3I
z2yW4#ah*XOZWG<)wpxi0$VJ9|vIrHPkyMq`hkykIzJ7%X_PM{bWZ=ZDU)Ukuy$IZ6
zDVF76pD-}OcRAUC8_MP*yx@gw;a`{G>u>cGRNQu=^f=6!(LWXqvnTtlsKqJLR^T@1
z!v902yD9$-+LB+40x(le%1FfD;9WHZ9G5nk(=e|x&7#H1au=;NGtXjZ5h6x4=4hjE
zzZL3<U>G$wN|fZBzyHnO>%9PnAEJv9H-!hq>qI&W>2-)6rt;@k02$hn<p3{hQI{wV
z@bxG#ZCMbgldt%>R0MS^rbNo0=g%|#5+^!>)~Fz+TLk7W<5<MYhCopdRXA4ksnQr4
ztf-rutE*SvVr_$3bRv`kdlCc{pq1N)^gFQY1_3pwU1VB68`Hh+HTLwLt<cHyegcN~
zT>)bkk0~8NnaO9COjyi7GrW{asW7-jCH?0O02}n2#3V>3_lMXJlPHz)vMpNhlO5C!
z&W^s+)++mZd!@C4hg-z~E=NiYsMz30xqZ6_ZML)=4lRJZL5|wN;IPuc;6F{c#BsN5
zSaAwB82*9>M!wxh*GB4K*ufUBJmU2a*UDyTXhkDmoLOeI4u}7LT${C;v>)uSUyM>K
z1w33XstgvT1g4w~A+ihy9Q9(=>n`GVH<LS?+nd|v<=}A*_Oinz-)RSl4Zvm`|FBuf
zkD<l<(SuE%ZgTs6!C8#gEa{Uw8)Q?@RId46Xnun-2X_#dAK>#wKZqt-SsV#0C6LjJ
zt~h}3$ftQK3jD?VIR?Qe`uqeBDQGF2m!(w<x`X38*fU0!1xgpLTu_%dL0Z)Fcx3Bt
z+IE<OR-QuYlJDIS`chD0GptcQw8COb8alW?j%+aGPx#94TXf}zBS+IaCfy>fN--7Y
zLB<Ojml-l3mb6x`WtxuLm$j+o##9$GtTJkswO2AOG@Yh$6Sk6z+k7r_xUfI?DK1U)
zsTxB71Pt~$V%X}ud}rrV)nl1iZ%OiRank2UY{B79%eAZ|)!P-hfTE5;DnMu_eWo`p
zN%{bqI1X!*KmYei%1zh-tZMRSn`JU-@+&1#CDq-(RXq`2hEv?fUzGezro3BYWu`wi
z@`3##b<DGTv4QNEx6>*0)gQ%M)6Vw!FQGVhhV8~gN~ig#NvQwV%5`m`3FJFd77B&;
zuAD6%mRtF8hoPQd4~d+hR_^4qB}sVEu)sc|Z%|(eX%O#evY?4d<Ssn%HqxZ7>Mjiu
zlcZGzGbopTn)e;P`0}JjCw^f9hRONXwD1jsr;36F@jU>;K@9E|Y|CsvKkPBEkB2-<
z$1j*trB$Ff8$wbEix}H#7JmmCYxT4-Am4KHM3Dj%ZO+Hf?F;r4=P3F{VwW%&9*0NR
z_m|~v_Z)YgQ9sTa5<+wRiLihD0dRXsOGj&qP4rhdpVb|n6=ym-W13Z$N!44F*mj7e
zxPX;`N*?M2s_^XvxY4HGZ^ZUZ2D4ITXXeCG5Z2u-Oz|hUoHcW<;O10EL*+y*oN^B8
z`8~OY%JfOCNQ~`-Ytr8zi1zrvTB5v5FOVi6VMk#R@$y}lqGOLtE{XA^R`2b^2`)?V
z#oW6)l5Ti+-M<DX?-#1BMwHv%v?hkc&dpGNCa{inggMe%XyP7ST4p~NC+)1d>L}em
zIfR=Adha#2*_)rHM?31*!?bWuW!cHekh26soeBHp^`AvEhPWduQ<;4Py5$DtS<gwI
zs;9_`+c5}@H2y_%q6s9WfBw^5dNJZQwwup;&G~68Oi2%=>c9%SH1lYN-qV|TgS4m0
zrzqHXsCnfVSw4hYeo9628!Gt<n&yqs`$;9CHokyZLNhp_ExeO0W60wE=Fm_GE!a1d
zvK{re0jL>1GM}nh7ums72^%TP(w;4r&XzQ5n}xlR67HmF1a;E%!2{g_TS?@V-4~?x
zYt4i1NG(hPpx${Tw2?p)nP57|(JCmd#8W)zwX!SXViUXX@50Ahp%4P4i4<*MJ|4~@
z1{E)0Zek7u4!^f|*{oG8NKr~s;vRQSFmg9-L+&PFvbxlf!sYLKy3G2PLruyL`rk$~
zgwRJ$=wHOyv+#9!@4@VctW|1=QG%v{?uO;@?gI4fn-xz;dZD`eMEb1oxT}AB|61E7
zbbG}IX^6r?zI|#O>59t^e1ruAMftupbb=3dOC;i?U0NW+7cJLNn=cZXrwLeL@|atg
z8-l=r!s89`@AkHH(pnJct5GMO>;K0+fBxg1KmT!0;3oh7anEHl0)2p100)Ng2baQv
zFAA%*<cRxc2FM$1<Mw(DY&hzO2K>?CMe9CkJD~zw2z5s241k@7ciP8#^9fyyon*lO
zQ=}1N{O^{(j!#Otyi=j!rQAOyQsTlTGJkfWC{l95zWdVv{@a1$?$3;<wk9U-^FGtD
znf-MtB!mVNoI{+KnKU>ej@w<>ug5yjG<5g6bp;N*P`5`4yuCedj+}$=&1_F`du}rb
z_rb{k26IAECoCmo@4x#eu|Hj#g){?b)Z;{Q4g97-ULA*wLJF`;5NNPOoIG#|>|zr+
z^aPPR)3E|jw>RskckSu!8LCJkAKPP96iuK=gMx(O$|xwEKh$P2kub<fRtJDqWzR)n
z>BNclh;$f_!m$Y&lR8dds5b<<sK_;7Dhx~c>F*!Nx3McOI0<#s27kj1An*b8^mY*6
z$%e3Z9uH>61xCqnEa(YX?cun;eK)?)P1+ocuHWhbbbxY|j%12gv{}pv_K1XO*RS-}
z%fm}8R@pX+_=dK4@nnj%gSJb%?{@4T;n<|}375hp=ULflpja)UAeScsAPF`t)y}Fx
z<2LamlD?nr?-_fvem#FOLwz1v<a&BO8`Hl$TLyc6ZTRZiCPm6fN%$OWjg`_OR6&72
zF;l$DWcj${_%G@6!vdY@k!LoXV4)-{;?kxJ27YkA)FZCNyW>eZLQ_*?5i0Lgl_=bC
zvQB`v=UKAs1k=tQe{oKEa>-XFIoO6w*i59gGEg@9UN@KH%5Ot_zhlwDyJ;ZH{fL!5
z5M*yX((U-m5m1f#e&RLwMW_~H?Gx1)BnIoCZ(BhA!l7E{T*MJSpcnk^4m;EC;RQY$
zX0UogaV;Z#xy)6S`NY}$R|?RHdHl%n_aSd<du!^ut+AJb#sa0g@ZKQs=hMv`hhQcV
z4Y!tk5i{Em6yfX;h2B@%PHs>?4?IsYf>M??B$QZ;!AIa1x&Pn(=wU?cpf3p~5yq_S
z{S1v%2M|gc_$3Mq+pin=8hV9sPUv^+Xqnxew--^_P+nK#o-fc46E4GB-!%*hA@L93
zN0J5*wAYt%h7v<};q40Os#T_Rcx994JnX(ikwsl&Vb~J2S2>=n>N^st;wOLcQl5kC
zdpVr7Dn4-?1^?2v9C(JJUr*CvGo8w8xW6dmUYU=0m>wnAv{XKc6|HotiDp&G6+KF+
z$DJ#{!J9k!ukk~<4$o+o79Yn+CzBP<L^<^!S=#PE8uiW|qT89zDtV;O4i4e(H~0T4
zO^~&}jq4gsIJ0QLyN?`TU<3x=!AZACLh$`2c$Th%G|Snr`!lwKlzy>^n4%He$xWTm
z@hhZ}x}-yco_1SAq3$u!+>wtO7ffn|P5<X}I#jg#m88k-tv?d+uL~;aldjhTFns(|
z#&`DRvc5E1L+1t3{qVw^^I^3?#u-skxncbD`~@MNIU&I+>KLT-2y)Ax7?v`k^o_~O
zn@etyYpsRN?waJsYJ3QGq<U&Q_Y|~ATluhIYngfHxAdFihj*_}7%xr(X`$u3Q-hv=
z2X&E>z25ohk-~Ziyu1v2VY2H&<U5SDR{SC0kXk%4L)gk!oHBDIISNt?Eihj<z-@)b
zNtF4PQAFI|32tUc)TjGC^*Q-S;a4y#f5#2mG2$85$i|8WIYVn#p}G{|jH^W)X^4&Q
z^<*4T`o?nj>B$x0jG!>$FJ0CIuj+ir^<S^M0mR{&jxA`MikT$}v?f$XW!;~Qt>V(k
zH67NDiD`B<K#^3Xkz0D>Yu{zfIKxH2BwgjcO1e&pUq!Q=sSdH}ion#RCR!skRw+ip
z?bmBRM|iexD34ppia#UB+IvIiWl4gci@|TijuSd8SPb0wy&_!vzp*jWdoCM=h*H=4
zpTjoXZAnbILwmRvCd`63y^5{9X&RFRDKdn67e~G9u^2ODBMBA}51<NnzQHeV(ndZR
zWIS9+f#mV;ljJ+J+s;uN5-HB)yoMIzbJZM`lrjS-JvE*fW+;*owg%N87Xo<3mXNq!
zSkkwK=i!*)JO{lDdkc{ihdlTBwnEOXMyAzV?gX#~{35ax*Ty+J><cW3xo$LnxDd*E
z3tHvKQ^iBLZ%Q7~<{FeLMA0d27cew5E<dlJHuzR~f&@7;^;?=EUCO4lVDgRvjsLiG
zY)RL}Z%pA0+1nUKFOX%YTRuaKZIR~O8-1N&jI39=xo&1egA?XZNe$crC8tXiJk&>#
z9T9r)bB<$T`IbvZxSEwd9m5wCL6)^C%*~zPw96T)7F2TfpBux_?IB_GnLaokfL8P8
zqQqHwVhKj`v)>O1X|Go^S#f|#{S;i};N&b|Wls|p0-byF*E8Oov<OKXZM0vM4N{*Y
z-esUBkrhZn<xzn_hocUOBQ6*ZYCzRywH{TbzLAhvvm**<oBa6`Ech*KTR96k^I-IY
zv(q<Fbu0$w5E6%lIYWl7-0~+j!xnVR&8eX}OAQ4Utgb7Zhyp<x^=8uHXa(-b@SJAQ
zwIocyprHJ+?KYASG$I|J|N3~VBrx}~rHnf5Q0*LcqDY;;>}c!40dd^3hBtwG>Zq4r
z5XT}Blt|~Cu8*`qK}5@=-BD9PF;Vb6iQJ0>LKrdF-P}G6i_v)coM)b0wI45-he3%G
z1Z0CVu%0GjD2+yohcI!x+A7MZzv6bRK>+jgcqImLX@vK~_!^5F&(f{n!+E(VDpk$y
zrgAr~xi~SlxyR*MqM(d6%Db435BEx(d(E@wTd!yH*%K4?Ii>0xGs;#X^2mhp#zJXk
zsBD7+$L-rl{s?ccVI=kka8l1=6GshM%HVrsgXEu`Ha>NSxP0H<(8ON~aMhJPU;<}c
zgK_ai@QftBtgkfxc3uo?x!?*99PHPkw`uhPs)zM6ta@38Ech6U{7n9@Uo$@HMz0e?
zw+K0)1AO*1SEP(yExxHLBL~o6)u03PG}XhmPtL3%dPc9V-EES9_Hf(~yXpN<qu1E8
z7TurUEm%6J-z}iZO_@v=SbN{}R-e8Suivq^V_b;%bZ3myxfHy-K3@kM=`r&!VW#<>
z`vWqsyzokwzK+#=Zlb+XMzRf0fKCS)QlN`|NP;gjM__q-l<tTyclw)=6(5|h;Z&q+
z8PZK$Xo09yQ__MrWWKMghB8#iZ-?=IJp*%w+>t?_px{K^%AqKRItL=)nV;Bu8B{?v
zwoPo9d{?im2TqBkpsaHGu8JbaX}L7X$Vm*d3ISqR-fS`RGZcI4v4+81abi}%v8EA%
zfjef!en#6?KFd}OBQa8{Ga90(+U{17UA|8<?Bw{XXI9)<RVY>UK<yZFyKL=bBcbz=
z$6{#r=)y(W3^_#mfyu+OKn(7LlcC`#vA9xDlt4MrvUUj_>b0OJlG?j0(E2lxykL^U
z<%l;OWdxo3`8yqZC#w`EXI8?JhYAOJbnHI;NTXRf@+>C0qi-LvW|9!jr*vVMP|fu0
zynFsFZT4KE>Fz)iKb!~ZA`c)m1D^t(Lh+nzrJomp-U+}5Ziw;|0fm2tyugRRxyOKG
zy|M#4Lflb=dKHHtkqZ;=@r~4V?BVtdC>l5<Z>Izd{NEApEjYx;rZD+tlSc>rf+&*M
zQoEVjewQKVXm)+<gA>CKzYJQuy5H@6{d#`?>Nr@)U7H!X+5QZMczK=3{C?S^516iF
zy8jWA1Jcbsq#6v=Ez)X+1IO;`?$CBe6p8{D{+z~jdxcY>hcT@ttTOaq0p5(_mV1GR
zRnMLfy|Qur;{gs<_o@dX)<waoyt$$6NR!$|VOhDdIBP|rz1q?U6%nOJG=sxMae5F3
zCR#$|hhuYAg}L#VQa9L`B~3y-R^;H0Hcf(6EjPqP)zL8Kb^iiX!VeflKY<I<mi)#V
z1PJC02zr?DkJ+<J4up(5FM5RWW#Z3ye)%Eyjtz209xS9s5#ksruu15nq*^&R%!OL7
zP|oKG)b?u&0;3OuXb(E{C$Be>vQnpd%1DoPZ}lp!00jzj(lRpx3)b`U(n^IHtfxN@
zQ!0Q&(Yd^w6B-}JlXl61i-7!srIL#L0+Rd^&3Kg+s3qQV-f;r|l$*Zv%>9QO)beK>
zMUmf0j2<4=LToj?j|F=&Xcdf)ggVi0Jjwt*u*K)4OgIs1z14M>0fruBhX)r9$lALD
zcz?b$EUl9<0&9vF8YEG7ymz31vq83GsG(D%L|MlD4zv=>TcgwkTgjUFF~2%kUGvx-
z5ebeGKR(3b4k!p>#9wW`e2vRKZW)d!i@gku6I4=tDH<kC6RSr@vRrnfl(o>pXT9sP
zc|Emv7sK2+Z__h!<y6;BJ{f8}z(t1OVIyE`6vrSVBWVNz(!gKi!wk*t&D`xVoC(3F
z^e4j6By3J?g!`Agg~$!)qLVOXgt*E0v0opR0vLL7w$j`aA%$3%p35a(K{mq+efrC9
z8Ze6elzPxF4GxW=+1X90!wF)(X25oxm@14dldwn01#heErvhjYKh*5?*HnNnMHheT
zf(<G1)2IY7eK2YDJG5WU_zoDNW%zBacugv!${RLNJ3?AH4Tsb5E{@5}iu2S-L>yr*
z9N6V7G2e>El!!v{`~Tkkd&vcPZZ;&&%r<f@n3{VV40~1DpnZ4k>zCfI$F}(vr^cXW
zd5qI`)bf~;wb<<4yK`sGa>L&<xw2c0ZbT;a(h7MXOtlr2$D{E$T3uS1?mE59=Df~q
z=c<$HX4*`oS$*umW&N&$A*@t-Q7&5gw8Jb?s&d#?HL5szzc<lv-%k%mSi>kca%0uc
z-857rSh{3>;!%(tDi`32$E8-BU|za$FjPT|9vq+=;EI-_T9^&UdR<k`$^P2WCIxi1
zz+bVL-387~hrU~)3$s<ftBJ7D0;$O4O}6un9?N!!vZaPt2TULMGe-nNEA5_tP5<3y
z+<N>XlmO2y9Ah3~gEJu}w2H9d%8&$JhTiy7!20l@46Jx)#@OaPptU1nf7IvggykD^
zr;WFBL%FTV2y|FHz+F}c?TNIwTFmT!xn+eR6yg+hCow!oW0a|QQ!B9fN6L~HcD`=p
z;MsM=y}^#!KT9Upk&T?&tk5O=q+H|Yv$ybSQh`AZKY~dr(MB)~VwIcFN=qpeEKoa{
zhFgT&p8(A|isKfk!W4d$c{F8`+p>j0K8FX=zu{tc?hz?`816{2G6PUtgm0O@Kv}rC
zkI|?Q?jLC}LixRK?wAwScG6JRFQ2nZ*X)b(*`Uv4m~cVe6P#dkdGKJuM?ed%O@b`2
zc8pX|a7PB+mrzDgx*8G2mJH1n=sHX2aKyGK<-niNfD|cBn>e0B#hh>Yfuej~r&cgQ
z-wiWjUNZ`&kQn>avET~*<;-|-7kV}LQIl}wx=qFMhjenX`L(aY%HX!kH;0h+-fFz!
zb<CmUUIv-7EY-X!bnY(78GEbQ;Qo%9_TjIQyb9%l_@c=A^KB=HnqlZ&s27z0uy4(c
z?`ef^n}J%Kg_&0qmm>#bCB-*$CGEFTtz*uhhTY$Fh2J79&3@nMD_ftL=qk=ptDX3`
z^vEm2Dgw%cC#=9uz|;GyXkM&TI|o!tc|=x%LXkz6M61_8d0PW*V9y4MSI?^u2QCE1
zLH+YHLYJ3S#cdGa6g6lPV!znyC5%>!^S<qrur$&|gUp|qF04ZBY(MV@Oqx@1KHO-#
zYxaeIV&gGI{>ggyw$aT?WPyj!s%r}BZ=v&ARSy1c+!9?iy|BRmFW<*13hsWQU-)eC
zIHN6N)eB*38{-Y&441=>2H#jW<m>sqJ=R*)>HPKA{vP4?D<2XJ#Fd-}@1l}+jo&X+
zd6rR7D^O<@B`mM=MNiGGoBT`-j2+Q~AV|&~^9+hb)LMj`fl7JB^+o8rgj`P>O1(L4
z<ln}|&{x%HX<*N22$b^dpJRMo$)T`tp!F>GE01QO+gU%2Lm@T87VwFkn5hL@NFT8O
ztm$VqXn-V7h3?W7J+ZaNSR5HC=vnXlxx%G+TxrYvQI!%_;(-13rh_lD&UEJsp|lz;
z5_pP*u3&N?FhPlQ=)nUG9=QQIL_?XKawmv_O<x9USaGuDRIm+`^T<v<M$iT`k|_z%
zKT^_^(f30B^&&EG$}4jE^44#T_GJRPzie3~%##M70_IGWw#7;xHGrcj#5eMD6xx2-
zj?41;f}QmfkfuG1E0va-J@t6Uw$(7_DA3C_eWURSrDMR0iVP3>51VM?G@p^|x3Zz0
z=hWqs(X~~MGAC`S9b)4Af+0~aVN1N9*au10J<L|lo9}=LL|{oJ4&xKEifjvzN6wE6
zD7A=x0hN&|5}cwh5zh{lZ;L(QQy~VYf(v@@dk$pIxgU#5yh<V>fMCo`N;=jKGn{>(
zj3<s->!sE;5G})$oPlOlI!n(trAov7!*6%e5sS~siJ9ID#%b!1@zm!v3p$Wn;`&<2
zJ%<-dp2e=FLmcx|*)i_TRYqik$22xI3@U7SkVu|t6;p_pLpa#*Eq_e|zB|9d=z^rG
zy_7Y@oYJ0Ny`<VNG8&}HEHw|6{iZ5Hv6($XQB}CL=+%$u)&FVOlMZC3`dc9M*W`~%
z`kPT-R%(U6cn&|Ff-41UdEjX8$~&ZXz?4sG)-rnJ^_Egyy%2+B2Pg4!XWJHBDGek9
z&44Cns1h3^z^VggHMBKlP8S!Jf~GTOElx5k0mUlY6_DA>G(HUZP8QsOLl`-(fmBS~
zHb5#i1(WTfursn#x7wHk50`YqzPxU_W+Q2?*51FfU6myGr!KUyY9DAXk#{yjr6;SS
z)XxlEh$4wQ5n6=T?>}XfI2_SY@J#1#4se0hxHF>rCs3lKg0<g@e^Oal8uz7$z&0tJ
zTAsyS3=TQv+n4t`4_TK>c(Pj9(OKAStvZ8S$<q3znceQlL^4;=(}TyV8-SxD`El;8
z6lIpX{H0p;V1==@wd^tN^LC(Vg^tQ4*P5_;-gq$XQ916`8Ac%P@up4GXC-L?95*Y~
zc&qlCt{SATnx)BxQBh0A!m~N4nM+((#<Ehv=IsVig7<MJz@YR{rHm)oaeSqetZ5D)
zki1Qb*haVkW`40MxJ)CPJm1tMD^g3sG6lQbXvqQ%@X->SqN1rTF$Lt~EmdWv8vfHq
za&{(*Gys7F%sS!kL?=GdfTfTeV**uX31PC#T3}?e;#_4iSHF#y8+tkd6?o0_u9EW$
z&T1pg*4o=b9k8yw?Xz{VM`9`wX=f<i!?W>|xI+Qa!G8VfWqbwo4A`@^oH#Ovth$)*
z5%DL$+MHpZhjRRYQD1$&yEU=G{xyczVb}NVd&U$v@b{RppDe*8;527WScpsf+HRDc
z<F`?9#s#s``pmJh5K!FVcR<5CduLjy`sweN8xXT$?+YBa4*Rcx&eW(>%hE-dQkm+t
zC7mG;^qd=IYjVR=yqC@Wd7ROuXN&kOcf-}DD5c_<6LgjXH9z*CdN!=NpuPNkCRV-i
zcRIO-O^c&q5i8vJ@`t;j?LIdsFi%t=)=Y~Udt~#3qqUA=^J6+IN1U_OIM<P58dyBU
z(}WsNCe@PHSOAs<y~`LUN19xsXC`LV_2XA_lMBwLS%&OunVa__eAy>07mVN{xWdcC
zE3gN$06r=fS81xS7zdZ3=as8jN1=O(H*$HmV)i)t;kmU&xbo$0VR%8}54^?^kJ29s
zH3^88ecQnb(fzx>YW4+Ig$ls&$@Lzlogl{u!->7W>iOU}xRYf=h3d?Df??NLav;xF
z86wzOeYvYD?DlsDD19%!EjyD7tD7V?>yX{u7cL<%oZ!ifTSzFpk6fQOkfc05wlIr3
zcK#nv-xM858?8NYCbn(cwr$(V#I|kQ_QbYr+nG#k|2^k?=fCKizUWm|U2DI4KiVEu
zNg_Q<5rcW<J`c#Xut`otFp;%)qpRv_VeWtJmdFR<z*SQkM1u4Sj1RZq3oSjRWI`zZ
z*ipeNlGC5>aW`0V;aRg6gGRs~H{8ZnT`U=Y%XHuuj{Enen{aue!*$jpY>5zK0Cfz~
z!`w88IjkZ=B*-ZfiW@-WDza9=JC?&hlm2?a(JR?ENm4Idv~5+r%1}gQ4N{e6u2ZvS
zEt|(-&RgzOc$fVw$kcfX)e_nfF0}_9chAcq$YRBu8XIk#UI3L=k1I|XYaC->P}|^~
zu)*}vY%y35f1fD79J}b;a+jV&(3p5;EOUwQV|&PkT0INA-aamFSwgwUp2$fZ)e8$p
zr-nBny(2HXrIl$o%cQ|%Veb!FG8PjQ<D7Po;0Au&X$!=GQ(d95gez0hR7Q_pDd(&S
z&Ge9;&4xwY_~V^cm9(*&k3p9enHAvFZXc*(tn|@c4*V)*68^HI6K47OLt0`*UpkUo
zObt(iHjqu$q!|IYCP7u|IepBkr_7VZVwuwZx0(i;WB*8UQfp*tId&QtHlzAdgMh8v
zSUjYgW`Swn#gm{9I?h**fxjmvV5M6W6d-C8B%!Qc3$;w{<#F%i@zEK3mv0QSH#GkB
zDM{dDb4FKMa%}5T)pU8kPDqeCU<z8giqHw*6U$hQZ_lx-O|0}#gUHANKzi}7JovAH
z<!!37mE~=u`IQw(nyZkgyA_JJrUeI!{Ulhh1I9cF9;{P3z3PYd>056>4^VdFZEu`i
zhm^UTW<AC-Vl6%C?b|9y^>pd&fd_ZtP?T|cNMUY4UMq)gx%K!ElB@XP_Y*9n0;gd{
zGxay>Ts&^mwJ9bP<bSs7bMc`$w)5i6@zBxv`#6Dg@s+A!0cJQf1B7G~@5|A7JK)P0
z5DFV$r{I1Wata*2S1ors8aD)Dq`yH*#;?H@i+zSq#d+$CdGj(;7S-S^O4eFZNMv89
z2zrK^d_;H70(_(dzBmGmLGO<FjWk)$nYuyAyIn=kETpcJbx?BfcVk!({cbWkENHNU
zU+G1eIoPksZonBW580vU@Qf#hGG_QXQzmT5!Ec-*LxW2o;Zg&KhpX!c1wZ)kjq~bR
zVxMlLx-mso5g&l0I=2+0lMG_8#)vux#mvx+`#ODOm>kz>PzG=-+$B?H=~83n1GH&J
z3mkHNM+5~&9o+9Bja~-_(v|ti=;NjuMB(2K?3<GlC^?3r#z}Vg4u9A&LFz!bgLx1o
z1%O4h%X-3+Mef1l%>l_*lc97#aNV$B1+V5$bF5)32`Y#wqNA)y;VcAo;KYgjDW8Jk
z*+Ynr2CK9k72RvV&ec<E4u||xJtke;hjvYuX<l}n4^j`Yqa;Jzlz9^!(n>f|Zp3vj
zlny-1C4m(x+H?~f>VREXbp5h*(X=_l!yspFMtpMI{0Is$Vwz*HN3~9737Te^8H+kN
z^!;ft80=|*g{OhwbQt_|>J(P1)E(b}PmBwdQPE2H@ff2rPy(d6Kr66d;SvQigh|b+
z1qdm1f=$HgR3dbmC5L2?Js8VGD++v)O^pjZG%VEqs!ib6cce;2YPN#--#X)ua?9h-
zA`LY4qVLu*v#RVClJhKWUU41JToGJS?!)Kk@(9fPNk!5cZc}(}u6gS6_MUooSJI`_
zSGtzms`^Cl?!szS__MU*1e_&^hh7w{adj_&Z)c7`6jMp?5(#K8?i|1<nAv3Tffv@K
zpeQ+b_xHzWUsjyelo#QY*Qq4KHEvl1ZG=ZB;CHxuRROR=x*Gs?H~~zYjMrHAE&ss|
z40eE173W?rG0IoaX3I)m)n*F-JCFcihv1m&m9>||dI!*M@uKHLXyRfcyq|yD2lqQi
zK8!D*!!`l9n>ARNHoM1I`L?^W3yaaXZZ+N!TwwBRFzIsxreHxYrH~DpHz-pS=1>D=
zGOnEXx7>H`Cw14XIcf;fGXzHa2Od34!5rxw72LzF-bk6xy^808XcrHvMtgZ^HPti#
z5hwA&5JVQnaY|!?=&2wj@fJ{gAU`?RWfO4&1V(uQR+vhMWslQdC<4&%@UPMF94hkU
zR;Q^;9ACEFqf=h!8orrW_$+k08~eXf=t>eTDv1bh&Yn2ncmE#=|G916S)*Gm{5bds
z)Z`r>-D2CC^^?u9bG_)SShm_>qxeVL^cO+<I~P3+&?ddAq@r!!$40*PedwH~2r6C>
zv2(*oFZ=JNCAgg!ijAKe{(P4B>W?hJC;mo9(hvhy+S>V)ML!>YY2m<ZQG1p=AZ*L|
zAM4n97h6DTVHA>4tKtW^P^2dae0)_A`MzFI?L~3eeS`4F>BA9DG*qJ)tEfx>vC2_w
zGSyP=C!T-_(oc}fnW7&Lop9Xw!d>s$e^@DIGp8M0?HENPr>3vIW}X57?y=f4Heiu!
zM5SSFfm-{bCQj(XChaVkz`H<awJ_l1KT42zAIHe6f{KP`9MN4sb#*s+TU)=Zrf-}X
zBi+F^ho&AvcRhuS8ZYGXHydu44vEv*@|GbEo-ia%1%*`L5<tHzdOy+!K+)~acPFex
z>qMd6L$S=ZbBVxiZ$J4rBr%d6)*##Z)qD@Zz=#pjbdMAta$5C{h;4z^D2_kV2iM@+
zq>3X&s~wZVRcGn<vCuTSZqQokY{aiHM)dn{gl-u9zjPk-NQ8CN5X^Gr&Ym*1vdHQf
zkl2^^Y$N{8^X>w)JQOs~=dj^&Mk*9O`(@@&;Bx+t_4|Rc@+@YC-q<lo>8b4Hb}jal
zWXoE>_KG8<6B5S0(T*YL0?v!Q_t%!dUN)(?3XRc&COCaFQ;=y!^<X%a=j{)DljQ#9
z^jdl?Z|+iqJjMfF3;yowD9_G~#$b)#1cB=mQd*pe-Bl5!`*(%aRe_Ti_0X((wO@F_
zX?09WKDaTtzOzW|ZjtUoK+e@t0D(K7es8W$&^Gx#)?co)vP2z_*2xUjQCMiOnqX@M
z4XtTb0Ku;llxc17zf;4q1MHOMhe2&W67M<m0&F#zY6-RmaHW=LhD*#DxEJfTfu?iN
zJ-qs8-L77jTsRy<ZfTO6WIUf+Y=17}`P!Q!%s<)+i~~GhIkpu(r#QpEveT5k(;s5`
zWGm1H7Qr1seB!-c?}jpl0>XD8p%qUbj76HE^#|542uK?_7B>H}#N@O#9V3huP8ytF
ziS`BW)eUO%U?fypay3;0PW84g8I5)en*%UAhU^Xl2mEJ$JgM$OqbE(ylWjckUSl$m
zi(aE%Y^dj1(+t{hSAfE_+Y)gh?~M}6(lYxi?jPfqA&Y(7yiW_Bqb+bGIN8+jteZY4
z4{iKezX2|o0qYlUJS69;+zF5Zo_MmQGvR?!MmjF!VEb#^s|ahstb;Rl1erswhig%h
zk1k({gB#On!U7AZk6o`Lvp$H$uiQ}!^J_y@`NMIRP`^?`j(cGLU`OGTnsJVd1C&n5
z#E5C+y+=zkREs+(7LPA7NCYdyqq+Dljvs@xFrgJ~NI+~XMUr2(iQaIx@n{R^;Rirg
z{u)Phpn7tNdQ1jcfFtPT<8O7pk_KO+V9qv+1{xzPjVVJ}Qs;ve3Fv^i=f*>jFBjIY
z5Qy!;IsP?ES2+EatWNHnwCO<~zh2B2FR!pp`se3ox6Ycn<OqkafbJwJ>x(bYGObcW
zxd7>7T}T8oC6g?7SZKTGo-wj)7eW6>7*0(1=-3b_9_UMPCa^|eG}6pDn~P8sP!pWH
zd=djH(2AhjP8t(}L=}PJ{W@ZP?&0iPG!)3;krNk|&9Qa+z*k$GUBV8k{BL9nytn1b
z22vd)Tnaw#)|(uR-h^#Z0%D+a0oxvio1md(l>Q<fvDfV2#GfN7^%MTTyra0b_xvbd
zdXz$lJ<H%bLIPLoUzvlZ(*l2F1rTMY)3cl1?;ilmsCU+wTos&-iaDr`q1r(>kZV!y
zX%!XPc$AmBOuI?8v&LF}S>Y@`QUe?mv68)_-i6lT##g*QW7|)46r>K)ZClZ*VkQ5v
zxUrfVS~11|M>bC52;-%<Q;N!TBNxtM_AvY?BmSQ-ErjMKECtl&CIDp=0HBNtQr}sv
z+GUoMoD9054OM?GBw_RSzy<j-ef2Iff8_f<Nu2aBBCfv?W&E1}SK~~m)PH4(2e)rD
z+Dgpft@;MI!xCv=C-Mbl5X5F~y(aCz^3nD9VuuLf;R)cBI*eVzm)h^Dv{5Jlhu+mY
zN%`$8TBc&-v!!s*DDsH@@P|NhyRyQa%;BrcNMHLaVu{@nPS&byhI#}BvLnTF3DsXg
zjp_dp4)&bysc3hPekE#lc!SkJhZ80U*KdgCE0K~o1_U|K6Q>}h*g+5+xa~->VdPrn
zmhhvty^&;!wy=#e4{P^Up>H8n$lONn6GQHc_R;)4#QU+Z|H}YKwD?-q<noSLlA}Hi
zn_@P=A?L-)#9*pI418v>z3|P*#^AJ%(|Z?1t2r`D7uA7{+3spf@0?NhZ&pTuKO@5x
zJP{LJFI$_pv%v*IIRf_Zw`rDR_Ia~|^vnF55C2O7wZWqUTU~?3@|LKd96FRj{hCeJ
zjpxl)$m|94>QDNCoYaR->I&)3jl93k%9l3glTIyp`({6A^tYT|bMbw@%6&BS*&=&4
z?CAdyiDl-fo|UePb!Az;-;!Go?=vOk#aTO_(<7CgTL7|fNLF7%>#}rpaoP55L)PxU
zYS?~0t=Scy^;O^-1;+cRhF$6T2LM!01AuC=+_#_&<z5nbAD&#D?wFDDqc%7zE^9Je
zjK=tyx~v^rs-G`!+Yj={GtNTaQS;J=!HW8%i%Yl%OY)1w;$M?onU=WI4~#Q&@#kq!
zkMT)sLgRwXDO=@#iA3reiBu8t+s*A#G4EOE2R&BE{B*%;+#AjcmyM%Rxv7;28_os~
zBKdeK&jyVmQ=zD&a=5Mmk1O}g(Kv#SC)UCcW1g5b+QJu0qKXa|wm>4^le(uiK7VcQ
zdr~N{VHl2Gm48D8-zHOgwp~1RqND+it%j$^3|I3WI<8t1WVn{)FEx1Ng+|JUy7BO9
z9SQiGsqye5CjAHPL7JZM&C8x--yz89oeC0<s~3`{3qiTUoK)Z8z=G9{2EZ;g%Ia?O
z-_r{iJ)zNq<ndMEKMxFVT)wFcZv>1=m&t%p$-!5Xct%<%`_@LoC*q{b<6$8^$j0Z^
zth0h7e<TY(lzny8e8vAh4Vr_V@y1PU3LTn!Ro$W%@5mQ&sv9`}y+Gla$lzIc|BA`N
z?KM1$ZVcORGNk+V+5YSuv2Lz-Ds$-#SXMNyvhSGHK(8>@so=)30>|IOC*Y*KN1!qE
zwdR3!N`LS}HOvBx!U6W4+n05U-Y?2U2lk#Hb?W<0(%>s?=D31n>e_X$;ZMA7L4Hc#
zM@Y#sLvL<v=&N=5?tl7@pjW{AfiTr8a{UlU(6d}!NzenhL(_kEIK*Eq_(2-@0+<<g
zU<S0UhCRadwUX`;a_|jrw&vf3jqiRxie6s=PRly{ZuP*99ZGg(F-mM`T66~;<~?qM
zL(pXI<fOoDF}@(p1*2<@P%1|;40FW$$n@HAj*|3RrhIA(Y86+E5<)&PXRoO;^tTJJ
zkDZQS&Q)_}yPq^aT;BnhkK*~KU<awOGaIsH{DRp|KH2w4@ak)_qiqJRH6=^7=~KW@
zkpAKjdnrwXF_&RN-nVP$A+@mmdTb)P@i0iQ^f3MHAuA<xMP6+Btuu<96o?$lJ%WrB
z2xT>_ausGuhGWj9Ng(e%V>3_$R5>Ntcp$2DiCre^$eA_Z@KPDsU)3aa*ErXlX#0w3
z8o3Wnh*8Pk>R=>|x7h)OD1)Mv>K!P555*iN2$*NMk{v3oznqU%HD^0cR8~h8bvsna
z_|g?KRYTvaI(wL>Q~p%BZ07CX^+qz(Lg?FJsQc)3e!>wQ5_?_aniUB><~HN&V@*JP
zHs9?p(Kv=g@?Hc~17W_=9;|5!3!L0Y{>TtM9VsFqIQ$|rU(TrlpnSk%D5+{7OaN*s
zz5)pI|EQ^WM)O-Ce;E(*g+TWx)r(5^D8N6u4;b$u?ACv+x=%9QraCxF>uEas<CZA|
zalq`zlT$`BP9>Sgwqs0)39X<wIj{i8P}CEnL#hurUVRF_9I>N#nSs+Efus!Zcn}zf
z3^H$N<FLN|Y~&F<6svzZp6hFeY3&HwUyrlRjFgP6vm4NcB;~vx_1I}PeCo1X802tN
znEOzQ-kDAO3B`?&BYVW`T1li8GU^3YT6WT~olRuvW0jw47DP6b1Eg=0*Z^&U%3YGq
z-P1fMkQvTl0}#kXy_D!&ez>dMawX0APR{S9)3352Lo<!bwpKs=+C#m}5_ZbJq%R67
zsNGj^AM`V`+VAeS>OF&2v$Z{{w4XoQeRFlU#Q1y6-C8eoGA2A+p<TbK8`4TO=BRi&
zhf9`ob$N9!*K2q?|5I6Hn6G9IM|rqX`+m@!>^5KM&G%YEms@?Atgzl)yIOr;A$@kf
z9LtK!lKsrXVPN;gAzxH{+tTgCHNN`&=yJIM80_?Wtyghj=nt37&8r!nQVqJPr9tx`
zYUt^&Fze<S#U7#-#@EPG`D@MRI0wT&)KPvH?;RQxWGcC*oUppcB16lzHl)d3k=rR%
z3w|xM1G!aCiFnP-cC}O6#>6OlqKZEfWFOJ(<>fQ4BSK#po``f$>u=Q>%$~=E?ue~v
zWM>G(^2dhY4}w|)W+f|cH%wzq4`_FghXaZoC^wV2y;2pe+%Sf=k70<&WFmY8%*aFD
zI9cTh?4I&6zR2%Mw&q%Iq)`s}-gK`mIAAszisJPH#91amRgm0$hNdrEIPmYtq|O%~
z^mfRXm3c5R9Znvsg1l(^lmjRqF)A$~89cseP_$Ta;z(I@aG$$d54HR|wK^~ODHTN=
zD(3PObJW7FN3)#4bixtu7)4}3xcid9Z%5+mR%qhvB)pW_YF(=mx>OUZ8y?LLv_q46
zu>fMOfZQ{huz<*Ud|K$r5@t?JKU&L*6$L$X1JW3|+9VTu8LtWB@SLZ0A0|^E8)AcL
z2y97fp35IMpgM514PP9Xh5Ju^j_^s^n4Z=6h94RtzKp!$Z(5a-v<jNA7%DSpjE6Gw
zx3?ElDtBiZ3ujv9(FErZh=`Mi_v6$Q+fEkwpV4JY4W>SSe(K&jyWHFrJpC<rh_tD-
zf_N!(Ws)Tyzk!8Nyga|Gv??kGOKo=iLOECa#F`mNMu8dZoUhlm_`~)L&Yf9DSak3S
z<KH9^=;9w47t)CZc37+`T1;6xPD5A%w8<rwnfT{o*k<sfKBY0XO56oLhcS3<HTH#S
zWoVl(;UXbGe^E}ge6w-H&#6eKU{sASGqj>kp_v?4W;B}(e;MIX2*Kr4lE8{R=r@VT
z<&#0fAA4m$`4?CMlz)U~K>07X4&V5{@?ZY1{EKwA5qk^HZCJ^w&TRmo3xa=&2`#(T
z{KrIr3$7nJ`$y|+WO&;8LmPmmK;y^n5f{RAI32+OJRV(UAl23>7mT*BumEa5Pxd4Q
zFh*CLUmH47FaXfo`3mZLrH@(mcoG3*B>%mz(7=g0VqQ%=sj3K&$6?`ULb9{)5#?n<
zJHuzwX$URli56Q#lAdt|4XMDs&u;4YtHka#2LCp2%Kl@2#LX=jz}<sOwM&9i^jua;
zz>Zdf$5K)^pp4z2f>65r<vwhMf$vftB8IDExj=ohJ|3*7!AGTfs)lHY^%3tC{m`_A
z<p0J0^P}l<%RM<bZ|e$DZ97E=0P5T*13;aR;<Bp!GA!T!<w|D%?2-S|lK4_xb7~_P
zHCXAO8a05buzCVoW<eQl)}bbvaLRkZsBI@tMBP!vk5q0Gda?P_n|1uSEyhv;ZT<T3
ze~${iK7!IhIkF=rY#qTH5=3nDweWAgNG#j9f-~)^Fk4@evpbj<yNNFUF!bgjjrWG-
zmi*c%dtK~0XlJ(zrv8nRGMa&M7-H_&Y(oJ^PX8+F@M%;MVKhQ#XM`vFhrua<Bp<Wi
zfNlPmN%Ueu!@}{cv!v&nguSYRJ>MzXrjFOWUb0viE9M3+4y>UE20O2uhbjXNPei)h
z$1Nzmnz?v&BX;<G#7jQ^3Eh3HcluMJ14lxSj(a1q-dL>K?q!5q4}Mq92(NpC<X|-H
zXX^VBcCXWss4C=_$N>(P#XyhwmrFy2Y8&BV>Eb@Z$(0@9J%B_I{$7;@v3b=Fa=A`f
zL}fa>X~F#B66%r#_s<`s^~7ybhp7pOL*56=Y4tW-6~qg{ddnN6&i;{=30g!2$_SI#
zY2TH>Kc)4Q2MUfGGpvXrZ0)ELb<3ILW=ZUKc-3Xg(GESBe)}c;7U0)g;bva6th6&c
zzHL^tk1%OS=^VGmSk{thV5T6nBk}$Ki$2#!`L!wtd9QGpP5iXVxN(<ysFI*Y*7C!O
zABT{{0;j<dkINC~HGvqA)68O!cAM8ucaQsn1j)181F&@$5v6N>O!*5&JKnvpgon>}
zI!|bMY{-C=;k_cmhhb0YH`gMD8;s&c-q+LS=e!9I?0uxWha?d-+gD&UNsTXszndx@
zv$EgZTxoszw||J6y<Z@%i^z8Kdb}9>Dk0O?@LSMWV~OAm3C`~s*h(M8JZ$6k@oBH%
z(W$W$_lyur0VnsEx<CZM2NKx2hNCPgYMwzIkLvY+U!+jy;z{W1D3ibZ6EU>|-=m6q
zF-erujogW(E}%$(K4dSSHPjH*eJf)xL|bHzufcz6i0cj3&_1zohlHCWSvqUDV;=z0
z9^!xbxV)#R|M6NOa}-qDdmi>Uc3|t7Gg?hYmM%>e$BqJDRSt1KIa(5vSrI#zoVVMZ
z_mJB`91^>2cO(uX4WY;9^2({xO8d<T>-cv|M;XRv#)Jh@u!Y8c-=>mI7sf75K;@*7
zV`yG<lmm7VgDV8(68vopBW*Qa7)FXca{95>=}-fEHlHYg-(4EJW2+;4{OWg}y&n&v
z@ne7;q*-m*RUj>wux}x&J}1r*_$i^xadm~O(xW@e!WSQqY6STWiqb**+Q(4khnQ-j
z{)ov2&Tzz|`0}d_P$F+_?n!fpjo6`iEj!Z_h`v1zZ0@3q(;LVzu6`KDaB}Udq&Kg?
z6QxXrJCSV~-zmX+{6Zdy1H!HRi*ZNRTVTGY`KYHHZV+Xjj7>K+=PfE)SjP~zC*P(;
zayUg-ros^1hWM$AgH*`l{JKk7l_q{PFWm+4?i4T9<={VVXKLMoPiygS7`#!Fy|)HN
zegjT&^J&wZA9QGRB0t+>K`HMZfXp?ub^sV&$Kfs{UDrI28U|yXx@jd{?K=lGUG^FP
zgUJ{ipl+K$@aoFCmXE{zp9pllA289AbMqkBYsSABEca49_5%txD4=kQ_^j1bz)KhN
zEv<f{%H`|+Ytu=2|3~2|<f*^`Z|!@Y*D#mTaZiw>9HOY8|1wI>Ozp+cY^7t&-lE4=
z=-|rrNZoT|2SoqwP5!>PMes7^{a62bd_pzscXjvtLsj?u-E%mI27dRZ``YLgmS>S$
z-Vk>8g-(W)XVLa9Wp#&n1>mx~<^h+zV*%)@VrskR|GVrQ_Kob}$s4h>HwpbY=wHj7
zmFWM@n}_jg>!XmJs_r@IJE6S61wWp^Zm4U#7dqL3wbLu_9p)1pZT-{6|KXZu%ukzx
z$85#(NYA-mv+ptO+Y|J)h7$3deIsRT_EU1V_FmcfP2E{l<M$$fX$WTLVc*Z7h6&;s
z8o{6AA!n%s3Rg^JQUb0Q1qqCWLUj%#+GP-`glTvx$#QLlwvz4W#ED(Q=wuE3Lwa%6
zySgbdO5+iqvK8VxE%Ah(t*Jg*h|iHpzNvdW;z*7!8>{K~V{iG&9zv;LG9ylYXf453
z{5tRswpp3$HD}*95P^X9LazMq+Df;L3Qy}QIVd(F!OdT5T?#3(ME~>ipb@$^|7qNx
zl{xR56(h$o%|;NvWp&@D&BYbnIH$MEnmA_{dqfOWwvLO({RUQiI-?az$lp9!!0t9n
zj#vBaK30Oy&4DF$O|UP{TPGM9iZc_R7PNWYkZ*uhaP65=$>@3{u1?q+BaF}jPj?<{
za-h5Lef{X{fRf`^IB7Za2zVnQ?jlfx0*vBJ0)#&lb0EFBYaj5po{W}4%FXJI0oI-&
z1{bSkc1*C;$61u&=p8uBC+G*pvOtTA2%MFC_&`hK)onUp*FfgUHW=+J^=Tu@LLiZl
zkH%6M=j@0x1HrKi;q)5=xJ$^yk(HXg+;MoUnpMzTennZ?yS^0JpTTR5O|zfP3=lO<
z?Vx7Pff_Mp;1vFp*J|lHmMj@}jCTpw@JyU2huOEl3Hy{Z)(-9are$CTLobiN4(Qm=
zx^ww6Why`hlg(~y9xBGbH|J>)sRL|d-+UhN8mZ>l9<9-<jvlruro9l=qttXU+!|4L
z#whR2IFR_!v_K8pjr&i+GOGtA|GX0WCew2t1S@ZI<Q6%npOzC)8Y96gs2?AxJa~s9
z7Et=LL%ZEF2`&w9u@(QUPHK}HU{@I%UQ7(}q*b@m+8iaM8$SAt>^fRd*Ojn)ddJ#H
zEDOQTgtCu$%CSypOFlD*M-pGDx1n;xW-yOgED-OEn9l`&qi!X1j6lk+ZK_0+`A(Dz
z2Tl)F8voN*tp-!BUkP;)d8Q^UcdK$GDo-$gsp&d|7~{HOI_0&B==?REzH?G6<r*pU
zm<3jp?``H&n{N_<?G^3IWMcQ`l-&J}z2;fKiRcQ&9anA$yx(1ADafp2<@AQ{l$zx{
z-Vn$-V5b7+hcsHqc|DQE#nWj0dd8!D#x-VZ1(j|wZXAzfU$uh?dL94p^Hy%pJ~pqI
zetLaOfUS%J@%Xf5OIiQ@7&G6Fg=QPbV)~sd#dqX_Ti`+QJs|ydX<;G1NmJvOJC#&H
zMYXoW;~LW-b4|TN<Pt6+jP0#d`C63I3z;Ot2G9;)E~__|@}p%pavm5%ZW^}ZDBNsd
z*Hx|QvIVd&7hM5tZQ=wgSlVCfExiF?axIbR`Oa5(#7M!q_8!9V$buVuOOEv;`7XIm
zS?+l9m6O2xCb62xsVp?doIlz3-ZX{s6<yhYjYqY!{eVxBE?*~3$82mP5$m>jgfspF
zBj0&<OHR&bU?RWs#yhJfq#vuM#6S7c<#C13>@?m?2-l@aybK5!(;JglU8&YD?{@+b
zH`od_FL|Nn4W}z8DW#gNa-1r;EDDq+q)Jsl3%M*MudZBURhja?M7t+-k=8%+j7k*~
z<Z0joRaLF(xhlXsb0TM^OYFJqD_f_9)cuF(Aq)iO-1YWrN?y6#z@8E7{dqRWpxJJU
ztEC5&8h|Dl)Ih2oVWCXru^ei|P|mgGiF2X9x2(#@L4)51h8#LD$!Y%`ly#S9Ardj~
zB)oWCQ~~aFykp4Z4OBe(eU*$HLs8Ksnl@=Hj3aAQMIa%NU8LQm^NgiiR5Qs@1=BwW
z5^S8p?G83<bS7WlsQF@DygixadE=WIsdiUr`>`3XtY3QT4>x`?FsF)7?y#7s97&nn
z%%`d~`(YiO$m{T2scfT)lu&+@g6Zt77k}(-J&8E+1{n~Lmg8!!&zn?Dk}pt8nZYMB
zrhM%Cy}IPmEr}+46b_c{W`OGec9B<dg8%5zWe*B-hmeEBJXV#UK23Gw)hQ18hx`EB
z+_8Y63Ybcwx_I)p=IdN|WYm}plW6L6DY2Xjp6tA_(@2O>gIS41&gA|OG|msiG*^qz
z+?2gPSsd|_HfE6W2V8<VkKI0an4<#Yl!`L65MkQM$){%FYJa7s_D7$yR-}2+T_faK
zNU7zYq=KKpmK6@#9bd#(Q(%Nk+%(ZW8;Yhh+8YC>uw3jzn^Zd?&%wSho{@tXdUCgp
zbeH?iR}_`L7ru%=N|?}?NUWZIJD}Xm5uY;IEi0dj8pOMl*dbap@o6lrIz4!I0~h5A
zv=$J%k^WZX&T-ZBFob2m?8P#0{G4#pz{PesG}Oyr4VD0Oy+jT~*QSI>&u*+$S64KE
zmn*!uz6pzHesLK=5;kG&^@Iwrp3(&&f-?#qCV}Q`Llc4bccvmL?{5I4AN&u}Cx>A5
zY@m4v){hw1lZ~j1F@M{Ug-Egh&4Tb~o@wmGed<dOwDBoG`Jb079|f*3KN5;OKBmk*
zjsD`K(TKu4q#7Zo{F5>B!+66qYqZT@r^~L1&e$v&$j_v;SBU?)=;9n8`{k4#rT0%U
zmmU4tD;n3OYm;1zc*TI&Es62OYDjT+r9p?~Bj5V<gEuvJPQ*|TNS-@6hSoXzsZ=%o
z+wLB?7vs>rei@f!n>O8;fkfLeEAdVQAY?tk)_)OidE8Dk1HwzpSvyeICS6SKDlAHP
zD89$ziMd^9W3e%F`L#WWwPiFj-TAvRDi<Aub<vx1SQX6bsNPS(KU1!K)9_MSu2EaF
z8GH5xkz|JfCj}VhH2jKM)exJD_q8XFl_Tue5pfr$yhqmSXXEDL*yU`e1Dr@d@^l~t
z6y5kz0)ExZ?xwDe{giOsF|odl)*asBpP6q6uP^J?Z)S)0)65SGJm0duVJ*cV^yE5l
zdaD~FHurrD_j|?5MEx;RzZ(*|SCCU7r3KRKFFxbtZEFBncaR7$^SF)!!WYuKFB4n;
z(+=p|ozVE!OMeC6Uqg2s)cjF*8P*1{l>z{^Qs<W5TKxk__g2xHr$9jLyy|_iadXTM
zx8wnn=4Zp~HtP4nzyDG9_J6c_Z3ijblX9~nIOTjcxC1{3wK74@z~qN<Q*Y!SqR5T$
zc$pCHiHu(xDa8^=c3;jh-&T^&A7gH+%aq?(uH_*}=pvPSHg3}6GC;X>?LqMS4P{2r
zb$**LnvnvH#ou0m|5?iElNs>m&cOG_7rmjZr5UbFx=ZMZJp;DGU1sZ7Mx5i~`(>BN
zq7utrJRUEnb0enkpk7_Tj}hi;KRYWp=4&zk_=|8@N*3QSVsmP*ic<XNA{p+7#Z%&s
z_9w5)ryU^c#5#2~Z0z*qpR-ve^bO@D>vQ|Rk<VrfFox$;j|P&uXXHB#(9Qt2_=*8`
zrZ*yY7yu*ubUR&T>{~0MXX}dfjQr<JozPh=Iojzxyhy0=Vs(58--6M`XATYVm($c>
zTq+j}QJ->wZ27Qrp(qSPQg<k8%fm8dFBQc;C|<e%-rDun`ZW1+%98idA^JWd*Mxn$
zAhFFL!bXBWF(TV9ORRdr><6Z0)X=j5Pi$C4L<IDMn;d8l!)gS@aec~t&`T$JE1`Fk
z5q5?Q_Q%YNe!lw~k9O6>DDF6MU@l)GBVRQ9o(#g!YhpT~3;(cyQ3`Ti7|vG*BjLzc
zbq7SzFpd|eXoGB_L*Y!ke@;g{n`9cjN?C&VCpR1yuEjx+#^V-bPwvNep~}DC?Yb|$
zHgz@TiX*Oiwv0=!j0F_2x8d=%VbnZF%#vhZeQQ8p!51N0Bn>n))nkZf5mna7j>$SE
za6vp-d|zN8Y71R7cA_~>=bQNT+>i`PcRmrhgWKUgTGF{JnNA}XweEH^5*pV9^Lm2j
z?jg#HS=>N4luY+G@wV?u1!|{?e6@xvVgjuYM>HsO9$V%@#{eiN)Uzv&5#{+f^u=6w
z_7yznUO#-T#`(T7A8BH)pq<O`Lg_VU@AoR<h@~ptnADNHTw_wx90Y?8(#OIL2EE+8
zh_x%GD7zuZY0~3#oG_M<3EU{sqhfUzDY;XsXv^SKCCmDlnR7(u{2yB4i}Q@eMgh<!
zi^bQO-xj(fEvyJXzJ@oQreqa(Y`P(`4)`0(+>ND4ve?D3C%|RU9(n&tXn8d?_0?vp
zFKtUT86O*dCpwTzZ!u~IeX*X+O0^zH1AVH`u~_?P)-xU-(MI+35wA;K1vW-%fzCG!
zry8>FiS}P1?Qid|Vxu?lJ(h7xNeg3GOE9{>lAwT`c2P+)+P~*$y0p~;rXLFMkdhMC
zVF77%Wf-f-fd7<t;*1Oc*9ax}<lQv=7-#*4a*C4yK!1w_(BB^5;H+c^l{mub#grx8
z`~r@#Ubu4wcb&)QajWbvV7y;@Q-b{`Okgd>3btrJz}x?$tKt<L;uWqK*%|lXwC_!p
z|9uJ0<?Ejl*XHAjfzWC~k+qtNAT>5p;2T+4t^gn1#Nk8K1$2+)n#hQ2A876nzty~E
z`jNQ{HL>Fufpa2g(Y#2uf3Tt;hOp2}iQThpOS}g<Erp+lpa8|>SMt<;LBe<KP*z@f
z#^HL-xn1Eo)Z%8>Gr505spkWVTZwyOZJyRvc}VhxM$!~^9Q!`qw;FTr`{60ry#1#n
zaA0tHdv_hzJc*<&ECTnDZ5cg--`n~kFgsmK>We~}xIN`Ak%hJ5w$@Pf^fSbhM7Bnl
zdf(d6+s7eqpd&uz*(!UBFkL&jZgN-q7Y9&{67y{ttrDlVxv2tn@#*b!)_y}*x&Za?
zSpXVW$bF$4M}tCoN7z}Qj5nU1IFFT)q2toP?dLnA`~-bbw?H1SbZJKI!U2~oWmkoF
za8xjq5~T30uXjH!++hJUYAOgs>juukhP7MEbA#ViWEsTe)0N!U?Dk{~_?LG05xt1u
zO(bI_9U+QDtz<hq{~N5V$>R9<UaPnmU`bB3Axgo#L81`qi~X2{7vAFa{R1Lsf5#Y=
zfzvq*>vheA0~0Ace$ZE_2a1@;XC}p86yHzBNEl|;`dW*QK=4~4NJ6-vIOHaf{66(9
zSN#aAGyk5nO`=&#eH;Niz5IxaYLKc?t_5nRIqdA%q!{$oGTUUAYDctfRoG9B-;}zJ
zkR0g#v9DT|?!q^@Y#(*tTUi1<fksf!`vESuFVPPcr5;95<MsI?s`k1`+WS{qp?D}u
zBMdc!CANoFg6s^Frnp>84+#om%p9Fjp696Biu7+skP9L{*7cwQcJf=qzfviI<l}Tk
ze}nPwkGVuJ7?n#1H=zzMA{eSK?eHe#<xT=E<Siha$Gz;G&kkW^!Z#uYpqERpP;eMG
zVo@1Tr7ZEu{qk2Fx<wuY+hkiaGdQz`3Yy|KXrR1G_*F>4F@0`|L`}Zpfub>2ezRIt
z+#B)fX<F6G^==Q<ijMT7BOff!<;2qe_a(*Olv2M_?#{)GEYApagm<c3xK4KvXa3bU
zI!fki$$}!VG@;X9wAnC_zdBnDR1gu5G0}T1M5?4DB*2wM4Q3<qJT$_I@tTYZrH6c7
zgHgvcwRwtvP|G_TLNn=VSXN5=V$;?jk`{sRXlVpw>MPts=K=?RE4_d{4MG&$xhMd=
zRs}&F^(Gp8Pvrxroa{h>*Pn>l@W5DU3fm6tC)pFj<w)B~+6Heb&Qu;|13G|#7z&!2
z6EVOV5?hh!nEL-ZfHp)x2f)C707Nhq$O2jQN7WJmFeI!19QOEFLwcR1f;1`Miu(8&
z@>s&{5@VSS_&EPWgEPJun1;98py7wB8wm;zi|~m@%tYR2+0))bp3z5t*XVf3Mt{eZ
z@0?@ahnTY!@mmaqE%xjO&ycu`hIa*5>^pqHzg_H8gE}<#_m#&%f*Ybp0@u$m9yp{i
z;?Z6iHHH5ig}JBrK}&{cdSty7jKmxa<5uAMvDTMUo_CTwlO+R@ML7}>ZW#}eySJbJ
zsR5oxV1Ps!%>)Y8d9Pdom&`boPKfjtjF&8t`j;iXC#(#?L#UZ;BONKvq<mi1{;y`*
z#0&>HH_grU;^fPz36k%mo;;;{Ghbv8iEL4AC5EDR7L2WMbTtr{!I_bW3_7S)Lo|Wo
zSsVau&A&QC&U-X?G0cBO|3sJap!E0-W}41cLO1OF3mVuFc=!wz#cu>5XxS5$DsVjY
zHv&cR?QnE)6((R(e`8v>_jR*uSO05$>Z@D(U^nNIzi|#8QvhYIq%bl24tk_$?G_^u
z{pptfvb$S8=9*#b$5|48c%V#D7tAVzEU?!brb^9Et{^Lv-N|yMiZFlVj*Z6XF5rq_
zix{XT(TWd#2o=;X^|I;jM&U>6``!(Ru1tuqhb#Y8pKDUTHo(`=-|LpGZZCctAN;sG
z6NB=Q@PhBYfdN^u7$5j_rQRn;P65@pZ#ruM>CvR_QY`j5Bi#u6)NJ8$Z7*MtEF9~}
zZ^gwymYtMEzr!bel*=DnUaAz3Nox=-4q4`mO(otSfIEWDQ~D|VH?(j-5+=GZmjj54
z-mkd>?%~1RCA2k~wqzzq&DB8Niqy-M8!}E~tC5DYDt)nK#r9ZW8YZM>L=CsV{}$cx
zK!!LO5}h((2*mDcE%yn!Z31`0cD4OIrfzq(UP2Uq3H?CfM=oGPv45jW20_}Z6@+?r
zul-r$?ftv-@h2wTYp8$0#RKAqqCq3P@!Id!#eRXFP#y-=`A)7d=9BIhke;aQYSx!F
z$L@<;<eNX?(^0Sd%o-6wkeDL*IQg3SWdW_*YP%INhjl8k0tL2hka#01E!F-k{BT@j
z{@7ePAf>+tlc|bs8NFspAjP(2HdE8w+XWw}Wh)-nP&zJAZy~-SEw#+%#l`(_56k4E
zzAMy}?A{Sq7yt}Xv#i<Ryk@LQsCP}LE-6NWiH`A+45v0kV=wI|vR}o9DSCx<-nz{v
z?Z@{r&Gztf%h!T+irz4$?&hTj7tLjk(6)2Bcg#x=tG$bX10;5dw>k?p=9YK_g_Ft3
zqAKI)S*iHUhGs`<*`m}q7oJ_jPl^~`JP(02ngBKeuKhE<s<DI#4<uL$ja;)j;gf}c
ztQqTQC2(ly*Z>o;?a~^X`G8rD!2Ix$;I96~Mp1Pf7h@@&IZS9IHAOY*@7l?X!PljC
zhj{1D00Rruzr2M#)NfIe3@d+D=hD-Jyvvc`>WESbb%b#0C}U5BmY3cn>rS*^U$uKu
zLz@D(Vew}Mz`gmMP|WNfZVpAsO5>ia<<y1j1Z&e|(cp*}s?KPQ?Pimm5->)T)>kTQ
zV}QJC;Sztg|L`sp9xNOl@WqFXh7`+?QEAwNi5jwuSkH=$3UzxJ*1tIXVDsZZzREWn
zcx6SFd#7EA%={_-x{~`-9l63ezMMs)(^rHFv>q={qIuO->#w6oCGb>?Dw!w>v=&%G
zWm{9G1R#7QLWMP9;(ysmYGNf#0DdA;Ih@};%%SQ^P32f=1EdOD01z)_SISLSXrYxw
zdLi;{1v7eb*XoIXex0u`gQ;NhOMYPJ#?9uKF8>b|mzweqI1Z($;_i~!S*2r`^RaR^
zmJHM(=1;8}vLLxCj^MPGz!8i!ihf}#7BJgd9leg0G#YOZG($D*jq#>n^|wSjK*K4q
zIVfRNbajKpeyfKQ9cSqb2LH-Rva2mS!-}kXt$xQLcl%xKS2TQ9i^>m~4>ci6Rf55Q
z&M6<MuKR*lk+MK5JNxj)ZK{6UA6@itFG`OYM!qPyaE;suMoByh<S<G$);tkNv~|GF
zHh(zsfrlZP6`)lFWQ;*>_JW%wT~}^DE~VXVFdU9>4-3C>+p`<zNw~SbYi#Fx96+`9
zj=`2i7&q>4i&?T?-!)(zKetP*j|_D~81Mvh+r{>%=>(Y0eYN)ro(cBYsR(}zx<J9Z
z5kHCeTQa}@ZUyYh2n7TLNK_GGp)ITm;LmaLgc^2ktLt<UG4dT_GU;UbEmOtbO~%+2
z^z=6INBDVGQ%IWoCSJZuy7IARqi*Nu&#URps|g~~>dlAFN8ObPxfGt|DNKS+S<Z3d
z#EYrzepGity-FrvW)Xx<$fVOJk!;E`xRIfobJ<!nUg-?nu$o0w%(cg?=i_RDtl|pH
zX#4jtf*cvB;Fvo;eihl>oP<3~Kuy>AXe_I+)ursc*swP5dq6dbLD3YjoI>H5JwoB5
zlJyaY(>hzWzc!i;d~3x#Fc0zgtvH+TC{?@WlH0woqkxi>G|S}y(Fvt)j7tbI<g)Rs
zl8gkO9ELKNCh+FeP};x;%o91iNW~;T2M1+lHRldP61pz_bCbe(ZlwJ@;FU#y)qt=-
zCT)?c#ulmzxFVW@fr9wsmnXwn4fR9<yUz9-8nW*B#WciCae~mmS8zv{1p`4I%dL4R
zR~{Mu2>w<%<i&0XV-y!Ib$Q{k*hMwgGa}c88s_~cKM>jJPy!m%Ra{*ijZpgNmzWgY
zOo6bQq-Noweu47)KO5FW7-!^L)`V~m?Hh!5NWSD>_v&AoJvwYmnzaR9Um4E)B1u3N
zZ*dqG7rNmH9-hcCJYD`UDg-byNkFb7a7cN`Wfk$neG0SX8_`(~^$H<`_2bm@mKW-a
z7^;fQ8qF;CR?TWoSksL6n%z;YduQ;|@18GuD&*3)cuXOO*z@M(`NM}M48*%7T_$A;
z$knfoB(##bC5lavQ;H`k+waBksq_z7$uz9PTxGArqSBqu;}qh0cP4e0V6Tz2o{5hP
z5ULdo6^N+xwpu&WvSP;jU=$Iz3c4+Qce#`Df)xGfWPbFOGCk~!BHnhsnhPz0;IvDL
zg;oBvIb2E*ij@__BX+;lyeXFwP+4lWN~DglmF0G*v<k20(QJlv6sd`CIjAkRL{(e<
zHi+Q6WqhDjCYpxmWBm;O(q`C5?t%+@Gz}YM>V2br*j$Wn&+PzE+B@jG`cH$IA1yj}
z+NY9ZcDSdxjU=zrupte9L{b6%DZ*aVRJEjCK-%nU4O#E{f6&_zJ3tzc{?P)X;wK1|
zy_{N!!XYi7>O|34iwI`hS=vV%1DqDiv3v6J^2nb=0S9u0{K*k0tMRfmZnrsdWPBm*
z+n5FL{fB&r0abC3L;#^F`Qj>+e%eUA%^0%{bJD-@vyf^CI0<p?QsE(#1|-ynlOo=9
z2Hmat`1vQampXr;IHUI<f3%^S-8Lqk6BtOsgR3#!F<3x?&kewu>XDN=LW1K2y#WL%
z6azsuCQ%OVcUp20gr|+pi7*1??oc3KoZ0S>B&5bBf`-zs{hN5MCV3d{A9`)G``v9h
zvJr}?G5p`7abYzS>vxMRps)Z7x^{l-I76&$pTg&?D>i(k@e%6_`B=dBrFiche}(vM
zZ{5D1d&(X@Qy=IDGwRzm7MRZ|+K$#{<8P3~;kHX84fw;ANy<_v&TDrp5oF+N=5W%+
zXPh)~D_DA&2WImLSi7vT@?LaCm?J93;%`a8O;9unxh?B!ZDb+d-_ffX_A=RmV%Ld3
zx*_^C*|6gci=Z*JEMW+B*hJwO8^m}v6j!iN9F8cEv-+1@_c~LV47w1>gG{i>i?JFx
zuOR~Rx#Rs!5I*ww(?h2uo}Apv$f5?hrCOFca!bjLdgOGLdB({ayK-df01M~AG}V;6
z_+rZhqv9^ZZdphZW2z|ECz)dEk?M-y%82Ij(?@}no!thjQzVLHfjX@`ygbs<o3J#3
z7H**2V6)bl3u0jfV-?>Ex)2JgQxVFLrmJET22~p)g)VVY72rGt(0e<?+hkM5h%Ze{
zKuArY+m9dkxi%-V@<x=UZ32WUpcdwYzSD*2L4KVDSaRHs%Rpn>UyBMG@?Lb@PABlq
zXmM2~eNXBUWL$vJ=G7|tgEsAS5hN~ip9v5NB4S3%j`(H|te&O^rXD;~&{<;eP>1Lu
znlDjD=^zuwAhLeIO(ngB)(K8HmdLLYKMCoac;M*R-b`4b?O{vZ+N}i%`W<=>R=r=x
z8~H3qInJK1wwe&eNAt!AN3P5tkz9Hkr(Q>Pw1Fu-iEiKU1r!!ZPPi$&L^4rhH&_ro
ziR+eJK!bmHeLDVj7<1zQKb5X^%H^xi<-5r>e&KO~b6-1OSMx`XT#9{Yihcg;$&II|
zYy~y)ro_;&eH57Q?vWYzY0tUmuGwztf8Bjqhq0x08NPW;b9XMV%is5*oLYzzMd(BE
zH8~{4Dy{97erWETuG2{MfSM7uxH?-~6;0Y9757RMejNE`L)JU!d)DN`=lL$;zVzJM
zrV10eFO$IG<likjB8+d?K|c-aigmwjGAl3q^nRV`@p3O8i8mWD*aY_V={CJ51Wa@G
zyt}PU>0a|!loG3_Twn7W+op$6FNeNcYAb~7M-itSM>VGR`W&CydUp`R3ymq!vhv&7
z7WcG_#~ppGj)zp+7EVxGF%XLJGlI>Eg*m33mnEnT>^aq@ypa03>(#9Eg6h^DSQQ*E
zIzYFtTLMU5t1T?6I;UdQ9sW<ARaBMU=nm8|vGusDI<r2QPN~*h#iUFFq)M9y=z*q^
zb22j;oXsY@)+}}nNJ^hS`9d-G<jPOwWY-zZ@U``=BL8(hYD*|w<nnoXTJ~gT!7M|Y
zV|y2p80=lqFxZgH#`e3}BRo(@yN8s9A1|O1FUbiq@GyNMi$8mKb}#D6fg2z{+-HmU
z5=atcf}IDrp$&dbpoA^#q4T+w6UVZ)OK19g5!UFBgP7*sm?dNhc6ZLIntzA{%kTI<
zekAP1>}`VaLo8wg!To0RCUU2d=?4|(8xA^+#{83JtjeW^wT%LBTp(b9)4H-<4p>9E
zF~oK#=fY48E8Fji@MG;|{OSU`ro-uDf$wb>iG#Y3A9dc=LwP<&#^mM|Z1uOlZ=5F(
z=@r8Yo$NWE9%afr5E?2!qP3fN5?V$sFgp6V(78j|1my=FWD3gQ<r$oK>kotLQGxxI
zd}EYB*Za4oF^V218he!%B~t-xAS8SB>_->mXp`kZ6S4?e<18L)^77B{u8}xJsj{<)
z&Z&;7aojEZR-&p5nTgq$IKxO0adk6j!e>KeJo&sqOr)H6!;8d^-wb{docQ#<Vg!UC
zga(kx3EpKGzGYAe2`2d=M4F0o`HfE#FIB)4ne$|9&M;L_Zx(DNlJS-zG%WOus8Ylx
z*-iSsZBr{>zx`G_z>!%m3mwp)QDlvnQa}8%&@KKP*w=$;15tQi41|dy@H#*;*>=MY
z5~yymZ{d7TvZ&SQd3v?qMraSo+8V?HD00gp!^U4PV<`5vI9f^M_BTy!O8AQ~);S@E
zh9dE{f941h(Cj)C!*l_fb9=K>T=Btad_5i8t{WysDJawGh|$91QoT2AJ(q_rKWM)O
z{87GPpagi#(CM}_(m&R3jUax$f#iP5)j>-BY}R#c9>GgJ^H375A?R*~<*|^iEHzFV
zZSKXfZa1HG9}(&am38vA9~jOjxMN_GMZM`1e!h^OhEze06tk2XQFqT-e)>%>Vy_tV
zv{<dN5FocFYmZ_XB5HX)LH&T;RA!R(=i1tTPoMF3yrXnbbg+vq($y%@9$(RfccWk2
z&!NYTV-2F;gOtOsC2l&_3?LVq#|>c7zTrv<p$(dQOE>-Rk8@Ld;<uiBrS#c@yh4yf
zQuuL?Z$+h?Qiw7t3XtO;(%3jDXIJb0B#_rAC80K!mRq5aopO=1B&#u6$PD#jfo(iU
zzbjujQLIQztrUBg%gi(l!63CxvZ83kN{%uvPbr%hnY-lU>d4?*&03_D(ShgoxO)95
z9_Al8wBNhGR;zYEYlPqukJwOlbSkv9$#t{?#s%?`*VAzQT)?{Iz|jUn_tT`o(oDL<
z!kMPkcMV=gZlUpF4auC);P>vgH%YWE)-V_GO!-~qObE#XUqJfL_BE457~5ck{sC0V
z5+eI^gjCsFl<i(MBR(LEN+~h3G4McLE@JCmbp~3ipyj>>b{!4_{{@_C3^6$9CR2-f
z!ts_gCiD#P6s7k<#<Xo_c^4c;Fzar<1373ttC_h~CAQ;K<2{nTeSG#LkBaib2%*rW
zwL^zv;vxEP>Uk-HO)97UGH|h6X5?f-qr(UmD`4X}Qt3k-7SW<b-K*t@gF#gWDTpN3
z{WwRW+-yHE$;$RC%}O3p*kIf;irS&NvW7L3HEy2dM{57B(?8qaQd$mFx0*P%mi*hw
zOwwGdYqqtr<XbBCp7C-8#=mTf-GA8@c7SY)H#OPa|DSE~K<k7?AJkLQ0RW||pcC7x
z#Z*Y0G=VEO1OZ&ym`*2ahBaVI^J32OV4bN=ntxL+ca8OGdKe(wLiZnmrZwLIS_Iv$
zn%y{1JP;+phwjcVaiut;pahQ$l_omDyf4ftJC+tjXGsZ#DNhhJk4Wqc+`z|{@C)2<
zHxG{NAhw4RMr*L$oK|nD*qAS?(F5DWB^#-VDda4!=K-FG^h``4<m$u15$xhrb;Zbc
zJf|%-%r93zLe5D1%xOkb<0Z|bBved|GczP51Ks-e=%7|4g8;%zPQNNw2^;?s(z~g^
zH2IT~LP?Xhfb+wOn6w7$<Ia^_O9xK97#>;3mIX(kQB5V(hF(D=HWs@m#gYlX_Hgz8
z@$?OWfdojqv2EM7ZF9njZQHhOYhv5B&53RMWp@94r#^Hat4km1Xgp6VyU5u=%p-99
zuN+d14pMzt0~-&p_Z=O(oFl}vvMqAQW*l`5T1wbe0TVuZmSOZa>`Uec9#Ok4$XZCI
zyY*|ZaN5KP#Qf=+g{6R!_%GXbn%h$+Rk@+iQySX`VU+U5X}-=dp==e|dOoe8LeV4w
zhVM*`Jch%40R=BRjZ^B|m3aiIj3Szy=rC#@JbkTuww%dksRG+!w~>WpdK<5dIa+3G
z`Ugl!11$t?I5x?MrH-;>u+<1_mbp=$1_x=>(L8Qa)A9()&d)K>CbmhT*cgb?VFOK^
zl${%s^Min3(<tuMFJ#!#+O-JSA^z}%!cLn>2CH(Esb<Uxdqna)Y`Lp`29rz)*jlug
zp7Tt9v5G^PVMwv3u8boh;Z_C}I~NcA$O$sFi@r{pH<mf&`>Qz^3*{YTqwHYrjwu(Y
zPyOfM03dw$f(?bq4NM0WI~>)&@U@2fH!Lbs3-cZs1T}8>dmf}#b*8qIJR1g{B8xra
zsdBFZJt}mThVHFx5cjONNATd6uG2xRe<yRG>|7Q_O46HLKhFFuOhwuAid*IgI^lMT
zczqcr9J|`7BX2Z`T+?;gNp#HCBAnyW|5DXEm>3?SJ~DlHAe;)_>pthcn?B?=iK(8n
zlmb5XWZ_j*o69d4{tPl;by`@1SBbL(F4^2A2`msT!dWVzEdQjkV2bLRvVlKRS(dO2
zF#Z3NH_Z`DYIMS2iHIJU3Bm;}{oD$J_!(q~{|z$W1~o?lG~vLvj5#IBzBj~PzvPSP
zKiV2_pQ12FmQyeF{^OUovAe{ZC=+P8Xb0nDkA1}W`wDS7+(5wt@k|%Y<nP$4xt;vc
zBe=Pc8XQPCRyJFtIQH;DJ_8u7m`EfI5yViFad+jgF%8Mi7D?yNfx)8t3=p^NSiJEb
zeKp7d*4E?GKUi+9-f>#G1IJX^sw45k<5|1m3z3<240`1J*>?)n7r&o~pda@}Zi+WL
zFv)NAu)tYb^t`x#<G%EyGE9BkdMB1>FTiIY-*vGkhp?XFl^$_)=D>Z}H*{=SD<x(C
zc}uipW!f0B`V_h{Hzn5eej53OngI9P7>!Ux3z>QzJW<fct_j+T9k`nkvB``r6iLY)
zGW?0@G5|s7lnrU5Q|9;u0oU1`0mmm@e6S0VL6iMrNMqapO^?l!Ee+H%rROA6rPhY5
zJ*bRe7KI1)7qImE(hUSP_IrUA58trUo+Rp31;^_}@lSX>RD&`I7nH3q49Czrva-@S
z1EFnmEMok<WMqNybp@=7kUoJz;Mq6&cBZfU{Wsr-=z~IEzQ(zX+o53tzImLnfiZ<y
z&i)1_xcU|ju!cS&4wSK%#7zl8BLa?iSAk*MS(=AMJS<c$sI$ylCQ+wMb$ffK!`8^}
zq2H2ubyjN_s#XklY6aeRUOZ<xI&gnHrP{5MjIy2=>lJzP;Ch^Hl1?_03WnX-P+SdD
zvH5RGwEBeY8^2jHg@BqDkGw+uMC|@_k{oLVjr^aNE$_sg9--QCT|xtbEe#(qo^0x#
zBRsWe%aq{3gMi0vN2DXUk1&h<G)&_icB@m#vXG)qSVjXUUwuUfeLMYh*l*7$p_Alb
z_`y{BjonEY#O8RUUTGy}dADibM$#4>(^1iK&w8catt}fD7d@MnS1#}_nW0-gvoIgq
zPfyjpv)=Bl(7f<NXsrzn_qh|nXw9x2mw|x;T}KlHCv2|I+&&G^6J`xvTl_HGTVH~%
zuDKIa*^r$e>X@vO*#lk8JzdZBZC%~~3H{k}3;Y+4nc&%hTLWDKTU|c38?=A&EPOg#
zYZuNh*gpg9O4~YG;ANlkOE$LhdOU0I9gg!1RW7G$c+xmL@e?nF>6VIWgM6O<8rM3m
z+BAE5W*^yfptI<PWCxn?pFDkD_4Q5Ll>S!lf6a`9zj(Pw>bg_z9D#|Hs3HoGLwMNO
zwP9Z6U$wac^I5&P>SMqI^PG+PYiDZv+)D$Lgl(%sRra9Y(z5UB3ZJ?4*_GF}Vg5dq
z>RCGl(Vv<<-~%Cr_#hLG&d#7aqn9FUG;%<Qnx_3j6KnXa?|HAse1aP|x^n4(^-Ow_
zV}5Xjf8X-%>1m*+_U@ywil6s#VS>^7lxGd!;O?9F@?ke~>9^@<+c>vo|9qOzxzF3!
z+1Nh6#CP%pOqB>&tym~Hx^{ATg7XCbG-2oPYsbBK%%Fc3bk?8Ld4h9=dvehY5mNGE
z>qrm1{PHQ?x@2$Jc%Mzo>zOUh&TDg=eSUryEQMy4o}}c*fL~)2rKiF;nYOuc;D+%e
zutHz#X@O<sfzW5exq1h`?7hCi58`Q7;-le@`J9Vx$WK=phvce_(H4Bo9G?5`K@>hN
zY^xmmIAaRv(U1-&9kiag9igq?$f14&7tTR1Q&M_h72McW??XybSyqNh`JOHeF#;6f
zy31Z7k~lCc7Q$u)7UWnhzzavn$G;0vr{N)4PM=wXIbs`K$1s1Ntb`X~j!M?JBw?Kl
zyz>$p1ZQ>?KTu`S!ptwgIuI^fA@JmD0Q0yi-z6Kr^F5PZ=oSEq;~u*U=aKV|WF^|k
z;M1i3VTBhEpI#7}(y~v_`X<XU$mt3~)kbz5usJO|vwjp#Py6h4JWT}FKSK1d*d*xh
zZCRsm;&VELS|a{Y=rP3|98hPccG@6@spw)-E8DrpQ*AS@oYiN=H|Kqo@RaWtUw5?m
zD|HvY8HZXiP5Y0c$fxu}QN)*&SG$k5;7j;FM#6|V(+?xzRboO!0Nsc}!@7K2;h)SU
z@`pyonDk^BGGC7&byA0N5O6ehOMOy0qu-m2j$U};_;NwNwa$L@Gh=oq{D+q9Me0J;
z)2@_KU_-1?1m6Lv4mW$nUdVCC&Wn65=wNfA86g=UQT1cdX)nJ-fhp1zW|P|e7l@PE
zoTtbVrvn6_-->_-#7N9(l^;{+xS=Dn%ynR3P~vS~HfgU(o?(H4de`1bi+`$2Y>7Vk
zOn$$2#C;cjp4J`Pi8<bc+S<U7IbcrruA?;L(`fTxYaz>l$WYlOu~jy6hbji}BAiW>
zh1w_Et+!3LtB(a@?VrRZUOqVjQ2_Re9Odb+irfB<*cb;p6$W$kue%k<q_VBXe>Pwr
z8Mln0!W6EMX#Se>qjhA00vr#v`PQw#2>YH6ldVIJ<CWvSSmLM0kvdFp@+FByJEr1R
z9iO-x>s)YO%(CPk8Fe!JHgmxUL@)H~L+MH)i)nT=(L2e(^0$ES4~3hR$p(tZr<bAZ
z+<U>lNFKLzeuK5$1hy=+g2%Fvuku_lx<k%ihuvCPE7A+nz9s+w^AaK{Q?)7ZVQ7#*
zDW*B_T?`?EKBh5JQPC?zIw&GA_<0bWf`9Q2!Hsg2%$YSMx!OClteJ82n{-ao`b#y`
zSyB}^;^^A2#8HeoB3}ciQ~cPHdCmlWonJWp<>$U3|BijJ#Qtj7vblD<_;-$ADUhL+
zL0odaZu?ZD?hh#9cCb#apAzW+J4>6E`jPR6Dc_M74PiQl?@2gLwO`6HC1;_SG-s%3
zp%Fez(L4?#xI1}8SZXRsy#Y4;sMb7GC=lJg7G8Y)$Be#m+Tu!H!87?PtoR~kCak%W
zqY6=nPNf)%``|AUH>4Q77*v4MwHqskOgVjMGa`?*MoWPuciI{tb@R}||Egi!r+5va
zJS!ok9)XM>3df)W!%~iwPmBebf+?363<)VA|JqtqkJMAO-YLs!(bua``m#%e&4q*n
zv<3~*$y{N;29cok8yI32WPzosiRoy>qds(T=SI2rt<3xOmW+$yCl&#L*Vi08Oi~uZ
zMbK!UGS2buP)3)KjvbdroTF>YgzIZM7<yx7N@-6zvo5kE>WA<l+KWL%tC@;3PFbfI
z)j#nBK;LWN>|qp`X6_7+sci>s3B;N=LmC2y1D>qYBuz)7DjdO-BfJ84S0A7WO=`t{
z2EDI_V-WO_5XMA)S5Rg<YHbd!Kl4K(g_Wv1&*<Ruq_+PhzQ;qjwDp++=Lt^o7sIhf
z5FIQgjdA#jP?K+BY2q{Z!8>hwNVzqatSV|u8rx+WjvgknR4X1*JAr+q4vfj)4#|(R
zlo*O0$X}%<{g0uE$WU&qw5UK9IMP=wRBV{gH%s<Twyk!XUurydQaY7}vK14w@H$-;
zs)8IcF-tGYGVL<uhBv(A)aFvsy$yhYtQY?nU!WS09Qz>1DtCv56?~Q4#fbyGgP*Y3
zwCmMbnjSRM2q=<ai>-*KT=OShg_<$tRX8M^hTYpOWSSL;*GY9n)k3$YL2(9H>|?4l
zyb+kP>*p&tM))U(B+BZ9!(F`pn$P^7MI2@Z^@KUg$fW5b-J*}OZy8x?SAI&|a~!4C
zEmYrNR#akNlo!tijchH;gT$H54?tmra!k?i2uL}xOgwA+`(*;whET8OO=oZq`I`k|
zXWTs+`sz86Y)VPF(vd2gsn!?b7Nqh{K$XbX0c)q9B(i!8LC6vLgW@?&F-}p=5vPEj
zyrqhP0+bV{yi#QzN3OWOgbt%h(NPnY^*$$u6Pv1W>6K26ys1Z!F^TOc;_+zdw(VmU
z?9Xt~i>D%J5;8_c(Dl@ei%ePoVG%t5E#+H^x;xe$l5JPHd04El@FagYeste4N~=2c
zkyo|vlx%~{cR(~Hxh*QKqN@=!n?ZHi(yYh?6s`0f4JG}@{Ak9HMPz=#L9EPS#jEGT
zKZg)s+x-o2MZo2_o|bQt4_@-fE*jq%*xmXwt*jqVWB2+8)VP2C0X2MUj;{X)YJBki
z12uYDAPjm4bZ0DtRl0M2WaF4WMgU<ot_t^$DWfa*fdnvQW0*t0J#fHxjQpNC+y0E#
zt8aG?|A=YMyQjA=6cSO$YJawZFz}5dB7wGRLe653@FjWnuo{^$vHAb%!5~F%lNm1O
z#_T?-8^-Ul;;bc07Yd$~j!r@23shkvOQf(lPUG;Lg&OjpZ9LRPmE>-j5n71U5fwNI
z(fty8-ib=8_^TIB{UW1YR<i19exK1^BKe$PWlW#>5t2|6%eqgW{o8&8D?3_L(GJs5
zD=VSG;hYKk3pr$x)1Z%cGP|th6}m^=Ou`O(*<zBu)t+}ahmYHPWK=qrh}!^pr0-{`
z$4bY}CyA!K4YUo=#Q{oD=r8-Hkq17&bvzOt<yMw2k11)^)Lnu0<sD02S0_xb9A*0q
zL_f6BlJO}{CP%!z*Gb(3Z(BsxR7~ofeq*uyPO{(e_QA%l!>Wu9)B&kSUr3E)t&bUp
zokHKF>vRtnNF|-X)zVms^+A&lrph-ou&-zDfX-(}6eRXWrUSb1ybhz$z4dj^VLv$4
z*{>ogq;RRIfOPPnMby|@&1OX?q6|}GdgNHcfBbjX6)%ILX#CYAfHU*Jio2C+XQu(<
zk>#N4kGPt&vM8jYjiEX&KZV;id|<s;^~^xB1Z*a;*pg8W%o3%{STT=WDNc{Os*_M~
zg2)|A)q&|lb6%+`zw;?-^8d@L+X73yU2<hK0DePsz9lYTy`IUtnweTTPw#^aT>2lD
zoFjA)&cnWAz9KC2beIVxs0wBYsTjMnuuDzT77sqiW?cT0S36t@%T+RAs4Z7%`l~6l
zAI}QBW6J+Ao_JeCZr?jS`+F#SdEkw@s<i~iVLo*9;G)u`xCk_%$>|&6RN(__YA6MT
z*0PsQ%i^5*9)vr!f}zc6TO78kLef{@a$9GoR;ZWNSRTeQ#F|cOq%xNT1qsd?>p#y+
z7Q1^pK)D8wAH<Lwd>;Ul%~>r%{o9R_<gJ!tb9N<4iMn~_KLYDMi-mI4e*){ud(tAI
z*eWlU=-@v>OF2#qxQ^>yzXr~r`_91SfhzDh(DxE*+c);d%Y}{p*)de0r>G8`{n#<6
z*62I`&yGQr-SpO=_DzWH9kkE6f>fo?`Dey9{5NB_e$|7mq(W3r7^-oF+;8?hrVe-h
zxWZNcbA>wxs-|YN1F4Q7?-FmDJN|1n?!|~WiY))vGtz&3XQGvZ2IrsqAc_0tCyj2_
zW}Qt~&WokGx`7G{eBGRoEkABrDbfiX*eHASfNo!r><g^6qRddj>{xUxB?1;gzOEP~
zOn0lH3<H2s)hu`DGoZ*?Ta8_EpX1%~A)yl)`-}Nb7D)oe>;(t=uH1a)g|jiH81Mm#
z0w}wyR-FnO8(ST`eN2K{GJgKSw+}JPUY4FKC~yKefy#j><UqiQSBWf|$INEg*Lbf*
zz#kH==;BN}F_&M9LUouuXB7xQEu@s}l$dQ!Q4Kt3SAN0b(t`cs@S%N6tKe)O(UK%z
zim;7ngg!<-EPH%-@8Z#zVvK4ApJHqX?mSpi{U(pni<2LaVC}t$7i@e}qQ`zL-y4pp
zzx*=UqAWK!+99Rn30%O!h#Z5XP}zmy@{o}<R!w|Hd%PB-DqTtE4-QF3F%XkyD?|O%
zpj3-duIWf?viIxbjh>9jEvCn3S6w8{DhaZoqV*L(Tnn%;lzmwlRM7&cz+JtE;#8yk
z!*-Y$5K6<uab%_j)lM3dV@tcDewA${!u>JS`LPaEw<J_QKTPb^lnW5jP@lLw*IUwF
z{1+USKUsG`^Cvi#%k^ph7aYq!?YBX#D(1*qz)7;oZuv>_Ptu+GXT{mYRXJBdny<zm
z>UzCDIoKtKV96y```i|&7CPMc6D2xp|A`WvxiN)Kz5G!5lWh<@J50t(5;Y&RxTjK}
zuyOgQfQ<dID722KSi>k|_(UYM*beL{P5z)Wm_n3mGlbLCACcmZol-WfAz<>_5CL97
z6fm5epHkt-3_QY40L>qcesWk^71zJ=`*;N+Rv@$mz7HR}qoJrUGvRk_kxMb7T@!lj
zGq}C#6NEYXm;QKjoXQc?Q9cJr#q48F2!Epy5yjq)S}_d_3o=~0d3ZLuz!hu70$vD9
z20!pxfY<NmoT30Hq_^sC8aiz2yN`L#k{StOjCYk$)X`*ep$zQhS$_s2(aP_=!g!<<
zp<Ei!yQ8VG-7<5lE{8nOlQZ!XkZZ0UA<Gg2fS89o$i~b+KC9yij+zh-C#3_MZRq_H
z1S3Ohr{`4Qf8~HxV(Q)g2*Jo)r#_Ka5P7jIeYkOt9flO7V^KNDq=?{G1qeqOSh08=
z6U*Y1;l07atR6cAvSLz2ZBxTG<)`WPVqk&Ahj(wj0RFI*%1x9AqSD*Aa+8p)r|d_g
zlK|f^++ydQbGEp1O7u{B<KH$FU}JgEc!*#JEfq2Znfh^!HPj1HWa^(CYAQSF;mG2_
zMlLxKHSpH{bQ9^mAz76CzJglfeggJkc&60)ltYXyGdx35ES||Bi8xYrO{w2jJ)zFA
ze45lM>(Kf3s*8&*iS!NQk4YrYk`ak*;~o8aWc4zh^T=+KB^)3qn%S@Su_zengd?x@
zE4kM1VF=-)rb{57=A++H^2&=Y{`s@?bJG&?Rt+XTdOtp0EmL2Pa|_sgzO@x?-83(u
znSU5<vAMAcl<P0kgYsIYQ+Rui>}RUObIR+N?I8juyNLk#q0_LAk_3yF?1oE%(LY@U
zpwN%itiQsK)ojqRK-vGSW`i<*2wVbY&gd5bVPz`!<zZz%@qL@9(L*PK0$v6EE`<zx
zxu|!N(5uis+U@T3fyF<N`GDCsEmBj1`j=8gvhxZ9IU-%X)MkX;C>H|Rz}7mj_D8LP
z%;l~)TNlHdljXc=Z%f0lzQ+jd$$B=98(tH<qnze)2H&>jE%<o}E-TExq}u)CT<Lgj
z=bzhW&yl7gVWOuT-|Aq0{qFsu_rsvdRFNS<RzcgDC}QJomstgLYH$zW_AcRDwQ5}C
zXRO?W9>P0Xc-zr;mDa>dD4-~^&dgAZYO(1SSg0K$7q{byn5SjbjFG(<PTm45hIuTe
zZn^V$kGux>BYNMi@2SdeHFFx0P2YyiB%8Ye%H7beH<H{@i$)^pGD7bFOA?F9qDvBj
z))mG-m6BO?4GO&%)%i*^xlvp_IFL?#+q0Csx^`N}0>>P68DNBl^V#{WJ&5X<xwvNA
zy!(waqJM9lz|}4nd0moV=2@&ee!4r*iTsxH?*Dk0y-ycl{BCAVY>masy}wz*R*0oL
zOfaM2sm8rIk9_A_eMVOV4R4O7>|)utKYoK3WrO{G;-}F}XI+y>hiX-+S|JSmM=}|U
zo^6&pmVK6=bVV_i5B)vxpn6dNpJfC59<1FBxpVyIg0Sf55?Ir{8;g{@7oHU0M1nq1
z*1jt;s2~P=v1}Z^j}mKRO$GJNr?U!;*y+671g=y6Xu36tob{pog|ZfvQHK<$x}+1X
zT8m_GTdVvowHDL!1O%O(mC^Mh@2~vBId)ml3YR_@F9k$L^gv@YRWl`=K-0h<0TpIK
zve^fT>A1>0!G*Xz$x-fxj><z`E1y7XzM>bkLD#62ybf%tEop_+%w3(+Y*hufOY%d5
z7nMdqPr0SGK9e!ujWiJyf;V~2bqT%1`da0<v9}wkic(r86KZfxvsQ}$x@|8)hi62+
z=&c!7`Wk3lStbbRlaS=%J$PXC&bt>YE;7d5z;z%+c2-y^{z%|d2=s1pkAWP5<}gY2
znuk;p{Ap*=`1oUByWJnn+k)H3OIeTGQ}n|IG^=XMrD<PK9(WJdiZ)_jhrr~-YCjue
zDoNDnhhy15SO-!a)*2reay1F4VbY>@Cc5(A85zhtKK3jRPh7OTWFq4dx>5rxrGe0g
zfouIu>42O4*HcL*98$OV`4R?^8a*3Zwyz#t9ixqC=&7EEJ>~rw+9_~lmF>2S^g+rv
zIab92E+bg!BUEh6$v#K594Sz3cxjr8LOn_}WZ~^_PDg{N(p!69B(#DfB8|QvN2`h?
z8FV)%A{d;GrVmq4w74Dv6|E^FH0kkS_#?M59q-*uXXDr0Dn<<b0cnjug@=O_{=oQ%
zp7MxqHcZ`MpKFtnlIO%aiH2KXxTmAYfY&=9ao%^s;j$UsG78iaGX_V;%wihSSS1st
z{42$8C`wl~_AhI<A=d%Nk_H5&b`B|T91u04`PC(ou}Xkn0E9{!3?G=}YEHa*oNdL{
zac>*Fw*_MCH9&HES*Fp8x|9<|Ur<#^Z<(yRce*O)#fP+pV~e_fqU+x_;s!i;@a}57
z7}d0(0c4XX(yTEa@mHf+KzRknzPaCWrfWWLJVBs|R@peCCF#6_eclqSeR$r}SqT+m
z_vwesc|-D7(<Elqkd4Rz?7FOHcZUh2P6Lx{=6HOjY>0Cuy|T=!lhO9`=|-&XLwDS5
zv*s|ne04g%G20I`&kE9jeib<1z^&hXw>;BM+iytZenT<2IyYCaB#6h7WZoASNXS+G
z+AE_W{nHgKEjpzz?}Z23bP$E>>-o9^ZyP{@2OEH+h@|j)+boP7Yb#pp8J-^FfbwxN
z$GT^|?Hx_RhhZEDijdVEl7!V-jN{K3QQ0C$4pl3Fa-v)luYn9A3sNry0rBiT|LmJ}
z$~R0DK`?S3!q}{RnUb<(Fh2PP{aRqx+km*5%z_0aC9<9i0W&j~bZSGS(O8xZW3-{S
zVZ)m!wlR4*{^LQ7kJpU6zB)U?m7kVD{X{A~LUb!(-2S<WSb>m97!o8AQ3!}blFxj<
zYB<~vtLkIP`0FxP`std#!8r!Qi`}5ck^2`S60T2r$wc{8@5ff`oK?0`&l>jK729=t
zUZ%BE63uBv@rSVuSIG<u^I8{+O$Y{ITF36xM~Z=3BHl;Mp|SmQkEB|#a5GoPzSMIY
z#Y>3yyM7KjwaCjJy95QDY@48XnHJZcfBl~6InJ+Uy;q~Q+<NJt85L;PvF~xZ8A&mX
zByBMQ`-P)QzgM77noUhn)}0#Y&MQ&>D;oxMr)7t+hTMeB;L5|)3kNwoE$}6KY379=
zleQZ*S3x8d0;yVGNxv6xAsSr;RK!MBNv!NmBr1s%mb8H|=t}uC@;Ycx3yNzO^n?4o
z0dzcV&Y7e@acULpQ8j%UM>h+ZQ($%x(UNSwPkYx;D-4BiKyOzQd-zFZTMP|K)N*{c
zQ!u$M0EST~#iCw7kG053sYND{Txewj%`!$>6wJjAQczyI-%yCeBoS#5Nct#iLh2}n
zuzKBlB}h)mRdp630ZD2ix5U5Cpy4MVjiAF0rVfE$c#;-e%>@A&MB{nLs&IG2e=ceN
zH3LY`(%5WZl=?<m6=2}PAYDvGAwdFIif8HH0A1#gE_~QIADpp?0cv78=1DPs*mCId
zGY2N&BqfxdE(SAkU;`(>Bpi^d#wm1KV)bzJ@hMm1%o-%{yfta6->bQ~;44TRHbibF
z)usjvHmh6XISj?vJ$KF~cV&N6Ffw&Dcb?x*0*%jN1c*Z3bv~&cVErbcw7MBtIgZPT
zzF8Y(?T>J-VNUNNJ{ee&91*jdic}_aNeHX~v)P6qKr21j_5&S!_3Z^uiKaXYh&iqN
z`X%t7-E+xh>=PYPZjm-)O1~+)|5h|YmS=z9Lb_C}C_LUfL8V+C&BIFS=jK;QE?Ezp
zK9#O4J3XxJx%{-YZ5}(t@pc)b_a)(p&W$(APv|*kir@c~=lsnX0?SSCjuS%*zRxnl
zxbxILZ|RHiWB||6u|wFp18jGB^PAHs#dL;pD39n^LN0J}-G-Oc@%_!R9x1FvDZ_p$
zNjApP>2(w_IyEt6t7Q#J&B0-4oqPp-aIbC%uBpD`M@#Zs>cj0tx(wvWFHM<#>_#0E
ztOk@H7??ADXRYP1&2_<4hrFdIT@QKjC=1(V*!ihjT<6*`CpgC#&}h${3>9annbMyc
zl-H)6we5=p@nq2KalLWe`24Lgo=NW&D20ajic=F<&*cJmg%foAy|WE3YNyFn%AOHm
zr580PrLtstqra~$TYcE}!zc$OFTm2ip@oTdb}A;GSG}Fq<p_SWPa{{6n=k|485U4z
z)eq3BFct@Ul%tQh8y6=s?+S(KMYS(hr!Om`<ki1{w>q#=Iml2RJiM(y@47K>CWNmg
zyx1C3q~bKlB|dwJ|K+fm09GYLNp6vH)o<S#6OM7ug@&Z)dWfuS6)hX~Hwx|J+pff@
zW~givsvgCDKN!@=n|u@gnbQJ6975QbU?D$r7%cNmL#;#BB$<EO3|ZEZ6tqWF&>ut_
z6%;-s&M0RH3<5?YYcgQAKgj;^=&@;&OJ0bHZSpclQv1YXrdSIs1wLIx!i(EdKew#~
z9itlm<~Zl6cnJv}gay1X;xXRJZWf`RW8UKv<rK1HwcFr)vgpzjVXAS-rFNI1o_%$S
z#znm%gSMjXCQ@BYU2p>R!=6;YG?K1UJq{jiuYI&bPt_<8>1eM1@bx^mFETAm=wzE<
zN7N>Fl-^jB8Ff!{;jp@fN>A1cx@{K|P%8`}p(?6O>Zf$umpF%dq@lgkM*=_(*M#0K
zpmLrn{}zr|_9xR!H9!|`Sw9%c=_urNYhT}B>c897tx|n|07ph9eUiP#B-FfRPDU|&
z_hc*I8xneeolbAF-9C<dn0)P+pC-ttCV8e9UIKi!>%^OKAp{2s9$a#Xey+R7a>rXw
zMu_EzQ5RpT?T;ON98TDte1F**PAS_k&sHaX`R9l&;QTJv_|o>soIZ+r<v1Hv#_|;~
zQ~#YRw@FoCWf0It$qDQ!A#a7t>H<tEmPvT4UC&cEgm<V8@n8(wW4S78@lk!J{aO+c
z9wvBQgR-=H?98QzJ3s9Ybs3V5-c@dD<s=u#08e+G-y5!!RShCL)`e2=AkQ8{tt$#1
z(|Xr=OiFDXPEB78kPFi2g>2BSX6DY=f|X5BFd^>b-f~Ov@A(==hd*~1Ury81v2+e2
zy=o2~eR9{tlpncyq*~K(7;|!msLhuY5->VgI-(DaJ9oH2d)<{k@%{_J{%~XS!LyC1
z$+Djktlf%cZ(LmKm96#ea;}rOv6Hd^;dhsq_UdM()j%@ekip@|0?*Qxaq`$ixVU`Q
zv{{v^-g*w-oeszvNQsGH;LP^^H_aO9C$oGwK~6ZK$bki^JII~L!C9D=bqyvOV_r#^
z7VH>Y(tyQ$P^KnEiF_HQ$6pC)#3s$6DF`xFji98AUS&{p9Sf*PVbEwGrhqU_ZFz<O
zD|`Y9Bt1aM02(66pKnu%ESy<+ahHe-RK*w1!Zdl!7SGT&2>MllBLyGRAbwv?9!&1x
zrIqge6*&c_gwPrHS7ro&K?)fcZScU1tkhgw2&%f8j0(VOB_tJ66>jxPJwgT$Mj11l
zU%&N2u@VD}0gD?;AL7N<LC|dkKsbsd5pX6E9kp<Epkrl7Y~TbK^8*-_a9Bbmtf*Q7
z&C9Mm$nZ@dGID0-Ox7poe6iR;tZ!Exw(O82HfpK>kp#E}(2)Om-_+eY!WVQYc>d)G
zgYClc#EHSLF?tpQ*MnG%<@N>YK-lAGJHdQiGSeX^C&}DLRyKvne&Ka~;T`L>eM|$*
zI|4L1c+Z2iTb?;~R*tz_&I&pCf7$F=>_6FzSgR?+Z`?YlVtEN9Dl*(|>5VHi8U%Z{
z{5<la@~e;D_2*3qgc|R!@@Tsyc+hH(7S~n_Tq7h}u3%zjtn(9u>h)Ezpo;3FNV_HA
z&<Zv{ux8Opw2*xW&8n}bZbfO3DjO&A0M(AOu)L)u+w$6<$5*)`hgp-HSK~;P&BF|E
zOS|H-a3XRshdE?@!Um<td#(*mOFL9MrhSF`jI<5ZaMkdjvu6vIvQ+8Kg*;GwJLLL0
zqmi?rChNE#ZdE%S#>~P&GsoO|4y^^_r`GSg6}JM1^7>gWMA2MP@)6iSOFU(br}uNR
z0Zpl*^xDVHuJi7XGZwq=0pO)7!g+nvs*2Yp9wDHnB6@#3M48;wexD5@TJsb{FI;;H
z=Y-(R4JTi}3+Di}&uI_rw7~l6s&NHW{T5LJ`E9$r-?%4U`>2^NhqkuQ*WOTk1#h<H
zDnSuY89Em?Gi7J`fGk49#|!uS1U8`Zxo0*5c)$-GbA6*0bbDtLNF3!eh2kw@>X>M5
z!)r2GgyfS=PC`c~0Z{hE{jAAybRoZ7n^@DPI6vyG3nxgLPbkgDba68b%eAe86=DVt
z$qm5a{n_F5+3wjEbKU6Pcu|f{+RjZ<dr)bqGyn0q2K-U7*<F><dv^3bBD}Yy+tor}
zGuuJqNDcKG4wb04K8r9BsnQAC)y$h9ny=$ehN|9Mo~%B|2s$ks^7{{!A(@(}7WS$u
z-Oo>-3asRhB6O0F_edECA}_?o4yCMFH8EsH&pDBxdNfNZWy$;NwI}`NkpJ&rCLv%`
zbCXj7R%l#*3X!lvK;eh0gAG>V=~zb#23O83a(0kXJ06&Cr#pTZfea*Tan+xiRJ&(E
zhSL|-Y=jBs<I&a|baz(2+za+CT5o8QAdn}fdvjz+d^)nl)8NRN_{%_M?T--wBF<jX
zx!0k_Yb`|(XoM9|PCT^Omqvo%1Jv~9GZ96{P=UgyHn^HA)ec-gpCaK?%HM(&Y}Xq)
zHPc-kEx0$+b?esXd^?AdBLQ{xDOHg!PrARMr?(*v8FCnGWWQKfQ>YVcH?~Yal8-g1
z(>#uEjfPvwrnrcx#~_;okx0}K`<jy^_f&4wqnn0q@d8??Gj#}G{AQ)ofE2k$8Y}Y;
z2f;9;UN(QXvUN;E;4<3Y^1!Vb40ZIpyYj(Q29H>=n(nm^0xCJt-8cz#j`=33L&aY(
zVC^y4-T+BRPN4j?;(!<;q4QBoD!xe~4`MHRbMRuRqu-8RX;_s8QFMm5EUSv1)p-ln
zCP7#7!ei$T@27ke4e|RS$Cds1?{m6W)t>cRxHy9L;aU~hUPz&IcKtK{cvo`4K*NCY
z*CWkmn$qA0lI!>=g9SY*T4$L^4i{ZE_ot;YkFaG8vOpRv>{N!-*36iL*ET1{;i;1k
zJNVf#QFKW}uGM9C<(ar;tIlHS94n(Z7BwrV%vpk`Z7mDccqrE3)02+Q?d9d$6B0e4
zPJNv#F7=laxS3b&9IPY?gKK*zJrLc3O1~HISQlzIbKad-XhSWol4-{I)ZZDOLhKLQ
z(;TzWVfGp3S?V7k(UWQqAsL}4%CmeQAQ*>ZJLPUMhfw0Do8++T-4YmZ4*%S3##675
zo)&eU>}cvV+};hE!I$hHW^WwZ6ADV_K8BUqB^-bduS9+ewj}D!!22OuN1~<)U;?dU
z|BddeuG^kXp$mjx#*UiL%UY0fdZS%J{1lwQDAYYT-A+eOmOqL|9?gFQA(F@Eg#I!m
zkG)$IjDd{KyuMSvC3iNPGcK6IQ=0~ez8CMBv_A~mEs)}xXIC%k;ru>4cJQHqASp8I
zD4i4Q*@i4kq7rJ3`v}Z3v-wfXMYm7e)XNt=Z<5J9{@Hi0AFcKVE8tlm!<Q&pxb_`R
zgyJdM8c(!JZov2Ko1PlXs*2jCG6U>6L}5Pc_@+4;I-}5_p-Vgk|JZjdjXAYA={^(~
z-LTG25V&*c+aKM#{FsR-l!st`n$<yh<)cY1CX)D)ptps{@fXcW<4e!P*0%4Rb`bAc
z?s%MqCHt<$AoFAXE+dd>YO)|&qO=IdYXK2NkV8b-|AjeI)69<R6*4eXQst;LuL~hL
zgIi>c8*D~P5N*tIIQeR@6=D4QkrATe$zXv24c7s7cKMG?y~%VG{S>)Mug{&Hfro|F
zSD7Vht*4(S`5y53IS$){2?n2?ai+DE#%BR63oZkFwOVgM<treK{UFG4Nf;#0ukv7h
zpx*}+Z47IJ1sOsiKxim<%#@ZmPX<y((ECDQ7Hp5X7W|8+MS>`VH#RM?pquVBu6Cxl
zJkbBD62`x(w7Iq_2IBftmHti-0J)klE~9j#N5`XS)Wl$x0t(4Rz(Wb#CzCD)>iil7
zfCoCNY-<uYc<dzFD4;ti`l7rYuI}eVj@p6x%S_!gscOu)cjCuv*8?6wEu(m~dVfdB
z_5K+4QRZR7T3)p;!LASncru-6{V-!S#aO7!M<`-an22eu*nc&ZWj81+=x@_cXG=My
z7;Hoh#7M2d4m#K=!=JA#_5!n@80QOO*zI|u_rr}4PI?41Y$o~>0VVIKi*qEl!ef_)
zZOofQrx>A}oJY}?DTMNPI&7a-;pT-Hn*Q8rR8nP^R=iNTiXV#^(FS?CN{rF~H<68Q
z>2I|OU1Tp}Sn|5WUlB}<<tSokV_g<$HW@RK5H^f6mzGI93(sG`D9&P1y#p%1!Zmdz
zhoYn4tBCMrB4T)D@P`=dzA&FKm-}`4ggi{d%LAu*7BTvD8|^=(E5>Z{GUX{}HqARi
z9OsCQPe^CG>|e<eYyK%&;Z@qih@owUI7chPwTQxy2k82<BH2@B0HD#z6~R@9l)EI%
zbHxzS6N%t*A}zIze2A?j7DR)Vtjr{LVkR~Q(HbtuIHoih#x(sMPlJRa^>$F{piHE8
z(}a;A0#R)p2SZ9C4l3BY+W5eomh4%yLLFSn@SUVW9hyo5men}`hE_vt*14C~VrDCJ
z=}O>GYC+DIvG@TTL~afrtkn$J(93nIFd$0KLC&=L+Pf)m=tb0>B@o9@QUm^u!Sq#l
z<ET1({jHkwcIrMs_R$R0>#=aKpZdM64k$FRAA8JTLalizk-BXlz&1HyZ{;b#Heqr4
zB8w|wZ&-@D6`1+raf12X0n;QVJnAjYYik<AqN`5zM0S<H9B6#+h%Cz~RqTvNf`;bH
z5LnoPhQwx-cZJ=amjZ@_==%g+;6?W$o2wQU=Z~aq4eH&uDA!OGTrjJecpozIX;b*l
zRX}V=cG#jH>fYG{Vo#ATb$R9ZA4uXK>edl2b;8B#VfgQ1Xv}*f3GJaV_#HdkK9z8a
z{%G0#f-6zZPGR_#R>XTFs`sKFtAzU_8Gn1<{Ns|RnGr?V3Pv4N#yIc7h_Drnu5;KT
zthCn<j5i8K&sw|7?iaBon&-IT3D(3k;4h_<_JT;mq-@F%qP^Sg3DyF~Wkd)xw(k>i
z1N@C{U*?xyZf;&!D4{mHFok9LOwsA&fs~%|nyVC6;_9C`m&@R~^s=Q40{s%CraD*|
z%u8AdR5H!sWi+Wo5d{*xcd+kR9w72C5lLua`k)2pt>cM6gw)B7q)dU>N}M8Q&8K1!
zv`Z+pa`J40-vxEfr#hOc8`U31YF`Xl2JcF|nObLSyAHAC;-_!U5SMaWpV3Aqz)vt-
zLe7yp(bRlL9-GMSD^t(c7%R_E@mk$;FfIcIz?^nRRY;|<`4wDQQv%*A3-owBzxS@Q
zBarrf?{GIURLOBhzpD&&2&Z$@(uBg1kgA*8!s(^Gsj6G`ep>xSjx}S}&A2%ltb{|B
zyZTD^r#5MVEy^O_4J6p}xJhssSIan;D433>KN<p6Zn%#;Fl5q2cs(HkRcHQbnj~B<
zcBrc0hjEQu(CC_so-11wH$ms<7(FFf{~DxJ+rgFQx@j=_C59OtP!O%1WRU8@5l;wm
zL{GxZbr~O#HNq6?;~JKLz=Wp$@t>IGUcdfg1{J-JKbOzg9Y>jZW=E=!E6fao4c#8Z
z!^2y^?pTuLntA0VFi(X&XBmrp*eh+&-Px<_;^gNa`VMV^6O?O2bpZ9sNEF;5g<dZ0
zF~>g8N{=hkYb^2e@0WoDt+z*ph})T%<nz)kn!53gr*RPYX~v+n=thYE|FXvDba?PM
z#9<oMk<{clfBtfsA#Y6=S$k-Q-L*kgBemxDbBW)GDV8oAZVpNng^TQ>1Poh|g`pXP
zGh%Cq%gBljMKXu}bCzYRJ9f2Ap%@2TU%<qZDZO4rCwhs7>U)1UVs#tOu|zYbG7Dv_
zMj;5a(DOjMSKA&MJeiydNA|loH92XAz4dN_MVpDRyDC65dw=pkiFqRN!%@RPCl144
z=!A~$DyQqELno_Qv@3;9Qsk{?#W4aX%RX6O)Voh)$kMA-Eb_wRDv+{Rj0=BxSoMso
zfz|n!#WZ?typ)-vG%r{!_vRo!4k;;#SUL%LB&eKtn8TgD>oNLX{3+G`-c$3;lc3wp
zg(5eabx%O~;V0lsNMh`7_g2GJ>_G(DnUM*rLsu~ydLy2psM0*at{luc-W)9Yl?o+}
zsrp8BzTf(54~(SSEmoM|q?rWwkovkgADyJ)p?43}a5-`@V?Wc~XzoB^9xz4TGcQz7
zXuxhtm0HluDSY*}$1uZ6Y`q4QF@FcWZhJ%94E*O<wOuE(ucZj|r(b<dB#0Nk^n}oi
zo%ZBT=F-`;9FiX987{0$<m3^hxEs<o(~7%;t8#RiJ+ifgQJrNymDTmnVzGKV>ZWa&
zF^_8bx2ce~xI%q0Q$Jf&NYP~nSwcoeRuR~eptu2`-2H_G+;TDFt&B2KzEd`o_l5P_
z%9)i<7Y`wF+xQBB0<$Hr@1z=gj}{^~1qO*MVQIXirIQ6Tok}n3^C25QFAu-RenIg2
z#z_@>>uKT;HUQZp9@Vepd>}+J*6-_IZyIZ4dA}r#+IB=49q|c2s`sdDv!&1%P)6YD
z3bPJqhn<G6ptRON;bzU+bXG4p(4bi9n~s4pcn>BcAxNBgtvBh@_jg@H?f9IO=-ynv
z3F*v|lyY=yjvJ2Yn`b9zS=`t90i~ZCj>NYb0kYEk=_UcRDuyw)7#q%RvnMsEHxb3%
zWGKMG8{R^r#P^^a{=gJxl|h6T9i0b7z$&WcFIrYU5h~NdAW_DpF8f*_Nu8T6XCii7
zt?c0MEnF~pC19KfKO6v3;4SgKm9C%HEhpAMTn$K1DZINcZBg#Q5C~LZH88e&V6%eO
z@;OJV%wAM#>ar-Wr+MRPmyES9)~O#~oHpyLZD;_{epa7XPh^+F<sk6T6qRMNguQ8P
z{-V2~p9uQPZ7#jb$^fZB8M(;t<{+x!L>uJG52AU8xB~AN;uV4{2I`qv2*l7nT-Z0j
zeS!-wkFG5jDYtvWILyU0IKbSDczaX+N`$vvdvjApMb|fpL6<W-I+xb7Vc5$Gn0El#
zlGF}P9vS))zX_Z-uz(z3Ffw-@ku+qG<eux>o-S`Y%G?V%o_I*pAv$OiQiORK-0Mhe
zEkV<Qqo(Pco?p!wQ6p3CoNOL7AMNza_Ir7tbcfyIR<Jga+K!_moBr4>4RZSg!f|1P
z)473Qz)xryP~i51dRw{fhDFb{7{WzX2Bg&yV3RP!j+`hlW!zE-aqDWgaAQd&l<maD
zj;H*I!!_E+<L@TxxQCfa0SY;zppJuXu-V>1^!}!|MtXRd<A|qD{SrVH_b%&eQr=Z}
z<t5D`|Dv{a2J5(>NQa|p4OV%%Gu*k<kTW92+!fKfwn#^$nJa_ZPl4QIUdM$nqygHd
z9C2$24f)I56>`4n#c4HQeGj3}Vb5g<^gcN5fwbx>)=F~^Jm)Uube*2|8dh3N65HDp
zR*HJtNR*R8#w^k}F*&tr22C6|BD$md%V}`F{wI(6#M3bSH;<D2<k9@ee|Z$f55j>?
zb#T7CB&_%_y>F?84QYvUr(0>OOR)d}+(;Brx&prw={RD(EmmE#dGeEz5>XoZX^js8
zJ_on1@xgt|bblnecxlWXace)EanDQ;y$6;(^zObIE?ds#zj>siFmHhTUmghzD>RnA
zY7q8ypx!fcX7)wg3?o6mkL1u)O=!N(kg%|DNWl8_9mSzJb)W>Q<%n<Jm;p)gNED+w
zI2Xa8IlRc7E{;Q+0&o>Ca6B4Tc<4_~Xo=586hGnJ&6MO&KopabQG-ks!=Y(c9?hXy
z>%P$Jy~Cl&hbjtE#bhZmtE6OzdIkD8%IVn-ySgNH1^-z#RjVK}3sp#pFZc;yHfqYD
z{|f=J(L-eRt=<)+%EXU@o-0`R7sgMEFF3I(CNf)o6bYdT4<#twN+5zz1yP_<!x3P1
zTZt%A@g#e=hA1+jD|`wjG7;dkfG1utrvi^t_0!30NhR(5BBPM8sY3AfYPZL!s-a>=
zv~P5qk)DPco_oWSp9I$z!RaaKKcgfx^H$kVF0%xoodB_P3ec%-D0A^}(`rJUb&qF9
zaN15xXOBxBNK>&cviCjR+N{A2Jk0oYj<XC4t4oXPvLNaRBZYk?u5G^b!Ttgn)@p>9
z8Wn9h+iLWzf3@uJ;S;?jXIMOy1A9#mRc|8CW;%7{8^57N;@rIXxn<pmi5Br}sNZO$
zQ2ADzPr!70YQHLEdjmCjS+=)3uRzzB`z@n3(IKgeQKOvF)-HaH_@n!Z6!gG$F{mKR
z63U+#j;a)GaC0_f3#t<RrQx^162K)#{l1%{Xl(77k~+T!B_gAtY(m)Y0ju5e%DNHq
z8?^VM^M1>B{*WcJxTlMobKK^-p7iUpO(3grDAE0O{tR+CJWa7*Me}q)1AfZ6NJv*l
zJMMfJ+JPAc&KitW*fB-+vfc50QN}T|PnZHGRR94~m!=^yXp?y0jMdud9<C-S_`-$N
z-=#YPfPsiyD#p+ZhhNfzAl~CqMtGs`UP<!(%QnX7@uOv-#Y_wI=`Z(Lnqc8>^kYCk
z#NPp+<PspYgMA)KUP`LBUADJiT@e120ObS%Z>a@3vvKsn!T@cuQf3aWu<V*L$e%sf
z!H~{UBc^Hv8T5t<vRnDOUT~RKC#)uf8Ok)x6(Nu?sPPj%C}=Er?AST5hY&P?zq|y{
zFL9*Xdq39c1adtnY212srF7;K71?QLgE7gnUYY4503$#lEy6LCR3CbdmG&xtXQXYN
zi!M~l&^l-P+|`(LV2b`G2@*;e9B92~nTpO1AkVzHe%kc`FgrXNvl^d_;u?%Hsu=>4
zCi}0Rc<-Y^f(pCpe%jJK#uv~6o%X?Wm#%S}F+-#<I$HZq?fi)uF7Y|xlw=gOxs$K-
zD#yw;Byp#t(!t`k<a!!?Eo!M+JE^0a(!t+qz?hy%G;_yR(ay$uL1SWXZ4c~ZepiDS
zgIRtyM=g_|?CIMKu-PyIZiW@a+|@7<j@!1YE%-<7bwWX`-o(4RnN}I)TjQtzcoft=
z&C`O$&?)jM@01-Pi=>MhcRlqJjtPorhgWU=SC^H3Ta({3S<@n{JIJNhm6v%P*pq2l
zO<H#sr6jI|man88S@cSJxGgNqRr!?wzRu_*grL`!tKnmJz=SFEJP0205Wn`RcGV?p
zk5<@w1E3mhGkNC>l>dYO_HL&$`sa^`0|YwX&+JklA|hh^C$S;&*DK+Q{0$85Qkmrj
zTLeC`{j+i*c=x^}cb^FxIMF<gEp7dXo6^~cm(uBkpYp~6UoZ_5#G45g{?OZwkVw!!
z+!9<XFznImHAL%s0@cDk@O=csns(7k&jaIMy;Vp?FE*n@?J|QDb?R!4;8efF<SvuZ
z!=XpH$N+%@OMq-tyKTa9U@QTgIUm=;2;0P5ns1YibjSJ!5Uz&^FeQydflZ*0zyUCG
zCF>Jv&e<yrO{yB8|DI6Mb`ORd31B&f1l}N6A&NSZSUAiDf=J|?wKJend%?E~`lHt`
zz;&|-G2rq@vowO>5;$qSWbiS9`I1XyEqrvp(WFF~+!S+}m@Z(_uV%l`b!PF2N+;R7
z{ittWgQv7dr%)i!eqfwZ8QceIW-4O~gb)jq*Vh#NIEB~b&FG52?mh~m-k(LWz5(ZR
zp~*GxeYnds>V1fbr)3w|BBeHsc%Em*;bq8#`ySX0dcV@nQJCN4=Yo5_LpweEr+Pn)
z$pgU5X}GpaW3BLwbnJ=|E`n`GV^yYkYF5taUOX~0J^9on2-H5dlf#gQs7*##vUy~W
z3<((H#DTJ;>+8q9mmtwlxZ-;POh$4(D+)s*h+k^2ECQ_zd?pL0Q=huGEcB%;ROZ3>
ztT5(*z|o%A%|P-jgcUYaEl`|eqV^A=PK+a#zoee)m)k8=|4`j;9G)U{kaBRK6{>d%
zjVjdz$Na@qz)EVMU!i)?@Jo^FGJcs^o^E&mav*2KfXZlPSJX=_qa74CLbW4GUXUZ@
z&tQp)(KOeoI)3XEQ3eE96w95IoZ%2OUruptVM`$Za}k{nglS}p)7CXr`66>J2}_G-
zgL5s0Ip*Z2KFc3v*klAmuo$smZli(pS%EQ2tfYx+R4H@RY|0BP?6!@emT}H-?{mPQ
zN~NIqmRXW)b&a%!2CUh$boC8y;60nS#%R{-7ZWtidX}pNW`9=T@r0JStjfD`Q#Hze
zHd-Zu1cVX^v0!VT72EM!nZ3cCCnzzQ7L|p<My`g~h-+OL^h6!-&}-S-I0~+U7D4#L
zE??pmY!X)=4?1?f_n>4mPQz3_)3F6%kZ<S_sUE=@{I-eE{%5cN*U;5xR5Lb;^-1=)
zVfFq!st3+$U|TtpCKQ4nXp*hnsrm$12kxXOA|49!bkI1Luc%Udd#vQS&4?Y1vn#|k
z8spO8A%$J|-5q4ZB_M_~4Z#mr=sYq7>)gBBzLUs2!i%^MxO~V~_;hH$4|9F>ZsY2A
zNOBeLRD2WDQN3P-9$@CPp(HwCbO;1Fu?F2DjsoDWuTU;t3_6-!w^vHH{P6hufS%67
z@V;TYyrci##-j0bSLZbX#)9|9HibspI?V&Kb^icG_CG+8H{^PPCzZ(B4^YJRb^f!2
zSathZLKFw+?>E`X^9jDZ)L42#JHz6`r<p}B&q7Ca4iHF~mJ3(94q&@3nQ--a#3~#=
zyl=;q5(;HE*u!F-ZCWq?>>6JFvugldI4i>JV<J>bgz(_}Ga3SsVm=c<q+UYS^oZw{
zr<V@$w>}PVXMWX~^tb6F%L*dSDv~Pkl(`GaGge^b%z~hJO5lZHI%Yk(@sUo}a6BQ^
z)?Ut?>+2mUB%>+3!QIPUP*)EpJ#DdOmLzHWP%w++27v?dZiwOCQz=KJKs@;t-IPE#
z3G@36c|6-dsYv||_0I;3w!3?qYU2L!$>nMNZH*5n&y!%vqK~%lrquxWMNcL`3sRD)
z9Xa6ugLpAG+XSq&E)gW}DrY}}d)E=-2zVyJ8CKolie5Y<&e(-(Cedg~3g=?ADeV~r
z3bT*^8#Al1C!azByRJ#E)aC46@6blbwLU-E?h5UV%u8ADQ3e$-fg<2HoUC1>h3S6>
zaeo;7DU;xO>ZB6@bWEE)eL}~>L*wI=qkPwJLviQHODY0gDcEz3oP*p6r2D;0i`3v<
z4A<s=lXuPO|7+_!fTC!&J-#e)0YS1zSYSbvoWqJB2usdE5EjX><gjFrEGQr#QIH^u
zNR}X3lpG{TTqLX_EQsVN8Q%EaTlMa{^=7K3r>5q2{ykG&J=3R8cMBUTLs7h2L|^E(
z@$kp{y>}@I^oV!wRwR}i<;XHV_NfA0%kny2SgVg`Y5FE$<oE}hY2D&YwwI?lfxd>*
z75?*JwodfX1aG`Ke**HwdGitmBCZhmk*0GWyj~QDGl5jdo|)a69U!-)<r59?E19<{
z6{a9w!y>$zEz@fqGTz1{@aRTQ+2|FLh^Yv<_t0h`>+r)L%pz;Hs)kr~5F>vZ+DWDR
zN(3uZ_qQJ`rzNR_A`-zIb)Y>lN{+Az(AtY04(L9p|NepnT#r%p!N@Y{D{}a>Oo1{f
zr*x*=Q@Y{RR@XKzu%3s}@wB-2a*NQ5T4u5o_oHRaV8*k+(es)_F}#JNp;_Ck<7>38
z{Y&zucxCoo<RB5;C3Yx@?SQI?BM{M~7_r65hhD!eTaF@0aBDQPxI2M-7xh$fl2NOl
zaq^kkP#2d&zn48XFsJF)s+DBe^eW%ryWeBlwI6k2UR+6CxcEwaw#-Y0m@ltS@;t5d
zJr{k9JNH(pn4*vGFwRuM!6qO@_0_SW@e^J97-<$;rra9Huw_GS94Qe4H}?D6hBP(F
z4XVy`q|z6e^d%E=?PD<CkWAKe`KXBLYf1zv5OhGQdZ)0*S=zd4gOFH?3q@z=Q9Nk%
za=NbjjOU2`{s)c?{kLL^i`we@Cx=1u!Iw4^ZSzX0nSypHTaLp?EhvKH&)~Ml1fy~^
z18?=uszpUDc4^Yzq|pJLdXpi!dNrI@ylFv+Q}T9YZBXva-jMXM)b!Cb=bbc%JW1<(
z0U0G_B`2eN=ceV)R{O<nImC%BtAWaQy#o9nvhtK4WP`%5FF$W(Snan*i|79gm1TUb
zuS`O&;mYvDv8sV~Pc$MeO<&H&c5S7Sl6E{L)nSHsG2Hs*TavwI)3=S3o{E?iC%!7u
zEuBv{KX+eEP)^Y+^M7t!RMgRT1YuB9S&2WV=1T5F9+tXPL^{Myoff_t@7>r3@n~b;
zzL<hL>Nc{q&SJqkzx<K@$nVb%!_OD2IaM}`I+}iU&RIo-ncX6KrD9J0K0^JQ#;c-(
zO4>G5`w42JHTJ%yyv-TGX!2Lj&JrsRA0yCH=KzT&*T+XM2C>RS3o7qC)o5+m*cNM<
z=i-`NfjFH^H`69pBOc*5)g?@?M~4XYXG=V?JrU)t)^%B}(1B}IaJhRkh}CFVIm4a!
zBmRB)E8u;6AB{EF%M);%5#%C~;NC<D6Or6NJ>W`RZW=Gcu=@5J%Ha(vqbzLGEY+O7
z_oyIJbFBU%9l=Hf0x-64tMtvz_L+13s_+7o=U0v2W|+RC!)G;CxuGXJ)g#$rpTMrg
zhLLzFgXWoKF0&`M5BSoFdxs!4CJF~7VSHgFl;T_&C*`DW*9YaUv23Oc-poC`FXWPT
zsOP49N5?U;7oP#qkA26YDs-l5e~ZhTc{^}`<6iQhyaUug>11dfpCIc5EO!|ZuK*dX
z4V!FWSY!V%B-IBmwd>(82ZqViwuc6)q}{2V`gF0yfbH6GMs;FO3A8Y9J|cli@7U!;
zJBRR=_fli*x3x`li`zi;ifykxvKY8>q&oL>wX}NSWK0(NkJZvLCX-sm%M?BPCqM|h
zU~mCCZ2`Go?U)lAr!~zlh6^=q7u>i~H0x+{e`<`hF+94JI&3y{_U>kWtP32IB~p0(
z)Ra1tGigm@s962p*dcDgK66g7rz_C9H1{^I|Awog^g1CXZ)Igq!rxkE_?1fqSDuoF
zyvR|eWyqt7plEB&2Iv0$I}PoK4_bP4PkdoA(Yg1OMy+_ilVGcNURxvxKhb(fYt!|b
zjR4ulX$7&o4iT}6UgMmjrter$F3+{dNNcZJpL`xv&;>7H*Q(!XIBcRAm>=PbHKBE>
zF_fJ+!5--dYLy!feS2cOyQODBEigE9>rRJ84x2@yk1NQ3%u$*o;p57*Ux?vOJe<F$
zONyAf#<f!@j&U<$U)RU5xmwxz##jKOKkep}^D6-&BFb}75$(hs6Y@j06FTJs1-lcK
zY%Pxpqph@C5}A<3-+zMyEF>VaY7#JR%U2GrV1Cg_Y1~Z%V8kIM7#N^qyojxrb+8ZM
zeWw0)%D{N}f|08R9p~6&Aa2yTa($QOm9T!tl*7TDVaPd+ewm|t_bOELKDpd>tFRN{
z7q3bRPp3JOTafPeP6%k83dO-lqgw5b(CLh1hzvDm#+-|Drj@|XNy3Ezm8O>%|F*^k
z)PQ)IQlEmq5knmh8{jiv3+|GX^vpwlC3@Uy+NAs3zob*5kvpJ}Wzo=5pICBqH38}M
z5EMtQj&l<P*X+qi(?QKtS^A}&Xnmtgm0ZZl+R?*-_8zY<gB(;S3THw&@3+j}#8axH
z6UrzM{Zge1n;(kADxKEiR@$Ezk^E?`GutMmY$?c?Hi#{H(!olf&G)jfxa@34i~*GM
z<q7wDc}(<2vQYoV1(pv^5x>rJs%$NqH|eL$%E5+L!I>QBt>riUC&3K6Pc#I{nw!M~
z%k_8JOEx4!YrheSWd7s@!Xqdd1zTWvXok43=bB(f-C2FYdAp-B5SrL``e+Fjf~S%9
zi<(ZCofPVY{<IC^^n2Fu$7mq-B&N%LwijNuY`KV1f&Om?E-C1zp&0||GVnAjn5lG!
zc#22bq#8dcoTmO{$6gCx^e(IfyrV^Aa~Qxo8g$R&LNd|i&U9arcB$_-BZ{a^0s(=0
z8y;w1?JY*6faqktcIjzEMICxWO31IEy5edw0>dJcusK!$KgakR#X9uU1J0gUx4-?l
zQyqY_$G2o9zJ%(*1K-hDN-o9>X7I23e8qo8S}OPW1~n<l3BPlialwC*%s)l+iR2dv
zvoiQRIF=)@I(BS8G_Kpk6bEW-)HbEyx2XJ2vfqd-SdQzA-z7XpjT9Pqu@8-jOf7Qp
zWGPvP+Z9wARdfs_bQn**VcJO=cph$2y)`tt?3kStuBC<gdc1HgjwZ07pus+3xCV*A
z9384Je&SJS)a<*`89mC{I&hKQH`fw$?v9p;)%^oybB^u>G3vwE37nOYl1{NV39fCp
zQ{Na{eMf4gjH!sla%*_e(&2ghHRFo!;bg43@%Hw7TsA~NrN`Pu1M7}iNd+aA(9l;}
zJt(0W7k&uK;_{6CP#8ogq`VL}{3zW*YMYFeCIW{3r)v7=wB<S9i*_0bSvO?8J7tt}
zh|v7M>!Yk^9N-Kou&UhFVPZSYCL@}xokreQr9V!p@lsIk<*X$Bw;b)axPjO=-}P`{
zDr-9$F)k&<ssf5PlPBP{MRY=3G7XJb;W^QqQB{8$8S@xqOtn9bjG2ZL#y8N}y6QN+
z^HVOtAt{-r7vHm}R{JG`jM-WPrymlXP-2&uOjCUg&r%)5Wv3jSFv>(Q!D^b4@Yi5u
zamT;Qv0HQk$H3!1+45!^1i<xoWX$@PCEJ$K37-D#Q88WL{Ns>?mG>l-5X${=s@Kyt
zz4QN7;+Wt3pAr}KPl;pUghk5Dq?JMYf#`hqB^y%m!BbtfrlttO8TM;-L=eX{W^pAt
z(Vjt_pZYl~8gS)A5oua$7~ltY?Y?deTMd;Fe*}ZDie_NDVw2c8+qw7{XV>LAY+;e;
zGi3JAWxItaPQII&UW;tZifxV4hE+mLIUy=G$!qkwU2Y`n>SFTT605}78UcD#U<3AB
zMN|hB`2}AL8N2>2Cl+3U=t7hb0u2|{hNtiwKC@8qQm+yG>O}ipr(V;e1pk73*W98t
zLZABvP$K_=6j^SEu+fgSSb5R2OM-P#y*Z^S%ZS-6!n>TbwV!wLWa&EOmzQmAbKa;j
z(@o+dba$x4>!bH}4X|@UZjYU60*+A4XK8XvpSBccTGnxzF~Z&A<~#Z_9dOKTMAp26
ziJy{>?E0H#*RdN+OBC*dO$$`kRlZU()uzSlO)w`!e^mi<jwst<av2>@pI3YURbf)1
zrg>7r$C9j&-nSG5Qbp_gbw|evnl;K-6*459@s-;dZ(A2&aU*2QMBKPc@f^qKr!kJq
zGYMv&K%q5pwo>1JB)AKcBSvgmlePw7{1+6^0~ID$oNh@?@2onLw3&m*sm@iK4x<jQ
zWS;Env1E;m^%xw(OYZXgH&Mre&^dveg;U;#w_=9%u<B3U593c0Nz2TiShC@|=|3D%
z);Npp$V4`X5_!IwjJdrZFTG>%Ia}d-Yo^(QHCeKU3~`uV2<z(b&+7GPI9jGWtY4l@
zXi3-p_OdcC2D+|Y@ZnWyGpRX@tDeAl7WDij(=FQhRhO!hF&KAXfy*Jd7;op5eNy^k
z8{0CQRS+DJ?n9-edWv*=^P=V!VeDIHaE?;`Jclyp@t;4t$4A<yN87-hUK6#3)Jep)
zJjl}{W|n7{p;IAapFKt|L(B9tn&(AxVe?%{!FYx#1o`t?LlV`A8*9c0xs9sYb4KGS
z|1=BU{bebyiyYxyFHfD1zsc9+)GB%dgJSBFSS&6dJa@@s>dF4xS43oN$l}wP9g>&4
z0DP5@{rb9IeWDYEyWa{YGG(!T6Rgn3LJD>F*BD;i9Cy%{HM`O|J$R6ZWA~9(z*7B+
z$&abyaA=P{;vB!&C3l>Vx$V%iW*US{pxicR8*wNpLUO*KF%blu!Wq(WpKcKQ>MI|}
z@)ygl&9e^}s23ZaA@X9t%_=52u1(C&ZQTBSskq%O_pg>O$GY@~_wDYnt`~l!pjJKN
zlxQEW8MB5;_aUsIF{<?IW5fCZ`1H_&U2oUTQm2DoXQn)LWlVY6Ir|0Jo1)F>pT=;f
z-lD?p<L6C}KHOnxNH(0-w?EC95}fk2#D$)fnJ&-lotk$-KL^%#T`9dEpY!<YLDt#t
zw#SStUNw$%ujal~2-C3VJxO-`!FacGgjWi^YyB$pk-;70x$J4iWlyx<t~2jRMqDZb
z<B`!gEh<uyLbS%*w2$Lsc3g<Sa#nS7PbD3iM4%;}0Soc$*nD`mDHtz*^p%GlOkjiZ
z^T^PS&*nlPWBh30%S*4a_HxS)y)&){z7}}iJH7jkMK0ZrTkW$AT2Cz@Z;kWjOs;`$
z2{?2FYiAK~9aSSXc|#&gj_0P6=%?Z8f`K>;Y{qBez+Li|v;_Z0@u~qQssU)xwt1*z
zpRdyRjcLVTH=RR6x+pp0ClnqQPIrq+8N?AA^LF_rGp75*)JHJO#S=+=lKsHlpJB;i
z@=3qjXtrkWo-+kq&}7<v5j!~(H~#9^<aIN5rQ3c<$V`tG_F(bL*{)o(rH!_?d=C*K
z-K6jvu%0*V_l9{M8;mWRl;Zq{)a963VA0H=<1jiy-V}<pU%0(}&XxUq_5E#ZR!O=X
z>D6s<$g@W%8-qW6-FkexYXQYibW%f}xkD(_gz648#5LfGS6_!Pe8w7xn1_}R+ZGUM
z$eOKLdeR&tk@(QDXF-VYQBtN{G4%uIC&7u&L&~%?^Fn4n<-K>uW=69DKlBH8RBf&_
zT8~BqvEN0J8in6vn|V5efBo8kFQpDj#n1CIWj(6fTwFTL$LQ|QtdTTcOm*NMhrJlp
z*7!hpa@5#@+Baa*CgIhjX*=w-uHUW29-E{1$lJd2E!Fn6SBj+fQkpP9`JZPVcH8&v
zHkKJZ?b;GE7?RET)uxX)G=kS-x*GfHpT5J-$Md=q?c^|aD}5`)7f+o!$&0IhoqV~h
zs1jBrvAUfOkEZ?cp{d#JhmDL)Qg9-kPI%J$df~C>>HBzD(9vTb1%mC*$rZ#Y74lJP
z0g49hv+it@d@ZK&?tP1mx3X&}osj4x>YzlG{e+3oM0*9az*!gbpyH~jgp=fvWQOpA
zzP)A7-aX@0(@!@?Og~Yv4NiA4YhK_2EFmERS2spXDXoOqqe_7;YqSRj!gN9S@*>sh
zrvh{GK|WFZ)j&A@irbVRi&Bj+i>MrwO7I($YQ<wE#vy1$TS1~lQbej1$q+FRE)k(#
z%_qW~EL6=>L9s!l#`NtPme`N9h+>0e9o$MdPV5)u8-XME4Q}mdY2OM*N8qfGR{r-}
z+TE*#s_$|jt)xwvzOns3IPp3-7{LET`bM+?crbu}2k<rk_W*E90G9@EVE|_Va3(<g
z8lX;rCH_MKsQ(v!2H=+fegWWN0R9BP6#!fTz@Y#R1#oHrrv~u9nI~NbpZ!$_GJgT6
z|2M8!E#xV}fn4A)Ws<p(EaZ8;f`XM&jY)<KOH2i*vl6X?NdcS+$b1xllLG1;fO?b_
za={8v|4*E3oOozeWF^8P<a2*9RP9(AGQl#zl-tLu*ySQ|Sh60>9tV25Wh0<yQ#WM_
zL{a>4m)!DGkHp*Wh_qNFbC}IIb8nNqe9lodQFL40{-mPyErd3cjjCi&g`76Kve#%C
zbSK_&%ZghOTsNh5P(Fc+i;Q*{q+w<^Sa+p%vqZz8vFkRb)>Oy17v*=slkmmzFur8P
zH7C`F`yWkn#VAv3FS)3@pmH~KKN+2gzXS<l9<7$s7MWk3TMEK^Bp*9A3(fjvq>v6t
zsHwpqAI)>pQo==*ZP87ZKlkX3mQH5g$8K91t=wn(aQxN#0I7Jp<wrawu@1s)zn<Q1
z+^4W~brGhgNdTq?(StxBG7xn*{Gq2Q{|my~Akd>75Qqu5`gbD$ar~2lK(^lY)@XZU
zl(M}8${mG9dAJKX`*^tjrxCX>_``A@^wVB(0?-WoH4x3e(SI3{0ZhADquh<`-8@|Z
WQ~$<^N&emi2KHzm6|^7#j{gG<T;b;c

literal 86986
zcmaf)Q*@+V_w8eJtd4Elwv$dewr$(CZQHK6VxwbqoOJAtPu}l4=UkjI{_nYXZfcCR
z*Q~kc{_Ps0*7HLa90DB#1Ox^oG?_!)i%rETh!O<E<s1YA^XpS%CsRWgQ&mebQ!`6D
zOBYLfI|eIfd%FW&Z~IM-w$D$nCtl>s;dMj_);6@`&}{lLw<H{S98xzN9h0B{Qb)6n
zM6p_`wLG`Gtt;+uBu4^2@>{tkZS-1tB_F(xnb(Amv%b&h#@NsK8!;1~ed>)271hH0
zN3SDk&V6peXt@K`^iR$7BHZe!-o>8WOFMT)8W~55Vb7}q^lsFvIK*M8qoyR9tKPar
znU6%*&qCFYMTzi{tZP1L@kryIG{?#o9Mvs>2mE^j-26yoQOQ*gGp5(B-{iAmkg)~B
z`hQ^vMra7f9q&L0q~G;E#wQ^N;ykLvNBgjy=#B9?!onlx9I2xx;@<jLa9MRnW})(U
z$OW(BOxY{LTfdXXXb^`caI~P_?VLamOz4#G6MdI!deTeH50~*>?kR?^sPeA=rEyAt
zk~W&khZadEu2bpsLLI8E>&ro4lQUV8)xR457#%$Tl?}t4r}FXChjc6KceQ<0g{pY9
zWt^`-S%glv|C0m#9C)mgdn{+A3-|6gIi2Sp7Q4i6TVAfJwXenA$`RYHNjwn+lsGb0
zqgInIF{5lV49BSat<|6$BW9@=4G)D!jir6mwP*Q_&`ognz(C?0oHVLIpf(A=%ap@e
zMx_Rj2@R2ybh5x263J)kRm`KvMS|+)v}@}ku$vlk%Gyo?m25;{IduVx#!Xlz(p*{P
z2+5>dSS?#NE^vP)rl!xjp^RQt<B~%C8&-9Yi9bM=E{bMv)f@u1ww?DJ7>ReBIHgS>
znyqIUvag&gZ9-`=cgrL`*Q!6ST`AanY%b(59dL^MAz*qHVCY3z#FyM?Fghno2bbqJ
z?PC(;ttsz#|1EFex+jvSUZv##0eKgmLnBUjP>g))fbwmYP2>Zz<9Ci`Ey_iBQoJ*y
zyfKI@q(LAj3v>isP=$5I>>az)Z@us>z{;#A&oIIEasabW_a{U?VY$yA?aRx(V?sSx
zy(2o&<y}!#b=eV31KpyC{T<s!#<taH<7M&Q{O46x!8u>=Vl*jXT_jOvEEp*dSp15v
z7)V1JX0X4at3jcA?+7qx3dP-zFD1v4h>|_$qIm>|IFR|5x!|p?1I7vYp}0Mx!lf!=
z=d@ngr$KGIQ6ogzrgHR>l{_oBhQRn~MtzZ_Qko;#aY&gc%I>{8#vg<e5OYypN9vhG
zA3BuyZVam$DspNzDpl~IbbII?;{md)icy(szL}c8pjarRc*<WHGP^eB(o3tNL!X2B
z)Q@KwOC;O^+Eq2f@jD4Gkm~j&0A3a$RvggOac5!dy?^?iWMR!!<>8pEsXa8@Urm=8
z4?s`0l}nrTsZ;Z0bcRQ$|I{YR%}W>nEk&6T4h}HTIw%b6NiMZz!6n2Dv`UD0#aI?O
zrMks<CVvAn=+c~MF`hfJY^ISNtpU-ro0sP{{+k)(4}!u#wMiisC5vL4ZXZ9MXt@TL
zD%jWv)O2-iV&_32mQx$3O^2UQFPWGuO&rV3J-I!(7RQb)%>Y<5y*7ZK%%t1RTNtiK
z0m~1fEub<+xPjeNi^B7dl2spWoGA1>Ih8D|yPJ^5a7VZCIcF*<gCU6NLg&mfx?x{+
zPaGi<p^#p3G8fgLT9wmKe)18NaYDXO`f`LRk496FPSaImYv(jjj&^|gYB$gZVEcG}
z1#c^dC1S7o2jgC2-M!(iz-p_x^zTL(ly(y;_5(OY^LOp<;@SQP@YB$^iqN>(_+is0
z)rcE-HZD-OY{`fAeKsO1gvSn1t5A@+bQ2K?MzK=ga5W2jT^7J?j`p;68&y(f!7Ojs
z9cF1ajNAbIJpr{zk;!|w&<An_@(~stV)i!Z1`Jbv?iIH`sAg;YGH%6kCZb>*#^FKD
zE66Z^{po(xAQDxHjJ6W4)tv|{pL@Za<I2YrPzqI=fy03V0GaXhJw-QgKGu^h;oxZ-
zvMEUD$EFCt0~#?RiH&~}tI}%OK$^MLC<FD!{A8!-mkB|Sz>$J`SGMT`M@>zqI~@8d
zc$@gL){1b~wlZ|r)2~-F*}eF84F#fAY%;IeMv^dz4{&82dabS0)164K?-<$Ja|2ha
zt=Jwt|D1oov^B+yWo2G{Or8hZ6CGbpQ+pc0zl9?43D+pPkBvo={`4=rF?|dBq$_?L
z^hv+PXYb*MIBBLeFz9OK`|Ffg$>3-dK4#z<cL4UGv4>imyv&63^h<;Ss?X9$V-|i$
zcv#3;Q5!#4R9B`HV3Y7k$mBicoQ8@XD;N~_{pU6ch;7oSrTlmMfmSFH3bsII>UE0C
zUxtxH`iXCXOg#`j(FnAv8RkJR90C-K-}q;j{?4X9OFAP7g!OGBR(ZRFs^TJa;5J;o
zzXqy8-&;Y})d7(kyW%Kgtieq&H47uT@)2+%V`MXQlLDB_@YUAl9q%G4QL2Co{cXYg
zd2me9yPu?gzqjavy9T>x6i~^kYL%DL9D308PZV+fMc}#LL3};J{Cu;@-tjJ)jIIAz
zSkbrkp~sK$&Aw^%32SHXeVgiq-j60KoVyU(cKB&*np;$w8i=F{s#e!rV&r54>r3&2
zXCt{+G`gzrsINyn6(&YOVhN(Mwzy+Cb;8fje|>sSk;T)kMrJj4to|M?vR=_J>j3BD
z1M0TjDsY%NVkasy6PMo~M#qf)JsFlRC3iwDhADqBtM^V;GrN};^dMlSA02`^c5oPg
zJ(FnL!~5Zz4f`$8eU0{BrGc9BU?B|-tsKIMDU@$sC|5Y#8)+3n1(wA{_2w_@x^TwZ
z&D$AIaa<viH0vpwZW_r?bG5<svg5ye>IF+qKUnE7Nl>KS6Z$YnA5(Or@2Xijw1)bb
zme{P=Xd!n=+yCUV4T5HT%8^~}a#pu#3-_r;&n*11B|i_^5My$5N|iKdN^1azB`$G2
zub*A!Eh3wWh{1xkV9}pp7VXR-!1KcnjFGePv1^ek<R%a~po~;hS}^B8(OmYtWZMw5
z29+o^t?Lro21%||2)t4YJzFyR>lcmXSBtti8bVGZ3hoDS+fRqG?=IwEduLKx{PeLt
zC%cRx9!1@1VnWicXA|jXMiV=Y6eetBpirhRiYtjxCP%lXjMVF=P8K2b8n8kYLA!!~
z=oMot-r;BHMF#r@Ch#2-uZ9bG7s7*=H>biCZd1kCvG+vnc_u@4!0rJ_KgXu|=cZI*
zHwNEy2F?fgIwv9$r9HGKb=bT?Ba><d2x30jpi{m!lH4N5NFB5u!`{duRETdbg+|Sf
zTV)sQwYO4fx6B#C@l0@oVcDsO%nz@t?cPD|5+nFtWr-JtaT5k+9Hi<{1<E(MDpWI<
zs+d6tXH4{+XA_w!6d0ti)qI7fg1wsQ<-gB~V-BqL8XzCOtT@E)mx7yDSba^wKlvxB
zdBO=>k=3Kn#r1)sJ>PVG)`(?LsnSnivF48{60x8~Og*8v7#M=Kk#Pk<a8O1G4Gq|7
zRl*rbp{w52Dd$6Sw+>SIhk)`jEDfW7YFBEM+MGQ|hs?&uw`VelopV0?DaDv$ZdvAc
z5Jq*a6U1l}-I{b6N={^m%JX3JA^BVUI)9lw$~zzY3WzVJM0y5N?Y_P$67c!`z1|Hj
z)LpM&sO3ZgBw~XM^r6pqha&dTOAeH7>P0b9TNiYFPXzaskCoVu_Xi~V(o%mEh*SHW
z7uj@Cfu7`?i;pl<#fLIBOk=t5Oz5{_JKe%*W)mSzAqSo+t*W-rMsZtZ;OBXH;br_r
zd&SVGVEOLznE)Ey(Vx(`K5rpCU?;g2VXMP5B6S0QwiBho29=<AVBPYWU4bm+fP75V
zCY%IohBcZ&0TqcbO8jXcV~V)dTY9<HnO!M3+CLvC6Jp<>1#{I7vnvqg&IF=bCI#d0
z&8S;dXt%5(<N<ukhi*d7YRbMjoqQHEn04pd`Fks9HXZu6Ga``OvIVtTPPN+~L|mgC
zUbxIQMU_IyMj{Y4Co7P+M4m`IA}+W9Ls}+}3XVCYrS)|)<hddfc#sOEz88z?M#_x4
zpxpdO`a%rbs`SyCp^MEVT_z~KGAkI`lW;9v`(mEa*5c;@xzJ(^GYxXXmfRsK+v!Dg
zE-$IYCbfAIUypBAESXKPoZs>Kp<x$R#!j6fPJ=Ts=(bT?CoKd9;ACE{o0y}(RxEF^
z;da(_;XpQ8=E4MiE(;0-kw2x&;Ri2=;X)**em{k=tdY`WXyJHAX-ph?vBJqF&*j~R
zx5jH|g9t`hJ<NotmSrk5&eLL597@&+%6CNzw~FaFgS3wAo_L3)#AJWYr?Ob;>{Zko
z%Ns>?4ZYc=LR&+w>C0!9c#hE;jJWn`2i&zsAw963d$b1K7-k1CLsv7Ywj!bufB#WX
zV3rZrWD+<UD7**dUpqM(ewG?Pa;0uA6d;Q#A7_BLd!k(GOif^-JTQRy?G@`lo{|`v
zG!PCuSZst3RVD=<876+~`!HHwe4|3w8kxZ!ibG23E?WmH%q=LF9xRiNa&g1AHmgz#
z-(M73=J?wyDo<r=p!4L!BzU|i$xOJy*7%w6%VASYEF7{?Q%Qpri(EufM6PI~lWJ0<
z3R2GZvS=%qSe=`e5(l4T%&^2bi*W~h?v!|J?>ywgV7;v4zQ`!8*l6d!vSFU;W7F8-
zY>WoRz>V=$C)D%L>%Kq5Zw$RV!Men>dQ+mwfTATj<}+QcK`)M{-nU*Q@$2D!*rRBR
zqR5R)B>(Bl3$oZpMnQl)*7kDZ7@%)@uGrZDdG>d>UgKdRhqb?8#)-kRtg#}4<3Jje
z5DtL_$6#js`=d<$NKXen=+Byt=)r_pfA#mI$`S>8WGR|!G#8k~yyu}jN*S+_)y6&y
zp7pa!9kd^s0+nb{@9Yds2pKwpt=Z5zNAcA)TvN9tz7&Ew4zgF97`{y$VTkBBH@7Q1
znHgvVfR-PhsPSkf;qGQjEb%kX;pxxDdL8}8V>m;V%fi6S<Q1labz1&~Ao3B>osR{<
z)jR~mpX5jdJs|3~KRNyAx@?$qf({>YthAM6gJW17Uk#knd8gF5#>jMIp2%?)e@nbP
z)8^LWKE3UC7yx){S$iwjh<ZY;qW63aUXnZ5=@rENFgN=E%^Z(Ne6<wlkbf{d%~d#u
zK(tj%#7lFRxJ4VCc{-xvV_#X7#!eZoT5?h_5}R1Zd^2^Bm4@|yvfGUee^j7V;+paD
zTs8@?VsKULrC{S=<7COu2ep}THGOl)1vlCf$)ny=VP#%~N>=Xw>mz5zH-{$+JlP+L
z=AzX$v4a3((q)*ypzYn_sP^%rwoVW?&<|j`oHfJLoA|Th<zZg8dHF))lhuS9f*_fa
z^3xJgKHhrsciAuJMRWX?*w7~81v(s*>72W8{k_J%?#Vct(h8bUzI1<_R`M<BrQ~Ez
zbc&84hqEc~^g6EPb0`@b<4~lV97DV0sq<XMD%%Md1m|S+6GZ0>);7|bwK;YI!=a$d
zq+5rvnz958#YWCI=r+cA!zCj7=Dg8>O`BDnZ?Vn6Doe1u0v3e7cf_$3GX!zNTrw2%
z93Qt${Fr$!D}xHhBJmWJ>Bc2g*iRcfzrm!7iB<}*!Q4%l)YZ;r$AZ2-%RSl*Q&~6f
z9i{WU+w2<-HAe3?^ygX#vNZsDyRtpiN$eti?;6E<hh(Cr02s7JZgkA)ggiJXKQgCS
z5~co9=dwhqn!+rQi05XnGTO3D<2)_vJq^za6HTAk`nwSGMalljA!{3(HK~;QIDtxY
zhGS;+KNU9at<L~ouTeYE&IL6gP*AdE@xRRiaAl7BO^n!E<)idQcR_Af{2&@-R8In*
z)tQ(S;nsD=ofN*a%<tu^^azcFO<mTUIhm@jr%Xa`2%4FBev>;Nf!JbR+#!O#8}Z?~
z<JjalM_l^>p2UvfZmY{tZ$7(v>81f+n2&h7!TM9Eacrt2Jd*fcvabw)8`7xtr;S?D
z3189$k19%)#2|t8qz&lB@20$=+ZolrdL63Nt<JFt4C|xSHX}}=#oZYlaaE9h!GJ5~
zI8#8B5#Aj8shw=`O;L^oA1!<^wD`q6LuO0Yxi-=fY|Qw2L=c}yB(CM-b#Pcf<HXjo
zT>h|~5j!_}B(SjD>Fgc%McItTB9H_a`e9}<E8{$YWGjwK)NdzbQUE<{zU9qc5{(YV
zPmq&D<Sw(Kp+nucPtjzCdMs@O28YL}KUR6*!Vnz(6iD>LhQ02lw1nfq2>->yjORoJ
z)H~!IW;vzk@382i_+A%yf-<zri0Km=qswv7n?2L(1ejPKTPPJ*Jh9fjhXSh9>*Fw}
z_urENG_%fN{u6<I=}o;N@`igAjGpEmsa=|<A};Yg2`*Fo`8WxWaYThT-s&fv#yP8I
ziUT5eUhIKQ9g7DFc&htE(hW@YGun3;b@Lo>QkN2Gc^&CYnP&&V0IF)|(Et`gRQm#$
zO4_@-v9y+F;BlO8>jT9Utl%5of%5NVkmjDu=+jjzcQkQ`_#p_U8@}jji$zx@Ds3Zk
z28P?i5&>t2rFFFnly*&4Cug>e;LwYGPhUt<L9)E9#=0xqV%uf+O}t{sv`1)~(E3z<
z^!<%>nTki^?%u5UE5gC{wF0K?5O73}?fC?M)~Aru0jO9zJxDdYZVmSSjT+ky{(kur
zL&z~b{Tm=s)cJGnvm;T@irMnVQG(z8qv5cKx4m!VJ0bk~%EcTK#0|&Ytv=|DYUD-F
z1No)Dip^)g6JVOpN3eq2=|TM3n1r3;+$YlKwR67biUi||;TwP$<2Uq>bFxTluLjJB
zupgC##=G2&bnMf4mT^6t{8j@6DoPBTL9bwTxh1baJ0ECMUvu+kgt$w4H_{=Axh4-$
zF?%@Pb-~V$-?lt)a-z=oLLLxyOWpHk5B<apB8b+TME-wx89e1iQ~1qvvaS(t%e;5Q
zL4{H03OjNT??9tEODb#qNBf(n^Jmg|mOFW^qYmlm>Ko@UqD|=1Ii9q;h(SNNLf1t1
zK2Qg)u`(bpx;p*{B(&`?p<g22Mn`m3nzTLR5Z!e%6|mO-q#0u_-@wLKj8c_;i5B4H
z5tBb1TVxl#1SUv6V{e}v>$_r^tzJWfbx@s<jciIH1;-amc8>&i#hohwAtO;KF3uVK
zRxtAPC8B=f3?Icly1P9M3fwRU@#QdXJrQpeaDUk1{AB8?xv4so&Thq;W&H6t8P(%A
zZyrvP-^R$etZpvMBf5$K1{eHSXf05d-im*~+X_wDC&gkvwU*lL5bh%+zFMda9#Dz<
zwq`8WSWm6Tjk7Kn79Y?qka=)QiTL?FRGJtJLE(x6w72~T!o#?Nvnl_N2_`j*vuF_f
zm41Osv-IH1L0e^9deS;HMP<(cR`fd@lHnhmgUvfQ?;<SwJp3v+p{vXTw&vq2#p@Rk
znadaBA{aOFEfYC)rh>GRr)wj7j<N8cyf+lOgkW4bfY!R8VYYPnsTskJ^T>~wba~Um
ztg18WN!5YX40zmy)*_9%bhsSi_LcVOC5V2CU)&dw^9iw5C6hks`HG<Hl9f{?7@ARQ
zP6ZgOrrG1$n7!LxmpS4dBSpSpI{H!W^O#xMfQSA1*3$$jc~Q{{24JxFVkXU_@Ff5W
z%PKXpRQ&Re^Aisr0KTpk4@1YNno8e`#gLM$jmz3G*e;ef3|KI%Dfw<<mKnvM%;Pb$
zq$UU8MaZuk(AorLrKMVIV-w}IBHZqHol>%uVLP12dXoeYY*Wd;Evl$ma1SIm-c0-m
z0okgEL*elY5KW3GiDU}p<V}+=&+da&YM9bNR7lL7HakBmDB`vode<b)II3E5&W^mr
zY#RFJ6CCf+>tNd^X6vbxSa~p^`j>s7oXMZP#+SOOcj)Cd`Gf;K;Fqv&-OSzf2Ra=n
zYdbB}J+sw&SV^r9KRt5hM-jOmoD+piO~tFc9MDO$R+aAJBK|Y8)ke^Sdc*%^IMmyA
zS+#peF#Y=wi*63V)hLtj<#Q8tD)`t%Y^r-=n}$AqXrcJdqLF|-b21xOYq*jyLjXn`
zmWlaabw;6e6`f#cQh<kt&aR>J?>}%T0Kt-wR5KzZaSZqRapf3G5sm?rw5J!R{A?Q(
zX)-!H(X}Z5Of>I;KFp<vwh>9tN;x&G7n*7)x9kV>`T?8bY~;a3o$c(p%hhZ>{qdpA
zKu5GI_*|Y_$Wt(qZ@+l`opysF2)1b&`JK_>D<sgx*PCh+>H=7qfXpvfr@itWKs24d
zoY>AWpMTGVG*+(cw49&~vVryLQ|o$s9WW+W<@H#Ar_a6~>rdMaslm^0vqC7ibEJ+o
zza50Geh+cyAW7S3*u4Tvsi>??S<9sG30)s{c6?ZyCrinA6`H><RY#E|kPD<u=B|1A
z+{sJ*9;#qCHqj7D|6A85evp2kU(U=KE+C0g@jXQU(9<hDq@7sb9XiP)W?ITzl&t|_
zn=6@7_r8@wBK1&42qr2i(`fkD%?fvY?M)EUvx7{%^%kFG-BY~_t+}%i2laHT2AVM&
zK_C8+i<$oBtRJ~KK?Nbtd`^M;nW1OyY;5#M&9)AsVdUj+T3H+eonn~oBrQj-mK=%l
z!W3}i#(T0C20~)8mqZRcQc3tdwhPVYMmD;)N&XHKFN+7OZpN&A=z9W+kE;c+;%D4&
z#Ey)}6-GHr{kDrUD)}?|meWb^#9e%O56R)n!>5gjJeD$CwR?MKoS@9N-e#zIasIM=
z$jAV?bX9++5RHWe@)XV^@8pFIPXFiT?6P`MBkR06NX8T2B>3<ZpDkgFHle%s<g`sd
zXk+u4$}CS0XQ}b@ApFB>xpl{3v}hKee5zu(WfJx@h)0&JYf`yioA}{*isaqK3Uzz}
z7R3P;<FxrW;X;rE4NJG*>bGvxQL}duB~`SBHaK2L6J6)^)-m%t$uW6N8Wd+M=zIri
zK~Ym<Ku)Cj(*jgVX0Vd;ySxrkBgte<asyitIdiXqGx85r`l?^YWUl=kINyFr!1ts5
zN-q)BXQtGv>^xR6q&eB^{7bwb5`vFn?e>0sIUP9%I?h}5-JERVt-(H}@>XmmzJ$Aw
z@}zcIR+!7SI?}W8B87u4p4jmxAs!(@xPNNHB}b-gGMfsMvlAujQ>ATVS?XBuwbKTE
z$b_~u>cjjG#n;YME<NnS&gdLyCKDe7%HAHJ%%SQMNbM*EC`6tzxf5k+PNBp+#CMVC
zw{Nm7Anf8{Bgq^XaSV0zy_m>Khf{c?PPvY~^ybPYoI^`blk{s-zGw4f8hXR-Ba>pI
zD@}$XQgGKa<<attZwVmz@%K|Z3C!R69s$ANuE{7-E9U+gPU0IsEgq+#h0m2m04Z~X
zV=joWBCj5v7_O^n4aP+4iye#ZzOdE0`h#98>2v(+b&Q5gx&){I7~PMMG$z43U5AhZ
z>|f7n{aAfP7%{eSG1Q4uuf96EJ9}pgUV}Cs7olR4h8OQQ$j<fd5uNx(cE<$14+d>s
zvIvnG!CD(#1q$v3opve93>D3bTAxo^v}AawT4#IbqW28!eG_DQU}=&gnbS#O>M~n_
zMCqBA>=DTxuu6@OJtOg(FXJ7j!kL8ft3)qEvZAv?7tcEBO!RBF?PmVT<gFJc-!jeJ
zpz;L!I^|0qB#D_5y92V@hw*=x#IwD->Zw~WMPq*V!6tNt_P^&}O)ae=FLC?UU~gHW
zOc}gPI6Z2%oHbdYuFHwR{|#0cShP>_XnOGO6tkqA2{w+@2j7kseKZ=Zv|K4;Zz|Bn
zR6|K>#cqx{ev4w5HfH*e>c1$(-6YnASXMSmzn|Ua=bLycpgniHA0|#khHMR#7@b!W
zYI2j1beE8n`n6zXU!e?FSBTY8D#?~b={`Fr_EN!{qI^($h^iPqx|HM-9hF>C$|<@G
zg;n#ay!YpistmY>))jpS9{4d$L)g3){<v-_N8B%FIXw4u44%Y98)@)-ABnrt6Uyz<
zj!W1>5f|BY$U0DgqMx8-X;6HMR);u3SOjfR9CT>Jpz>Q-yIX~6ZW3IdkFIbGWCVvS
zdNf9JFX7kGHj@REt7C!}wTy;;TQEDtiC`Qo=ZkY3mFcP3w9r~Ub~6l|M^@#8r=j42
z%`kuIa0hE9Ehv-Hqf}pGq+1Ew4&AGHSsEmx|MV0{cN5dfDRL6FT2H$(uocwEofln9
zSz6x5a~NjCYvQx1Qsg$W6ehpVE4W?^4NaFSSmOVFO`u~&bD~Y~#vM*<JE`QSyj3yA
zTEVqL&d%)ekz>vK1L>C5Hhi-mxs=uf!>5zR>{X`#!8$Zy3`&w$V+PKvT=v~aH}Gw2
zs5u2TO!9aaL&E)cSh&MM(zHBQpD99nYclbW06AI=y#`$Yt;IC!d&y&%Yck(0MdxU1
z88V(>l}fs39p>~L1KmW76#ryGa2%=aIaIRwsmKNeCt@^Mx><luhIFt?yEZN=g=?iE
zb-Pv6;8_gAsCIJ?mJfvkSFMiuBCQ}<od~WU+_c(#8G}tTiMsL4c2jPc{tbRHDNY&u
zba^d<cW$~PE2FiB!6``Yh%Zxa0$+iNV`gmdhl9W<yHFITD>2PZBUgJAgGJwD27$HA
zau(>Z1lR*S@g!-&t#sWF{_mY^^h+T*s5ZgMyrx;8_gdbdc@EPQKrr&pM@c4C)?~y{
zO96rzqxF>NT^JjG4=e5y05BbOvIvPGi=A&CQ%+xR8AdYqn#!_W;w{<DW%3UNt4G=U
z*sEPlFyv{PaEoE*x6D<-Ry^&5N!SSGNsF8vZQG!4?-hWU-s5WnR4&L5E=nFXU&Jwn
z+BsFf`*rpnK|sL4!NYXzM69G0rG;^>&u+7$x&em2EJe|{2a=|F!OJS(bwg+I#caVU
zX)Ww;=b5!{kpO-?N4rjoGF49c$VRXX6Z!(=0r6_d5Dfiofp~zxNdV(DH`m5ziFkq}
zaq_jj8Wwdr{Brd1E-L?elw5Zpqg3?wq{Y1>bbpgZH-?7q18;eQ%fTjH(>|RcB0-HL
zQ#RdR6Q-vcFziuGMYyP~F`mCj2WpE~=i96rc6BKQ>h*4i=_^4ciT(E$ug`X6S)`h~
zn&yY)qu#<o_qa@qJ|p9DFo|Fo2uHOO_nr=od)cVZ#7p?;@jyh*agD%o|A-aYLIP}O
z+08+)$I4^ejy+hYe-rY6T1Jj!a(T%kLAjIf@+>%2jBtI#$S~jAUWpSe+QmyE1eI#v
zLOLvh6}%~8lW-Ypz^jU)5%CTX@z_r2kHJ=ifFY@|K<5*ne=eZr@Hx4Anh<XR1<GHw
zjD0$2&P?|ptixa~YH@+6#8KoJW!UHs3vxKR?;V((e$3kzT30FTGc~0NTvyCT-n_N<
zJXu3<EU*Gcsn6OjH0M1R?NW9!nKAF7!VKPdA68g@F&XQJLtKf2ATNi$bz7%()-I6T
zadnlgC^Bk2et!CwVxfAlXc>983BdN*13dl$GN#(76-CAS!qsE91{4U!$^q-xoZ=jD
zDdthcZb}x86fDN(3d3(0_DgYFIx+8j%|!#7Qe60_e;?l@UK<|yyBrxSYW+y|4%Cc<
zevfY>0Z>FHO7;b@A`<CNuxBB*@0$={AFrtZ$ZF5-GX$%ZyHdR>{bBlrTf_o<@fD|9
zN*vBaaf!nz0RGozxk<6IVb$GL#_NC|jcp9mZi4gq<t?dcV~is1;LnK^M4y&`;T)7E
zqs75=0P_uoEBN6;YjW4bvGlj$xNZbx+G(oc$oTmM%Ft@6orU|I%x}IrW1smMgOlGp
zRe?syJDH(cBYBUCQGi)T4qUS51d|b!!-j~faC2<WRZS;Z?KSss#+|tn!^JttF2r|U
zdB0>qUB0uFk3`~mXgJ}*cn(9J48=0s@6`!RDU3|JhD+2+Su=hf#Ak@nw^%RN+L_nu
z%_A>)&Cx9ivm1gpAm{W%yn0p1xDK6v604-clXBBmAkm!XnUOV3C{U@vI%i*hqKvnB
zz8L7W=<u2mUqn)xB+cwQCPlrsk~W<&&3fXY+U<{jSoI*?i96=V;SXI0?ciS@Sw)_S
zus&X9ny%pJ`kc20z{*%`Sws4zYE&P4E}V0fj_7@35nhSHX?NE$Al+`?UZTa^;a<IV
z`UYF(`GkvERXRbhn5U;~2@(s~le%BYq`|zGXYOLJM3@WLH`ofa+osDo^C5jUsvKyK
zav?^s%_1i4L|Dw@gK~U2@5G}N(lJPS<tWIO5hZ9Jv{$qEq&HGxc%WXSC5@jiX*VU4
ziyPEm?~^9SnX8_>;e)p@J{WAAH~86{3){W&{P><JD%|Vv!a0Mgyw@(CSL(`P2<h|p
z_Il|W<Nb5R&=Vg#Z>Dm@L*xp99{FWE_+d@%9P_A5VZTUF0PpEJ5s%Hb!*Cupl55vy
zf|SX?HunDUpc7<ZbZbC94-w|k_kLjpRuj1nMD-%g6LB<?)XHC{<|<D9*ZY&W5<G0+
zT2fZce%w40Age}DUVhn8swDc{<a<jm#0e53xi+Zj4c2X%@LNJU2E->(ltNQzG{<6`
z6R;C8Fk$ts|5t&$1$XMXE|1!y&UDr|K2xGxXm01xh|cnG`(d<9^)idMlBOwtIi>tB
zB2^`~xmdp3jG|*>x_oEA#)MYzegX^vGT<OHn_hC|gbHcx0D+NY3zTiygCr_jmlq?A
zt#-}8MIj)EOLNdb7tl4dfIsR$ZOI$O{}#B>LNd|Z5z>mT7=!w=YXJmt6oYS*t*+U+
zX4pbOafq;Pe~pi#5ZLDQN6&=Bkgh{Y%E;;LFq6LMw{2uC?XKS<7tT|myD2grPx=}2
zF1#Y7r~;psOwP{YYQg7wH^W@?#YS!Y5z><{Dc3fyd$eudNHnuveV-m5-pG3Xq}Q8X
zyhUwskEfwuie{kD{Ifj<5$*1LD<{y>Q?qrJcbauyK8*3rdp||*MOC@<Xct9*%p2(x
zfwQTV<cW9af?3HrTC-AW69x-WVZTAQ3_L19P|kKx%BwK&A@wOnTrc=qGLml=u7JM9
z-aej{b9tt`)SKEnEb>wEm@*w&ehukDf^soRp1-$m*mT{I8DGhAs1A=*kWKLplHTq}
z$rj4%5UMHz)*j?-;<_ihf2=5}by=tp?fZ{fY=%nAJhoNjLZIzY%*`TfyF)z_>1WmG
zq{y$N^zsXmX{&-Y4d2#4b?_bIS_!*@YyPZi=Wfedy>iHa;@%EGI?pMvDr`+2u_6OC
zxwiz|l5<7!b5v11c<q64{J=YK^I;44F=+P4XwU8O0$i)qlrN&Mta!xLC@(qy&c0Z9
zd+JV~Rk3S(KY2Q;&luk#(HRgbzU5PQkUg2-_~<(!z8;(;uK+&xMpUj8{hBCyxUd@b
zccSk*f=^!ij3Y0cMcK4oUR6H`0-4@@6XXyr4$s^<%z+FG9|It8hrbKVKV%79Eob}F
z`MqCXk7n)(w>XG}kFxiG{Q|&&f!S%eEo=VFcjG?S2mk|N^O2q4*~V|~QvZ|BPtYI#
zcWkfuYiv)SB_mvh78Hb{6CMQRYi!Tf(9%xD)Yie~Yk2QJ1AD)6b>sIr(!#DVS3eEz
z8GhgwtWC#@M&(prtbqVPn=*-dcspUB(4q*pw(A&HR_h>og5RDBOPV%Ri^fUqJ4r}|
zlpFQO`EFkqQu0ZkuRh-tqlcsYw>pq^lYMW(hog};E-sFc?6=|LyFX0q&tI>pH*NGc
zJ^|X{D|Qd3ADz><3Yo;{FsAlC9X)!!moA_90$X|;wjS?&*-O)X-5yJQ0oq$Oi_ZRt
zXVXrui#>?m@&NzK{7>|@<qccTpgwn`lJN7bN1)Y~^r!Xda`iNg9i~ZRC!j~Sw*B+b
z@=1fUz>xBN(&tZD!)cpWdspv98K$<)6?98P^~0X6`p{nO27^Crbbb2S@3!iPW6Z6`
zJ_OOuR_pArWC<^(jI-3{4a0*cq*Cbie0$L+nd}QM&pSWPh`Ox9>Gs{D_eW8$G+)ov
zaEq(DcK@~&_jfnJTA-P0yW6hday4KhUB73$XF?zGiJgb#>2<y1;r7u_j<HwU7SlcZ
zw?6$k;9`#gg7D1<ptZR^ZDzQVKj!wzj2|)Wc5~PM#3-`utFfi)oy0-z4}Tzdu?|pO
zKR;fH9*#F`>|V18e%R8(+(0tCxvQ^!7@e+l4LlEfzS~<tl6^94+@$l-C<p(8>Dcq~
zYqHN5uxfv8#Cf?BCg``(qr0!W7k9M}&i(B0p7NHVcYU~owCii1xMak1ZPe^Mec7`{
zC*`DjqBE~qQEkt;dVlSDtN3#EX9;tqyL+AA|6xhpzjEcH;6TK5bSsSJd35WH-fltY
zmCgs?)#u@DTrX&!ZkN10nUHitZhfVkkjA;&<?YRB=<TjeSE^epz_M`h($an{kgm_T
zz5RU1fxq{Z?N#8A>fc`7es^eB^EHF<6aCKa`6G<Z-Y?v#>vL1lqHpzKp>1W?L11I;
z4R`0FDSwUg>FSATHhJqaDL3Ule#7tR{x#Csef8tTAztu8|Nd|(-Mp@Meb$C?0ebAV
zOE7B~`@P<KYnR~_8tJLc|M@D6^I|yB)2~GEuNdm-ozyvozZ~_4)OPRti$8~<{JE=!
zy|mZPP9M^{x$^1hd$h`<qlS{OmxlQZ(d%Z<&J)m#@kLRY!|P)we0Ia0PZWux?{pVy
zG-`9s4fm2_&i-w(`n~3sXPR5~sjS(yTkpNA)2p?jTj&VGjW));eZcjKlQ(ApiE{59
z&--Dix|&lT>V}~M@Zj|NoSi*=`yPIAG`&>4zI^bQrPI>|(EPYyfPeP)WV)UjkR=tw
zd-XFHJV%;5q4JgP&$k11eZn-ZyfR->USAgAV;>umxQTY@d-?Y1J@dBvYhRsht;g>Q
z6Nel6l3S`jFIC@<=sft-g@Iq&ae+L&a&>w3ojyGQvD|*}ngOd#=o(qyih(b4Yg;L;
z?>>BG@p*zti#K|4&<}-e2`YN>G^6pHeYVV1e1xhWCQ64D6}Q+Dse-q^<`1sdD8g5g
z?>Z*J6|}cIN)-V-dAW&uQeIBpJbC$}e?)@B*oBQID(<u~S;=m(Q5DmO11AzP48tHe
zM2*_8Q6J#>>sVADPTgd0s{#9pmq^NvucEXB7~gNfmbyWlGM*8ll>&WKevcP{RaErD
z7lW-<^xG7JJyh`3-OibH#z*Ykt@ZyBu#j07u`yxiKo#76Ya2co^Km*zCYLNqA~nyz
zi<FPcv2`-x=Z>$Iql_^GXwUiBb7s51zyI9_Bi$h6ius$Ugp!S}Tv}DBoE$xNRfNTm
zij?lv<Up;`@e3YU+OVtKjF4Uxe&(3!2@IX*1fkL;*W2$|zQbtPVPsnhU|&2NyDH9T
zpvZ4H8b@6&KwX|<GDP4ooVGz*{)P6~G4Z&*?X$Vr_bz=lI9bhcVfc4Nl|8!Clt5W?
z+}IX0a-%9iT6elcpfu}EFRJp_v&tVz*;0v8<yodwoa_nc;CxjYSN_!a>Nn!IrWY)p
zMc0Vi>}+?##c_^KS8^H81ojla6!s~#(3(tQ>wAyoDe9$zC*`TEar0?D&1HBRYqKy-
z*43KKHM8ko&0lJY^Csz89T&XTt)k_BnSG65R|n#fjiu9w*{v#Ki!G9pWeI5h=}H$G
zy8OVf9{1edd@z=TyxP4sPwlRY(7KlhC2-aE(~QJexl`BIA>pJmO;}<bQ=mH^%bTF)
zTSmGKK_DKBOVDf!;j`1@${WOfvM|VEbDCxhpG9grgdW+V?(J46Kh5q4BdGI*Q{N%X
zkZXRv@k^c;m_U$v<@BKRH|e~Qs&guRW8jzSYa<7mN`Ca)KNr9KEPa_mlnCP=sPAi|
ze06<Vj(^X>{T!={ztC{A-gy|%7agyC%g_cqyLtX>w626TZ_?$SsGD5~XPvJr7RY%s
zWLQrvKKGI#oxNLSUm3ewjgLo6?z#H?v3tqGmt%mmp^2n=Dg3sf#(c<58S_V~;3f!*
z5RX~r)}Rv8Rz)B2^yVF}m(g=+DN!k%@;vcw+pYZ1mK*O+!Kk4|Ou^efeUox_E2S2A
zwZDb=SgJl(LTpwjd42pbggMh1r{kAco4jTwT>*EwTb^r|Jqn)WA}vvDak5~w&_=?v
zMzvPOCG*g>v~Gm*qMl2RfOLwt@<v|Cjdx7}ScQhylf?p)r=Jw}=55|~X0x81cJ7VM
zytErVE7+&_t3*--iD+}Rl(o!JTvy!o2(cq0QCpI+iT_y#hb({O63q6=+%k`E;IbHM
zB56y}vdG5_aNI@htXH>zpWt@os{9QlxNPVLHVhVH<njnAq33=lTA5O>(UX$1v7YPZ
zWhuqzmzsi$4?2Vd%2nTA5SmS|)UgS(HcvW|CjWdZ*@N|-6><5V#Hpm;J*53OX=d(<
zk&3b}ZA+Gg`?|xI#c@O3e>%2gb0Zav-6Pvxn_cMh44#yZjm9s_T^I$Lx14QbxEWV2
zw%wC&7~R3R%%1dCI@CtXZib}u6jZ^f7XI9)J0wC&U>yI@2E=<o+*R$nF+O|~h~2_i
zznoo=^a$FL><J+U<S!`xopPIH|9;f1)9&4zz2*9k*VqnWp$TQqRST6>>_ZN@Y3wRm
zm;AAb%gdL=VLkuR73-~N`~>xnOMiI3TpH>9$E8c}e_VQV`f^G4>Rj*HtZYS^1~+0k
zv4WqJNKOmDx{@HF{evWvfBFRj5YMxF`;REsA^zAc_J2gtyMKwocm78d`_q@G*4e`^
zQLlBd7wjn)0w+c(QOcq|vdLQ*vTnyQC`j|#Gu@@#ZdE*15|h<&8$G{L9@*SDEdYYD
zz;#$RLiXC!b3d8=b=D33m4UQ7r>#rTX5@N*c2*cyAhs)q=avSM!6Hwu?LgV*QkOKG
z*W$_g_@54p^N5;&uQ?M##r<c=S|jpBK}EnSY#m{HOsb8)^2RFbtH6d}nk)O@GrZ?I
z4~)FAFF2yq{WjTgw3OD81PS;GiV+a3mPC!rm|l3<yr2e+>CA@vjBU;fwge+u3#BI2
zvF6UZFrs#!P5!B+S&#}wOmYRaR0XXR#`4nMYG!m-P3?E>`CEVLZX|6st&?eT1}y;O
zWFq00tBR*W^Ko73(mT<CoTRufQCv0K@#IL7nzcfV^fqQU`?l(_51ywf<o(3VtR6N&
zZ&T-jItOfD6Ws55cvu6;)MK^)S3gE{4xBpE_AbsY?F%U*eoo6)<4{X_*Qm3sJ4fU+
z3@SQa!7x(~#L1&?Mr&lKlMEokEM(F6s(Fj&mNtiQQ^KorQ1BYkE&(m;^Ht<w67m@-
zdF-cjLg8&kK6vq_kVKO+iYC|u<4v6`njEkbO>hNG@R6qf^tL*FTX*LL&rFs7(Z($1
z$*_<^h|Y{d25OIQU6E9k%6_~*M@QSB>E_2ZdF_%mjWOFK?USYpQeY}2!dt~xZrLz%
z6<WBo%ylHilY4jyul}P*a~}q7#=6?#I%_#6zPP0(z;f-Gn;saf#i6b|Nl~cf23nIw
zY<N*|n<HVIy91ZYu`s@jjFU?uq$}m@*W^E!Wm)TS(93hYA3#rwtnKD!GI>4q)p)&0
z`qx+EHd86Pe;PAu96yO{Q!!>1idhiCgtWbCNy02dwe2$Jg0L06)KbK4HGy@T9+$Vn
z$J?*zJkw`GIIKY;>x7AQ6i=|?C?w7hhU8?gHY}soi^~R-J8!kUMl)9jC@~E*N8NG9
z?cRa`50A||@MayJb+8%oha8?EnRMbzzKWf3!oIevB&JEIRgtyl?i7B7Z754f`h^Z;
zUx>=s`ho{<)WI`w_x6reC(gXXrw%?{(Wv7M42waMWmD;p8{s8rO>cF~pcE|(3xy2S
zR%@ZDKVo5?#+>g7{VQh7I(l7Zk8kkl`(IsYfrrUh41FMBlZo)|Uoj*7$81}hOjb5j
zc>t8pfGH2q7Ti%jM%OqPLf^RK|I^su%WV2%gt^~RE_AuOJU}U)CDkFveRL@+{#xJa
zaYy)cOe_XLLExcB*yQnq!!udfBxAs?6B+P7F~hbiHMT{Tks`cg_DI^yKYCkrDuUb(
z(JriPln^8TuX2NqxBo$Tvw25qZ?5oI=XI@1OasTCONk#@7P-s(w%0<Mv?WbTt^)sR
zdDhmfp~{#1&S(WL3@Hdi2(7P~pBdzGd5GK@`^+j`^_hQHZ@}33^$%Ga9fxIXu}1ch
z&+o(*1y-Y!*uq9VUQOML-&hQcOgeskVUsuT>9eW3x6<(G`XInVsjz>Nw#K?Sk?Raa
zoE{}ZfnO-^-|FdZDubqtx=v(sP-Us|0FU`^8;%`Y09aDEhzsap!kJSm$;@+J+G2|;
zCGUO8^B@g2+-56e$2f+=17bji(ay{|K<4d6b+YI%NA5<!8FYY+JN$D-HNtpdLJcKw
zLB$+p7qRWMPAsGz+p`?W@i7`-e0%$ub(9P`_TJ#te`D8W&;l`%vFbWN!e|rzlbPTi
zM0aE_W1SQQ<a!mSUMaLbjwbT;KNX-Y?cHrNm|S7B-{94A@^`=S0Wq9SJB(0)7?}MI
zkV(67G_#g-PlA`BGuoCNZXr)(vK&cRgtl6bvZdOixNxo66|i5bOSOse|A%4_z*kyh
z6J^8=h9sAeVPa4>ehBBxsX3<2IQd@i=mZ*f6!kj{KV#SRv+6LbhtX0n>o|hKs}o^g
zexbo^*1`I#Tno$<hbz%Gd&Yqt+K4B?+EwfC98qa%D}(93mqU5uUlJWqV2Nsqf~^ST
z?zRP<ENkqwSYt)6<7nv~?_<?bG3hw^h0$Kat52owMoGh~>wo|;{`ZFKhie;l1UINk
zSg+^?;R0xX(v8*GOD23*p@mSL;%L2u{QoqcbbvMlA$TF=c3hSK>$Q!%@LCZAYR!8<
zZmO(2|GVQ2E4zpyr`o@DpF~3H1oJr)%3j%yq0w|F5ts<7|G~rmywwumt7i^Zp~$K2
z=rHjV+=L=TVXW(|wcN{4kSU>2cc7yVh5Zh@Z}6Dc@R&yv4u+_}(65LE{FiCx^-G9@
zVG=726H@2?-%48%Eaj!53BT1UA($pE%{csPan`$QN7dfjE|1O*#P*iL511`iYR(vo
z<sA<iEa_kc%Ffo;WAM0Lk-*)-XKaSw*bHBe50Zt!edP@FzXA6S)6V|7eL*N~W5P5p
zy1Z-V>x4DI9OXgC1H5Uho|Yi+fT3W(&@ZHZW#ud4q0;b}3<0}f|4nJblQKbw4mL6i
z%;4KxK4aG<q@)~fDRbFP+CMk%zg1ph+dX8}2v>+(L#84~M|%qwB!;ypX&Qw@@Qray
zzb~=s{A>9meEY5M2T_de{z8kLl)-P9ITL?+RU#e9T`Y*n_4TEQ0OO7y1|1H5VQ?N{
za9^j3DROu4>mCvM?@jQiHxWDsS8VAHr+F27mBScmNS7qh3L@aOvh@?N_wUNRoJJR|
z%H6`eKR4QcG1Jf$24REg(G&$Ui*@{NS&8Cka+B2j0>f9zxdefbe8A8zsALQ|?0(%t
z|2<$M=Q;Y>chH4)i<-8#ykm9Vfm-5pwt*Vd1Et*hUb_E*B03hs7a73vb_c)iKsloh
z2T*v-|4>DO^a;M*>5EE**~|2tL$@w^aBUZttg9y`{)gIEn&3;X7gBh@)GwsX&N`6i
z?M{4k=Z@T+_{tmVe|Ox5^H^PKnW%(M>>^vJNLH3W>I~ONm_tk&r`9H8C2u7s-ngTw
z-{J5J4@0av++TR0WY+Qg!UM_w!2@k|t}s=NgAANB)zZ6tnZ|-LaRhr&td8f_$(Qq}
zqYkElyAxlDi8SwUs)JWoFzUDk!>SYe-`4YN3R9IJH-bvSm&-c|unkr8!y?q8XtfBd
z`NL}MVb#$w>3DwO;RarPCUtk>3lDlAz|{ZZVPIR<6Pbp-lXJUli9Z=aYw=y6B6{oH
z4Tk^>Lt@#FTjbx%*Yv|TRC0FUYMp<3WS!Q=TF!9JC8?DWHBh+qAyY0`l|OF94KeFz
z8g$%#A$<?KE{7JF`i1oFFQotXX8@~?UUbIYQo{_V9uy&rJ#P{@9i=W-#4!S9&hRQ*
zYcGD}zk2r{HbU6<2eS_WE+^0>Y@a4kw%Ykl2`h=^-&*zL|KI9Yq{nTyPFpf-w6{JK
zZ=|(zP6=fs>d2QC-3!0kqzTnOb{pShRWYtK5Fw=kP}j)@primQe(dT@D7cM{eH3m+
zZvIyY=MPf|=Q@K&<BVhhawZfYUoRYpwQ57$^3HO5-X3r(Uh?MdUJ3@WZu(BLZi>u)
zy_t<yH(n);YIkLil!xT@zWq_B$h7?Ewas9`8ypNY4>sq0_cKU&b~EpICI5OR1%X@b
zUyuIM*AnHdo9~hiVE}v2Fzu60n%D>+djZ@+h<7o6&GC7x7kGs5=Elt{zrDA4yF1tI
z3-G=7^X+%%e3hkp7(m}C4AA%XwaDw&BC7nrEq5N^mOsQ-i!}3&;k>(-yPmqaV-uau
z+2eEhMnGtb)I+Lkyes01o21w3ZcW1P51#_x51CIS|D2r}uoH8cfGacMbK$^kjkyA%
zb`$IGlKG;9E3Ly}vJQxZKMW!@$Ff8pWr-l$p1d~Rx9JcC!Ur&^Ptg}$@=hH++k>fI
zQjRH}v5?I1B}Es0B<YUh^XHLe&m)-){8HSOUqm6k5`^g6B@k}jDc=*Nm!6P>RZI-i
z=IpAFBXC5$56ka9>t>oj2Fo_~5GdmZHV5N!AdQ>&r*<7dk24{f`*ie<g5OoTySUss
zqYm+tK+a?1y55uL>=bb0df#U%kgccgw@788G3MM-PpE|pe#o+P!%`5axUuHXCShu8
z-%lSwupYWH4Qy@R`{@r295H1z*pDyIxP5Y$rqc7t?w`1kB(5F_CRw~lb|Q3;aG0R>
zR7yqq&L|^~=PRi6BK;*LOm0t+an2v_i0dBq_=x7zgUAY;UY2xntSesVN`CjF{Oq3O
zP`j6#Una$xDo)<F;6Vsunz!e+b|h|-7}>b<=6*@>re?G)vJh@O_9y{bGBH$}45Cre
zH9EUqNfbL^ofDj=tD@bA%?u-nSN8a|P1Tw(Bm02KGA8NQ*xO79D*8@MCh^Iwy{s5C
z43i^Ki<68M+58DzWF{zMM@G<2;eIRD%&=)(qe-Bv(Hs_#avdX7?JT|Gr4<CpiIM|0
z{N#Y=4KrNTJv2m4vBL@4Y9d}$JzQ=RS@vBH;dnR3qc`h#rDMLFU%xl@>@@OSp^G5*
zToliEl+}x*ETz4vzm=)MyQjuPBp*~O<hm*EKt{))&UkluOZE}Ouu}dkXpj9oqfLr3
zOfgrdzQGX9T1gdHoiD7y%MBt%{c8wjeYxRvQ5sxa2j&m=F0zIl*^!p5@v?cSf2g;4
znAM1rY@^|w&byUANR9nRUuC*h98R?>l*~5PLI=}EAa3OEG`jn-^Bf!f1s}QA0+rfi
zX`z<M-ol<2T93Cs+WXT94_?y6o&}z7W7Y|9`?1in=t1V1rQH2e_lzR#{?39!Hty!=
zf+xzpurB1nGxg3L?ZuDj!ZEX-(=UgO1yD_^*aKL=Bt@u1PghR+NrhT2zNd6TO@lgt
z22&_T<>yz8&7r__+zz`PN=U9znF-Y^KY#-a`}-kmj5#fxSF=!}*~*TmQTc7(XwJk`
zE3qh}JARm%BdXa%;et4qu<S>1y-g=!%%J7iUq$+QJbJ1s1Q-mqB-_whOp(Wu=^txq
zVn4$mapAZzq-G(VPA6?>Nap*-taCXshmfwIKKsWpSa9-!awr&=rn5(PA6z~6hp_Y<
zlT7wT$_hPJ(iXm#4dc>9ERl*gg)Xic>G42t%@f_S--^hv-H+@Ca=y8=MvTrSsOyg!
zvIv^l`^Sx*;kswt1WWSk+@EfWNn2h?7rDsDOP8jerFJ`vt2DOV6k5n@z5W$mUpC6D
z)@ogpl*T;&sp)RM{RV|IDi0bgq#axK4KwOq&Ss9dY^ZvBDSqIMCI@jGbx$G2welL5
z6l^muJEG?8e=+rr(Up8p+;42-#J0_eC+5VqZQHhO+qP}nwlhiQ=J&trdG1}SU+g}6
zcb`{P-%nNTUA^kBu!uwj-k#OaF5$plq^cWu&iD|RyPJzImZ;7;Y`&6C_<{fU@-fou
zqlS7h;y%*T^kRQ#Lt_|dPj}m$m5xS%cix6RobkIT-&m()OaLKcGd-F0cWkO!mDql9
z8q>(U9VT7LvC>vJ#$q9I2@7bsC8lh?ibVPh#-KjZ8;mubH=o6?TGN?gMixy4?%IdP
zVKHZ!a_8{R-73a3!O`j>!9G!k$-<;{%>CY&gUUXfog{@1$_Vw08Je`KXEylWs{X1-
z0<uOMoicH1=|Z1!2O0&9WHE&ZX8X;-`DG9nKaQQ#y$Fjz2p5xJHB~VMg7<H9m1@EH
zo(wS|m_3L-WU5-se_5icIsDK+xihlOal-fWKCgJ$*P2hgn_$CWb&Y>&66Ejml2q?h
zhpA8Y$vWv>><Q97RcOZV=Xd735fo0Tvu+~IKuDs{Uk?3g-gR5zDAE*v9&$~6fhWN|
zp4o<AiBqhzq9xjmFh1@Ps{eVt0G{m%h<JVHORo!>RoxsXQKF8(+M*u8ch0{dF0Uaz
z4#>t3Q5%Rv_R;Y0vh!y1L*L#xC(=~d=W!%A&AygZxv@=kvcOb*d3|32h~sRfA|oJ0
zqHgwpLGkG>rprkP7*y8ilYL6K&uM<!>2CuGAD1NKcBt{##Q;+N*GA59xp5&f{*~Xx
zy?*1dlFhs&Lh}_AfbP0;e~oYT>D{l1Tyzrg8{xVLBeON7aXHE0+`pNdngUQ6(_)H3
zjY|p%e1Jkj7Ut|ny$fCU#Y(*Z37kdF6^<L#-m-$LrVFuedsY4((@w@J96MKm7K4Ss
zRQ|k3oUX8ge_g{o8E%eUeyGHPbwhdmbSN#7L)OV>VdTMAzW77F?O6-H|L8P^)ZoMJ
zk@7gxMDDlpBDVCJ^^w39t8RdZ!S%rhbivH<^WSCs-pUaUoEpPpx~V#%0cyigU8H&5
z9c1DDp79*d$e2WBo%=GJ{sm(`$NbWe<5$1TEE>`TNjQ%AvWzljQvxuaHZK`vPoRzt
zV299C4>|-rDDk)tVivAWBiE>Hg%-oTe4`<tZYxJlvi^lZV8s0~Dh@>s%WcAf&Fc~H
zJ+-OsO1s5?&UqyjY{a1jk1mE&dtedI4pZ0>4z$BnOJO1kmw+}0eyijn`Ib7$`=_(z
zwkRh+>q|&ofNnXk$dwI*?zTvzf0sLOi4!_?3hR+40Czm?Ac#wz`@J`p6e+&prlinJ
zcU+M@rp3!f{_L+QB2tpU_vLO1i#by91+eBIXL6mAw>?WzsHpbYE5gBi28on~I3%sR
z%1i7nQwq;mnLoXtVnSa^gNcCC=pX~<b<l*NB~gPdkb>rja6;CJsE0tBNiPSBE&x}F
zwgbIO2+#$V`s(j@_(^Ym+NV6Q9d%U~*)9Ya5TU&vGMX(P@l{w$)L%u55F4UAnmGmR
znlPP+T5_Mc4J9vGNYqgx<RF+}bWWTvLVvg4ZC#y|m8h8Djy|1tWzdhfYyk0$B**cM
zl($G5Rm}t#y<xj>Ge0dTshpNZMzS<d=#xUsN93M7rn~!OrOY7g6zuw~q0}S;(#6^N
z;nv7Q{(5MS?p&F$L^}czFgQ9&*bf{gLBwZ4-k%~N+<;y<o6!%le&2~3+>H{@TWPHH
zdy*(3vaEEEtX$E_5|oHyWA?Msiw3WWBh+BG<serHXBByBN)yWd!?snsk&!=jk`{fg
z4Ug`*9I5$zu}WE9k#VoJ$*3AViHe^ING55dDZe;JQ^ES%wGc;5BIg`C{Gi8@dlv>F
zY&?_oU|6*^)M%VLiF4f-m7Qza!+{vo9chC&CWoWrwEz1TKJ798@78PfG5XBIglK!D
zQ8k-ic<0KyaKFMKv$m{JySCu%Y#uY$jY>Rc^_wvN8WD_}#c6CxxsFfue1lGb88jD}
zXz>~kx<pG8Sk0^P>92d^OxqKcl4$Vb>iP{AN^vw7wEM7XXOi3<3N~_n;>G~K08N#H
zp5agbmK48w?Mq1*v%b}|-}T(})G2Ht4ZngYo8W8R!CzhbAe-<={i?dwSqYHFeJ#=|
zNMb5JmR`5vn9kUGP$90wGb~><Iq%To=2uq1x_ln?Fg|CTmB*KU0*Pj92ZP{ayjHX_
z&TU+3Omtn&R*(kiTe6oZaevIeZ?Zeyl9l|Z{VF0rlLBuYn(k3DQ_sFK8~!cP$Yt7N
zf-rLtGyyE%rKD_xJYa&=xAHz!=idanrGKTD29~av_m~_&kR8B<uG|Q3>Z}DRPmVZ>
zUqgBl5!9{d&j<Ul<t=SJOsFA3l9Xsg`#mq`3cc{BgyvizTOG$Pi*C?4stuk2W#ILI
zudI!hd(%cCY3VYAgh*1`x?&pWw>d@2$w8WLvS)m0CW!x%f7%diUFfoFEvJ}B*f?Ha
zs*<2|1g#dEHAIZEfECd9)|%AG<+v5D$sfM<<ijNj*Jx{Ff3f0}bh!S!XfQ<tiHb_W
z=y=8>pz`-FRh~yCxqQ07L7;nj8dPuD(m`ndc;nIpp-QWJa=SDow#^7GlO6ZpeqcgN
z#%On9OX<vvh7VBVewmVXn95=T3t}448cl!Z(n{oqMqB5IA6D|2rUF$qv85gBWh`N;
zMMveMq+TRXgr5A^4wO&I<PxE!I^^QS1aufN_O=Agzy-<veWsOnksL|ur*RL}Vqgnj
zRS&I(VzPRQL*JxBY7GBE1JgtsYPk=i-`ykU)p=X;h2jyD;B?;M{2;@P4aQRClr8Nk
z#k%OZCZ2tb4^2zY{#)eW$@0BFjVunzkVW1^u0V4?WU{k<)dm|(a^yYI2+3wkY%$SI
z*&@TvQd+VRa7dG4D~S8)h)lk(6<iXk*frdFwpHXqn}kC4hzbl-Nn6qzPN@?!LG|q&
zw>QnLqxJ_kI(U{o)!Y*Lk~asn#K@Xj_<4r>gX!hY4rRCI)h)KpofY48F}L^Nm^kk?
zXe)lfcsG0qYVx0i_*5*kZMux33rGJd!DQy$E1|PQ2$pfqvDz<zTfigJ6qbLWpjabT
z!cwiwV%^||Xtfyz5ju!dGw;>&UyRL7hB4oN<&3AmjaZbY=i*oh+GQE~Qs|Gph~)kR
z3j2nXBnaZ4z;ksCw95`ObjIFzQ!><8F<yE`Gu#eW5D!i4zwfjaIKsSm!IkiBr{+`9
zA8PbC#>YFST+cJRr1iQ3fMotv8`&S5vjR=3f`8t}R%{7TsTwPr9q{DZ%cndtDxYR$
z4M<&YPtWS(6^EUEX@<)tg*LI|2|W@wjy+bW9HRoTF;>Pd^ZM?!qG~v0pmiz=pAc{H
zRQVziwhks5Q%Vb(h--M5aCUY6IK|t7==OxMbSrtiPXW<11p-WahSNDR<2AD0|2MR?
zKZ&nmSN^qY38%bfhHPzr;^=-M>yZ4|JyOy+oc=R?x$uXM+1}i~JKV<pq*CTKaDOV(
zMg8MIqwAd-A4ry7a=C($9!5rG<zTwi?NRyeWYR6=*aG-;k&BHiIi;?6#2|@FH`$pZ
z63eUdh53ZA+Y+6z2@h%obKN-f&XPW~h`T2I%2E|xB3-4~Q1)7ZSwb6JXtqELukezK
zCvi1o^LRAk@mLJ`B}EL4KUpDbEwqaW{vZ;i?$hO(<eNpCeq63$!Kdptnxbr8|JVh@
zaT#jN9~IEOV(`i1*{?8-cP6lqyHSs_3b5XBg)YgrOl5{Bi7D+SxW7o_mA_*(Mf~o>
zaG(bWB6He>@8jW8;=S(F&>&}d^A}jj4dT5i3B98pg$YRVHOQG&Oa%cd_Ca@P6BSUu
zwVi=oHM+8gJjv#5C{`-PUi%FNkxL{3M)6EG_*QC#J?jLb*`4N=+E3yNv{U`79<0c!
zZnVF5VRPFl#}H$0uWD#J54T&&X6Y^-yYu)|MZIPUcsn13!AtCb{Cfz1%o;zn@W=}2
z_Z%NBg0A`I@b=b=kdwUWZ-WL=Y=>%C=-*Z%z0ZYg&*o6-$`!gzR>`|H&q=*uVY^8m
z2`#1s+Kd+UBEPIio-$dXu!k)^IN>t>Itb);ga}UVsF60DS2be6b73u1$(WC=r-f9c
zFaBv1f^N@PqGj*>tWPs=t4dH;vJjzPIbk#Gyg1{g7q*nD0R){270e8&+e+y%x!!Ri
zRl*OaC19c~%_CGp)jwhO5I3}eR<t#*97kaVW(cFyf(jUBluij*_~YM1;p&tOsr&n@
zJ|8ez7fghY>9?wYzIitHh2RPHT(_I9;kLDc*0s*-*2d)%wp~9+{5FL@u?9?=1lWPx
z(d*7gxk<lD><UPolmjnWPjZ;#%s)s;yiSE6YBmZx>TNAgA+FFyC2nNmq!^l%L3dnR
zg}Mp-*#a~S?SRSmKiTDyhmwO;R+{H`NbK_!H(ZxYnfx|M5Piw4G|_9SevvuukZ-gM
zvj1B+IeBj~up3BI^UE=9w-WWyA#R0s;yoB$aTQTJgt$xuPYc(G1FS^dMZST0y5vwe
z+weFUQQ|yGt>U)}s%<5PG8PaE*C8K=h|G;J;a%ph10m{F<!;!q-IsJ`RaNuQrDVGb
z;Qh@6`50P)6dl@T`Ck$B|1}2skg|qi*N9K#Gb)8vcHFGAptJ`%&}}iyiAhwdMQ2dn
zZVD4`j1sflKU_AhVP|%PCCJS+GQ5xV>Ck+0J6;?Zt)*UWxx0@A=kqZ=zq_a2V@_~3
zi%qJaD-?Wlv&N(I@?zJ9CFni4yLb8*dt#xM&QoUr@XEg4K|QhM8#%&yYubCJo%;*{
z(EFewfHhD6RnfJT$>Ykzame%^hGV{2BfO@{pS>znz01I>@gRaD<0lo3Pl9CI?jOKT
zyK}a^@#*O0Hrw4ZXtceR!eivB{<#<&UJMoj=2yXE@0k;aTzeDJfgFxLHFz2}m%3BJ
zGxl}6t-Dt*+61uYH1nXBqw62O+rM!5W9kM;{T$`tA<zuAnF|<h)w?$-l!pcE{%=U9
z#*>g-Y*FeSEeMKpolB?YMK8B4QR9%Yy5{t=^5<R~yF!GVp00*t{^zFo+?%n^Efqw=
z?Twn^Q<h%*KVJp<<EsV+Tkr0a_x9h_GnF+p{oH6usd}vF*bK@lMyu`uj#+kbM*J_N
zX}q(tT$hH-qo{rg^RhQJ9;$v{BQqCQZf00H8^dk<*cBBH&9R_rVct8z4{3e2(R){*
z3l6Cmd+}QjNn$PMg(NaEblI!&Uf_)J#YSuq1}PzsZsuW$geGDCMW!Xb2^VW8++Ya{
z6+8(KZ70o8MM#$y;upu-dU_b5#Qbc3M)&JsnB#K?fZH$r7h|H^{=}FCvOZNS`tS8n
zNhx3^XPe-Xi(=6ufCF#P6w9n&=tpEc)e&tRh0Yp2YYah5bOUHnhXCmzCFi)7mv4yg
zt=R!mezM4<Pc_8kuLCmvWy6Yd!+F?Dd?n#@3iVs%mnuv_6<Ga5f=K9~Q4^GXd$Ih`
zQNF!us(f=`O~lyYv$ZH`N2HgcCYTNpbdgeJ-iO%Ei+k^<KD{^Nim+b;uCSiF13SC0
zSG+vQ`M3My1G}mAg5d0SKpml{K7BX)^@-_~rK3yWy`iH9)ghxEVHea(EqZTvYE9c|
zLt9K@!~J2`X2pb@RFI;>eFcdoTb%Jr<7!G3BF%L#%~O<T@i+<^O`bSZyG8FqLWB>a
z`g0ZIUP_x$2J1MH!Xu<7^K~J0s93alS8s;$xIFZjhj*L;`^9p+(Nml;=Z3+VseB{K
z|G$7EO2F%rDOnjkHtVQ)l$2szJ4MD+042Vf%F97P3qA?;BW;8LpQFklVGzBxtDbEW
zW(yY|lq79rxC{<wykGfm4X~T+gJu9n<dZ0p={GAC1Fhhk1U`ie9y?@+>_j7^FvYlx
zjzvW&HzPL>eOvaqVLi{<6a|ls!1)~}4adFJ`sst{FGfRnAm@Z_f5dCIx}<+_+bx^8
zomNqqpsEzb$~#d1Z#)3n)irG^)AyW!_kbFp5<02?(|+wqbK`#N*=w1UL>j*hq`ZE(
zvbl?`*(=O-+mPD4J*p8Ge(2ML<>sQ1aICUeHB4uV-mpQJ(qW+j>PoIoQ^mMq8Tnjs
z0G9_B8{S|2e}KJP{(ry@X=j|^v-~OZe`x)<WhlP;KUzQgzqGD1{r}NAmLV3#;($`+
zq?R?<8lZ%me|+SC;LE9%ae1ONxLilM!dkzA09N|>W<kF~*-eo2at=RVUQ;xXae0GV
zBkjVf15n~ItY6{m=kE?B)+HfWCnc!<X>J#f&){{zNBUd%RHg`QBOS*vc()0mt3xw}
zKiby~t#Jbum=Me2VMOf(NzCdbtDAQ1oHH!YmwteB3FyUT=b+ok#)2OpY2IJ?pNqP?
zxE|E$-3?IfHS4d;Wp{Jdu`Wl{sn+1DI8?#dIQ7%i{$Z-|AEs*JREKt{DE#_is#XsM
z78E)gHcNMEnQHq=CVLr^NBsOJk^)^j1ow%!Wlt_yA(`JQ7$M5}a7l&Arx+uVeVL@C
zlADg<8q$2HC7+Nyf0*Re#nZ#`W(yV*2P%}e%9P9>@1sMTQ|}crW+rTk?jL5YPC^49
zDMU5}0!^z5W|nEO09h!467!DYds<c%sI6v)bQ_%SJ)IMSb;3>d=YMyo5rOrc6klH_
zI&`&K<zZWP0;+!rU1C?i(XDyV%aJ5r+2L=mDKQ|LZ8uAmfveYw{idfFjGmXHL-`-a
z^@zniAImiv4Au=KT5WE4pmw?XqHYzOsS3}hTJfpoY@8G_6p1X<9t0g7k*OELaL9FA
zpmT96DOU<pRih=v^QSh(C&(d{>|(O55{+n|*jNXf+M>GY9lzWjJ>2fy=rT2xPo>Ip
zwLR5`rYech8c*X$`u_9!lZ%vjinR#&bLb%rN^8=S!IXShBGlMMr2ZsMWQdsobu2FM
zq~-vj8lgy@VijExT6#Bvs%h`7Yh-z-$5*X{Sp-a_zk3xm&NwYX)Qoxwgle(DP{{(h
z8@;91o{gwH2HfmBCLHWql9bAsY5TJG$|kK*v!P7f3Wrq;1p~C+{H!QKQXDhIo6&_H
z?N_W*xc~rMw^ANcuJ4$>4g9uiof8O7mD8zcP)7SP4e3BPuR1eKC?7wzkTgrj^z+@S
ze`#_pgI^^<n$#uU>{GqR=uj>^2vx!=WJu>AoR*C^Z(7Cyh31n9eKOF<8cinN)II7K
zuBRI)X9Gg=zT7Ei;=S2LFJf1ajZZIPiJO#r2v(Te<jdSUaeD9|qXy|N!wLT<`yi+}
zXqRBFmP}Jd<Q@lRJ3_x9XUP?UPo^UXAS~U*Aj{WHI#DFISdwGSo=(r=7okHGBgx%b
zQ%5pGuviL1WW~Yonx3N+EgNn8R^3&qg;oI)&U7Td27DAhz`Kf+dy+48)jb!9oAJh^
zI|luLxE;^<)d5@)G$NHi!49{^PvT>h+@m|}UM{Tq4VU!sF2lnXl$3@@QB!+T81vIU
zArzhLz<WZNrreB|^Cm-;cYCr%KRGB&W*)C9bE+28-4LSvp(ezQ-!7QL@ApNt8OOQQ
ziOoviEs4G6@a7(DBq8?jyfCu;;9T*{*%u;}E%@2l=UJ3DFCrf#7!&_+_5w`QmP|18
zBz0V=tiq}6>jLTQ+}1T1`#?yL34HL4DH<33E3VUl9_EaY)K?aNcK#7X<}ZfHk9mt2
zjAgk~?5X$-A!p#kiqR>Yr*qPC5%{d`?9x<U&(1WsJG29;ORiKVQ&m^B=h+(9$|kfw
zt{tPjU~mELV&0(pTQCQ3V;()j!fSvetRV}Qw~g7L{@WnW0&*<F9JWf$0xOT}varpv
zAeD)>LT;P<IL(*V0}qXyyp)x1PP;wYcK@KufG_<7#42Up5ec>^PjjEawoO#NPEu<K
zil&{nh|qML(dmqVOQ%9U1H7NU1)%!X=jsgfGm{b90Sz!_wg6W+_UPx3jtVe(HCvY?
z6B;h5aM@`E`1#yx{K7}ktD9(Zc@Ja!D}fkES3-kV<i$PTjz@7<ygC`mEU(hd2&sd)
z0!iTt-tjA7n7^@JIf+vUgTl#0rTqJ3U!{>8zH+0XegYdt)h=urr`u6D#YbdCkwb`U
z^U_H<!@&(Rwgn7x9ww+1A4?Kv(S??&G2*LD;jk#<cb&KQK_Iq@wkMJ;Q#-LcdZqw_
z5e;rzvL?S=!+`XMi%U-FlhGYFp1Y9TyGiH581ss={8fK$*Vbii=pd_8W(0EEOI_v|
zKIfqNz!&1`+sfhwBS3;~U_bmGR#Fv3hup^nHwnaAy2BEpMJxV*-ho)S{(!?#E?Q7|
zgOW%Qw;-MTVG1EmkfKqfJ@xac_Ifq~{kHz3iTdG?r0=k*#|feK${(ESVM)VtxOBT7
z4JDNI;*YfGG8dFZ7vhc?CIRJAW}=LAM*K6^3c%+P;n32Onpb(na)2kTd+9KwN^1MY
zT;}tgKZ})%?cxQ%I?v3{#~~X8ATl1S7ojPwcf4o-@<Z1f`XH%Qg?4%l1c?=}SQSk9
zFHDIAL(4hR{#N<fV;LDT-^w>4IkGUq@{l{$4@!O6uPF#ORRa`6>Y*=CAsfutV6H1G
z^8vq17n}EHD#3504XdEN7%qs&8g%ekWPyXO$Z|>jPUI!ZAi2trfboG&syLek>^yZ)
zoWo(clK8=FuV}Ma^gd01a?NYZS>+o23qfW3KJlSy7zNu4S0^FQKDU{=l6V_ohEME^
zU@3<HXER?iPqy;``l66l0(#S;rF`Y`eK+r-oCnH+{`3R%uEiH&LJQXZX~jja;6ps{
zJ$WpWZ)l70iN3HSJf2s2Q|@emr_R8J^dbt!;5oxJoKwLiTziZd58Ra6JQ#)4vho3$
z7nB!+o}>CZvr)p4gHswgFpH9$Qv>EHkE4nq20OD%s2b#GjWCnh#+80nU1;Kmfavt1
zR9_R8R<kKOY)9kY+L0qxoV4ciX_~Aj28c`Bw*QSxN_Ln1%vdwFqba*ou0@*fIDTfy
zOFBdheVAE~9LRSuzm|xRQvs`)XMpJUe)9E}pWah#B8D~W&4@uGR|(z2`ZWh6M@P{b
zKjJkz_MdpwD_0f`>)T+4zC&8Cg^@!#L^4tq%!rcu1q_uR53C#jk%rG^E)6U+i~>^>
zsH<tDLTPC;(G6L$*UKD5i)#&G)9jObX4P*{8q#%LCXj;pN|FYP8?cbRB>Xli2WB#{
zNk|mmk1byV>^xKTb+VJJYnZ7XHiE4$2z93LfY-Kv8qSYO8Z=%xx@XfhStbgV0|!?I
zJ8S3gG$n+s1RmDdFE6%VVXH{^t)XoXbd=Q9yrdwY7FBvn&}CIFH*(w6yeL+NI5f}h
z4z#84RFXVsVy*&4l;7v`^7#=kRYL-b{dBbo34;s`+TBJ~7^P0k<#ms}QsCrEap*2A
zBR@6@dQ4C^Yy?$co|i4;3PuCjEHk68jirNRAS%IQ*nmbiVtrt-HB+q2C&gj0r4m~5
z>gmj^V6kbsl{jj#&8nvR+md$-iyxcX>eovvR#W3<ygodBPoWoI)PY-ajj^!l19U4a
zn)QA*@mbs({uiM(=tdG)DnAwG9su}N-kaX)D<zxhe6CP4rU3ka2_5IpwXfpC(VNQv
z^w5_)%OC3)id|lrKNvMxZ2nmrMNk<Cs)-O(WtU?vZ={K)UP6uKxl=IKLfO!0izC8b
zYjxM9EN`T&kelj$0!ON8mJJ$bMN}L3GVI7Sa3D;ESrIeB*X2sM9ylf5B+yWGT+Y)B
zkudxPd(vH4n8?B)VfW}2k>MqXsMP~4z8;9HnO{O=JUObC&rJ({sf3gXPgy?KMFW~B
zYC)sXl5x>jRIacDVzzMGS;+$@1vY1eOezHyfErM=P7DqPLX0X^?1+Gq$SqRVbV3nE
zuc)QfBe)Cm7~EA%aXV2GXI0HF8qP1Ouij&u3)f<nw0*3ZOB}twj90+VbW2CWKp-_*
z=ct9B+T8YrwYVBFz>;e_9;2^bdzUfw7(HL(yyi!Z%k{%vhma37BL@3?vy^I<1ROUl
z%#vZ2?zhKNMV#gwH!5hB2*?L1?pRKQM|thpWPT=RH2U@G4~?R-JVYk=XLl!WWi{kk
zTZ6Emic=Qo;#^__tpQ=00jW*)-ef=QbfI-iEnQQVfv4-9+ieGTSs0FXRY64MEZD&N
zsv+U-vLHxWy04(<F%v;EEVK6<ur5^wtm?x!N)_dEVBQZ%2;$cWAIN3yD2c5MLVmX*
zjTW~m^o$%5F~gD^r0$o7TEo{Nhot{KW2Wnkry=s#e@`L7xFGWQb0Yqdv;*3T^N952
z>?|m2ZQ3?~(d5+c55x6JItE4mvhM6|_ptZh^MeDpe*`PsoLuo5dr)t*A+obwOxBBd
z<)AOg_`=|Y;J|Q4CX$+jI4u5Z6Q1#FKMk@@eUA8jC0BsshfLJ2R>9+oA>5+#mrH(B
z*2siKT}UOa;X8wsfg&wk*uVq*cbes}2=r#GNcWi4r~+>`h~~zr2t;J}O+BFw3)7q!
zD<L%t?09VbLx-@2zA{@(>*a)vNs<dut9Zo1omI<%OQx1Zr_noXX>Q@Ysa-|-fczY;
z2+0vq%z5qyfJtq;P`D^U5i-%{!kBF37Dwxi5URupc{i!QfZoo4b1BMzp-09s2zm%f
zO4QZIuC>KJbyoI*SVsypO#I&|F)3vqvLe>W5JnV6S6`+jYfQ~=3~4H^g?Gx;Rwa&m
zj3N1QPMwrwBcV*13nsvpKKb{uyu!s0<)9&2eafJ`7}tAO<1+*gvy8j+LeGy2qQEtB
zDa{C@=MR`D_Kp@Cq#TtpZp-g{4I|39i7lPqvX0gAj<?q`!NtICTH+<~=+i#bW0J$5
z;D<>#-@vVv$pyXZDPC+-uuPnG+X!P2bJvkC*qnGOVb2i_A4ge-kLwH)Yi7>_RO=oD
z+^I2c6%6AZWqBNa=tmpW5QzEc(fGKuv`&vt{S7^?)_%U9*{ViHe*z`$so}YNR8LrS
zL0lbr`(n+VosbytfOn38AXoon)Ps`S(mdgQG2vJb!)BRZ38!U;R}sDXdK(NbXT$5N
zWpbj7d|p{A=ozMJPh!4ciV7&2Y%d{WduK|>s7Bb>N3{cp70zj-jtsHD5el7i?|rOo
z?zO(VyYcb{`)7^9()?*$aPWaY<**gigKUP7NE|CKT*Qvv2#`Q$jP{;5F%`oY<xe-;
z-^c7`4!q<`b^~3j_J~EVkW>UhOoZ`849Znr2P%RIAA5zJEwL?(?wV|yNJS`?Fnh3u
zJf$RYf8@(vYy?qshyh(nryn_X$wGlymTNu)yWl-~N;H$Wu-I@@V;<eMj@Z*WBh7wN
z)$Iq5{xk9MO#HOU(P7pZ`LT(PTlc?A;Gn_&kk$EsmA|F(S|N_8%1+N<n(_c1Q_$$r
zFd-A*U)sI6v><(YO%dp_5b^jqcD{kklCt*2GT?7o`3eF`c?s=wFExtfvE@o6a_7nB
zF2UjQ6|ome)U(&K5iljfFz<Wi#$)};*Y7^>H5DgkuGS8mR8DxPKgAOhVA?$~Ss-Zy
z9RswKoHVO|;W&V3u1G3Xf~+#}3a1A(yH!Ls*W3a_#Yx6i`NJM`b7wHAb0V0$?p@*p
zlMl-?(5^%}?5w{{Ji28(u4wKIWpqt*{BEp&idM>{n80uP?Q${j&Q~$;l{0KP2*g{x
zb2m2;Qpgl%Gem;IpF}1P&rc!~Ux!^gGPG60%}p2`L(c>aBi8b$Z1m=OelJ5U@5sJ2
zsSA=KI`j>B26%3MohomQ>8XP>uO8EU<C%eD{|=%C_~p-)%$Hd}pG`;*mUZA^yC5FO
zB;81`iMC0YWy}!`Dy6nDOgAgZc6W5i``vkLu!0uS)es!+d!ilofsIGnJaS4&VqBZL
z0EZRPC9S~y7VJ)P{T-T~>p6-Qb{b%B2FNayasV$@IzzG*y7|l{mSCH{mRm`%wQ;nt
zBF0hGtQ2%c`$wu&exwTJ@QCcKB8L1&s<Ju<f24}j^+&4IoJZReqr<uh#v-2S{I~H=
z++gY8uVne>V8HW5x>x`VIF${?H7oTI=ZtkCU6#nV8bh6c`<WSSVGSI7%zJuDu4cn_
zjj><mB(^W}dkQAyz`u-laE-U82mWnU2sUu;$fjddCqnvX=tb8DH1~N-4JRs@qyH*t
zZ>EVaVhv^2cos}jWh$GGfD|#n(LoE3+>dfEt5KvH4!5R_=Z=%tV8=4g`QsGa448-D
znxOdJip@HZ3-3bt35ADwi|S+r^7EIAb0<3u&v~U2RQzz|H-0q+YqVhw7CN(pjLwaQ
zMucUFzEm9oc*8Ri9RI}4KW6h6I|>kx_+p_frJsE4Cz}XlJ_N5LKaYE;TR~lq1D}t#
zxzZR>(ki;V$Mtg;drS$N6nS$9mpTAz#;;L_EjnB{A|0CuaYW>M#&4lN$#|ADEVC$|
zNgHSA!L}6<Oc)2!Z9~o_NOY)OPR)EYWY=gxs*M+!XLQ_@U~~dgB|~d$Q+Nl`4I6{c
zk!tplvZy7fIHfpE!o?X`@{3!elq9_vCp4K<4lP1xSx7qCE{M(_P^{0CR?d~gW}n$i
zOzEQ?(f*|1+M%6O%0t=*3!a@<sW1|O8rWgf(!t{r^?}+mA^tcLL$s$sR>6Udls8Hm
zl#OwIsgwkaupwv`G!k(vdRWP^!jsrz$+u0s27bgUClMX;Tt09UTXRt-)<9{hcwTcK
zDk3-<6%%qn#B+dJEAb+AFR>a%XC1?pD3)Yn`PVs_W<y}R0QWYK8G&a&iOrgayElie
zn{*z;OfG|wt0uZ>J=eEYY}n)7wPK@VM2Ck1*e>D=MU!C<HyV7DYpuP&o>Gl9NYsyI
z2c*ZzFlkOwD!NK;{#Rt<og?8dFYbgL^L|Ok_J6dDy3(v;6|tb<c14b*Q_~nBG{sb3
zSAjHCf%YB_yU35RRb?fPj<fqYzxuQslFd9UX4H{@pah#jUTPT>@$;x>g?0bJ)rgGx
z>+itg^nu%_;g&pe^92B_j0a5P9if2g$h=~`p`ukcPhTbVwh*0}2Cs&LdJ6$Ce7jRA
zK6+E0xfGbpFD-5}4P<0LW4w*R1hYvqBvu(sG1!b0nbm+2Ug|m4ip;|I*656tgY5WI
zLmxd>H&gE}Gdv!?uEqoGTwo4GD#3tgBXf34&qcX#jbds+W|o7rV-DU2x${t3M$I{9
z*XKNdS$ej9A-98iem%mNac~zx1^n#rS=3^hUOM;1-Q7<7WR9_Dfe5`Jog8@4FNbtO
zj~nX0bo(j1llA}&Y@2kOG-XT0NDUKeofd%cq*nDK{9?IQq{d1?N^_Ypoke=~Zb%b5
z52FQE>~*7sWu&IbF@68>lmh7S1TM`)2Tj4o+th1_ecnc8Y3yQscLry4fAi0##EwX-
zXD9P>*w%`h+!XsBSuZ8Htim@!YSS@JpzY055?y?p=j!`#?=dq37^K*vl+vcW;@HYU
z%HGC~BplJJiDL{9UZFunFgBr2%5-Oz%><=UwmxtPV3p;#q?10+%l~i>MVPeK&rOlq
zU?G4`7~Z#uIF#SmNrpfbne<^j>}Sudi8)62G$CjLA*^?%fUH6dih<tRQuH02NkQh+
z>Fn2-&v#N4Fmd>F-C8X)u@pQK@b5|)x)#4NX4w=PeBALvQj(D9y@B|GtNML$hedkz
zXQk1wz)?I31bo;7HdIjWEylw=CKa7jahj^Kk$V^I<>{ye`U8MOJc?;eeQ^tTF%7|A
zW6;HT$s6D-1bmkJ+L#0d$SMT<!mwuC819L1csD#Aa&z66_AXQe=1!12ym1p~3$X=k
z|LZ-f<o%GF48a?5=F4oRhIJfY%{-^%m&h|<*C@Jx?CT@d_>-20u5y`Dd5s2P7tka6
zZTafyQjyElHq5nysQ4j(n&F*VTsY_nro;~I4JME16_eYP=MTzgit;eKNy1;=q=dnA
z_|x!Vjazp5S{i&#5aoy~Y(6h?<>0V^y$b()NCL+OyDDmpWiKs$sb)_&n(jh$kHxJb
zM_3t1kmOxMA(4QjeElN#M%<8871Ye|#9<3*RNNhfOZhim;Ajy{+Q<&De^ik#qiF5a
zUWXi+4TwvnPWYkld4y^6#`3+5+jLCfGIX=pHeE_4nCf0wK{JY)4P99>aWi^<`<w)<
zMe_Rp<p!Zq#sd1X!&vlaalA9_2nGi4=6!$Zo5%m*Lx9GA_;3JNn#i%x{6o`euekCx
zm#0Dx-pr`-W33~S|FhP)-#^yMq^B6w#RFCFpS4CQ|7Wdb|JPa>RiuLIJzAVFD-HZO
zC%KzO%jZ(&38Ru*VgMu5nKi-n9!iWVTj0Rvdni5Vgq56xHtZ5*f<zZx(ItX5AACOv
z{QbHyMNCY1T)@ud)8AM`gvviD7Uz?MM&<>piuA+6dxz_LL=uZ;_%UhIaPAtrJ<M~o
zMj_J*YHN-I6pz{;<datbiAn9><-tY9fli8eVwH1Bkhs-9^~mjrQv;<DD(N~EJZ~?z
zTTYEx7Lxe`v-*_Mgk@l{OUEZFppMcWw9_SErgL}0tglR<d5;`JnkAkvm32%S)<6fa
z>dyyg?owyXZ@3QJx(!{OFRV&`w-&T`_DTOcV#x-0FV&N^DJ;#)ZHN3$;d{obaAmw9
zg3)&3aj3;vK$pg-NXhRRI03+AxKiS$e6nVXc+CT&nqiPPD5H7Mp3GsLCOZP1%7#My
z0{#G)F7Y=(GS<#Hqs9u^&E;N+uP^!EW5s9_HeLGRB@&pLSh{`I6N&8cWOIexv(KGF
z^UQUMk$z8u3S7!UCo3zV+tq8)o#|i$4%g!K>2s+m1G|kQFQab`Df<elWfE3e^>X6t
zg~lYwB%wb{zV4Up(VU(Ej4h&JKvnwtO#1soDsHtZI~VLko3j2JF8k~2GA){BF6p~9
z4tD1x!4%q%DSzV3hn!suKQ1g8@kD*@9{(;LnlVR~aLVj2I1+8muw<&Bn5V5Twx_)6
z%t%KhPObfy{6~_vO-~J%854B8^tNa=tm-fPL$Nwi_L&!*UNMfQfu^E!Xc17wN2{2Q
z1YZGEbpbubydqA*iXPdTWWL@n+8nk6BfQd<5vRmmmj0~k!XeFSJ}gd}?<{PC3>yNX
zRDKdS<g~HhPm2Q$v86IVC7HGn)dR-lSLdg2ohdKuD-Dcx*LG_a2UB#df$EoU3<npR
z+(itnZ3Gyvb7}{d3%?@HmDz4h)hBfq;YoQgQG;PkV2x~nQZhs_XUz;&3lyW-*kgJc
z5E<%M>}WZ1A7o{HVLtbV=5wvPi$k;h6D(mNc$bHBpskYtKdE{aB_pA#DIGJS2K$FQ
zhn%H8hiyop#y;cho-j<D5^y`Cid7wQfvJuW#ch=!m{BfnJW*Uul+ma{N<iRaEks*e
zjv%p>fE7b0PwFnAetT@*r~ggr1D7X{|9vrSVmOi)P6k#D$N#snLSMSQ8d@k5JWsiz
zj})k{2?^WXU3ujlQu|;#NdpII{bWTmIO0`&RcE^t#j_8k#-kqRV>E)j$fKHGd7tSW
zUI$i8?k<BlG=<?%?#`i=+a<i>MTsbM-G7jfKqQF|@LAM#F&m5>$)Mb<VHZnwtCk00
zY%(m+{t(pfro_EaWhYQ+CUD`Yuj%AIUK!nP;7~B_M21%cpc0o|g?i@B`JkazRj7$1
z$W*$pP^`vNh#MYCnEvjbshQa>2&Za!HcgE1A$_F9?QBlecC4T3wdk9l=8n1^?~~-w
z<*pKDGK%;Sen@MJAK_OK`VoGbc$w7!$tvusAZ{b1`MN20cvfi2w6$N4Efex+r2rMs
zjvx*ZqdvAe<lvBWV8V~gv)uyl4B7-PVpm7VKj9pi`{cTcZxCCO3*rtYe*D3#)aa%C
zDDaAOGYJKZq}a5O3Q{B3SMO+aB(dv$x*m>wQ+d<(^Lr^ppiz-T=2(|q5EjHSBSS4y
z{etX{PESny;!~}p<}Md&wus)b=d!%1J)1_<`{W;BHU_u%{W56IVYDql0a0L?6AKQE
zFD1E3^0sAY;sa15@r{Tkq>)d*0b_I~L7gA+@GJxDb)DRL!ui<<e#k!%qJcU)EFP7Z
zx|hP8@p88VO!Bdro^OUsqBg0xuZG1`Fk03lrYaMX@*qPfc2pLDR;P6a^{iK!Qf5rZ
z33bsZXirI66X;jBkpEAN9t!Ga|DW}mCv-b^aCashfdFZrZkp+g`<&7_e1#lSO9drp
zZ-3)n9w}+UF*PrnQcJLr<!oH48>0EOqY?M51&8*HqJj%oS|YfXOx=iC5&}6#uToZ=
z(ujk2MMGIi<qmoylNQq`_acuauD@i+P6COz5Kavt^z<uft|XN#_0X^%--?tqBXIzk
zVZ?cHP13|%o2G-DV+U<~E*7NJU#rM<R_9JH5P5oMGGHFWW3)5Oa|PnYCIivl9<`63
z`UJbbO)ZM#OxE@<#N%}nPsoPpuTgSy=IE=l&10V<2rzgwgRVt{90gw)(EC)cDrRe~
z3rhy^m1DMqeDyEt-t%P(d;6ytb8_~=j!>C$azlbxc{aeHkBo%@m1E?lokDK}1HqPN
zZQTVHl&TKWuVB2kV%4br8pTzn5w%almuMy|UuJCy$O|g>n`NW+&q`uMm66m65Km{s
zG$mOm#TQXs?{PVN^9kTeE2=ytQRGt0+|PcSn(|;^52QFg!%?N8T{Kv>s4exMS|z!i
zu3FA3)SH>N$6upQ()~A^@tA}NRG}1Cv)hV1h9W^#32(CMS|fJtOPcnGo&+!sO53F3
z8e3q;)5=TM@y~+<D>7*NJgLB`cXV|%r>FwAfQE}-4>jF(9nko0`)Ib1zwHX8!W0SA
zq7U_gnqzUY{wexNAtW00XQ37EIT;wfm?dB0gQfp|@*wu$9fBVfiX3Ww6h$<sx`trd
z>4CE`7x=&pfw+)n{&lIFCsTW9<}mR2cdgk_39#cpAV}*c_(EjnV;hr5<;8bhbNTS~
z5ZN4tLsq$bqEY?SLmxJ{=0)K4UF%j4#U87dbf*NJpZFJ|Cn4cqS<j4BGWb8CX=|;o
z?46mJgl!VdRZ*_#){6}_wTa9-YgSvK%D<cdoU6SfwW+IuyE`knp=l=1V9CpqF^wI+
z%)-0tW3kEIkWj;W*&H%YPQZwIvv@K$#|g%8ZsLm%ZF$CvPt{*uLdM{i)>p%2=eXpa
zTfPV)B>g4h|4HoimztC_nh%szCr!(Eg~oce?3t1CL66nN&xA8o3BJ6Yx3m}%TgeN4
ztkjLY1$xF32Y2t!+%mZn`pu{V)#dnK8ros#e2_bh<_KJ-1`Cw}G~bB#NzFlPuyxd^
z9cEGQCJw{<(y2|E|H|UM2zlLDmH)eFzKlkdO4Kr6OsYh~db+V-7k(DjYm0lbsFeSI
z%Cqd&zu-UzjxFJ_vlCT3qeqvBpSHJ|Sx;MR`Lob)YH24*gaC4fQN$qO2)&TWvN6Ok
zh>R!YXk{mAc_-?*;ODP+0ynw;<w<pADs1jVfye&csQjyBfM{krVi1dY{bE8Z<64oQ
z-^^inj-nZU`#*2L^z$p~il`?GfXco3o=y6u@rMcnpOWs_p0?I^qM8eoe%_=!nJ7d3
z5kJ*vcfKO)GCj=vuL2l@<5HldH1KUsm+v5uS~Bnmk6YNz0@fVmUQkma@-0qgm6)%J
z^<eNE&AyWD0{T+ly9;tPGbN*kG;%jQxqeP(6#r&(R>TaH<}AP~`C3_)Zm0ih{t)j7
zqk;SmLGm!pQUDKa;{wF_&)8MN!lPBx0%tOGNqHd=LMnta&@xp%0`u>AV!XPPQsM>d
zbH6iFC0^8x_4xtBQ{UK{MBVi}lKW9bp<jDL!|z3e4~{QmRXVBBC$rv_Shg8Nq-F)w
zAmvfI3g>3X8b^JM1wcKp;x>0V;>euxMqX8_Jc^@Y=gE8zTw-<n1``7o_;`e$kSi`r
zo^X8~2PM!|WyLU!e(42s+PKiLxKbx}y%h6#HN2nnvNR6{RV!}?+;T~9fmHafl<UH&
zigSx0YWss9;yfZdgc?)jF_`xIaZZA4c!$(|=Lx!4Fz{^<x1LETJ{a%7YG}xuyFTO*
zDyiH)qAVXV7YS(YQ<>8VJmkq1kOn(jCxssmO29_Tru{1!(T0BKcDUd8Zxl}KzjPVi
zv7Oi5?bm^2;3L)tHr9+wJ=ckBP~H|Hvyj?={;iMJVr?GizVY6%jem{umlWpCEE}I9
zocfu>3p>)b-LvN*)-DR=p28+;KDYYD%)05y*#`<=E+Fg4z<DR=Gj8#2VMV=o{`#J~
zy#^<#J$0Xb@tl2yfb8!d!vX)|Rq#`$D>%;!?0qd+1$Lj-=z%Ou>I#hpK4JMZz-IuV
z#Gc_W)BOY|tLK=T8XO!9w0_vC7n-43(-cCbP&37!5!8tDv)pNv#_FW?{r+;C{`<``
z9l8yw9n;M_o!Y&PH=Sw<*}?NQh^Gzf@{)Tw@oQ~o@%ZA_ihq^O+qAZpPGPC!t!3A@
zrSvbk%!U|`rQ0c%H<u3SquBuYXUviQ5r)<64O~tvg6CgP&sk4Tw<pip&|jO~gWg&Z
z91l4JQ3%v=1Xk3>6PxpYc8r*ELQjLD7E=Fd>8+3tSH&}b>fy>Vx{e-cr+&W9iXiPK
z><aa^bwx2Sl>Uq9+4AF`<5Fif*Fy4mN72^Nad@1E{+w1s-G=ij(dz|wrRx>e=M=hp
z3?qK1TFhSKx$EuS29uZg=86<d&2=}7v%@(<Z1Q^3#b`ge`st^BUTXei4C8Av=VEPr
z?-Ldx;e6LZ5jhUVfYS?khS~DdS>C9#s|UC;d2CGakPU=^_zhMDjz(YgqBRxHU6OXE
zUjzubCIomtyyNV42dLJW0r`gbUR$cSN?#%zT}pxT1|xf^Z`53Dhcn+H3^oJtY8Hcm
z(Ot)dkGeSWbTP8Li%B(eS6-^S1Bf~*X5>&;jm)iQ9|u`m4I72-goC_+1-CI<3M4K$
zpobxHA!%+0ob1Z_GxO5)YT4N1alj<$;!$5d*Ypy`aM;@RUwbR>+BM$WtgEMIA>kSP
zr{LV>E#3{^Cf?0!YpAkXJftB%+OHb&K>L>fRb4@iZp=Y$7s%e=w!R}!{z5ei-W7~h
ziI7fs8g{fn-H~7(c`VciR&ac2ej~LyV@}k;>-S%Q+1+1)w)|_Omb#3bXS@X0ub!Z{
z?=$`1jXfM|zpDD|-0m20ny+36uSOtxqt?w5m{kg?V4_BJC#@iQF(VusRvxl4PQ@or
zTMaYp0WqTzht6ZTX*bOgovqt8?>BUVi&VMMpdf#)^)2Qovx1u1Y3V6!iEf~sA9Y=+
zb@EwNb#O_{6fnPj(NWVNFm8WkovLq<U?9x4)K_UqgynH72&lJ_V)PUS4_>K-hkZtT
z#zJ90kW>Cq#&GLwN(05_P7-@*G4S^m6f-{@+{o-h#6b0H@9Zyv`WMTg{!;+_!%BxX
z8yuPDL>nho`22J#)zp$w0rd4W8(m}8Lp|D}c8-n*U8=YP{ecxl{V#@mr!)_;B$-eU
z!(JfaAz%Nk_-&f~33RAGwjXT`;f8ql0K^-e7z8mGWA?VMg{*t%cw1i|Yw9R<wH`zE
z_Q-!%T(gLvHs^J?Gg*vmF$dRO$}p3`hG}>zdS#Is8e`J1fC9jUUU^QC3sP3h;EQtj
zt-y7G$n)?Xa>OlU2JoTerh&i2K9LHSM0I;EWfPZqgeF#^ZU0=vMFhT39M9Oh@A(N1
z9Be$Otd;e`_{0u}gKC72FEwUFjeGmRd;K8?E*UZZ+9rFFWeA|ji$8rh@tCS0WIPFj
z0LiAFn5=ST{dG*E?PHcqh`)NYo9gM;RR<4@x~cElgV#4Jwe5PpD_JvdGablWM81sN
zEtd^=q~MrOT_h^cNKe#r$DN*}0k)uAsrxzTEakoh&CR}JfG?jgz8tA5gOMnR)JqON
zmzB1?U;9n;jcu$!_k_rg8G;%+Gd1*=E{m4D)(}S49z`eA(ZEZp7x}DSp7W{1@!tJ4
z=7}5H&e4mZhwhqt|3zrkm9>z@)w?Ck^iW{^{nyKl=YZ`S9aF=W@e-ksiyG)gryP8l
zdhjvTjc!U2y~$EwtvZo&E5tG7jtPxn2HI2;M`rfixXPt6#{3ozO%jd0AN=4tUDZfP
zal;66_++$TOD#sqgpE)B6#!%0VDnhiSSdle+2~p6C~-y5yy)zkB~hyxemYuTLm(AF
z!d?y4M=eBFzwh8|5*<DI@_3`(2A~@9ccI2*dGON>s-ly-P$Rjen4VScWI;Ya`u_ZL
z(RoSy-n#-G;3|?OlxDWrNN-En_SuNnu*KOG5%5Bzqu=~Cm_bRIA91@OmQ@nu*m)N9
z?tAD|>XW-V-9n@FNo^u&qoSiwR}#MJA~OkZFQ2TMB50~ET~oAV%d&k0MN{AUXqTo1
zb7)d=`ST)oGBvZ0Wwg(NZv?hnSuy$alkem^I5HSFB22_@GK*inUlebrvS()eaS!wb
z1U@(rhfTZFH$XLqbF&ujLXD&@zk^XcG?oNjJ5w&YB}>V!ZR+}X{Lx{2OX$5&WY^;+
zA|Cyw3|FmZfr8Uo;9N8I|5UuqYG?514*k;-)_17AK4C6<Pzo@{nB3_dga-G4ZoqH|
zaWb7M|3^NQh=XWr(<uBCH5c)wqWCYAVV--Jgg<gZk<t%LUG@+AC^$?UJ9)B`>LB)p
zd}qD9*l9*xt8>a^s;)6!v$pEPoak^uScdyXRzin5u>c*2VbbU3@VbL1Wd?u_2WFHt
z8nYCv6-~0S6^Z0^oa~lTL)g#K;60@lsBsrefG7_8p`|I$KZu~U!ipKRtJq*D!J`K6
zDI+IHiui%}mqap|Aco-yx}y^>qtiRgL;xm)j2rbDX`JU(IA8<!;deylNGiL+Hm0-5
z9K)MDYf;LlmKrx+(le^Sx7G1UsvERwiJu!zsv)Ap)(8J4?`%xUG;fGo;-bQAnsmE@
zxbjn8QBQjwSg7P}-8{@s$1E5fF{)!HDrUE{q`yolo*V6q$*L=Zg3t}?t(gsE5m9Eb
z1%9_!2Ts_;&#L@<aF`8&J<+aobU<|5ZkgGs1zO`)p$c`HnjJo!5H|{TqA2~n+LWd5
z;PAzhc>w<Ez7ZU<|7j?a|6FqAc3}M5quFH^eAy|N%PpEGqT)pdj2%U&uSkMtwJ+K~
zbXCw(r|+Js)3t@wDsE{a;8UF4-vVdG766K}L@`j`5~JWXkB{he`85H$+X8WDR>#)g
z8BJ&s??+5+lQ;sgtxfHZ7`4AEj>t)*MuCS-R|mOxFV2dKlVc#D@*={=H%U%@r#-PB
zi&+~yTZvyAEJq)%T?M|H0E_GOoQ(0+y7yA7ymje{WB}+!7$xQVCWDqJ?$pRVZ4W@p
z96!ChjZ@m4WS6W*Dt^OT*YIPNk`-Tb_Hzvvd`N)!v{HzgL?ke8Fytncw-TR(dUXO3
zT<|JDJ5Qr^Ti@MU-}**CZr(4(EFobk+YR44c?JH)a6N=WwC8F@VtT?Ol%F@qS5Csx
zjX3YxOe&Wr6EnfK%ZKA{Gl0FH8a=-6QxIUF@J<wVhAA>xPXwq_Cf0}m9E1T1&bz5c
zfi7@mK_rSRTppeU=4(iMPItmiO>e^<obzyqFh39*X0*5DGZ0jOAg8PtU@e6fFxen4
z1lCE|P5mcx`z~*Rz+qOC5Z84+XS82l;^jjAp9vCf4sY%p1n4Mt?O?=^BQHEyRyF|G
zG#rX^DA4W0dVlxo$PJbk{4>*_RD7r6iWtT%;EjWpyrI3DjN#9Y4teB0{6oT12X@#1
zDLk@Umv%_z**hP3VUR8D{JHuEOif?=Fq-IVnl|OV6p-sOsaen?L{AgLaVvQNVa&Y`
z%D;1Hw=q8-f1Wng*RZ0-$3AiHQ!AUWL0uGb3(V|m<AJj$SFyj4kfC2Y`@jGTPtRYW
zytcExE5A6`@UB00UhEjRN+}-Lo5M;>t6!>)YZ$qiL87Q3*6>9kLue89(qOPfHNuYH
z{vQCGKx4nNUccY#?_Ttuzu4V<(cj+eAME@mI*|!IQy;VBBuIo<?>%Azhgro$f8r%K
zgUE}0sk<zoM1$L7-H^SdHG}~Ltw2i{GSLdOghL^%KvOvO(h4+%gFRU{Wq)Z+5$ICZ
zZ8=z4TLi$=3baMwXRSb6QgOWkjY(0!tQ&LKRAb=S&Hx{_JJ=r%_ja~>&pf=??(O6K
z=)l`~*7NrFp7*y8_YV%A?^RfKk7lz(UU7H2O9N1$n={$NtrR=}x9lX<$O;|@vNuRJ
zX&K%~He~^KB>!2DKcax$B305UaKR-ZLq-d`h=5vv{_2C3{AtypN@P5)gML34;?0|X
z;BEKzyn|8C>ko##gF&#{-}8dq1Fs4^5O~YMJf6kDDE#fAsGR!y<w%rx^8xSO5w}Nh
zo|Il$@dxzImO*l9%Qz&Lw7?>T@9sPzTw7;kVxa8BfO)2pW)Q@Uz8D6)F~j_V+ep)k
z(P56xtQ78L<ivc9@L88eIxy#<OR>VN0&9&9M~BZ3w+FrbXTyGP?{II_d%nH5+dJ6V
z+1vGZ{Jp^UE3y_{H^x978Fp(KZFLxpj>)>3zfzy#R7&1$P(N%jP=(KV_M`m~9d+ly
z;sPktu=?z2$(@%*Tf&2L^0WQ@gJ+|?p!eMK_j-E=!~Nd#KK^Sv2>OGa;j_`M=T+e3
z3?|94xYmgtnwWH$GO(M09ge*E0PdOR<dO&~GA@}D=i3Os!mXvwFF@_tR3D!lsv6}}
z>MxuM(eBaFN%>gF62%ZNQC$?%oOv-SBvE1jA<K#FOh`)?4WJxgR^fx*-Jfhoa!cu<
z%x$jJwLZe*jp#<tC_+-~YbOB$NxzR5$xYE~`GS9Hn*O?Kw4;d}LM7;vJEZoXH%6P&
z4C%p6&5j(ICi!=E3UMN0t}qWJ!4=4W_1wpNgylJLJ<n#L?-Ws58s^D1e`R=uhg!0p
zl9QC<$cOQzJ=_$pvMFiT#K;W2Bv_YnzXSz>NL08HJYnKAlVE>)d;b|tbcRcW)2c<n
zfCwTIP}a?*@9%Awr_WV@^@Ibb47f$l9a?mNGxVJ**xBCRbIO2QwC|Rozvo)R;f`wt
zryBa8Be`a98dk`#>yiPF($1l42G@DmF_2Pm;+*>MtiRoN8dk{QG;xq&2X#v`z`w8Q
zAuIgp3;-&N5uU*a0xD-pfk2t00R&LqT-s8!P9$%<n9Y+7_{<v2Ktfeb;9IerlmqC`
z>?;cYDZlGyf98NgRk<G>cxa}7X{*Y|lE(MtMk>=b-Kwi9v<8%@oakFb63x-{8r~Rj
zuK{45^n)9wsN!EqVFtyo(cN^a<Ep?z8L_0Fi;8lFs?vmo0KY%olOkOQHnh-})q@VL
z1Ov4C(4kJaLfSF7>)IoT?q_#YdS{?N4`Q_S7s`tN^S}S^|2Mii9*4tEAQ?OaR0jJ7
z58|0&M*!YZ5J(Cl$dAME7&f${MGUTDS86As1N^_^Xm;Cf@yfP%tb*M3jcNn=msB5E
z`<Y^DtmV%w?{h;aaHoOeV~&)b8^z5b{rWC`A6&y|<a&VE_caMw#8AXWerArtxwdxl
zDPJXiSy~_dUZ})k->X?Z+l{YP1?|SyGK15wwi{pD3{DeQW#h}G1eLIbZQfV;4Tpfv
zy?ZGzl9Zn^db+eIF#&qwit>Y1eJY|d@5ACA75XPhGn|oi+$N(uMqMN};x<_|W4|GG
zAMtHh98R$==XP!Mb#9x;(^lTRHGqo4JHXqb2f@kgzu=AzWkxX|87vlgg1hphb+Z%E
zrNA-y!PKMcaIL^ghR$$CPlE1<T2hJn(mnOVQedVhmB}!h-HKqeluL%R68R!E{hFp@
zNNYY3q-*3df~iE>$#IhC4=@9O$>f+SpC8tkpf1O0`oJxbQnE}paSG8>DNVlj!uE;Y
z;}IZ9@CFP0Da&YEnI@d27*Tuz^25h$Y=u$E4+oz=J|g_L7!>;A(T&Sm97XdrF)X<y
z-f(CqBVXk^okPAN87?Jb8SLqepxs;*fGYSN=hA%Q>}p+ucDxTpagf}6znIU3&7#W<
zW^cgdV<yGRWWENzD4cj_d<8^e*-|I`!Da;uU3TY|O~mYOed2ksbmJVHI*@M-L2Y#{
zEpjR|)U67Tt44tt;w+Tx1lzSd8{hJ<zDsO!iV8Dw>EClQsNUd3v2gFWui=xWV^x|e
zYumQIX_yU%0SwtP(a;|p`&@jxh-QBeJ`*=sX4-{;%fq@I9E#~bD+NV=)|kmPVQ!&p
zjYcUH@rSQj`Fr<KwuIiNskU2UobBRej5`A!5o$h*#^I2{VoS-j$u_zt1n-JghF(f}
z<PRAua1pkd>>J3OU&7E{8bBZwHsx>4nrv+k&X+*V!R6*%Q7vtu7suZ1)i{`5&u`Xq
z6u&`Cw$Mj0J){SPWPkz9TCe>MZBu^Cb)q#lx8`P>3{Ew)=4Q(bt-0CR+?=h>8rh%k
z{0UNrko{Ju{=||(^RZLDOeTfZ5dbPN-xKpw##kobd&{IMB!Hdo+vp1xs(5)^-@s~B
znKu%AJGzdLh`u3`ST5(!XlK&pU*}Ocoo7C8q5fopMCA~70}_;z%YI{%9q%3%^FWo|
zFVB8MvftpHG09w()F(-O?>3=ePRP5C)&$LQ>kq8)ND-!#8ayaL5yK0sPU!<DdG7s>
z|MUO&|Nh_qjr{fB{>vJvJLg}wAy)wHrdA|6Jw(Sr#VFnnYd-+Tp&@2Dl3p-i3TTc%
zn<gLWZy-hKYl5r9^~Z9ObN)_BC!zXCDNoY3kXBMhF`JW3*o-NpB$HNM)nrc6fi7gF
z!zSH6hviE`U{pzZS<B_-k?A$XS?!|l<LC>W=1jT)eN9_K*&2^-Of)u9szIwGb2#Tl
zxqM>i4H;4*1eC=QtLuj~n09o{SyoU&8ohzi-V<`2@pumen<|n4-si$V@|I8=i(lqn
zS7RRUpMdXS!tSzpgI=@7vI+*VtZ*o7@DIDn4L)FtUU>0!Feil^2jlUHG)7j|8!QzH
z)!Et;ROO{IrO{#~akPwbg&<o-;ga-gwD=N%x$JrpHJ#R}B`=5@Eu4w$M$62~*+z@j
zh=DpqDkOcQ<!AN8swEdJluDc6?k=fdi6%f-Q(o#x?q<a+^ReurtQ8K~nBm-=G4H|D
zm2tH<+j+`7^Os}mDQ<_IcDKtg_GB}()*hP-t+mH8!%A9v3>o0x2ekGWt`DR#>j^t~
zy#whhP8iBI$Qvl<HABaS&J!-?4{!z}e_3u+Sp#li4t>uzyW}FjY*O6rcZobIdcQH;
z9N{99sRe&2@pa6(3)#4fF{*Cx-o|f*2V^UeItMcsZJ0dt8jN$T$qLIF0R<(O^9$h>
zQ9d6xJBG<J%lF)7*Cf|8c0DE+2+GSS)21_*LiXa(xfGuIeVv;nUujjcPQE2HDO?ST
zIhfMnqZ^K1|1o%1QbxXP-W02Kku3T`%EE-?_3K|mO6&(&Z%jd(%m*sh3ff?GBJPo?
zYTKWbm6f=D(u#@+OqI0WpfwB3FjJvqCx^x-<qf*5Hn$F?E^TWaN|)qN`Z!_QTF21V
zF*Gf~#xXRP$84X!U)%iZndV!|d~2Dv&F~~F^Q|9dE^F(D+4^C&eweKv=0o~n3hSqx
zIljb{xb`(`!@67BD8~LM5@m}N>MTzQFG`DI2`*jjkhGsma|>O{odn%Vma(j?Ds0m$
zxP>}6fjYZ)x;t)GbjhsjY-#J>sCT2ZEg@0Qm^#1N_0i3#QPaqrEVRr=M4@F`f_q|@
zG%Fn~Gimrhome4LEpuj!`R3$r)g{;TWmE!5+FWxB_YDIr$y7;KTQy{5f9Fvey7ION
zz1gc^R;g(OTX}y=ejmZ{QPwu2QNOUB3u|*CS!v)OrumK*WA-Y(Ox;!FM_(*i_($p1
zFx@M{9tM8fJe6ynMsqxX<B(Sd|Gtfg16TUe=FztxOoGX5eybbW4Nax`0^vKJUN}$l
z<=yn;Gc|JS$u~duKgQmaAQ#8cIIk*d3)u{&Sc(k;U(TI;*#5XtR=gmvVx=HSJP=CI
znK!SG(wSg4B_ZjhZczARD*qygC*->HpOc_ik?L#R8nJTz*&E&#D`OvsTnZ*2OB<?@
zoxB$+WLoiYG{JP{HCNx!?{F4(bb|hhcjGcA@rr-C9fYxua_LaEowZv5H?9_{#&6^3
zb3jb|TyU9cf@JRi!I^NE!d7GFY*B>L_sKqT{nV#Wa!mH}^v3%O@{iijOR8j<u3p6+
zsG3Nel=2<TcyRHLx@!$o$obNC5N@(h_kHDRcKOz?GLn9?d%&ha?#1Be)z3bGPhSiy
ziV(`~lF{zH#XMpfsQo#68B%?>1mynC2|xaE9`!yt4fsBFU-=l5+L7s4q=%U~jplve
zC4knRDoHE@(_iWLf*NG2VPn~W*Bfd=MwtUqo2PtP)7OgF8QTB&Z~q0omi2I(r*ft2
zEb)K**Z&JT3(D_Na~d~1C3Qm;siL53LV59!=70Y8|N8%+RuR`crt(`wyj8>vYPPKc
z-OV*Ar)N?Rdv=1C=2_cX%V*q3(RefOx%V~sAnIhU;moT%n?oEqKVGF?J*w&^R~c#Q
zcUr!4IQ4ULN%st=exJW*VF1}NwcDZ5l(s}B=g9&&i+&2);V%T$fa6$!UT7+HoSQAR
z&}=J0F{Wl}hRr|-@MMS~Q<xx#VvK`&!<fB;SXx}~Z^Nj&TTO~n(A=u#=om@gQ!31U
zxx1g8>k9e&vr%ZW$OgR4D|ybB_;Z_F%^Qz=SZ4G9IUlR<EKXUuhO0PjjOu7^pKkCA
z)`C8LPv#}tZoJl9hf|UHt|6m>!iSnllZ<b4YkF9z!?#s4K)}L~KjOQ0a|BdTI1jvE
z;{;TpIv8xN6|J?RwN^A%-(#~@m}-J#sXe2Ns__o$lQU)ao9JzkQg@mtHbbntO_V54
z@?H}KDyeP1k&*=k9avDwVa_SmJ{o}=3}{%vQMyFf#3N*_Q>=)rq|Fwjt%WMpDtleJ
z^Da`m9K|4+TrvqkMFCUBRT9i|d_n9CdAE4Ugpl=`F8K6|6U>~dnW^IfoZVicIKcUa
z!TKx4_FOdZf5rDT_`TLeufV#K$%X%S`H`mPzdMQ~9|}p*Wi&f58}O7i{+x{IEte{p
zyBqR_p}&AI5oWslf(%g${}JLA$_wd1A!}$7#Q{V*lqaU=OuFuY7J$pbTah638E*q(
z?l~ZaD3o*)hg2~r$47EROv-%Z3z<*ECzPd75GW*v*eshYz>wwPGBhkg#6gtuyul=#
zGZ7j?4BiJ2I8S`g!K3!FaeLwWB?TEYY^Ezr<YmG0qg&m)q$HI>4Rs7yKP&y?Eerfu
zW)(8y2OPS4a9_mH0?!sMJ0jr#=Ysx}j@!FW+-;?zt>>YvJbC+0Hsw-+<*C~fS{EQG
zFua%Mpm|+BWAMCX#$ph?RZA7Y^p+JCgX%3a7K7_;GZupEZ8H{v?d>yGs!<VqZ=bQ!
zbSQ%H?J_EY^6fKLoyUBTzIDcYu)bYJMbN%|#!3XB2;$dfgn#8=ek;!ndKyi(ak7{z
zs%i2O_-HX6M_4;%$KXUy$;4m3p!<o94{{K8NeAFFYx>$pa;PkqmRE>#@>m)CoeS^o
z7oxrS0O)dWvm_hkL(w$Q=LqYZsBq+uH(mKdf4s2>X2pa5{6ub~ttuZ?dSIU$v$CC<
z7=Klv%>5&++|PqS>Pb;f#p?RUrvSFlefiUJv4`u<L%t!oju0A$ABxWA$U6&}A>BIw
zdJy6#7&+^eDF#C2j6psr{*`uMpr=08%~UOK{S1v)-bgLgNxzcIf)zYox5QgN{ibyE
zXU_b@6ywFWrCndD%R<*aq+q|@n?2axj5q&>%n^L{P+cfUg<P-Y<90>P>~XxvO`Dfi
z`G=4!U6-A0qFBK{WCJJt>hEQLZKo<2*?LJoVMCSvB>N=kE9`!<iTCB7c&8$_;czFD
z_E5@7whAIG(f_j_cQfVg9A<xJYu$M+)rytn^dnJ$vp@H;KS>kC;HJwwo;HQjDMnqg
zLT9E?(!a3M5XE!I#mg$_W?V)506;&qa0I0jQ>0WE;Oao>Yad@`sU`*WAr+8()OO43
zEGmTMORlVjOG~L0UJ5@wh(^ThPAGo~Ce6GH<m(Kuadsr7WJOO&F~U-+g0tkGQc1bY
z^}derRHA^wg5=~!Sb|z>i85ggdivCttz1gW8@6(}jvIDjdug?FX5>V>fVK;0_Gjq=
z$_97ss~FxK$YSn&DuP-5_Pq9<&uf7rk>cR<^z6v@@iIq_W=-me{%rNg4vH|R?6gpX
zEfitpE1?UP<jlX$N-eWxp)cY5<{os~mDV&B%C)R)+TjEeY6yn{DzIyL#(vb^Al=>|
z?Oacywu08F#SEiZqww#SaD#MVO=z@qvT!t7q8i?@MuFLNsnMb}R`xnYDptnI<=buB
zb>NWuO4p(%w^{#oY|N^iv36t3_r=BCaJ&E2?0=gyAoFR-n~~XjcjGZqSdWEUgM$Ux
zLH~Bvwo?;wA{1{gB#SMk)J2kB39&>Syrx}QjOl|Jm@BCEIYKBbIF$^^w(F0z+4%4&
ztVG8;YXY(~>*mU<W?XK5J>){LT^8GAF}o}Zvv5%~=Iq0|1g)XCH59jo;?_`nABJLQ
zrS;)7)dyD_TZ^!{*w!L!WvOi~!mUNPwFs}4Mc86To|=eB$#}uK2qsvAn+E`>hEpbZ
zcOFiIagTs!9FeW!Nf=|D60gGPW|GwRFUjyGn0O@L&3ryfUTke$hx41o0Ba(Xtv7r%
z+mgb}d#7wU>-~zCvq2PnO11{$Xs|W$FfYbiv`Dhn!N*M+2zz%q?R5Xw{{`h9Zb9h0
zK%M^PwlWD_Vo!ZY^Wn1>hj65ttgngH^nJjStZjT$7BOT>2o%A`r;|^2mwj=UE9h%J
zJ+X>FiDH;G-=&NGX>rlt0(hFx$35P{3Wf)YP_eZgZx;TN4$98<&Q5Q;5C6?#tXc+N
z6j^{u$mn3ggKfu*t1$8?;cdxUI-{HC!Eg~{HW%$&>$2Qyd|rENT{Om%x{h}U;e0(e
z^pN7z-yy}W0n~+J=sUQ_cu3}WnZfNVj37=REqKs_S6_M2e+zD3mQyfq=67fuT}Q9O
zaR6HBOAj(p3yIG&T|tV?<n#4+@(TO%M-Qv0Tsy;m%p;ClL=7yWQrPz5(V603u<D3W
zMCXi{2=EHMpKE>-aAPVoEP=3~YY!lX(yF`|F9;GyQZfvtcyyy=6J1XKEn1+VhcgFW
zJVo9hS_s4fB(zGbswa!#4e}DI`wH_dG-S-S0XPw6#SpiSZW&=;1mE!{GJOTc-&@Q-
zq#Q_q73*L;hW`fx4c_9D!3<#%Np9#Mb<DtjdRWnl!|Q9T_|q@UsFQ4dM~qpZ87C*f
z4Da%TDX1GS>6U5p-2k?^A3oA#$8>OUndNC251dZC>mcD%u1Lqk%FCV2z0K|K5ZOGu
z6vKTkO%MLa<mdYU|BI*n3{O@G=_N#>eTVoh9510&l&@b3!noU%30ozSDDI_NstMN8
zNHc1JE#|%AnU8r2Z5a?72iZ9jnS`^diA+ps>!4Cu&G=Fi&hhH28zxD(sX0@VNw;QP
zC9E>KRuuE*r9LUmTg-2wSlbcaLNWWAMiE{tw1~WQXiT!0!NG>MHJDFho7NOsjrEEc
zm+Y0yh3Elm#H)0_i}eLfCfI#K9<E@pyqlT4TejWzCHbHo11cuTly#2Yo@g3|`4g{^
zp@&m_P$f{T`TWW9V7ex$Ya%%~xt}npsOT^}s!qdW*%X!BvTT%)!Mc{IUVl_fTmDsE
zv66pE`Q@Ht@i_d1W&GbtWCTz1i&{zvR%hRHQi|t(%XKGJR`{sNXOt~+9yUeiL^YP$
zySuraReI~lcAocdC8E9Kr{-Q#Lta&c3_HE4qTj6avpDh>!?FhE6BgPT*2wFyB=KB~
z-Z*&)MyjK~vv%^Wm&Er){e8E$y{FXQQ@vg4iN{Qz?-%2M7k@qrhA?CO%xHADnx~vd
z(&QdblFdkEX!35Fm3*BK<TwVJo^Gku<Mhup+mXT>2hAP?4m?UWA$<NRk3l&)29qZE
zW7;#_ej~rnI2sa5`!U`r%mW{5wI{(CH`WiQ=Xj-`gSlb^?Z4udXm1P?k|1H3M(~?@
zDRTvqYn=$#dN)J1c-@@x+03t6d>5WsBgvc138sc?f)~3<wl!p>q~DUQo$dZ}N?KcZ
zLdVhVM50Kdr2a80`8f+~1g1=REJ;7denkB7d4+ytSF4UFP4SJ>QBquPZMN10QaKvq
ziI%xUvG^J}Oo-cJPf32&W?aq8B8yOK@ih6k3SW_?D(8v<T=&)I0l@L2QAD?SIpY>u
z|M~3g1`0mop}<?vzhgm4l6sU&5;UZI!nc1@yo)C60!KUxfaFIzd-U*g6CKUxn0s+=
z(8RlCIdMi_7%3Q+5t5d4(<0+w5@F3A_K-a37kEF7@IGydH<)M|1b*OeUSjDqLN5^K
z6+ap#Ic1VC%N8{P^n?{)YlPeC0hf5=WGi6=)l2u(Js6uF@AV%O5Cy$47!vqP<vu63
zrZU-rj-^36Nym!_7$hW&vczCY5WjJ01d2eFgct;&I&d2yKSptY|9?6p7$P^{QHK)p
z1$Quv0NteT<JU(EKb#X2pg6M29_jxDPNdhfWp1R2h3F^VA}{|l0^nch9wDvE&gFD#
zi=FEi&J1O@5qcuUR~o<*-CX3;lWHfQd){m|zD3y_aEO^L0!{(}FJ+yBtFYc>Qf<x|
zzAlFm<cWnhf~wW{6S&>1zgk=W;Ppn^z2_gl?(W=e{OkJWp8%m~r>pCjqEj1C<wnM(
zh>*wkx9rqk6m>cc=b=YFk#ZD;b<^C!H=wkLaK=(8TR<HHl)3RFY)Z7gA-gM({Fo-L
zvZPcvXI7jdXF9LyO*hlJZdw=q&JLSWzp%nPDZSJgoKpHFrOA_2fykiO1$ZG!LlS3E
zf--Oy<;#t1Y6W}YJ~7^+lq!IvTp0r%!5q#EVq_9bG82GU?yPkknE@U#4jgnU4#?s}
z<fxIfE~f-GsnD#Pml2+4;$f$u*Pf=fRQgG!41)QW0IyK%;6bpyoot}ZO_ZJ3)CrL;
z1{FD6<gUTtqKt|ht{#}KW+c1mI5orcnE_OdNH^2NZrWZ;DIwCANQra|Oj4puN~tB1
zUIs~%2$Yu0y~#{V!s13dF~RiorZ@*{uhzQT8x+PH>wo8q(J1`QHe;V;)Ew#&9(c`F
z2T)SZF8V*|lb#WFA?f-`V_he~x+y4Ykme_>|Em)%W;37!JSHd1-KVr}Dg6&-g^L|?
zypv3eKN5nAFK#^bIIt`iH!)!Uj-mK%WkbjjHqjkFV*-JuD9elKMHha?TBq1g(MMx3
z><oEMcZ*?19O>vPC8;EPs5*_pYN)g?epHSs==DQw3p$jim{*^o0qR17;mtI})Tl4_
zqQ8Ck%(gr@7o6X|!2%V$yIiM;=DuK?;3NIsgQOlo<b<gzc(gWT1V%Zibi@u1-fDIx
zA~|)L;9DN@|GLyVi?&O9gnV*nRGLTIG8gJpR%|zcr)T#$cWga$7^&jw+su$DcqRX;
zb-G|q7s9XzW+}brg>1YcR;wnxFEq{%Ih$u+xi;y}vkMJ&J=1nD*P+z<mKjcEO3g`v
zl@*i~(H?MT)3pcOjtAT(X(<0}PfBf1O06VD{<KspFq$*(nvYNwEf<Lk9Z(#jI^}m1
zfIR2ZIZn+UE>}L3X^&HL$EiY{d>c)V*qw}EMfk=KQ;U9bPxUZW?GgB74pUG0b}LCw
zNQo!x7cda>v(hLQr=){h<iU*s<R;W{n9RZFb{b8=dQWdGRUFE~QL68Q_wf8COlY=2
zFp6*$@nSmVuEsPlfSuNY)eC<nu|&ze9h53{W6i3m9-YEiD2sGC72Vn*qh}msI=%rP
z-f{E=-X!U9IX$ZO<mTfM*z%e2l{-h@!l@?;etRMAa{q7%7KlEH((Wu~)BeuxWd}^A
zV+x1Bn{@@v0t>Rp_;EvhN?U$1gxhL9ndL>jr{QKK3BNtOBiWgmT^bWvh4YHEnp`nA
zUV>GWTeM#2zI@WqivxNCMb56BE~4FRPrJE#x~e0)Y{%$=bjr_3+)q=~M)q7gEG_Jc
zT(0JIjoG|{b^T4?hYRISr?szVpNF%r3)#?`*IV;?YhGV<^SXM?X=d0I{E~mwn%L`@
z*c%RTv@@~qD3>QY6MKcQF^5eYT8@dmjUj7I?5&CYk(<~}0ZGm#_6o*=dNy{OP$j4Q
zjuMdPd^$Gv-PXq5l#Tu5_4!FeY~S%BnZJqr<Qq4r@8-A-Jz0Z#v8N>eQ!%JtfPwo<
z2%r-%Y&7o2qxM=bY^UHeXcGC<@=mZO0-v!oN*InB_<+MFpKuD~{(0sD^|KeChQV%*
z6-RFJeM9J&nA%^{5=oTNYn(aw&BN0N@X^pj);ee?Gd=O9PJ=H+rCt<<&Vv|G0ns`z
z@dhFc9Qf}8Z#+Q}0j)^kJUoKs0p|T7jNu5HiW>mc`+neagEj3BZsr>@BCJ37BkQPY
zY?7O3F~)0XfMUFr*aQs3Q5a8X%oQmdcbSbau80^>S$SJOzyCY5VH{lJ&Fln5)bl6d
zG)(5iT!#z2@ji!9j9YXO(V(zo4rk+EZf;5V7tw#i-?<$gg2NVcYDD|UDF$yjV2jeO
z;Q!u@MlgQ62m4)$n$m@)o=)eBDgHAFg3?oth~&nZx8`xQ06x2kqIvPygSMw98qlK+
z=+XQ=TmT~rpE;6~!KIv!Vwg>K5CqU?vw8Y$9(@W3WJ^E;+<*)a)*61hg@5PKFdC!v
zH|ITge|ENk61;kfNiFXhUKSxWUdk|MM_-bw87mNP#*?1skCNGJD>xiH54^+OUjO;C
z?cUyQ|5@+(fp^gJz5V^?d(RFI4)zADYokTXuxco}6%Y{qPnaALW(O|`NLSnsmf`@^
z_M|t7rXhZTXC1#91$bYJ$Jc{8dMVn>rgBG^(-q%vaxK#R9N0`ym$ERIBc*kU#~dc3
z#qYo0z66A>%jvr9NzFNCC5^nIEvJEVr3W;)Ia^x@4==2xAR(f~oB;NObHYypKugA=
zI!MS@EDVO;44?`HlFuBpfqBBB>Vn^9z@hrn5-tnQgg{3b0P9@Njm=_)Y*p&-Jh*|B
zCPPt6M<r6N#X>f6Q7ao=$C**C4&U&Mh{!Vb8X{p7RjcDIc^-LE=(znIO9P6PS_rx<
zoqSb^FvmGweH(nC8Zv?VR~CR5YVt7+!K7`@Wxc^uc-avPIJ9?z{3i`fKCVX<R-_rB
ze7em~!7UvjFcJ5Tt^+{WR|ck%Z*tcPWqr=}PkEyIE~Zgn;b^oTCew%z;jPW#Zr9}`
zSPF_Q3o}!<Q$C$FwKF}V)l_Mh3L2IsvN@D4J%}cw+=Z(SL^6t&T_E-@6E9s=|GVkL
zcfr6G6QDBKQ+Ck>Ucq38Kx*MXGy!8)abl_-R655_vp(Emb{i_z9%YvtWgp`Kf_2;V
zG`l^07EgQn{76op<prggF;g&0{#ASQT<7R{_aTm+cU7cidGxF{QzGYsByBm%IC|Dr
z)*d}))3ry>?a^~FpOHxAJWD%z&NFf4qvuNI#CnI$g|<5$Iv4Ug%08a+=^Q%mwTI3P
z9y*_kOBv6+B*AU;&u6iB`;8wy@8!4-J=w$OVoyo_r*il#MRNrpwWh-W!n0<K)=>h)
zF2a0}ca7;a0d0erM$k`zH=ff_p`#P@`dnPqK+!b8VQCyipTPPLY54UB^yGQ67|+Am
zSRh`q*W?Nbu+F9TG!S-z6AEI{L-eqZMtITFv-Fe@&irnI@hqpIh?L0|YddYaxZ+PF
zP-?@ub@D7XJOuPp3{F;TD9dv>c~e4M?ru*Q#w8oPIk%nRkNs`-jh)m$|1vRF+g(I1
z`lPW|ndWAU(bsTt6HUqeMK4jve_s*Ew@jpyoYH`xIgQ|INZyvC%%Ky%#1`N%v&T_y
z0<6aS6qpb0?YyRk<iFB$Uv!i^yCU_83$p21!bu3{P{TR9koB0|nC+AC3r7m9FX@s;
z^ar@mPae<>eg?zKJ?9^t%GDOjiaX-W@e)nEPr(&d!LHm3?V_FiZC<h$Utdka>3Ys2
z{wIb(h?!PE;iS{19KFA&J5Nvnl<8j<=#`!_GLkFy8O}bu7*^bIFuk7Ntml$!pg+7s
zn4WX5yK*GrbTJ-7^x+1rD?R?pWs(8^a$|Gs(L0oiXC4w{pQ6WI<p3#~n<e1))PM~O
zcUON|=V>Bch@3emc^k}O#mL==+0ER~*+m!Nm~omUm{aM=jPyc~6jSR0V)nB?#<<ws
zexpw-9b{+^9on!wlJ3!*Wn@=9bvkQXs&ZtPbf94sp4abh+m;tJctEo9_VpGsE!_Y-
z0;~GoLs-@Kl!DF9s;=IDA!i$zwwz^H)wPwiR`qPU)~eoG)r<LzL@MW5npHi|#Fee;
zRjmc}4C{sFI~vvt`5na{&-ru=>-()?y(z;w1W#Z}n?y$=+{X9OICyhCnIFw&cw;yT
z$?ojO*qhG3aWngVjt9|`HM19cO7cGyGdqd#ih*Lm9L{5X5*8ShqH+xaFqK~e=?C;i
z;ZzsF3^BVwgjZ6sd>?rJuW*y+W~zO!OCe($XeKy{1E|qT76}cf@_az?OmAbR5m|`e
zmBq2YASF%(jEh7>3yN`T(0aHTY@#2>(E#`0NREq2HXtAh`VIkH=+iX%GUe;v%mdbi
zc%cw(ab9@iF<u)7q**MktT;a2IK~~mB_8S|lxQ}C0Xa(G+#xq0N8_>Fc{Zq<h_pxg
zfGY+IGDK<3X3$T{^@Y4_)}(N}G(|$k2k(5&PH~ry6itUqt!E(eu%HU(NiZJ47)K=B
zsF0eLM+O^)I4K`v+NCc%ybUu|0_!9MSU{1V!*PK7gDKJ*v%`FD@vuS3y9T=3lKR>c
zK}&yx#`RJu*^^Rr&1GWl-V(G#ikd~qyf+CZ1I&&83Jm^|q{KDi_x;W7|1kFk$xA3$
zxxLCq(vtzCgHC1|78}ArC}km_Au*%r@`K3wqpYRU;mwu)g0ia_zoBgB#_@(SmQ^}k
z;f894keBu??eS%Y80c{o*WmZh!!t>S<0zK4k}_zXB6bMy_kd@J6z~KOQVhWyMbn~m
zK|aMRWJ=?7ZVTx@Ty_+(Je`ke`-QuHzAT(oq8m6Tpr=eswrrA^m<&E(PDznt0ThMv
zpc{&R$eWWdgT~yLrMnnM8irGOU?4V!#pQ@&GIe|vIdvL%*V5Hl_}3Ne)z%#bH5afX
zin#1VW1kIBmtUgw;qnr9^fLMQAJ@92gPZ34xS@!NLh|stmo87;1}M+{?QI?j#SV&S
zm3g(b{2n-Uo*aYa4w}??-m|bg9zdf^#ol6i)&!Upr~Ly21`-YyXN;RCnfc6(PFhDk
z->L6j)jOhtoStaw$&Z8n)+){X7;msr=d-&_OPx0pyM*&)egj1{bg$l(eCRIc$Sw_8
zQRA{Ekd*nbF18|&MSutI@ru>4Yj|d{45Lz!rgm8!@;NFC!faC=1R6PHr{kFAjV>GA
z6Tmzsq>=qD`pcG+tOo0}n#fJh6$4u<urQHzdJ;;Ll962SWOG^xFGV&R`K8FF7GcGN
z(g!-Rl<LyK%8|&2ZIB&v5^tMXeP}vV2&+`)&o5$z>J-WG<|2sIsS6>a`BjYO%1TgW
zNui(XWNwg6@==k+RzxbYx=2Yy_EJG9Wiu`|Dq(~FND7%!W+K;UDht-CZaIGWb16He
zS|qKHj%j{DriXa+8%UE^SZI&{R5?>gENU)i|D&w2l()ZIu9p-)Gqx=#9XWlYs~**2
zc`|XD*6m_~BAJ!1!`;%^Dtyh2g;JE|Uw0*W#sBU~6W`6xXIJojp@z)hlrwDMyJBd{
z7|+4g$MSZ|iygD4PaCtm@_s%K8MA!Gtyw<^W0tx*oii{SCv)P_Yg@UEAJF#mXPO#Y
z2yZEQ)=Mb66g1;1q^$j^3|P84tX%AQZn0`+G8J5tf7SYZ)$#k<e+a*?edR)D=l7*P
z5Jb*i9NKc0;rFGjto8fKrfdDaTEDMiJ|mIJd6wq)m1pA0eqYTVKi2aGD|E`y8?2Du
zQ7H19PsbbVp!Ei8${TDNO}ufmNJs$FY<5l%fO+iF=@fwQlc4A04h-SVH|`X6kYh#k
zWSzo_Jtg^{lv5bJ!7{>BiZn`f!a}OKTMr;{kEwGO`$RpH0&jSeDdTdQ79zVX!ExCv
z9DYgwua&q_O`-&XHW?eD;f*)FCPAdU!?22tLd;v#ag9{YW3s20m|Oi23*!ZNXr&b?
zHR1dkDJtdN6jcsxvmR*BY&j-)dTp%C#Z!menfVU@IU#80qwsn`&I6H0-`+%DPyzy(
zOb<yTBoYb}7I4iHgyaBnXLFzV`9O5%4>Tkm94atfh2A*)Jy^e-W^t7-;zfYC0K85J
zu;p72f+EfngyeZ9Tw8x0d?<Scy-&k~U%o`!l0Qo>OcXaU_vVTP(<<`d#K}B{jcG2=
zCYiPP_FeowxW=#HG@=KGqxp1TAPu^jk3&3?QXfREe*h1i9?n8<3+1DmiTY*{*rH(@
zKvIfR39z#(!l}u9W%$z|oUY?G#`9?8d$;SEaR!$Vd5md|SE8AJK|9$d9mDr`Bc4F`
z*T4;|>$%*--DG<k*8z2&GaS=2dG4r!CT4x)eagV0u2XIc;c(!57y*v__jqN+yOLl7
z<`Gk6fae+u;K?jXf-8?FU(YwYD^q$G_4-(ofMQ1Be2wD-vxE6Uj{(9T6Ja!3_X!+*
zrhn2$+$+Etz@J64Re4EAR3CWPq;KPBdM(XXTJB#cKjb_x)@8mGqbN^?mM+LSBBvlS
zAJRNf_D#7>@`cJC7IwNQH_4YBK9DlE!25Huki%OkBpt56g%dY;EysRyhR(tyWE*xK
z%wKZEf%VK6N^6AFco!A?Q=}O&a)Rx$+$aqZI}xQ;Ek)ttOf-whYf9h$Xn(9_3B-G7
z2I6hQ*H`~oD_wJ)&b5@4K3p#h+JaNpiZ3f2*|j(3>SoLSoW}9=XeG~$EKZCXXxWiR
z@0nF>@T5GsmeCB_W-Wnf2t3x0akKy;Ip?5?Iy<&^eH{naWN{G2TbyAWknOguwS0(o
zG0}uA;o7<+b0is0)5)#+lmObrYI=v)!5B}HzIP;XTFGm2^Nx9Q`1NaHoxi&SW$)|P
zY^(3?)WpD>DK_P4%};%6&O(MD=zwlw@s?3No=Hfr;|izBk)@DrU%%#+J^bYo*E}MD
zLUYmBWE1OO3L?tCY7cws9QGbO#9{A&QvI_#>{T23kn_=vwwz@g_G&9@4|}ue+QZ)V
zu(z1cNThO}r5*O>nYj94?=lS8_0D_?eRDkXE#!BUjXdYmIrBYi&wQIY^HqSmCdWj%
z^|2x={Cs`3+y2JSd=GQ1h@R}3Z?UH&|5G{hmGHK6moZN$4={8Ny3h03rcQu3_<Rvz
z8@M6IeDL6+V4s&2jR>3t0os6t$M?x1L$CN`H6eDDGGCPv^7EG9RNQ!<35*0@n-;Xr
zAW3YnA~YA@juunj1FrDK$risCxEFB|mh{pN_Ba^$A7Kl7o%H4rzc07fSE}3jg*ZE`
zOthe5X+Tryf=Y~ePN&BL%wfi{9Qu2{4DukuKkRV$2R;;6aNqEiN6wNnK;868OcV##
z5X%6F9^zJI$U<XHNfJ&lelYSNo>G_24{*ima;U!=y#`ue5#_hC5{y;oyF&oUVPt+e
zJ%id{FjyEghaf(Mgm#h8GY*bHQ>SN=H0CMr!51$VR-O5j2GOpOmap-&>5&;6w^ADV
z`Rwh6BYcMn9{t#pqqJcV<S1?F@N!5`U*(v70{g9^Da9S5m=DyUlDg|m<s!~X^QM=G
zX0R$uLEW0`Vza3>=OWk~#zt{ZtcdT`gv=_tmbng>l@Lz<Gg{|_NU+1v&r^2WF%g~Q
zba@brqc12Nq1$MIJe(WT7#yVI;<3!V!D}S?4CZF&--s7YNEt5zo9J{zeMtZWi5CtB
zy-+?&Os&;e#TkzQJRijU1dk|#Z<^A=ZZ|2oxpbHdXVWhWIPX{i{9)?9oOr(#-X948
zB+h-Q)5!b4OW>6GjrZF*F8bxO4IZPIq({U&vXLj+**_ph#Dd=7WSXPYlhHh8V@YkD
zcm&b`?ZSwXpWYz)98ip?z~9WBS1+@R+O~_n3ldgw7dydL-x7-pl&_UdW17?a=Bs8|
zA$>VCm^_)FVu*6jaYC}e;ATEhsZ5|zR1w69)XHo#iy_GM>!BTSxGGl{P?|rY@9&w<
z=-a^4RX?GB*uc|ZdEum%<ptl=8FogFF7?Q`%3*d<N;h+StZczknbL19sI|squKu+T
z%?wfTWgGX~=uz<DLmUMkD)kJzqhPiD4>=#~Xv<l~QLwhM_9!@;u00BFkAjQ&j6^Eu
zS=v!>o{6g;1=qDe*E{wt^uzJkw~*ga4)UB&=h*jId+giPu`e+T9G#p2DB}4|FdkFC
ziEsTr<!3pbLr?a6x7bsX|EZksQY3z`)D!1oev<+5|H<7R0Ow2z9N8=qI4RJm)+whD
zYd<-OMbl{7E2I?j-i3RAZxFvCft35V;1>Pj5##ljn-G7Uc(-tnu$bZwfc1}D_%Nkv
zUif<ehsrnJ=P-&lFTpPw4ZWE+2*>2qf_N~&F$eJ*<_Y0=BdxHkBa;Z`3t|X^($nM_
zWP#h9$6GWDJzw_xEqXTq`!!2?J6I6Vc8(S?xl#d6zrdRtMmn168bzaikjKu_@EC$#
zmi+(hy^D9-IFdK|ub{p2-B`1dEWhF;z3y)uJL&OG()O{FoqJEaj}IkLHYYNvBT9DM
z)4hNDtttQ{UX(~ZB1eYK>~>57g;x~-)~_DZyH)^ni~16=hIPfQwG$3T4QUYGbbct9
zSBR-|$T<NShnV5$Bwv4L169H7An3jy#~s99M_3bk_J*tOYyZBA=~@0pb*e<qJ`T`r
zw-0t(ulM&F+b>`3H}={GdyUuaUboQ=Iy*ai!9n}g>%FTDhMw1YZ1U5~>0G41b$S|G
z5s8{kniCZ<%@0?uY~d-LuQpoz2Rjb@`2Xw3f5{&QFvK6blS|fcM6xksSihWo%5zq`
zhj?~jCVf#|M@gwqkdQPI;E$9Q;18OiOl?l?-q<IRbXbW6+Zcw)5N=kg&nUv3M?8(N
zV-Wnk^`O896xRcr<BhZ*4JaHpPeKBJ2_FQENzf)RnKEYd0#1d)t>F&q2HEV6s9@U!
zV9i~T<5E}gpEBcm&=vc}p%fF~qTGRyJEe<~+#OFVInAY?s_S6^Mi>?#Yqy>gt^k&m
zjnY~oAM=OAaUe5~l^MU)VP)Q%)%Yz62lU>oMXOaFZm0+wJxRc*1XQ$uo~_!OwbFj@
zy&+gWarv9?2*`T13LwiF>boS6<yLgC%4+FCI?DjE3LEo4mR`;SSsuu;>rG`+wa(Ij
zEK`VQ2ePK=V9IKt<^!~>@l*t~tojxALs@fu0Ik;^&{`;<b)qNJJNHS<6&ZSMh#y;9
zY|9=g)n6BEOYvPKSZmhw<R@VtqZx6`Nr^Y4<tmTTJPmr{$^|Yniz{`sOx_vJ2GtQI
zBG5{t_QsxL(&9!tNHhONa`u9!Z1dvn(Qyr0<YAe}VB-<kj$vHPAbxz2<{8j2**7%T
zMX3#7aNHqtoQepsO6Q7Gtxrg;PCy$^brj}apru?fXH45&n)1?<cgtBa1LmJk2$G)>
zs{(g9Joa=aJcUQ+$e60-j^oZ{JcV{QlLv)ei20?{WR*1A%k{atG&1;!u?53n@Oa%1
z<D1c~>27CdU9DlfRjNnnH{)@?Z&p&6p=Npb;l^brq;xct`SoS<ah|7#<y73`m&Me6
zWJ{*!1+Qa_Rk47^!QZ^>B!fKRt1^OuM9i*cYgPtBtbvKFUtDdxsM~dAhS-|v)@YKM
zG3EF?Q|RO&Jv**7R|Ym*dGJf@c%G-))oZgjPfl8`^MaaifmS?sqex3$tNP%=Xw^iu
z#w&xjs(1iPC&R2CG@{vil3Eiqu|rX}rsXj;uwZR}&3!cut}mUJRCWE#$D94ZQ*au)
zY2A_L*3R>-hd3_fAX?EGv;rzz(uLCJ?pz00_{q3XI)|}w3fJq7E1u~bsH#ub`R3Um
zu2q=Y+3>n7;L)_Gz5G{c!W@!fKJp0XJP7CORUn+No#$COgww6=VwLfVLORPpI13x|
z2&Z1oBb*-LwChb}Qnk*~5KdEw=S4WHDH-QOGp)W?L^G}W756?_bA8av?Usi#7YS#c
z!+sa^xd}0b_YdL(U25pvr!e-2ronJTWKAJW$54sDx?q}0qK|%(eBoeU%Kc<|<32g*
zp^siLBK2k}qo(qMgG-9g8{=c1ed9Jk_%h8hXYeE$LX1S!5eX71R1pWkx~Jy|5Tf3T
z2Nz6k@^+CP5sA_qK|DQgvLh&q$}V(aOL)_WQbN%v4VALIIr93$ab6J~If(8Pf{}Q~
zc$t*-QKuK&VBe9;(uSy<<5U7Ljbe^+f;`6Iu!3Wom^V4Oj_Kk1jFVy&Xm4wa{TyP?
zd8)mn$3R*rBMEQj0$uV`wu#znK9<iHA4CY$6yubR`@yjPh{17r_{EUp(QORD7>|QK
zypsV_DNzh%EF_nv|1TNSboU~$z9@6jM=}l{*neN1{lbuQa<KK`;la3Qc9Vy=p9I}4
zF@$E24!-{1sC&5oa)0|ZHFU<2cv&)qBjzTovra$ie4#flMBNvxJsyoP$f004jKm6y
z(+Qc#dm1v#BtspII8~eu3dkrNnsC;xhkVu!Ns~Q<Z392VH+clwU&e_4zF}NPjonDb
z-Tcpc#5dA6EYCmq>s7YB4}*v14ICZgHp-FMgJ>GEN!hwfVT;;=jUHOwIv=-Tl<#3t
z(yfn|??0WM^99`!3jI&PO?u4>(awLh@f)2@o7^|_@WtJ@KZ@{;nYEJl)Ag*GZ!t|F
zujj+C7kzaXzs`$aJBn+8WHZhF)T$~r6s6JNeh)#dV3>y2_{R(cUaACMRwOXE<_IzC
z1ZlXLgSxzH7&&s|evgCM_b&xRosT@vXga-BoF>uSRs7>sta#m_EPROWB1)(LGOBGg
zut%b-4&mfM)SGq=Hb{6jU+&O+8}<jd|98fO3=R_Hz6kRsk!6PT5!U=k&4jv{3+#!B
z9jd+Ifa-+h%bXMDoMlGa1B@HP$ijhwkx%o(N;z;M+RU@lf&?6!&J&`-VF;28LdQ1M
zO@Q*8W(%V9_5S5GNLc3<0YdyEO0T0BK5QO&#ZATGl;PT6PhWeT{+>#IZ&CF5>?q{n
zP*nz#GZ}K2aqhz;$_-Io6ZpxQ6aIU0C$7+^UCd!DzbE7~qW@mFu=lAQ-V|-n;@B0m
z<w+(^=S_@1jKSNxFhUVim<J_($jqql=w~6YKJQHc+<;cRa4cXmTmZO;u=nTcgqZzA
zhCezw$-Aw}^ZRI+jxNIx{bOCRc|QdCYe$G)H88K~eVpZ-HT;a-?#p?4Ty@^-)@U55
zl7)_6V6;Wv!7NKdt5jW9KH5b(@cN9jPamwE(TCT5I1^gCJV)2<*RRXcdtR`svgdq{
z=<5P{=KWpWFYJkWg8r^90bW!hSeMqIFa>O(I)UpY;o2*v0_tbeGGCI|73q#vqdHo=
z=IAOu6%V2qj`0}opYEmYleIOUR49_&H07!nt*uWx`wa{jP*?ozEf}_2F2OBn!cd^z
zW|a}iVnWL>VkmCSTQTV6ycL7DVzBE?Wm2`y(ySOPDW21eVHQ+nK3fKR1Qm@LYywp`
zL0NT;%o(=5Im3d?8Qu=ZqmaRk9WIndlns*wH<-_F#D0!Oe;>D{p6|IEG;AAU$kx}O
z!5%6RSQmqaBa!qqr4KsHM>rZj3PkK?j2}ki%8VbI=?f6wG=-jYQwsl^hOCVe)98`J
z$c(gDlhPqlwnD0&3~z!s`kgyiQ*J(N;_~v0ON#s6ST|GN!q*&8=dy@Q&r$Yv2n`BA
zpvgWHZ33qgbnwQ%_*XZjstx-CLOFzj<Pm+v$6fdXI^2Qp+mx{E9$cc}!;vts?8`Xm
z@p&j^xlnp9aT2Ryw17bShcFnT2H;$#lRc2xWZ%LL6A>!0Ez`(ejIBqM88Lszm`peu
z6XY3@7vxTJUle~AcXJ|n-G(Hc7n2>c%KoR(=R5>zl{muKQFq$Zb~t)K&}b90ry3op
zv1XHr=c30oJtVP($L2g|gb0?9?hgXeML4RFVn)xDy(cdEfa(=Af1u^wBnVXRE5CX{
zfAlG-k*mMnO_q+rLAI!FbnBB2u5R*}`4RdXUUrfplz0nlj@dG6h&fSTue%{?bCNWK
z3z#UrsrJ9FGDDp;w&BP|61`|-8bfHqMkN;XC+Tf=lQAqCrUKOluM~j4$snfAvM#&o
z(;!?g<gk=?{R9}Nm`i>-qzRU@tMEY90qJ|55&wxVbdGgLsFcdxg7N3#)BJ4-j?Dz6
zfLCo|)4A5JWAU$A#K@Z}B)A}Zs(kAJXfwT9sO3@3G1%=^tCpj$S|RyRddKcy$&(O`
zb+mH)5if;>oRX0bP7ai0(JH6Nj*lh%En`U^OwYUOk?6HWqMePdZWK>2n)ER&ei$zc
zXWwp>rT4sW_U{#7pOZn&M;`2&3+&on3D~vmJV;7{U2fF}tFE{%B(xN;tFSc>cIo9j
z*yX`4yWUhLRqHGd>@uZzX0U4}MckY?m(}^IIG07B>i#FIt`W|)<8iJ<;#?#V$LMZ#
ze*E0=tQ|w#*!tpG_E3qyy5Lz#(BTlbE3^$vdK{->9H)|=S=liVWGVJ`U+yy!33h&r
zD#Tk@f<7(-f=J~2H^7*xIxK})5il+H3TtyfDKqLc%Az2lH6pu#TVqV>MR<mdR{)j7
zF!Zx5$U5#MR25Lt`_1PEA)waXkHyfC>RmTUEiI=T%d^v1^KX04XY*_*vJaxeR<F0I
zXsSgPM((+`-`d{U&;Ge5o*uMXd%O8R_pUa`-AyJmq!*$g%e_!MKgKJ81Z|?;rrEE<
zLzP5bCQB?+E$c=}<#<ce_nSZ9xVEX2H=$EL;kANfj77?C(Rb0^6Icf5qBcDZZP@vu
zJ8BBlB%fzNFZbrOE7ci}z9k@|OQDC)YZznZg{A6$@-Vly)X<^%BB)-2vjb<m^Ai9w
zj!5N@8BIn3RK~~s4PdeY^h;m1QnRb$WBsr<62734k=31oKdHE1$Vy_V&Msj=R1m0{
z@GDw;bNQIU%>_n11QOxUEZ63bEs8uVD$j?SbBdWO6{ndV34qE`HZViH+ToqCq}Gf9
zdo>Xuz_yP0Zd+Kc1Md~`<q<sB1~VDebJfV?XcErnsz}S1)i}H4IG?LzzKU6K@u;|t
zn6<0|{ym{H%2A_K%AZnIvtmiHP$0)?MKkWmCXn10pikKY-H}wqDzo+e#yF+(?%_ZL
zx7|pe2?!Px^MD{Px8{JL{m`Rk9yNPHsF}0jatrv~_<z!&vzX~}$cg#LgN$>5j5{j<
z8F!qAQ%R7~t&d{W0fRz9O92@RTk{~JUe1Gz9%QuZO=VKG&hkJ;Q;O#V87nAe=L8t7
zj#mX3Edo{dK3R2*0LEPpFfIyU9QVH*Q+&sCl$^^vgkAB~a-OFTeD1*Gt|5kOeSt@N
zs6=25fk(=A%EOzIVm<>7$$L!6+L)5V9WU9%5G8Q=51Z^Xz6ZI9FaipT?(V`a<`3&X
zVtl?h!2<<WBaWd4ui0c2Sw`d^6)8nI-bcAjg@+%@!vXSJWjbzWBcKo~<f<3O_t7w+
zjFDy1hLYH9aRcc@y<>Ew;nKDp+cqb*?TKwoY}>Y-Ol)&v+vdc!ZNEMH+57u`^jdfK
z>ObA9>MEQ^)g|_O+o_TxwgY$`>g`mGnzJ%tREI8PF(p$t$giUR{1;9(ht>UP2wy1v
zaYL3J%Y2@A#Q62cLp5Ba()1$ij>UsNudy;}z*!rL>PQ`FfKa8vh)ukqpj7%1%Y`@x
zat*P3LZrxGbdE=?{C!(am;GEiuj2JNkgmIjs;spFR_2>wI=aFud?=0NY<l%va&)4`
zPs_Q=Vk0zNwR(QrP<N^#a4@y@wU=9JwREYlwe}5z_!+5cpp(sRRjoa?nxTS^LEUq~
zjd=E_8+w%cLXPSh>c#|vFVPs3#9K_T=ZtpJ^<Cn3ShmH<(=vCl9OPS;Fh`^v1_|hh
zi~T)f@J>2q95ok_5Z70@wtVC-xdD-vLg=z^r7#g<>LgrH*A`2(`3#ON*_o>{#q!9h
z7reL`=uAzUSaA>2o_)!Q1laLJ`k?8T<QPo{ovz$#KY4^grl++bLB#2!WfLa+<B25g
z#R5`mrU`AOVV-^G<PB&e>}NCl2`t9LphLelam(0orddtaPBCp0{w?Xsr6r_?H67@a
zrgOuH`n*(a%>D|RT3Bd0@CRz^sUTfXE<{g{*@+sC6v;*I3D7PXsvP`>3{6lDiZ_#(
zJnA<S<g#|?@d~S8-%F1NE5(y#(&4e7xG#DR&cRdPE5YR)Vh4bo(f^;F)eyzSK&=ay
zd8s%`he1Mf!RKFRTEH`rKX2A}p!>DMuR7?aNF%uA>whRGnvG5*vWO+)AcymTnaZzq
zQowKxpXv;y<whN=@VY)HjS^4(?$0WQ5~!Uj@Wm&nzr+zA%Ohp#^l(B~hnz^pwz|o&
zHgJ?Mj?^557wL2^j_Cm77e!S;FoMmtXS4(w7>S{j!~E$=Ig*WR8*e64nB<IHmCk5K
zH_1kUze|q3F&sEQXRFkQPx}H(yD<mEk2P>L*x#Yyj^`JV1lhv95}jtlqz;@(!+Z6l
zQx?e;TO^#(_v<5k^DDe|g>=R*q35taK%Yo{)U<@w8j^|}ze#Z`eb1IU{J5wX)Plx4
zZbw_5Tfs7I>voPS=@tI=q3-aS_f$Mvq6qZ|C9G?mA8_H?)K~$C3-B5>ghtq@a1X(4
z=yzW}BR}u!+DUaJS^1T5@MySkv6e#rq@oN>A0bsAqACZo=BRrqdlyhk3mI3w!BQt~
zXTJ<}crMhyNCPp077KR+>ordydKtKj0&q%8WcV&_s0PpTyAsM9)>Z!k?>V{GoC)7(
zw$^Lmo9hG<cSAB<RNJ;=2a2-d0x-k7_8T>97S{}kmN<AH<AMLAg*ruP7s`)P$!skz
zVaZ+1<5<f|o=|F_+8ujzz#VgF-s7c=$s1`S!-w-WGDGs?zBtAo#HHV1>p%(bao2HZ
zkbWyQv!9sF3Y-oH?BrRVDc}jx7PRGDbIKm5uZb&4q(-#|thsjzj)BuY8e%5=9EkCt
z#ZM(Lh&OA+8bqj7GNE|3iBX2I*~nE$<KQ(ZZ$Ei9$9n3%51;WVTpe`t2~kF#(e6zl
zhwWTUAz9jkxp8$iDRcCrHTaM#o!oJc%fkH6iM`uW*y1Q{Y<F#ux4NE6unJn;l8g1)
zz&~v9Oa=~%rPv5Pf&$v$AfD6=8EcPu|48G&wYrQ~alfcbm{UQ3hE#h50e59_VBJ7~
zx^|VzR4kp+PU-h1@1?^-94!^hSa9gW7gcQf12P0%%F3FA&ED=7T#fimf0VMab@&c(
zz7xu}lio0IoVTi^_t1yB$0p+1Fe$L5p-_K3H4i1R@trg>qrq@!V31Q`A-@PlcgWA@
z;Nc_}X5s*5jUR%VeWc(vKuB+g_@ZuYKaTiYXayBX{_4>MNPJH*hR>PN333hWLxIOQ
zh;zXl(V&ndnXRfuW7B~OLkA+`Y1mI0OJ=@599}i8ARBy(k)-dXI#USur?1n*VZiyw
zd$hdG_F)YzL1B4^t%+dKqDJ<IJ8FwzZF2q;Wm8*f50a$cKM*Pg{pmp?KE9J*#@Dvb
zT9`Y-g78imG^ZcoId&t56tTLB%sO~i9rYQ_lA$E9hJ|7Tw;x>I<?c7BOK{N@s>Y+@
z_NOf@yUaFxHYEQ!sc-31j<iqlij~_ZYXicS%Vsu`-ShJRnCFWi<0K}mF;r}ZWrl+N
zM0sn570&Er`e#Qt(7Jhe_(Fn}a;=@@_%Fw;qm4=j%42sEzU<)2H5@Q+u|x(N&NHZE
z{V;0^>8bK=AHec7kZz||q4TdilCc6=9VXJzSX+ctq78aEzQi)`yl}t6oF*9V-0`w;
zX_p`j=A?+|0Uh_EMYdhSp!)hJgc0-Xzo%nh!isK|KFITp;UEb0@x$UnnClrs6*+4N
ziK?5;;7)k^5w9+Pd1V))5{(o|s)0~*HvDL=$GbKh@aA$>R3?k@jpCODi~lZQLmh`N
z*e)a^(K1`GPTx^y3VZxi2kf%(ySG!v&FpE$`4c2|U3UA`;@9)mkpI=DemHZPEnuaN
z`<Qr70i?zhF^m<wfT<!1bYcyK%aS=(-Ibx<(ZEVu(_ATYb$v>NxXN4IlR(Qe_vvd%
zb)m0Y_B(`f#h7dw<=6luZ0?{CY`~;wubIVOhwQRw`b#0*yNtI9beC|q(6H!m&8~j2
zduf6{o9}`3>S4rv|DE>)rG;j}3{e7Ye1bPSKt%xVZs@gUCdeCWdn#e)>`s{zeYAOb
z>*;Lis~8SqCh{ZF3^4ALDiSSU*t5DcgQNM~a|ffLPXrg8Lc%rnR+K5|1EZZr>KK!F
zhk%v3@^(O@;!~lpsKYVtc`J5`V=_zyUO2ghsj*<OU_oGoH=51tMRs{4rBIGTSz6S#
zHtp=hmOHp}s$EshsxV!}1t)ALMdr7ad{&;RB+IFT!QzIH&qV04P|+q+`J`^B)pX6P
zA(f%lmd~!XDN_(Xt0YqiqkUhZ>d9rNbtqeT;i;UiQoW#=VUa>L1Xv9}1&=drp=AQ_
zV2hOhd9cNzw4GKH<3hy`S=?C_e+}HW{CoS;)72aD@WO2iYh%~Pjp{00oIpU8IzIlN
zDwT#NrOBfL*q608LJ(L1Egk7rF)bN}m(o5bRFd#B^Ln_h5jS#=J^dl?aKU}>ds8};
zqy-q8?GRFi+7Z>+plIWaLhkPmXral!a?F(D9iuTdVlBYe)a|kRdZe^M9O=n~rn~Ci
z3%KNN8@-Y%aPoNC<ud1}6yoPBHaK#Ls*`rj%_|g^v?iq#p^qx>2}6B+M?vAU+%!~B
z1wkxG_ig?*1~O+(Ssk?;{lEVD{MGGwmvS}r87_Q@rfhME@LY3-l5SCvgQWLt25VF~
zwYfuTD54k{gb&~H2?>I?CH^2rxQ`zr!tBwt@$St~pg<c+1KjeVYxDOHJO7x#>h$8U
z9b3y`0>YPLoX<}`P~JQ-rkT`PDuS5bQM!E;tpN~cQS#_C^`|G{u!ZTm5)4ND99IMd
zq#6F!k#ngPjIQWtnHw*J_&YhF3e%8iG(}n2G@(CUEpuJ*KSA^3X(jt<9sZVM=`X2n
zwTd1?Hd@xU>got^>@me$j~fycpQwoP!R)}rc`9(ldDaf)6R7&EZj#9rGzQ)NC71{#
zcY1HPyY8m-UiNfRXeK1+9P=gU^f=pz*(a}0<8p$E0;J^ZP66x;>L6>JEu-~$G4B)E
zs_MNMC|WS)$}1U=HV=*jjkkF*I(F1a6)wLa*V2@DA<bDD5-sFfhjD~eTZc&$TriVW
zm!WF7ZtSNxLagM3VLDznfHOfw&{p3-*a4NHKcux9)QWQ(S`9`pvUWg{IXYI!kAmLJ
z38D}*IiR$nSV#=s+TLHif%-F4y~6X?8NGpF(7ZA`1|W#2;ko}F^*?xJ1O*ULY4OQ9
zHK1kecX%<S`@ycRMb&f;{{<>WAp<J{^4STGwB7-*|BF+a1Ty+kw;cY^c$V>80U%aL
zssSKTf{Q*1YC5EOJ1LMb-Bb$p<EnWhl7!ujL%y^Vw;zi$1V7zP!l|_NkpA^wZixC@
zK#&_rrANsZf?2MSpLzyFlW{uNUSwpy1TKyZm<fv1aW_8wb*XA%ZVda729jeVeFj%e
z(ZLL@&RI)%-Byt-{IQVqu<;Q;)`Mz(AfBK(Hub&7S^}k^NI_&WJAMxSxlYbT6e&l>
z1RX2I8ug>~<QUZW=&dCJE9)I@9Uh?XJQL_{i)?9L5pWP1>QwYrG<S+`Nnw&ZqV2!`
zYj|>Kb2aCL3E?pQ9bpvN$}C?%k-UK|j_sOx&)TfqT*of4k7-?H@4k=`^-H8Melkmr
z)#NAH$$H`3DNPV%g!!$$V`S!}3gx*+0pDeIb2BhhfP-s`!rpklpzFmD30F12t6g=1
zL|bGC&CP(poQmh)sX|)<7b60f2|ogt`?Ad2`!d{5-m_-szn6<r3LM8zniwulG#VN%
z@Seo^#d)@X?BTC0!?7YqT>I){33IuYnMYYB)zCJOOJxmq7HV?Cum*Z^1C+`pxyd3M
z$f2&6f-QO;o&Yc(PU+Z+l?eapTY<wr`w`z)iyU?+_a0}=S`~@wQ4Ja7{W`jBxkmQe
zPh@zwBk;R_$sF0{{WAUj&*zCZG5_AF8PxE8Jw@NNEYtLD>+;MDCB9^87x!13&;QH+
z{b;PG_U$~m;(9zjrv97%4{Xa&eTBYgL#OOy^=7iQR`h26YkdF`8^oLDg}dH$4)CpM
zFyo!gT^N(89Z8b<5}+)jvY)-6_B6mdMfUtYeytXKpT0m`TqqPIW<6P$i4&Yhnfi`N
zTG|kl>VLQT722TT-8F1OYO|W*CCbyICp7EX1Q^wS&XYQUk7ltMz_6Ni->+l=x?Sue
zyzHspyzIwyT>F66n}@aS>Iz;3eK#L_%Yq}5x}<fD;Cesx`Dzq29cU(v?Ua!d;I~Y9
zSWo}oZ;>82qNVzRSlNKn>VIYA_KHVm;?4w^zY@UwqixrXoN4+_09T-ij5fmqo1DW=
zuZoa?5M*i7aXve5?!$DP?6zV9F(Zz6a9;6*?6Wd({d=5dG9!r1RM;ADAc$R%a_78?
z3ESUt=d2n31^60vpTjy$z<zV~v7sdAbhVzrqUw1_@NbY2^yZ^o&aSMmeO^4X<;?LS
z%k0BGhY~bDY0jEpPkTAMX&fC@ylKEG67=sB30uGA+z7Pie90)h_PP~v!rmNI%pyn-
zzBNJ;s93u=MrggnN*rCnv~T#AMuOY(r0AJZo%eNt+$JKIOGC>CQN=)eNo%NwL+(-$
z5mJ4CiUw`Qyce1S$uQ7|Q75~i=LUBH!PF-FwL?BK!AzMF2KDSvgmH8N?~rG}E1)O$
z87N|PPLi|S(3ik#25HY@Z@&v{XM?+KPGY}8c}bH|NPvz5>w{ol0#dXK9x!0Gc21<P
z*nQTn{sdjx8U2mL;wm-`+8=E21Tq)yiZ%So+C->{)R5<eIi$!<;-XJwd|h_%z+<7>
zclnmzP90|bJW`333oi8h$$8bAG=;1*5Zkr8w!H?x<vf4)lpji2aT4hlLnCtY8mr^7
z2H`m?!e$-7jn+koPBYrk<8N;U{Q4%SpHO7P^NEzeL^x!>%@qh^B2Y2FM96V-Q16EC
z*0Mv_cuC`S7;XQXDXYJUDtfBd6PZ$PA4U?W*MH91IKeDe5DNNo0fadn5?ds<qQ&o{
zX6MU2iK(FY8K;kSO4*7lNKt>g42uNZ0ZK*;<R)5v|IK1X?i&vR+^3PLj{AX}?}gjc
zdBA`L>RFV+%gwzjZy+mCR;O9zTcJWYGAgaOhWq{XzQ1eEiE!_F&b50dG3d(mqaZI$
zoW#BD8a!gOtquik*V@^oFpY#NCDc^l7tpxUZ*$G)q90weM)-Hfb+Ht2E~5>8Oe}{;
z$oC22oJYc(u4;ky7o0QeiBMthLBCa()&51Se#MmxaZW(Q+P#4a`)|Ywvj;>hmVTzF
z3}d;E{xdJtkA8ryy(a-|t!L%&WoYjP_9f6R7t+ELF4tc#IGES1%y1crySZB-ginQ}
zHdH}0_5KZOHxQVSmvz+y|G@KsZVV}Ui?NL~H6qZ<rRLQ_cc{#o9G>u;Vk|Y;3u<WJ
z84qw{(glWE^w55XE2pufydjz9x@J=E)(W^Kmx$N_uYCb97r_{+rRvHs{p5{ejq`C1
zW);3G$O*nI&Lc|6YOpa1gz)F+;-vRG)Qv0!b|N^iDi5EK9Ss+s?A8H4s|U_D<R@ir
z8#k<?3AjzL9%LCEE8yB-YTz;VjqBruE&b!W+)Xe~R0`5O(8&NkSp#<Aj9X-G=Y(p$
z`Hd|_i#;PWrlua357NY#VM<CjMVyl9{$hn})DVLP`gOP{Iprc8XRF_p{XC~l5I2p%
z6<vN^3LE0j6T}k7i4FLqrXl!<2I<vwPYCJp$f%CbxsVS|AP`_*!udfF`oP^Vgkv#Q
zSbHTB7Zg}1CJbh5A*y&pXpKD)lxS7Yi()!JN*(IBGGAT-esE+eGcl+uSUkIuoFGgT
zCx!1&69g{oi<tITdWqEDN)d>{53itIWw&ydy{lx&Dw1rd{1dlRhej|PN@jLpW1x{4
ziZxS&G>z^QaRy7OXkh|2^WFZ}^>bx>ixUu=wu9H=u>=!+zm(9+;9V5!5|Nq2){Cmm
zUfkI`q3m`X;8P7@)r)E&KoAWg9PxKrwQLdu^Q;5xTSNkY&q&pz%6D>g%epr$i8azr
zU;h?x-G~=E63zA!G#o34jbKD6iVMvL^d7NQr9S$cSx=j5D&CfL2mOptZ%{W&{h$)i
zHd&?+$-z4gh8Nbz?L+nmY9Mq$3vTa=-OaKHvwwL$amSt8%K1kB*FTK7MM%GfwB+!e
zXCD+aSc8*SZ5D&Ht7In5Er%`c&TW;_q=LnDtyWN5^VC#s38(_BKu9I`@^vkTxi~X0
zL`3n5UkMsqy~d5+gAN=VseO6TX+g_!_v%pnt$X5N_<GM-HxdER0Vr}{DYkT=0b}!q
z<@KC(+L@yjMgSh|cOWWe^O1vLSJp@bpPco759!^(6116U)R|)UY*fZ(2t{;8zzs~B
zkpCie^fRx1CsFUqruqX#xESF!VRrECz7u5RGn|3ZIV{>bAeNkipe2bYQnq${kM0=3
z3K{J<v166CxU5`u97upt0QD(+9zY-f!4-`F|6H-6bR@Erbiypcv_Rn90*@<;gdhl+
zCT7<_fJi10_Yul>QmcTupNihlF(=S|uU>kZZZ6<H-oZd@q~OL2*(BuZUx(+hPk|YN
z>q|lFF@L4jwISlSRK1QoJ8qGbnf9CI*X{Bjem7vea@?lN&pyf?=gq_8wt_EwE%CIv
z-a24g)^)1>=<cKJJi_tQb-H9*9=`UlsyR+82Z-t2hble<Pc$+M4uHFR?ZpFaYC6)&
z>j^!{z7118yl52fuDR?e$WlJ87=+Yx4E`mfQeXW`or!u3$0;AWV|M@jH>qA_sd6;O
z1Qe^8OHsDZj8)0H0jUK)KvhXV@!O`k#Vi>-wlLj_d*5SuI5q&1brT@7_wv5t{`3)f
zT6sHrxXechaG5*B<w|$Nq?4inoAjGX>iPwF)6?e<eA^M;7*T~^Q1BfZ1^$)@#>B&e
zQ@E`}pcoa^j|_ntBrTa0dXO$!O<goNJoeKNyJ+#6g(?W{5B22%&FHERn!?Q1=Y1l6
zc5c0#e|pTY&qFPVIZ1@EnQ<)64s5&Go;Y$x<a%7eJ})rFZ<Sq$rfU*~4CXZJTCwj1
z?N!L`w=721nCD-C!aGP^kxa|-nNMZ4-=lj-URb@QVOiIL@EgmxBaP%633Si;=V5(}
z?6$vV|MXpAY}w#`p3vj44MwvC_RGK>X<lns)$P~GN8l*UN>;%%?nwxN`EBYGy-nDM
z({pUBo?>lI*8c%z+u3B2c!c+DP~<AMBW#FKq`R^&LaCCN$W>RTN!N_x+%lX|`uz#j
ziWopwm~-Y8To0U$9v-QvAnRJF@@8(r?5NVTfL~XjB97qM+mqr*5YfgnOm}x)hF$z)
zbFZBAHsMVRJh&dC{?|{`Bv!hbW8NmYd)}n&zbQ3TejRIa_e1=b>>>8%C+U^Py@sWm
zcRm>2UdG({R5B8{z#yRF9K$$<<dl`B_tGzEVR_aHWX`k=uu2dt&b%FKJFzDA2gUj9
z&(6LdY<j#ZEZqSD9;L})aG9+aKhCV)oN%{$lX{N&tGkP0F~*v>flEQdc;*{bG&E7D
z)nTeGinHIS|EM>-C16(1C)GuCE}bn*$V`t7rCO(bz&4)@Gs=YCTpI0-oYklwcWN#-
z2e-FxxENKOFU6lja4anjRcZgqm&sXiYiph(_iDQ3*y-2P?m2yVOx|1XNf`-?BGN)7
zq7QcD6P7vb#te2ZE^n3VC)f}eaC-*!DM~KZf)Lr<e#WYxykb&$OVREvjm<w3pD`?{
zEXr~oKBa6!T_$-><=KaDcRn%cn#$!2Ya^D|s~edUAWxm-zu!8Tfq7Yjug!ZCg*$+o
zt|YFK+Vywe{Sdp&LD4~3E}+}!`L@aF@cT;l3F6_`*tNRa{#N7pJkA9#MDLnZA@&&1
zCBDO_{3&O&Wk})wCj{IcI*#TC^ceomjKHya*RQtNt#b3UzDARWyyE-_Hddq+y@-I`
z?t4eAdBNUlHPgkuZh+9lghXjQg$o6c?gRWekp3&(-@$<aI{&MJ`sB0vas$AX_p0!a
zv;e6|03bENLF#%A1b|~BbRsea9)=x|M+lHP$7T;eU_In^jP**3oUOcNz^(i{^9-5w
zOPlw7eJd8+%6DpI26GR<+tOIE2a4ih4u5n<vdrJ;q>;PjKdpsJXNrdL@yQRB*4{`5
zUrVw}*e4X^&8&&MoDDKe$%Uio14>X!FUg)<-dW6Bq@H}9PbOb1w-I7jPW=08^TElz
zAGZ4P!)VH=K40@3G*CS2hVZL&obiWQ2L97N?oL#Op#`|6V6@zLu~hhZSn}~adi_ZK
z2{?i1IU6@<_N|y9SZaylo|^;Yl4e5q29l6JEYnbZZsQp77&Ry^?89MiNbGQ#S~=r_
zqduh~C~WgGi#PbTc~%kDRJq0^%ObNu$nK)9`eBvY@aivXqVF?)=xu@Y^frLL(!$!g
z({a0vKEdkl%K1SThFteLQ8q8sk82`RyZua{{CvGXg&v^w|4-v@_`2uweK9xYV%v-C
ztE=n&cu}lvrBUU;jX(RBwTHf}hD3bciQDey*+amhz91Yh_QsD)$0JL$6eS(H--Dkc
zolgnKs|gpp$$MyOYH-4}-K(;N`^uib>70d@CANli^Ts~G$N0GZQrrAW+jZ1tCZ~ro
zd7A0Mhyh)DN88xgi5*Z~F{bdRUvQs&yl%Uz;)vd{46&>Sa_}olA<oR*ui7CN!ArB7
zD-{1l!^y3Lc5qXvpUW+xx6GXiq{RgHjz5&05V5H>-M*T&f0BC^{LN@Ge47hdy|ktK
zHM7aJWFS;|L)wIh8C>=po=F-_)j!+-Dt`7;84U_pSM2q4ByfuoP0KQ^+&g{mKuLkq
znRcD<LJxWpQ<oJ%Q{W;dktuO^iHd%#J<`g&e@{Oq@NnsSYxtf_sx2n)ORRw$iXc$D
zuq24E<*?JoKgNVt|E9+pKAEh@3)m8675E$?u6#vi=q|in6<cF<!k9}xWh}}TOddng
zYmTHqpnKTwY}Y!5LX*k{;V0K6c5d?baLUwC&<Z-Xd)B=Lp-B6}1zhVvvEvD+kVl_h
z*;Rg@yyFV>J|T+sxivcQAF1E-6gmba%503aeCSUfoGZi(W_2aQ>hy*+k>jjV9>f=W
z>?axbQn_}l*^=_v2GoQUhziGm4X9ddOjFBG*xIHA7RUZ>ys-gw8d%%CMU^r)<DhkB
z!J?e^-rvJ~ukhGTI-LE?=LxA4qK<AO_O3(D9Ph<L9h5M?eeq%lC{habPdOpr`uXef
zkpJkM!f_K)GSxSf_d7mf`gQJ{gR+Qy4-+h6Ewo_yoTJ<hCdfZdsSh&EsF5)Y6Q<`c
zh;+@;5-*{PM$ityE<z<W2G`|Wru@D*YZ<cMOwc}C`*BpBdwo^hRpWc8C`MT-qKV|h
z9<aEp=bkdQe|ye!RT|2KsH`(N==C+okCNi~COm^0-b3W=z3UB|Q~O&%y1x3pS0-xE
ztxGm2^Y6pPQ7KAI*^q`7_*Zl2ay&EmVjNotvKryRXFAvfR~iBBvB;i6Hj^Es#fO?1
zWO{=knTUj0VI^)zTyl_r-Qj69Z_Kuv>0#TB1Q!A_py7L7(^l1?TQk^xUVJ}FXR&!G
z2BhgC9RoPt>aGB~rncMZVW&%K%hi8b+q<fcf5%&UCG#YAsY&YMZN+aLjDQNS+^Tl5
z-#U<6^;U|%b><j{W&_Lyqz6!Wz7f2x)N~<3!RjBI?&|-e*NjJ1c@Y%&<|h0><5+{<
z@jGY>K5d2s{mnb*F>K>ZB&FHAcN5^k9D(Gk5J|@fsKy4Fkx|-p5xnoiZ=+3Vu}di_
z!Xv*)y(h_Hz%4SIM|UCd13hVpHt9^chtGdVuN4B-u?_`MPkTxkrtLjDLhc6$OV9CT
zxzu{aL!?6pe~Eu0la~;rC#<mGVv#$00xo3)i2LtIDVrLa=Ll~m#BgP^(4uljr%o(#
zEN`!a{bl$5Ftm|g2mNBKMeFIz+Qz@Ll{nVS_t<0SsH1c`1xy(bpL9hEH!}1A@{CWJ
zZOc+f!vEwMA%HxCX4MqHCx?3ww|MfH6h`CRY}9p&w7hoVcEmgd@rjh(G0&Kl&w?6r
z0%Bb#<TA>emo<iM`<0lEb~T-KR6<|CimYHoT39&E<xJB_onFb+e`X9xzl(y^XL@hB
zkL4CXz(jQX#2QQhY<CbACb3qnwPcS<Yk*WRJT``0UEcS@k|cb3+nof|OqONvr*250
zE6HFa0dSZmu>(v&)k$%NySWBaFdnk1m`XL#Vy%$!rMHgKxGyR4qzOnsnYKpUWM-t*
zo;{vRPjK9|y?Q+<Bo_#zY_w^Tas|#HM6)gUh?@)(9?mivJVcU?2;e|E!eJoes<#}e
zbBM;s@0btHt0hW~$&4G!6NX6b0bU<(l>*^i@|4w}1MFpoOcJdPkQ}ux4GR;zjCvDX
z(J43tMH?)}5T)FUdAf6g38dbd?@3vPNsUAqPwL#T^AyCB4F7}CBFyr0I(iG#$qM{|
zY6rF<i$^ei2=!$?lGAvueVG&|qTNtF07v4`8VY2(RaJKgi%a#X#j}lXYEz!AbGFg9
zLNO$ghqFmV9};Ii8lIKE=3F=*gC6FykU+p?Iq|Q~{-0x5y_S|O&*reD6rDO-Mo%3W
zIX<Jyc6wVEl|=Xf-(CTP^9xkGX7@S<!B^?xAqV)nA4_^Fss*3Z?|q3uaG&`6SsNj|
zjWu6tP*U$mBKeTHhciJl@&w+^aUCf$s}2I#Zm`}>O_tJWeUTe>n-CZ*9#0~1y9^iu
z0vgbvemlJD(uOa#pY)ZnBj|vBM5x|M#>ma1Bf-EkR`>t<5xbd6ygZ@bbdO6;d*4fW
zm3!X+S9~u4xZ=w<P24vF)b}?wzoz&eEEAvbYs6k*VN!0`n0tH<aYo2lgnY}cCSD2W
zcafIg6$bDhxOC%lD`b7d6sW2wQJ`CaBoM(q#TP1)y{;_y{}6zLWWO?{T6tIlu^1%D
z3SJ9|J`?N9u%$j7#{2)&vTFR99`p$gDU@p%i#D%vAOV?)XX}S|fl}SHv}1m6EJPhP
zNg@MdixcE7FN7YYkS_K|f#8;yEoRamp!^I(vkjzFlYzX;E5CV^Ry4nPuR^n*G@~0e
zm7QKu9J}ILFAIdVv#D!n`To3mK?O80j*W{Arf~9Nkm0Wiap&bI8_a!;^FIT_8&QXi
zetOp~U~vOsFo1brN#1eRsl>zN**SY=@(y}Zv{nz2MJi%mb-pyo54BnhYT{xCyYa$t
zw`|14SmxvqDUs;J_;szl_|wh0ddkctdyrz9<<6u)uax{kLWQ~bW%Ch=V5hw69L;<S
z5(}Ib+QD8!Xb=AcJ5A_0X#<${M3{wS!peyX=A}cI4nKv8hxN|THFxBObVHoe6Yf<S
zf<h&gf1P2<qIVCyVMNo!BYQc@s}<~my0mDGk;%~h=v65ogFyRP;M@j>wtJK>=WfCF
zJVYmk7fm=;vU`76+7NefaIrsk%5afd7<c^@1o`|D=k|SF`i*o1C(T08yXe%LTFO~b
z8)b)lg)Qcm>F4FpbW0M31|Rv9!F_XySCNZ5tuCQDbT0{#8A&po5+=40bFlMR$J6T#
z8l-+~chp3WL;t9T(6V8EsGAJGh(pzKPRXa{QVRnesYlwvsY*#<7#or)DGKDsoLymV
zEXlAPXh;xcJZY5hk{K!Lc$MN?I~`!1wNJ;3pO36B1idoLJ;tY-HSSsom$u67t~$F_
zdU>f+T8RDU`7F;`px+EUkeXt^5QxZZ;hb5UfO*Mpo5HwCcL<Zk4B!r)^caucO(=gC
zJXVrL`8K&})$sc$0kGlUhFZ2b&$C0`vr|R+|G|cjtN_^XuTz55GMA97m5i#8EI_2O
zQ3Q0U74DlL*)YK@eS@bScxQT~YmZ8QGQqfCy&PJJd;plk)c<1+Q-jG8j}k~;lm#yZ
zWf>_A-}@J9@IyUp2d0v03Ac7Iu|WKYaI`Tc1*)h{5uiysp@Qf|91Jrf1)1JLe=vx7
zFAplQUAc1EmKIUtKSEFJ#JIXkN%S*;e?(Aj+N=<UuZ(q#M06pn?I#!JL4>9sM$>|8
zn`SR2)=eD9wQt5J>7s|v2Q=XicyI44$DHQ8GL3erpg(dwAF1m2t4spjw%RsFzV_d;
zkxL*&^>)@1SJA!w7Uy6RuSfbkWLE@@nEGWC&e<_DD)KZR?g7mAL;ZD^(Y^C3>~`v8
zX|TbXvtroSkgh^}#gzBznc{UuD;_1%n`&cXc*^uXyD4rsv8D$#fP+7}B2Bv){xF-w
z!&=uhFA~(B#$Lm<38)2Gb-FT7117vUQK5)oU7Axa_48Gpb5a<!_C04)MiqoCSSMdZ
zBa=nWxlWm4I}oB`fSgHf6Dh7|sX9GC+>wnf3Ft=}<kif)&@3-aCaaP1lTO;5k#GF&
zS2>=#_nX;D$xSMqTlWEaGfk6Y?8Y5jFImXi7U7K>E0&DYN$R7e_k-b-@wtm!|BXcP
zB-C1xhmP$zccz7J^OIO9U#0xj`JT5aO~ImN^`gN7;eaixYefz(clCD;6?ZksjEUrL
z;oo{a)Y1&zYEX3}ypP*%p&pjUe+^A1h{=yg<6NghT)TCl*Iw5=s8axR3=V@De%n7&
zYy4+wt^iY8JDrpJpQ&B`Gqpx1HJ!_>(UQgQiqR542L|JxxKrP@em8p5A1}M(;mld6
zQAPx^Y}Uc>97nnET>9hGFG6evZ=E$QCcKKO`4kHPX46<NL@rH!mV*_I`Y^qIg=%h#
z+8=%y83Ev_Ifl6HXEd8?B%pNXG)Qzc1NlIl^#jyV{+wPM=47VfkZ5Qsqs+u>JO7PV
zS!>^A*#U&O^>u;*vu!mHHeBFE>uC2Wt$Ucya!rm4@bFqH*`TamI1|Z)%VBWnrMBXS
zOA8Qb{|d<^0;5<peOQbk-VRnrXlF7TVexjC4AxuuPVWf60vZB_Ik>ma_F&}&`(P=F
zuOndK81DAAknx~SZ`7sy%I-f-gku+Wv@k}l=hF+;T=NRrArI`>&mAXYT){Ir+^}P@
z&=P#(Pz#OS;?z`*BZKaXXrpLN4Gn)S>+c<Kbr;YO3ZK$2gM6ca%F!CMT0irnu0&SC
z77_hk_=5!XVi$k~lv$~eL5Al~=+7Vz?oW|G0n>L1jt|~bzw$-tXD(|bF2l><k5p`p
zqHet9yGK#9`WJj|;Y2SpqSn~t<zs+t*_d8PlL7^piC;ug0|a11cjBH0=dg#Dc~Ocb
zfxbpxKM}JZ|FB;mFi(xBpOc26HpJcuG;G}oJklSFW_=$0!OvEg*oS(__1K>3@lY1E
z9W?cImLadHt_&;_p27t?0?QhzqkFMb=^jy44vJJm#nJj<f!XKE;_uq9j<GUbr1i9t
ze#=edBx7(|O6=;oINuBjL0Q8tS(BZ~Swy^{r10HB#i6Mw7HnQ)*6|0wyY1<GyQaS5
zfYIIj&Iuh{=$E^>cF}&;_xCW_nbCf254gItx%WA<zqIO$pQ{$sx^)-gfNez?#A%-0
z*TBYCX7&TYN(P}wruPItSo&aTlU9t4O`YB}f0q|%OH`bAZtORG_BW}6{p@EEs-S?V
zBY0;yP@xbRC#ik~j^jY7q)*YpCvr)8$gK~n%qY<@WDF{JhvC}}l`FcG<a(oU=Yj7Z
z*+ZHPCz7~mnf$Irh=$%R0IYcyD)3s`au>e~A*6=$3g|y&ZsDOChe2tD@5LpwrK9Js
z7rcUAt=4jwD1l~ArS1?H-LtnxoE{h{%KzGKJjcg-;AqPLa-~C--RFn7`$Y)f&V1_!
zDAsVJ-sa#53dV<mVwG9r&z&i;Xmv@GZ6wnhC+UB#?uSqXAw7C~#x8d5NZL6iKO}|O
zx0cHgd0T6hVtf0|`|16SK2;9?N+ygpU63b5YFQ#BJL`MkUkxQsdQ)q6-ib8q7H+`L
zz+QA6v8hj*_`}%F7>y#+R#Ca9*>bc!ZB%nFvw5Pfv-wT;4kyZphk>3>h5$$3Fl3M^
zCxW+JEZl{<^tYeP4&5Up@j0?HaNjfl;&-`?<ZI(afE3}KoO0fL3+w=ac|{D-7hWM<
zGkS0iR4AHj#_!u4#s!q(`1>f?B6{JIjpHc9ML5tDVBznbw?4WYM}yIr%VhFA2u*$}
zGFi=V!<~C3Y;mmlULIW`lD{y;#lqDpTFif?z~_Y^ALM-BU(#_Y3d!t+VkFt8-VCRI
z=)WwiAo!(#U#_o09}lR`gp=~QsJF>OrWDzP$v8K#0Vl4#9Sj|&@1KZo5*c28&tCn2
z?G4E_sz6fXUCbI_iEWQ4T$Jngh=#5<_{~b;yrlhGXm`swN|^9+cpX))mSPh1T^7#0
zVG<1giV<{@;(9jHtMcc6`gpb}Ww{YFxi#06c45BD8k3W&h+RU*!tmV4EZ<KM*&TG4
zdMT_YwEnM}Ci_+Y=3h=|ZKrUZ&kj3<N;yvc57(A6(}c+WjW%OF+s4Qf^h(Qn39Q<9
z(+I7yi3-pR>TfolFmj|DZg~B|Z*ylhYn;}Rc$&Liv;XP)E$6?|bdJ4RDZ0Jj(&MWq
zYv)ZCBh>JAjatdZf46M2MigEK8iu7mc&3T$WQaE?UNDCY6&wC~Re_`KvM}yT5v6TP
zI&qvLULM1k3F$8eSwNo$6e68-TPlTJE)69tRY!jzM(^OhIxJS<&PM>NCaW|cFmZsK
zg7g+PWG?UB462W-cS?REbfRx0H3U}b-!{}YY-soJ$)C53H`}S-S`XW8M<LOUjM|7{
z*K@-9rI=XY!)-`qHcy%TJ(69^sg}${OgxTR>r~YKqA@$z|IbrMn<tK#4FcCcKC7xt
zrlDEgFat1vu_2XV+LpkrwmJD9KC9s$pQQ=lvoa248~%Sj>o<Us=w+P<aGJJ=HGwav
z;QIYfEda!-1g@o6juEY7uBG?FD5OVDgO<;5&y-`^&?cjBTx~rT+J7jr&Sb6Jp}1OP
z+9?))x<bMv`cOX(EO1D^zTZzHAsmH29voO>th(55kqO7`?vC-d%8Vc=SkYkL0WJI_
z;GL08q~nJ!6EXSrToPuyQ1fV^YbKI$naGNWKij4ARYT2!e<Zz*Leby9wC46EVG-(o
z;OlmKfb%HFb*1-3m;FQEVdQ4zTa@|?V}9BiS%AJT##?ZHleVy1J|r3xLbg=bu49e-
zlSy&Y94e8As4}8WBG&Aw{oVVWGGib&1@pF<UAK?j?BeV-sP?UbX}6@!YwZTsclf13
zUu%MvOa~kE#Agdkwb9}7<Gd@vlBX-PR#9u}Hy&p75nA}nx+;Fl0_qdTRmsrZTleG#
z&x`oWMqguXZShUNm<43LM_2z1;Ow3ehBu@(p@&cE?%>s*v*ID4^e1HLq<94NpK4ZK
zX4-QykmO1})zm2rl8dX2Fy$+KW~ibRAiSn=k8;2TzvxK+1~$M};{21JqTB`$a4c_J
zU|27C!{YIhIp>!F*P_ygmCoO8;$N8cguxB7;z2Lebx>~oeYmx+=#J{hm3v*^sk~LI
zX=W!+Feud?k!i@)pW;f3FJ@La8n3=+q5A#zse?w!rH7?5>1Ve}->&>$t~Y<Pfs;Tu
zh#?j5flMna;j@cBtQ5iq&^jrNgZ|qEhWjKZV*3xtwCDw8E#<sFb2>>z+!||EYZ}yK
zmEvC%<ZzvSZ5FvaZA-o@v!0=1B}GFL4s@{Nfwjy5srfs;gy_gDQ99x~Af2+JJA=6@
zaI~9F2_d8y6b{1wBL(nm?&PdnwCEO}CQl-@`p$|q)z6!>7O-M9XEJn7K1;q7=;+Nv
zY>0D-lQ;v6y{BX6GT2V#%SI|?_rRjm5f8}|)DsN!tLl~0R@WX(*89iB4rmJN3U#&@
zhrPH%^-Fo9+B8#N%w+$Rui)t1b#$OvM#<LAly_Pzu1bcx*WC%alK45|YzM`Qax^CO
z*`xAGoKKpMnwK)cor>ih#n6=P>YG$29XV2Gvw8Gk#b_<ylxaRcY;Y;`RZqKd@s!`g
zNAIpF-!j`1Bg*AjLJj$0xDW|Mz@Z4FA2VhX)}qc|{XrkXC8a^E!Vt<Nuh)VK@H9>t
z_hA^d^d+nWtLDa~<ASlG$#Q~X@3Lb<c?@MfCSp}meX|qDf<8Ecz((1nmu`e}-{ih&
z+xdC>2vmkS+fbM{As|ul5Uoymp@yDc{^NmLkI!XeqqOvWn&>_|MevAcT3cFjbfa3;
zWO4TopnDfE37CS3Z_}L?IU-<g`M<HkJ0d6LNVCw%($mr7pF`EYYNA7cDVP>+fHa|S
zs}mQ=0E15WEIyY<NRTgn^r%zv)<qENHs&)c|A$F>_>o~3l;L)g>0U<!YxT|W=sz`+
z{t-;%1Sxe9ucss){{x|B*fFnxz;lx8Eaunv50u_}H(^tamz1ny+m#q4xYM86+Dp)e
zz@?C+^OO6#D9(!H`e!1MO~4{={q0y_WY}9^4i6oIUi<W{>>$_%M5kaO1F64IKl>fQ
znMnG88QGfU)41vI)Z{%qFr6Yyg$wF%86|AYsT8rm^@QC+Y{0`ulY+dZ1V3tFryd9=
z0;cP2_^n(Km2y19b1kSZO7zgPu8tGf5ZVQp6U=GbVZB6REp4~QOTAIdt)v;uJ?0{q
z5RI5u9heF=m0`|&!^6YM5yGYV0Bw_t8wH@;83#cP9C0uA(yhnBOsFHEavhtpYROtL
zc;ke_+Jwa+oEr;5l$b1bSa1h%sx2jx?V)-m?wg83dz|A#3QidAja^yH!Mo{x4Q02a
zRQd*MU2(l%H6``T;BuWBGJBV(c<xEQ%ZI%*(G<)$E4A@9dsZt2P+vR1__IcA`LleC
z0nds8oxrxkL&JFp{l;h>LIKsmNdymv=8OvJCQ3WNkO9V&3NAeKAf-B$=QgTQ;dxS`
zTO{DkFYc?H0-sQ*{wy~+hB&)5&@&qDgoe@7CEB{-)q<<|McAPx=8Bkj!_P?gJ|oAE
zmugY8h;Y}F)<b6=cIW*N!%aMW{i<u32js1z)u$4xX)iryTWRr#Q!$VTgWgX4AV>E&
z_{!d~t$bqK7)**EVvo-36@e0<zJ*%7V#U|Wja132#pHH^hNbl!Brc9cAyb_AWNz0`
zaAU0)9JF2y^EL+V=1|8muq#gt=F|(xATFa{%!6?mru+iq(|b4%e(0C06|&li50jNS
zr1T&R1vQB}w-jO}5$T7ih0<%z<Jhh;hFy8bZ+%KFJo&M-_L}EyI5ZZ2)K!`)f_yc3
z5<#!?dJs&1(74PBbm0m{)QdqBM`Jv>wM@*zcFhHT(Dk$GONzld)fc~x8f`flY<1A|
zb-HD1TT4!^SEHLO-c|zKsjm~@PH8Q=(?(ka_s#!xCq_GfJB@T=78T^8;<gMcqvN&!
zxCRtJj?zE;%*)<QWQ`|u-M3@yZV{|9NgBZC#_2s1FVNg=-};XSQnPPO850q^6kA^G
z^Cv^BI~(1+ETJW$ZA+2_3;8O6s?)qdE~EVsZbFjGRa)p<`aJrD%zvaLnm-uCFGlY-
z7)*@T{<CCH@bgmDdyS=QK8bzru)KF%l*3qE5<&Tc{X!p17S3T(bsX=dBmwD`Uv!Qz
zeXHXFVUdrOw`NtSnwE<zNvl~drRj?34WOt{XDgT<r*U&_aO9jEv%nVek8gxc4dU|R
zbufpZanPlRLGj%YgoSkeZyrGmdeh8nitj?i<@k+0x-%E9`N|Ck8o{x2F8`zm{=#7`
z52!UpSHR<iA2qahi$PP;;L87Dtyg>D_w4FVbRG!t6JuFFJ41_d{7ziOMxzZ-&q1H8
z#Ra5L(C7q0e5gtr8{kqnF~$}P2gV!EIU18tN*>^5r>5KV0%CK6aGWX?Kd_~IeKC;R
zcRlpm2|aaSz2KhD?N$L_u3*Z_dX;EJ11iYBoCTIq66*a_vao@=D)R0on2UqEoM*n!
zgxd}umbzIir3X1%hS8|8X-OZGPJlMH@p5tu(41GW3KQfgn{F~Yg+bPnd6I7nFY#uD
z2(Xk3H5lU88}6~toIx6AbSLniKexHw9qWHX6_>{-574bqX%=vE9)m|sPv!L2>Tj3_
zM36EW&Oj6RAjTK-iI~GE1Hb?3`N|3P4r#x&+-dDvDfUk*3{+iEB_io<f9Gcg6Bmh#
z^};tlL}Q{w3;yUBEj;0A&^@5B1zrL4vPTUru$3ZIR*@@>QR?1a(dKJ=cSAHc*6i^;
z^s)TF2Vna~fX<v0y%IKd>jD|?-G8o{Iof2%82n&f+_8yxDirs9-8;&+-zaSn<c>(l
ze+bIWS;gc8UK$92rRSTA|4+eZ$i0=<v)Wf|UA~0uAI40eD29D+l+4lzRDjzjaw7rq
z%Pi>$xM>_f2k5k>WA7@#Sph>@E$MhG%z)?F5^6nOJe1RbR^o!_rQ%BPq29K4UuyJS
z2t??!!z8K28eiiWO15^Eoz?F+61w*7A8K(O7s>Taq+*wEi5I30<r3OnS+{P0@O%96
zeDBqs%;E|j@;<PEKdNV2(T=F@%ei-_wy@e!<7zl-H2`42D>!J)M>g;ej$2E;>o_a_
z<${|b0JM>{Rjr`xTh<Z8QhY@Qt_E1eRb>4cPCD*|ms5~vI_@v;c7ARTKaa$Cu3r1B
zSbp-&hqiUB3tZumrRCvX0I{7mFbw2Ae(S16JO!oFMb}Xc>pp93s~w*W41%~P;ej{}
zOFtj(xZ{Rtaek|sS_EbVo2SUj=<mgBw67cMywQ1#Hej2yKfkL!uBCSjqc_KMQKld{
zR#T7?<gz{!ZZfh&4r3paa1**2#dxw^R}|y9#4SCNt<4Gyr6D!PZl^&ZE^=PhIE^sm
z?LRve$4Y9*d!q#RmyN>%;gQ(ekd<k~i~(oMVI6`5LF9LM=4>yFr*<v_zdqsHF1+{t
z7P51t=OM5nfgY;o1C_x(7GgHCa4TX<oUxTq>fVVPk<7U#CU0c;i^unDIB7gzSfC;0
zO%F@sls{rg>br{=$2+&{BP&6S(Tf>QC@Lz@4;5T$yO_{1EYS;gNwMZ^plf;3bHO0D
zyuNb|e}DZbTLk#AL0~M~e81GlWGMT5?C3kU!UO4WIW6;UL2`m#h;UI~vKz-_=S2SX
z5BJsH<Kttt-~G4gbY}<oeRbi*yOf~mas>0|0Yp%_rxv6qPxF2HG`!|L2th%c!%yex
z)x%p?PnE;xseKb-94p&?UC(ES6RBR8M{br84!03L$+TAYUr?fS`-~KQA!|BNNTw={
z9Jd4*rqSJ#VAE1ac_booQIKM``5-g>pQP9W%^*BdtRxmzVQ65+Sa*3pYE_{M5r&;K
zM+JYB`%4V`2_m{ToW8(7gBlt>a$#LB({u`awZ+>OYNyWo2IfRW4^yos`-O&2$?x5A
zlZiDmdPNeC4V)%u>&s{_zGoS&P|7X#z5zu>8eP1T9ME;kcjp}QUA*%yg^6&Q-F<=q
zb7gRE29e1C2FwmB%E_eHoh};|1<R;Ir#+@pdTbZ7R}oKR3h98UMZI&TsMyS@@>l9!
zC$VOPsUdfSi7!_3*Ytjx({9>3O&`;9Hl&m!-a_?~;UZJSzc9rF2veLTx`1yGjQnr*
z*<R*fm|`+p6q$<9(gH1u)Y1a@Ljb@Z@_#e%S++_1RZ`aXf!kF%Eg5MM@<w&_8oTk6
zo4E~oTP00rfEO}8k1}2ZKq=b-iRDFW>^i|*>kY0FvjoS!0q&2aoVbYuppr;6<cNJ`
zPEm1D3wET6Wdoq$L0DnDevBdSCBvdgD2&O|(^Q|Y5?iz_z`v*+Gz;9Lfq)QyTy-vT
z$MWdZq$63oRz<^$|Lngk(ggSD^KU_s?+~*;(}ExpFy0i`?<#9}rCBCvFmMM|#zYvf
zMd&j?zbcXvJpgeY(Dhf4Qf#w@g6}w0XdI%gbVCN7ZcCz+u_<up>{;|Z$oD@afJv(J
z_;liYD?P}a!n|9I!g&vJp(61y8$3`sl#^_&4=eyZ<VN_r(yO5w1D}=ZH1s%h(mP%3
zWZpy7YKbn|A+_gixcRHAOGR8KD>I_cpNaKq`=|A<9L`p6Z~X~)mH3#wZ<9>N;?t%C
zijSM=Y~qhu^!hi-q$*l1HuZTu1u0+{%*<*`a;TY<mreoY#T$|x3(2VtrS`^pACoUx
z-OXu?Qd@zMbD#?!hmm6WoK4X3$F)*i^r5b!9N$BXn=z}a8B7*YgjGgD57EzGk#DIq
zihp~Y2}H@zAFuwftLdDo0cgR<HvlbIpv!QK{-~??|IvbH09sI5QK0h3P)?_dEwrND
z^Pep8Z+1oJGhlg<K|-AnQGEHj(14r!&Onwzaz21K#M%e_@n3%b{HIJ$R&W9N(=S>N
zha&oj8oTt0s8lF}9DiQ#&Ao&_=d|UfAir9V`7dqvO5j*PQ_9-t1&PF;22xeVyz(uM
zsA$iOmfeTuF+Fu58Z`{PMo;HC$1P@b!>DNtP3Nc9f(B7^I&`&Ua+eIyM4EyV!@`JZ
z0?9_k_>+7b3D#%G`F81PVl-G4!l7q$G&IOJ0Zj!3_FOMzmt*qlHP)tF<?P?%DfPcH
ze-juij4XNY)v@s@blM8m#i_Lcb<P<L9obda8D1Ygb_I?=(g4RHW{oII-mFwh8ZQRq
z0lWn`4&W_2b%0F)BLuwvOX_-!0Gk3p;(E$+oaF{raokl0R{@mw^}mS%2j4^FV{qc>
z6a1qEbGf8K^-#F_$DvFBPzfBzF%!!14wgY+@7wNw4<h1cHpQ#Sxk@qji+_|4cCrgB
z&r7Y$i=fs^t+fMgO^5%e1om!t+t9%7V+z5?Z{SCUie}-NvN^T43ON0<zej|xTuA>!
ziX+ewf5=g9>FfhzkLuRI$I>5G@{<fO#QV(RR3LP(wCxX%wA^p%sdN#INpXUsT-YPO
zCX}@A6hNGWzVAS9t>QNR&rFjaV5aG488FkdJ@E0rnWjlQsoP(S-yls3PJu5=wH1Lc
z0P&co5Fj2CeOV#yF(3^J2z<WO5N<6{(hGmg<LCsJeL!{0;CK1iKoM%|J!}D@<jdEb
z7g^PLP+}&t)T)AgTlhf+@U{-SjDMR571{+q43>mslFtEFMH#k1mS`1CK|A?CazXoe
zd`)ll>}m%k{4G<#x(K~)*&oasuX`Bdni29NXj&jwul-hBq6NrLXX)V+>mQCHQn;`F
zI3FTty2m7koy<JbN?4o|Pmtv7P~>h<6e(N*ztr*O2flp*R?c+Xml2Rt52S-xCP8a$
z4LK|#%W|7AZJp5?4*QI8I3=1V2GrDW%2a5m7!Sc8CV;(nj7-6h(4~}O;(@8tB(_Ps
zBF9%i!b@c2ZK{4;U!z@eu`8BR)v=ypl3-AM|ACP(J?8=zr3#HwsdlDX8Hw3T7BbE9
zp)6EcemEVktj}<fEw8CA?Qp4-^=8axtAu}6Z<)zxR<nF};{8fR9)9c%b3h-8O750d
z^15D0!zfI0bv4kzP`&Dxx8-W$^E-q+1y0{{B#2LkjrZt65j<+T-%~`1ckoMUI2&L5
zXR*eBCZB&aVEr94L44hR%Mc*!e->*zPLpsns9mM2KBNr*4mkk3E&d-<?-*POxO8pD
zwr$(S#J25B>||owwr$(CHL-0QZ{|GbeDziBs{LpGyQ_M4_gdF#ubbqq<Pj~juojpC
zkNNR@pbLs1yg`F!D;`OMC;{1Q&LcwxY(x#E$sxvn^GIq$RK*RAyPv-2o#;WVbiWBe
zA5v_9EpQ|R2H9uK9Idw+n`oF*qNNr0b#3(kEj~fnYmqcF;UWhXc@?L9{Qj@0^I(~d
z`*w|J`+kKf0Hw&&nOMMJHl&Q%2Uv@aqB@W!NOa-DGp{BAI!kxQ4X14jnM7XHR+Q()
zSJ&0tWVQH%%LYgwX}kS;K;Q|DA|f++V;9@U^2)ic4ny;)&yc~oDTbQX6z3lBp{|YO
zts=XW9VwOMMzx)pymPN~ciozO+Dd~H*Dh1`o<H8;={lXFJ|0t7x)Vc+q^upF>^`a*
zQcBWhnCY8)%blib^vA3nx($~9XR0nTccG=smTS<u-T%Y)S-trj{-*Q8I9<y9l*!Ml
z=D*i;@;woHTL%_QlC5^WRzD2kaKJ-bg-Z+Us?mAHTGNlQsoQ6%nj1scR4M0G-Qa@O
z;ISG9Q5!B@j{XYsdJa+aA!2@xfq>eFXGY)QifCR>VKCl5CZNq-a#sb5orM+Fie+<L
zm#sCsQ=ks)Rq7aY!=5Q&)$!{7=&H4eP4-L$W$Du{vBH<X*SKD2*$ZSWj4Pw3U8T>t
zgb&LU+rVg-*^lk36-@vJNVQ|_rRr&4CDQtkcn5ekqrjC~+ekPfL($R=w}0mjJ%>Uu
z-1C<;MflHzDnn`g(wY87@uk;XCUYo>vfugPd1lWIv7#eLICT``nv7VEbpw-<_c~L%
z{VkTsGx*!OQKYvenv!8}JkK)l3Uk+D2=y&ey%8jh$1@$01_u@lC1V=q4Q1!PQsA&^
z>lw~UNyNT%GFR2P0`bt=D;|Fsgz3mKG9AK6odESq4g0lI2WvO;q14m#TCu{3ku)Ko
zWNy9<BdAXkH2TEpQSg`(Mmh4!OeK~!YsmcmZ+J2m?2<E}s>8yVTRa<%BmW`epsdFQ
zBW44gHu2762ygtfYdc^rxHepM{SQ|&5Y++4{jB3aFBJ1g6p0@(N}qfzuBWuA2(7LP
z42HT*Wcq@Fi<@PvMH&-L%C0jp0uk<wgjjc`oqYyc^%ob%jDMfB$znBg8MJ26*`@SY
zN~a~IUbpeM{2hRQF?!_3rtC2ypsdxYqf><%)w@=e$sg3d)RXSWKngi<XR~;LnBF<n
z^h0S_j+VOe0}{~Y>vPKAHrf3t(9deD4rLnRO%pC;(LXmTtO7N~KAKjYHlV>@^16&9
z9OT)nK>bT7WK!Yo&|A}nOb52))Z9Zik#_weXTusbV9XeC8f$(Z7gBocU)rJuq|iZ&
zAtktI14~u`$NtYQB&@TN9#Z;a7s`J^X!;*;tMFqNLKo)kA@Y=+UBi-5nO*z&V-x!K
z$JV%YoBQbh%Mu@;THe(KrqAd+Lj50l;YhITO6N4<r50P8HpEIS|2Tdz&^v_(R^9n*
zBbo<gcwuL~rY#P`;lS8#7vxisC#UqvHt5fo+FeSqvY}|$_-f|Bm%h;uO(vEx=n>!3
zD%3IbT7t`NB_J|0V36oUp6mexcqYoDM0TwDmc0FfiEJD^AlKsOK_r|c*D^b9Juh}g
z`&*0$rvZnfm}X3oAOc*`_%{DVQ%>>y%4mD4zVvR=)nTG6OP*S9l>8d~)M(qQ=4N49
za;F6Mc&LEn<3Lrc_N@Hir*Qh^{1ncc1l{QYIXv(Gc^P-e|E)uF#x19h0#hsT)Php~
z6;9rtbtplx4m=|*l;OD3?4BcOSES7zh4&0<eM-QI)XT*t@gG=3<8x@Xf289%5E~<?
zwPak&TpDa&NbSUE7X3I5sY9bgaK2?bUOk`tyaCjc%jlXwIOO_1jpv&AhSbVGL1G1>
zq{|Ie?@m=|c_?p7<RmUfMF^BDz*aAO2A%v*t>DEj+u4T0$n;N$q(NWkreMMt!cbhf
z;+?Bxe6}}nYdHr;&V9IbcGoM-xJ(Eu#uaxfmf^91=ehlSg}*@_xgi%+FtK#yG~DWw
zuG$OvUcgpt#bnFjKw|>TK-}VCe}>Mjplsutjb10T|JA$wh97xG<0Qu{yLO50JG+>!
za`28E$#k9{*#$Y;k5gJB#IoLstGfeu^^@1Q@8;-@?xo$_m)57M?x|o;hmd+}lfAzN
zcyQeq0K&m$?mf55uoWAG0)l>Y`z~k`{1nO=-4n7#0f3DaN>mNP@Pr(G*N)jIHR{Kq
zOv7b^7NP)CFs48|Y(kbZulY61>vn1PfDp{Mf1mQu-nU=Om(^sd<c3ZTpV5>aKoe3V
z{~cf>OWV{tm>cLB+x!emE-!@mEyWMQsZ4$x`)LyD;kK}=QrHwm?7OuMi-5$ES(zy-
z2A6{0=D@ik2JM3Sop#UE1Ne)u@9%$*LxH~kAcuCKVPcwN1qH}oDD9$JFfKq9Iq6I9
zUb3hi%+a^Q2t{4D*FF4r(ZTx+*W$dk63Rn;dh>J=CHP1?N=XZoEBG9Zgf5Fc1AXg0
zJi}pJg{NzkV>0Z=gliuWui$aNBLa3LIP}+BMxR6+Z7L7Rwzr6#m<xDIvM(7}G2pIm
zo!NyEcqInTD_@G4!rSX~mNbm8tCPeF(W7*YiIT4YB~5T3x9H=yOxZC5Li5BD*-#|`
zUowXEert$nKbCP<qpvb1^_-K}a^K<ESl2zLp%cB4%%9cX@C_CK$`W`yFFn_ED)HB$
zVWJzuekp6KwKv=bpp^`x&}b;Ov!T)2=#VP12PtVWu40>z4RwBse`R_Sjbf4ROh%#6
zP<p<`UORhR=nNHO9IUjt6=Qs4&XpqiTV3`B%`0cMt8c;imD1?jhgL+aS!xy&N<%TO
z(N4zI(fvFOjU;#Y)V<C7vOQb2kXU~1cQ&2V>lIO8*EHYGrz^?w8FCMTG>_aStkw}s
zo0z4y14krwrfh0>P1#YII}3)H4?b|kAh9bH=^Q=VvwG5YspM@%YBQUd<KBmY8y~mt
zL1e{N=W?P9#>e2j=&<(=c(hTkQnAgrCqY|527-umS~~pRIbeB=K;d58D4kcIz!Nu>
zPv+oes82t>g3Xzf|5+BY)}K3!P*0}%*XqI@YSo{Mh1aRC7x@ZA`8N)Nh}@HW&2r&V
zRI2#v9#;-qX90EBBWJ`t5UNb?c5LnK3es(bs#xitc4QG~aC_mfrIoPZE#_$>AAVn2
z%I+q`@LLyowZR5Yc2`ljTb^>ma2?c)E-TJ;${I#L(MXvp;B-F#`Or#UEvxNCZp!^I
z+}29pe+hDC7ltBN7o!kNz!Xjy{K_viR<GKh?K05McA3d*<-Qmmn#Jqp^a~2qYzBd^
zxmy(eKY|PfF9jRCW%h#{=ZWMY&*+JA9mNggcPm3feRP@1K2}HFV?AON^Y!92$L=<c
z=F_R<(~>d51DA`cCU=+O%(zKN-NTxh#)f6VshSO7PAA)1$Ch>HYj)$D2lbrjHK$y0
z{F>SGAE=6I4XPh=l(mzAr7m_=%Ke&IP1OGesK&Ws6na5yoik!DS=z>>>vB!ApNX^T
zUn@oX(EV4CUL4vBQ0#jS;EKxAeW!yZ$TX+p&TTuEv$=cx_kT3!#F^>FK(ozgE~!1|
zdCp@byPvU|)=&bRj9)~`DlZ9dGyhvFmPuM>NoKYH0DIK3aR9GekP(7JT=g3fDz63z
z#X@&zF-?}~>W_)^Xsi+r#TZB(w{eizrtme{pv>!`1A{(%={yQ{?QBW`t1Y?YFr{)J
zH#y4zo@Q3w8!M{&y5AyX{1@tWW?tOgwA*q@PDttuWmgd#@b5hr0Ah;}7Peh{!VqV4
zp8EA#eu9zy=}<18VDtrC#M}57WmhUuMZj=JDJ2e!mb{!_d{Qr<U2<=gai<@)`U{vX
z=JY3hk6fNGEz|gh7xxQN*ry*`40J@TkL42q(YCD?)9oq<Ko1H)-9xrqODzmL$Z?+L
z`xZF$0d#*}TVcdd99aI)f;6w10QR$P)}qT74o+JmYzMwDzzOZ}NX~(d^cVEMr`a{m
zLCb0xLY~3c_g+MAIQbH>2$3C|f&0QR`_lh*>22>TK+x1ry0I+bzshHZag)L7j++h3
z0j|4P(ap)r_U%x3JX8lS%&mr2<WObgbw+dgW|h4^^^ZHwf>wtz@k7kxr#bVRY#`(W
zE9|5n)W`|$t)5NGoPzpLh8t^A)C$B3%htW>DNQ|rpQ&peK*BPB(=@LKSwDfO!?MQC
z1t|8^6lk3{V>z-!$?f8wJ&=!7+5;sTkW%j$S`y{GNApG9KV285V^8gpWx$9s2O3Bu
zab<c_ZUkSSqeZ0lGmm!XWsT8DGRtsZ8=_)8znVAI9X!leNfEVa?vKo@w+SY;Z<!^6
zn81Z*`(sg`nV|eld^MiZ#*tTweZ@H*xP*&KVk*7IcUO)g8#F_1MMMIWs?i!X1`>yU
z-$f|1lR2n_)SV|Nn;lJaVCm+*u*wH>OF<Tuwekn&V;uZdNmg(D&%tsZJ7)MzB$Mnr
z!ZtZwKO9PIrLKF$=+E#@D(*)>iI__T{z6SE&nZ0CQpH4yIOT;H^ZtnrN@VPxqv8=v
zq+V|1-dFZHAECABehbYYAN<s12ePm8;9~MsF7M8_p2BMqFy0op%ONAA5Yz4Woi2r$
zFJQYPSNs9%^93gNRX&AhCp(w~M7}GojSwj&!fcjo`J-z%dIW)SVxp<j&T=mS_2!Eh
za8*LAy?q&7tgc?|u62_eE2$KVJI3(H>TB(f(iQU$J$v$djnKPCb~Ef^0WYNPiNxEM
ztY(3I#*uq=&eh!jXc>*u=Y3F1_CP|(9UF`%EY8p6MrvHF-6%H-=2u?tm9H}i<*2rD
zh@3?sptZb^C_hC&zmQ2VtO1(h&w%kom%Te}h0Oq|&s4y=8HN1b?7XfvTEYPG=AzSw
zsZJh;1&z7D?$qrEBo`GPm@9dOM+_IZZu2G_OV7K(H|JP8kULwiLfibMIynXU)hJpM
z-po#W!1c)4a$g7ICAoB1%oow}$eC($-cWzg5W)Do>g+O@@lG?l0qz`0J!RR^^<JNQ
zD7RjfvZXGL@;of~K;7ay@@c%GBA-Ow8UIAsdbfICta?OjYr&dQw)7<_UG<dJ;vZkE
zYNH&j!k+QZ0jgB-vsNoh(w)xGbW@`KKMSZ+vZ;lM<n3g!stLk0=Tt>yw<>E*{ZDzm
zGX5#gHSVWV6==q~&X{0-ykJgU++6SqDV=IPI5EItW;T1ziU^&pykILYen8wNrdpz<
z+}aNbX6y<=P%QX6@#DQMm;OR^hFEAcxR5ah>-ry~K5-f%A=f&b202Cv(o0hRfVg|0
zh(cD=$i{4F_&7~_CSJ$D5{V@$2;}I|30}haR<1>(8|v>YLf6(9yUO?gwN&*DP~uE0
zH1DX!&Q5dOtr#Un$*o0eJA8+Q6#ETw^3_a?^0R#s8+9j14JeZWxum&<9k2r9n2m-r
z60N0Bai_aA7%o2AQHRc^LkJVE(B9sP%jGAjr61($m!G!M+FLCFebV`-oY@&y0Zs5I
z;kiQx@Wc?R%XcNqx9ZG(5V3x2$Vp<Vz*bbJrD_2GDl?HhKjJn=0d$lGuDpO@k#_Xd
zc!;R7wy<eDqvom=*Pik*BI3E#c)PsxawV#@181gd7&O7&{8n1tZ_?H`x~p-bW)led
zy}R7$qpc^gVODty$)9)X+eIrn2*S)qEkUvbx!o^*RICY7LW)g`S0VQx?SBWdq`1}Q
z{3y7W49=VHu!1^w$e&biOYon>^0EtVR4IX&g7zoeB7ZaRWNx1-DG%Oju1frBdd#>>
zv8anBR7ltyj_a+YJFd4;sktX&7?nKL0>P?+M|<Sap2^YGUo=W(TSTWPWjlLvsi5ha
z1(v=$1}r9rk9%1u#kTDx4?Q@PBtRm+(?uh)_fcy&JDdJDmWcn1B?w_ZE)5bqqW|r4
z2$24bCE`cQmy==H>I0?W+5hybz<>LCa&SCe4HWl&CBym_Bc>(MobH(YFAA*QLxJLD
zx2IJDc$j~KNzp%q)DpDF4gpj{nZnPCC#b?xgF7Xhn-aBN=s@A!k>%~Zb&4(K2B3|n
zg0;rbv=Pw9cva6J+hcCZHB>71W&ReVcK)wZ>d!W)@X|1VB<dzO>_n#Dt{PG(uFZ(k
ze35q(+-p%CNf0^64g4%!i7k3|_fn>W;QKpD>VqL_;7he5r?KVNu)aj|0W0ZY(ASJ?
zgr4Uv{_4^nDI4gU*rzbs?6sd|av>@%Od(m;%#L}a#QuD3++))##BaL<PWtQNGCEUT
zn#IA(35jYddE%7M1fWH$lnFRXa?YvxdJD{%R%j%AjA}{1U`O#+NtKo0PVyP|RbR&y
zQNI33*YS1f>l_m~;wJu_VM+v0dKSoh3i0?dVt&;epZb#4-YKE$Lv~p!O{N%g=fm&G
zbf221XN&JLi*IcxD)X2BgdpQ}_U3@oXM?)#s=MCDsg2DP#q+C&Nq+UZ#U?6`b@a@r
zJ3ngvXpp4`KRaY9x2{aJF^{Cq|Bl)v@$5ea@uZJP{A<VZy{aoUl_9O4C-nV!!m>R*
zH<b?{m0JZ*mi%9$r|TmN_wN)OVTx}s$zb&}I;h{{2m;OB<*xtfgp_Y3r|TCS5y8vB
z)k10`5NO8$Ec%q<29UnO+;5FX3&dQ4w2f82tRmw`B-p*(quU>iJsqi8&QDYMrabof
z;v)7EbJ%!}j70r9p>1{>*doWg`cS3Nj8u_)VNmgH^5iZN#gV`^#vTARPziHe>rpCX
z=f&=wh0$M5N?Rb^MS4$KSGLH^OI!I1$8g=WZv^BY)GiEW@q-1P<K6{E-OLo<nqv)%
ziW^AmGcY_^4=D`R2u5N=$xrjEKD{fNe0s48&yzNX0ZqLGeG)E2(3)7ZxSY8CPA|4Z
z7^P9mZVoCPZP6=%?$aPrVg%5aCOFJ_Vhu+5dOSP^KP8PF8WvhpW`%oT4eIlaQ?FxM
zsYrD6#P)M*hH7DbwS*g|2;uoP$IXR(OZ+opBgP6uXc!V2f_a-?mLz(pD0V^cQh(vC
z^t9DyKrb~Ncs7pE_Y*rM?pg$>t^^aZr1%OUvRND8)Dk8>)Gx9IpY(fU11lgRpzqxj
zK)V@KA}EaMQSO3R_n<fBUIyI)L);f{Ir6Uj#^a;kPCD3~CJq9K!H-DI8JcEC9=-7x
zG%@3J#c++>J2jXc+YE!H;?f<GK;g8%ImYPY2<i(V!TTqh;8`WQbSfhg<UZxJo*gU<
z05=?ZkWac`J%Ffiek+yS^sIPG)#O)RHm(_#IkM+bM9+zc9}kdny++0>%(C0~;@@<}
zrU)ko1);LGyYHUi6t%`jj2p1m6xa9&6eMxbS7^l@Ykxd}Z@{%<P`=g;PVQO{J}t**
ziz<0W7RT4fX+WOy!nEr$U_J`YRm!0Ph=o~sq?)W{Q!So39q!|p>VQ0a`X&Yez4v;M
zIbHFNu|Mq749jn*VejRzb{%oUO#4t8wkRH{7)VkGg&bW37Dyfb5zNX8#3)g5BjAqX
z=bYj(H-P))iS#jF%Dk1?AC~NdDZ{=4gg$$f(IJE-Yz#Ys_^6TDNgBjiK{R5ZsuFCa
z%v>y7Wj2+p@c84f)A$7>+IZ@D%+XkF=)sNv@OAhOT`42aquuqMvB#ev(%DQJE|V~q
z?f{q|^9jNpf5eANYe#*I>l}mhTz6ONGuE0w>M-d(yB+X#kr8Pam;22l)BqRHIbyO<
z!G!d_D}4mb6JOP+V+SYxlTgsS%CrodO0lv@)alU`-<rF1KI3^H19Qa0=-PyY3|yj}
z#L8%Qo~7a3TKg{m5e7<2sw>P-bvgsX6&d)yEXd5@zX($q7__2{oQ0!aEIE}7;Gc1a
z_8)hY5%72GNI#Da+%{xi;f2qykM+crJH(6eg#V9Hz~A75x<^*l|74iXE)oo8QC}fc
zZ;3XGska7T6peZnz6Uu<{Q6v{mG;CZ$G3l<#6+ku7SDK2MvyEW&hrj0FHOb6Fj4R%
zn)G!8W*<w%$=uP{kikp8pyJ!r5Loq)jT_*BsIqAZZ5_oLhY)-tR~cyGrUl8=S3hlG
zhoAsW>rpx0I1HQly&+Lf#TBjOF2Jb*zdF5j8N-RgH@qmukeAM^M=iBiUY(Gtl{?!`
zeSF0ZsK@^C>FO@vykVgzkhgnuc1<&~N^#2PuP>G*^C(gbzx{J;j<i@co_~B?d|fh)
zM26O)vqEE&vqM>Devyv_*&A(`Jtc-R6I#RLU+Rv3o5<tZ$B!y$v_sW|<g-SSJn%;q
z)cKctR_`QC%F+;!CiO53ivndPyYpmRQ2#uxFuL(>#0}Y=0y1<2F*+RnOmHWKoTx__
z7ie-Mvu@FVbEcxJ(klc!Bx)f7_R#80{53~p2%T~z4oB<KUhJ~>j~$o){W#mzeb(ag
z^5}b`W36<z2UOxqkOia$qu>fj&~KQP^6#!#&pz6!-J0>uMckYYn#A%7iot9xX%N-T
zZf=~*ne@ytCIN)MSDa4oZah3|PF02h6WI`Mz$+Lh6fx5$7UeP}&!<B;nyH1p4x<w&
z?4AsQAdU-vj2%7zSoe{~bJK|*+{xejuF|UwJ)B=ZVS|H?%YI8n_@_y2C#*Kn303IF
zB`%3Fm3t9aXTevhR*ETXARB1D8=h56o&>2Su-_Gc&t$PRxv7RBr2|)r$4DCF5*5&h
z@dg4>%68TZ&HcP>th^MZQ3je)k_*GD{!9!LMz~~5FtfR_YId^dQ}bHm3iL+@2;;)M
zmUSS%Y@x66$V?=A7lcx{n``AboJbKxVNj<KtVPQ#Lu;umuDeU+W)6W)<;=q##5`{w
zejCD0g{+46LLZP?qGr}<z@jmvNjl)OTl=aEJ|a(m{$*=5)jzR>3Yg^AXF{x5*b)|z
zpFA}|qQ*PtfugZfetG0NwchL0UB9T2#1FT#qyy@O*1Xa9orPu9ydM52N$d)dxo}!3
z(=f;#>WCV1y_O2tp5o}0k(xGBxHIQpIQyy&9R!$X{frvPMU>C8zl#ogq6`U{E3m-W
z>bUnCk8Lj$yvk~h)R3RMAL>9=i>DBP+V-UXsL{!wNJi(*s?kX_F%s@(svpYr9mrNM
z_X7>SpWXl^qLIE9e>!mdJr@YN@2|wE{45@-kGB9Q)mV17?-pDCj}eLZs6NWI3u!&{
z?=*2sp>?2^!gTq5=1=O8A@)yPSWDDTYUDbEEw;gbgL+m)fAYc_tOsETCNoVDRR30_
z3;b*3yz9^2QUxwrIxz<YrwBaXMzzggj);gXEk1Yt5n+z!A%2Kx+tvW~PWf$t`Ptn$
zBzg$DLWfqx#LGq`zim1mQc*?#^W961X%Ny^CqD$3JvlBhB~Kz1JwivNQn9d(ee$~T
zx&;x`&Yz>cLiG_u6NCY<af$H$pcYu#V;6`-a+s!y0h%#|Q519yTT?I!mEIs&T#bNT
z3E#66IrAAiSQTS{6BP^Kx%!6$z!_qC`uj?-7$g!>tO&(YdF6&1m|_y;$)yT}8IMT-
zpS_<1jY5}q%`GQhNL;ZvB5Qjr7dJC!B<L)|;w@CXq!^=g8;~18=~mV35lAeQRxyd9
zY?FV!BM@5xz+-e`#1%mUv1*7AxS_*f{6!?V-cRs#)_*m~Ys=pYOYcma<j)IDOE}|M
zrti=(X!k#VM$6zg2H%{2qSFLiGBwpp44u#6&&g&0q4Tk3)di2*_IZD<;KyF=d6xX}
z@Hn2Kc@P3aaHcFPWs!YF-B-9+#>ArU9Q<y4diJUK3>5(L&GGkMoZ=|U-hJzpsLk;P
zRJ8<{A;2DrVJer_6zhdlxzrHZ@>3RU6b0AJSNX~TK7;zU>=^oPkovT|?a>79%mA-B
z-2}XT|Dyh~3;F&H|JAT=ae4RM_~O(2N}=~1e1i~q4NSA)+PmZ9n(8n%X5#0<z1UU@
zOc+Uek!ZHd5hW(zt!Ra?xwBUyw6kNZbeEtAH|U}yYJ@oErF8Nj^P*B4rnn5zXuq~(
zWFmeK590K`Z#j?;;BL8!5vpivstg_-sX2uYI=y{ekkGs`cW14L$C*IXirpZX5HFF<
zT`!4ZTmE4UgXy<Wo8hdwrj0Ue-OEX33!b;4ojUrH)*ZXwqRMVJx9Q=>2ezgCbXUdG
z&bojo_7c1ikrO754aM>KlNf%wS0#W{bFWFv_4;BUbBwIndVmfTT)tpi8x53^HPs*8
zh5!71$GQlpAaZ$zl2P{-!N1cnYTg8fuU7pB_X@D4dZjV-8#y3}0*vqzA{Cee`lV58
z+q~?0vF}!`Jn9#rZ7U29j6$;uVB06hq`;eJ!2q*94tKMn2`k_4Yfe-H1$KMe39ZgG
zf_v(yvd0yaw=L>D_z%ztmZ@TR_;02`xg4@@rOQITC!q_2#5>xhEhfw8F^5E^6U&85
zi@s2jeNE!uV`Dt2pVqfIFH(ne9THjZlLqIuyWiF1w{+btuPM3}M=BfnmL;rFA&1^2
zsWx2Ao>MpA9y{s1dkAcj@6~2(Osz3U3P-aSB^5@|OEU0TT@9|Z^d(L4GCZbXr;3;!
zym!8}8i3XUP5}iYmBb<CQwbQq`fgcXahPJ@I-R!k6PY;F?O+Q{7QNOc;c#Cfi6O!#
zQ)g{%9z3^@#kx}CaZdt)Av-8Kl6?LiCJ(fod~V3C3FxVtp>FWzXH&mLnCn+Q))Z^#
zLfz$A*tz1Ck&Tm%-e&K)PcO+>XFu3<r{we;dYH>ow{G4X(%|&UA*&hu9JuoC9PNLY
z^B$N=lGlp8Hwg&(glJY-Os;!A4%Z_Iu2ZgdF4ru8&#Cw{7N+v`oy^;vH8iLR!H$Fw
zO^Z}E>VxD)VwalSvg(+;fy?pK#6NC%y-2nL-$J6hNw!<FbuRe%deLep&15fR!gmuY
zcY`TI=zV(%R(_{Fj@FruEeCKkN{S*1hol{dEpKJD6)#G;4_4la9sh5(D05+bp{uD-
z`D<?1t5x}hf^uV7{SW5_@sIN=TYF+tiKs8z(+rerF^F7?K2Iq9%gx)<9Z0wTTLhut
z?6yry!y23D|I3dSqOJg!Cc`&_gmKEkGNF-}U8V><q-4Yh&17M0!9t=NRft5?yP}B2
z{QG#D$tXcnWi?wLUcM~`*tiDD2z?6`t<1(~E}eK-ZSV&$Q%HenI)1j-$8kR+gYjn>
zfKBJDw|798{8___d8i55u5;oaFHw{TI%#4<KGZ?y6vHA}mR$VX{X46%VyzFR;9<gq
z95Z-iUt#_{&ICF=632PW#VW8_RYN||;{$>0zLjtWn0U%G_iw8oV<fWUGjWE6t^(nh
zq?Ampp>XJ{ANVE5`D4E9=+D8MhCh04xlk@>118J|jGS~m1gzT0EvaCTk6m}Hc>p;`
z7&EwUmJ6AzU=monEudUoe>!*ykboF6OJ>`!>&Stmu~%cdV!9Qv4LP^-HDJ>W@?NoS
zfT==4YOS8>QJ1PIBIVqIVE!KIHHGJYSnR_-JpWy`-OF)SRW|l;kIOn0aq+3(<Zfs0
zDwyglnDQq}?<`<7LOYZTIul;NkDUOSG*5NpAc(5$X{+ggdX<PzWBp-$(irqaC89I*
zuOjIrxpd7MPPKdQmdN7D7}}b~a&fP~s&Rfz)BNI31$1Dbif(94|2_eq{ICla&2w7|
zF$t?rQ}y3(SXv4GOSyw3Q46x5P2rl#O6{qV3J`$PHCuMLo<j=xZ34?Qig5p-F`#fO
zzuI)q_1f!`OF%%G<=hU^3RAx*A&LyLZ(enUWJqJiSIudJwYp~&R@((K96EVO-6Tqf
zaP@6_y_T^)9QX09=DZDf-d3UBQCL-Cay?Y$jMuQ=WxN;8%&x{NTSO68-xepFL@~5K
zG3E7iZu9SY=&1Zp%6d^T86qUh?5~2kU*9XRyzCxbP>6yj#r6)^Q@A&cmri@U(g?6C
z;G>~P#mLyg3>E|(C#GP2z_&e8$s1KrZzNIb8MB}VHP5c~{p%cubo$u@*KBw(kmOOS
zw0Xx1gTQadJmm;qQ3(5HyZTz-?b(frhouq^m6Z$^tayNE*AT?CAUvshK8*kdc<;=R
zZ7)0c!BX=`0be-uP1~Rbozkx?Be!OHZlhEA_&X^6RCR}S#YL|UYoW$%!Mm?wOs@F!
z!vv>3BkFp#L{4!f?6;ExAjSkh3NLh+`@i-`ZdvWKp}6`n&oFhg;xNInf0T*$PUNcM
z?DXOPKewenQu#ZI&a`h1KmFCcm9{*f=mjEe@HPsg0i9sz-ncV=D@nRui2`!joiiz&
zq-LICO=KD3zU$CS@z+F(I~l2zblr@3cB`3@TTY~laXh()Eq$q4;+e$LK&EohM6s~4
z^hRUbqzqWY4N%~qYpIP^uG{ul0YRfaO+pWfGg*ra4ARVG0%;m7lUbfBN)6P?a2|07
zfh6}y=<V@t>k5feA)MuUQehb!c{!tM0%VkO($_jXe`~U)2|`Q)E-|{wYV!n;*M{{S
zjWX$aI2#1eTF}7Hr<_4`NkRK4sNbfy66?(uvw7cic*46CxW^jpW7!?yMr*>{F&U(%
zO((CCE4C<hw##=LN^9M3`@w<xW*zRs^sg56PeSoKa8FvrOGTe;#?9H^z+R0`<)B^-
zkn(aNjYmX*oi%QVjbQ@2)5v}6>1o|B;;<5h(Q9F!^q&sU>wKrBx$b3UAGBw+63K4_
z$h*K-WrH*f5KS=~jv~RknZ)gwF{AkB_Hj-liMqI@;A^)E4?zx?Xg^V+@TepBVU1WH
z2C*aU>AO;_4hK2Nf<fZYjAZhDEU8ecdf4bdE+NJ*XxQ;iImrVA7!I&cExLG(Nc`q_
zy5Z9?k2aD(?cRA2Cb0ZHO6ivpv)w#m$~0mqD9%ItEjW7uvB2Jaw_QGwKSbOaNCi~c
zK5xGnvTz2+3}TBB#dmmGc|q)@$rfI~P?maHGG6kyM0EpvfN)>FDZY}v3lWEU^!mSD
zQ+Du~dO<#zQSZDMpv7d7x7OAh+JKjaTCb40@rIjH5~NY>wpN)U(GNOjv}w}1kG<Uj
zmv4p#IUEZ&4jN)Y-?$M6eq9ljyvaeWk$L*<MR;6(_W5^auMAH_a-dCXi`vE`)FAgq
zSg{iHi;^?djbjLNScl^oDo43B7DQr`*q@mpuj*6bzg+!FW0)R{u&;+vk&haiUbm;%
zffFXc4EaWlOhIH0|HRlVA1a=sMO`=3n^{0N?4r}&^o*l5P0NzGt}B=TRk<p9_QabR
z0Oo7CKAuSY#YU%EpJI|)3$-ovJR_1TP!}y!JbIPAO06KO1?2MA!TU8fwH9k7VE%+y
z6ZU<TnJ^j_Fj`?Gj|Y*k5)H8gq3S$ZVPL5tT=)_TP2uXnm(bfggpN6hD5f#N4>mC#
zJe0QN`_zou)(cb4`W6605;Zm$?QJB}9n(w*UV6Y!&Qyb;w~HJW^s#bcI7jx;ZFyWH
z;KSzv(!VWx_USYol;YR>6f%%TmmeSr0*YVXiXon~5{K6`r5R<mn7!1%js~T=2#!LH
zl>?tB7O~k2Z7KO9>~=unrKDbc$wip>ksF%s<?XZu){dO=-tXEz{Z9Ly-OW$VeD$2h
zgbn+b$KUe^5W~8%#No@kj<GH_sfVg_05SwabXdZFAX#wf6>S7|smm)djBf>3#DGms
zpvgYcvbC-7?4d_`J;%JJ7s!_v$hRD&bADF?!h`cNgL34G<BH2+yUtv->?79I2k2iA
zU{ounk+!2w-_|=#aCCcIg4^4C17Nk<$zJuXhFs3g73Ip58@jfr&^BS}<uu%iG3%$}
zeIJ2EHcq!GZT@C`xQ)l&3xHn&CXks1LTs(?cf}O#H4UEfK3Vhv+<FSTDYfM<D8oSO
zV0PQxF#F<5lLK;ENNQs>(CapXK5f~?0KbmMd^?ONPTnEKiqq?Eox*grUJtlJOu;d2
zad9hYxwyLW9GBTKh;0Xh7TU5k>!k?nIni5{65?RgkL~&;OV#s?tXs{>9<svB5gm71
zg~REKky(^R@feF9ppUm+->}SXIjWVm{xpwQD+Zxv&JUqoblEr~)vvNK4XwKQs4ae?
zyF(RJb-6?3-iE7f0<KnfUWNK|3Hh^6Wl}{OxVnCs!?DTn)_D}AVqGPU^2gYlE~n}x
zJeoKSmsW3YJg!x%VatHDus#Pd0COW%YKxmb&!~#;(K(Bfp+a<1noIeR#e?hDv?I*`
zVIH_Ty2C-1h)qT;1ZH3odHr#iC?>GSmW?zVL+=|%j~VvR3n1N?xr6Ym>LY^t6MVwS
z5%VUTD9ngB59x^3yOjtDm((}F)FUs(zr4qGEA}B>UUJ~qtY_DJGFW|d<@ksRUu5SF
zv)joF4aS(Mb7Pjd1#yg!F@V@-qyR<50Y`zyBQ`nPnpw73x8S-L<DCVlz@gX>aR{KR
z)EeN%qkd;NOR4LRe=l~6(X%>C<JvNZk?i(RLfx6EUvQW?e>t>(sH3uzOYYi_ruJyX
z7JU;=5S1_U+a0<VR*ytDQp(g#X%bpRHZXLqD4g#>Hecn28H0v6aEY0O9ut0aHeO=$
z#vKfK0>-tzMHO9-1A)Do1_euDC<vOh=GOg+DLr9s(183zV=|i8f}#Tb*BusofwF8|
z5__79S_F43zm0$@by{pr2EYJHm|t}yn&8Di_Xm#`tf@GR;E`6!PR!a1;o-aM?Fa-(
zApr=CVLAD>MDVdPAwxV&qr5OR9QH$17t=QtV7O^xOysnIS|4}1R~eEqCL;9Igi}y|
zU}VD6#7|sEmk-_so_0XECY(HH1Z+4OBc;@r&o`3FCJPq6KP5mEzAjiT<X#aP7bbj9
zOg@83wQVccmz<IYF3iG=ng@QX=*BVB(St=yHX9b(TJVfC;L$K4s~aG=Yy|WpW>sxK
zgc)DhSWyNSiFo3WH2Ya2^#Llz^jZ78YyEc%xtfPuXJn+JV47uromrE4;#cM$TwG|M
zpqz{Ad*40Z(GZvcQ*AipN7hfPz8UzNgPCv_d8}F0OR;LaJSTlSz#%@vJvx{r!~hY;
z8#p#Pys~}R%<rU})Np05&ponK|H)3k_FT6Ibm+t5cZ$?PCW?@|O#dc|9=%Ubw_eyo
zW@$|peh%!Ip$z7~*d~Y?Mo;80F2F@hGX9nLc=h<(-9C?MgZVpK7<zK%DTcS985r%1
zNc!{WxfAq5j92h<gf?;d?JIUb6HC8q!6SS^CPIU1*Y%Xxc04;us_65vZwQJOre0+I
zKopK=e!F?b&8ruwt6H1@kbD-w%8sA2R(c<ZR6HDHD=00pLM1rjB5F#WV=y4!D;3<Z
zea?T_-B2QVkf`35{a`2!G=u@dE^Wa;6O6kY#i?#*77vwxjR6s-N|%_PZfB-DryeaO
zbebQGIb!?1Ia+li8k2Y!IHVSG68pleR(SJletv-K3GB&5dhWt#Ap^>GyD3A(adlSD
zJ5JW`4g`~NwdSiGln=_oZ$Agi3gS12hxmxcD?)WlApCYZAUIx6H!X2GQ4dO~;QGG(
zsbu;n`dW?8%12eZC6TFa<V7SE9985$#!3A=zGBb)T}oYS)?%-GU;UWn1)><R#QqLW
z(Nqkzu%zd2+soW)|EB79uKHlphe}tDdCH<J?NUi@BXwZm`MpNjT^N^B#h;}3lR++w
zZR6Zw*LaG#M7tzoutMYPt%n`kZboGzCVLdgYe8DGhE^O|gGIEk^Oq;xp1*d;bnI9B
zv^!ID;r&rASZGrR-q0JDz4l8TZs5{OLqIJb7Q{Jl?$5>Dx?EnW?uZ#-pPy3O9D+Un
zr*R4<#V9K^#^t6;^QLM#ptpsKu8j(M+kyK<-I+p^Fweu!7PYxK!1na;=O?(H6V)xM
z;!9iu9s#y#6|TrPw2x;UnLbTqsS}3zRH+k0@+$D-<uMSGOPhXeY;Z?RH4VY8nxfr-
zQs-JB&dyQJqj>a{6Q)TJJXGo_znlo0!;Mr^QCtznj*;#I4%o-jQWgjN_r{41lWy{~
z$(&Lm)aK(+h_Zdr3Tm8hkYb}^MVj$N3-md4Lvg&MQX7L8Olh|!4~9IOO&#%!|74<6
z5Cxr#h;P9Yk(`MB3bF}sy+wSQiNPG<8OstM8MqeU3l}gfaXro~sJ%%^QxpQO$gI9g
zN(*apwU47#KpVwnKBiyFP+aF<L;9KvR#k{D@fA1e0&#J*ATFvrd^z+a*VKknD}-MN
z+A!n5nbK5B``sam-1cW9wMshv)hVls<qsICb3EH9<_WBOKr%_OE>fde?Gw+y`+?47
z)-fH2+!UEh6Zs!qS{lT|d?tMMOvfmnkPn&ckkGpbf;Bt-Yg##uz@|t)f;3&)=3uF_
z#5b8SBz#%ZL&XoSv_om1s9#CRt2MUy@}??Dm2yAPD2OBwi{IX86w;hH5TWok)WoD;
znpgr-5s8P(q2jmq+>@5m`w>f;5|L9ljyzs4!oww~1NDl}{iz6~!;lINwIYf%TO!(6
z)2at^528m&Ni-_I0vsf(QBV_H?*k^5))=sPc}e+M*&KT}?>x3F(kfS7gIj^`bM!fa
ztf;wAe2|L8+&0zoR+OpIZJ3+)iKKf8G&e-&5-*8ade?To^Ra=W0)T%r!ZFm}Tcl^e
zyats8R7^nYXg9a!!!N7MrG)9G!^afMdu@`9f<e=Ee40Y-8^i?df%0LG<Pg`{sLiTm
z?bibLfJa1il$2R!t1d4<xDC04o+r%?Wm_w{HV;2RlzuaAa~%TnR%j0!x&3jBoB8{|
z-gC{q%>jLdGkp<rVn>%dKtZWox7mgoZSi~iIkzQe-`)wgOERR-b!qDHvxug@QTU3j
zhcty_&z7ov2wLUXRJ(FIn&;{knR_H4X1m$rq3ZGvyP;}SKH_?5<SP6hhR~^gf_8YI
zfD<m-;&=v#=OB)Xt9cp{Cwhj^{$&>ih^`Gdu(|+&mB(eMGR@;JeS{;bEfARe{NqwG
zu>QSVDzKj`7%D%PEn^^n=hh7f*aH1t%-f|?`d+T>N_9s&ZftQcXPH%TJUY$5|8*DY
zvv4!lslr&=1%XDn5i<&S4To@>oVO@}x`A&geweQIU#zX<=V1FRd5ORV`C#r-f*qm@
zhr$#Az@on*Xow(!LQVWGhL@D(ySpS@Q@~u~rah4Mp1mLBzrZSxiY+}yCY0E3_Mhw>
zykJY@-!yT5V{tqB>1FC}3GXv{+`eUsiJ179$kof!_o2Ym4rI77;nJ57R?((zFB?FA
zaR-~AO<sFyx_BeJLAQH6qYitH?;p$*oF8(ez6U(@k|%radWpkliMG^X_soZ+y&Q1g
zP+;zhH4whq9Q0C2@0xgAbSrHA*!8w1PmZ#}Rv1Wo$W$z-@Dt9u)gl4>SB=HbnEZtN
zcB20tPu!AICi39;&CH81jHo_=-_-X_v{Be?!bp<OizeyiN4P@uV;6(~zJ%9&U%G;z
z@_(1m;PJ~a?u)Y=mT|m16v!hJp{kZZIH7n&Gwh(?%h5<|7zj+e`1S?ei$oM2o>W9q
z<uS}E1nhm|;!j=cem=in4?>`NvRHZ{>%KOu=9tBs7?@C*W$mw{;@7q_g4GWYaiGk*
z=I9qAEFx^gyv6ZNs2ndUWmw6-(3}`Ct)cIlILs}bCSmhUqaMd+4#zieUaaIE@I!qa
zJl|4yxO0<SQI6Hm#ou<7s7Ad3dc70{>4jC(Qo2WO2j{c8G(EFVkBhld@LlrHB*)rm
zSy=MjmxZ5h>&e>J4V{|3@_#%22`~GzLV8NAjFXskC|0|wf1P#TtGQCLQAf;Yr(2=x
z@ZF&6$1zD%&>2P+puLhPFMMpk7Inp6OW}6YV%AI6hdV?F4bdl-H_lN>PdX@`4!)6H
zNJ(Y(G3jGZL5ia`tZO-Y%_8Tn)8p*4ao-W({g)pzQji}e_|k>_1U_1>o#AfQs?S-q
z`pdDs*Pwyh?CG7H_nQL--21r{^#yoE^wZSC38@LJ;49Z-@boAJvJ-R#lU1@RL6_O=
zIr`J313ocdb^=~Dn7C*A?2nu~`R10{ii;A}iRLWM6ZgP!9R5Q=^!6n#-~`}9BQJ#5
zruT8{f~|&*$0K!2+4PpI#4};Cg~Cd|*(^UCH@Qp?=S9<pjU&d}h(g76On)B*#>0D-
zjivlbe}`Ji_3G*nrw3kP>Ih7RcokW{Dn@j=!e989H|rj3usHscK9=l2UVUPo(}#Ai
z21o>($xh|j(}ccSWSDmHuboo#w@p>%n-~v$)4)0Vb7K@g`9PtBy+hc_ztHL?(3}iz
z;-IGNa~3UYBL!D=_^@(BJ?nU^eWK<r9~39qkzis!urCR>*BFIWTtA-&Bc#E%9BcTc
ztSb)}R-iXE7R%?A-O5wI(e3Otyl9t;t?ME_jF4;`MBVYR$i*MctgW$H{yT63{I}(6
z*w1}p1fA4|{auNY?Q=Xa|M>?))(rBgIfV*NjMvK}#7L4+`bcx?2kuV=I~FJ{V08^c
z8PHwN{%Hz#g+Aey_Fa4K@ZevS(0lw=Lh$d1mB9%Gx!W)SeG2@0bxC*TukSpmn;e)^
zjf!xyeqI;EjXk!WZ{NQKPd<!oEbF`5qjqvsw8BINt7dND|Bl*tRX^aPxNYS^Nz6Ti
zO!e3KlTvh4max!#XNkd%0fjama7PeR9PB9iMWy=@;Fu}Ih=<O?a}uLL!TUKMF*o^}
zgJ}fEnf^94B3NN?F?EhzWPl&PM@7V+T%%RcinB8b4tI~0%i9XLcpb+(X{rd$posWh
zC6)0o1|awo2g}iLofEcESv45+c~h|?&gDKjHns)2rB?(Uxu7Nw^svY98i@{M(xHOx
zvv`Js+HHyVJn=;QW@MB=^#h)N8l4mU`MEPb)yqg#^~%51XpwP;CR@?<%>UA8!%auo
zAj;0H_%wivXWrmixD~Jy=PnCeO@cReS#P*h2O1Q31sbEgvIZAZn6kbb=i*Azv873<
za=w9&H>N$L7bUh<2;N90IJQ?tB{=p|@@fB-{5+>dAqs1#yg>G3AnlzV4iC8f2TG_{
z(7{8RFBGqPiI(Wd#}Pbw-LZdt5?Ut`cM5oIViCnU1RACvE8sfdnHPU{F^@S@9v;b2
z@Vp`o(!=7oln2?J@>IM%Pb8(nJt_I9g2X*!kv&c<FoG)ZtB|j$H2ym|GKQy%2Qs{^
zYbpk$UVE65^g9T3RCzpqG~Zu2=2C^nLdAkZ78pAnko^aFGSw&KvSvm6v?&15?ZdW`
z4+W;@*P9n9IOB&yhOog!9szc+TJjZ?zDifqt5~C+;C&N}x*T0zejy$eDpLSb*F^c1
zfa5ut8&27yHpRYFbCUQTx?B<31yzO+zPrdx$M9fzI!H9mrown5zBXUGvmWrRSs;Y_
z_q|B_sN+Hn)NhuU1-X;~W4tbPy7;-!ta_Jw{*~Qbjh7jd_8s$Krq`Fq;}3|eZ-4se
zM55eb|Mz*<Y8uaQc-LHf(gxLV8QKGD{?5}-bj8@kKV8Kz4v2x<^d&;BjXl4f>;{dI
z3h7VwIe7{d{B`eW0m<A22#S>r^MK^*AyD!e4n5Z*(4oc|jTV)+a?uX+3G@M?gqffM
zxWjQ{VWkV~?Q%Oa$Xec`f{Cqy<BfEKR#$jY=QyXUpRgcM4w@jJ{lpV>8&)se7`&@w
zp})?0<-Ss0mV$fMrc6hSK200emjW1CJ)@Bdjk*>ph$=u4w}P~L0P-ZsYRv50Jk!(`
zw(mHP9U+GXKL*4P=)iY)=*JLQHOE*vu#4VYX@ZUtIeWP^#5y}k6;RzeNt`9PagbWm
zj~*ZrQ9Z*w^Az>`L$|tm4LFMWR(_PDj0mLDM?=Q^QQ~5Pz63Kc%gWxkY?&Fpzo#h8
zzG(R=v>jkhS<iPy5Zsr>$%S(xl`q~~jx*~0c=rOO*#uDvovwxeb9e4goix(PwS`!w
zG$cg;A7n1P$<BQ$IqrMzahH;>9rl8uY|1Esq$ExT4ijcXB((@^*jk8(46U8aOeP}B
zv&?^ZG4K7ai}-yN4*g>!<oyO3Y8D?RNsDB|t#mLM8Tr2R7-X~*dqq&6=_RGZ3^W}~
zyjWR-+A+>8Ld``7V7!R-B4gQgb#R9mT2vAx*6$(cX!I9;HXb!OZfvsM_hc7fqS6a8
z7}(;{y}hD&jW(6OOz5*g92oarq<;|%58W?V*Xp1d1%M<3F;aHa61YZMTQi#O`5_TP
zOU#^Sw(xmUT6c(<;X|J?N?v_S<e3(IiQ#fX#WnZLj<*>e7yZbVOD?vL%r5aq{ZvWU
zu_{otQw%JpMk{wUgL)2tZ@A*dWFHR5uQ>|!1rPNOxEcTO=pixW0sP)aB2*t9>qo0_
zh-f3o2sd(Vh+6OOIWy8?Dhlt&2Wj(cy3DnJB+bAKxhxfJg(ctT=_ycdG*QiA_~k2x
zt2vxq5Obh|Fg%gCj$qHTriOPXuFvmlRWJvdp~DQ^VgeY>w8qc@nD6-=2eUO2!B{jd
zk<1)DAY;3ihBrj@$ka<WYDjegQ5yBzX$mU<XEQKLaE2006^r)Cja*azxh$8xfZ77I
zBE?jPnMF-?;r}#=2X8%}QnZwUyyn=LSPAVmRR5s1RPue)N7p8mczubJvc%0!$pUf8
zYDCj>0Lt}c;#m{2k0rdn2>KP>sC6%c{II<(cU{AzJ<kbLQ%Fh|j#Ts}z22cW(CUYN
z7s6i$o^P0F8lE!Y2rDu-@>h%ngax=hc)L2X)mjFMP!=4*8s~+aS(3kHG#FYHEHxw3
zooDDXBcaTlyC;SuaBUG_f=0A!f9i|}IsDqMC3O@Z$}`_P&|uNsG&idee@Y5LE<iJp
zTbr<?5JDS<^Ch_8)=!4P4-Os3zGJJ0-BxwS#qUk^1}9IMZY%d5bn^03mH(+5>;TBL
zQjIjD4J2JB89<iv+ag8yP~$BF*Gaf#xZc<B!Q0&K2p`$VL%L`^$1c0|XX=@Pg3tcj
z)K=CZ+Y1wyHy+#{**dmWvE|NJ@IAk)_iBc(mu^@74xVf9C=Z?g6EFmR1dQFsH}1|Y
zuv>Ql4AEVpwp`bpzY5}iCbxNHYiujIpIq(T*(!v0>UJJnJyAf0!;~%95r@Sz_KJO9
zm*hVbK8Zuc3I#f1>u!avA_a2ip2sqyk{w-n|H>Pu1`|uQv0#e{gs*g-Q0F>3I>Z-w
zN2djd6_`cm47~w1?}BTHLeCM0qav0-w+osiew!8-`Ul8V@1)9ClyJC|`N#<EE9u4$
zTolbPC%ynaMfNzQ?^W}1WklrfFdcPrP^t|rn{a)w22XOD?BZ5txwd{o%h9k9{=t5-
zm`2`c#oHIx%j_|5lFA|CGQ>Y7OzlUq)V}nJr6|q>p7!0!+@mN6lPPQJgyXtSM8Bro
z%lL;>=gr*ZYTmqK^+a`|^eIzzE<rnS8w*9$g&5!R%!4Kmu-)H~S#UBdu6@^eSySMX
z@SxLQyV#|`E)}(A4(3P*QpR8GU`E48s%!k#=@b%E5gnbXqA3g3ohaGeIX2_@nlX3a
z_Tv5pkN3)aNjN)i#JJ;D|9xO_9hL&?TagqTV2Lz`WPE3(fO#$HLK_&G9(M@jnax_-
zx%AElf~taYIt?S=!sMAXqB=A|O=i?B`b{@$;O9hLwrfEb#lkSy#w>;NMAsyVuEa#@
zic6~#ZqKOR@GEmDPgndFWZlFB3%DwL5L10f;?`0`%3jF%5;cuFOPfq$H}x&i2z*BD
zf=;6zK^j8(bIc&h^SK0P4O25~pF_ajBe#tbcaK1@^(W^C-|&?^g%5?3B2=j~oF?W-
zbf~R3k<Sa+)Z>XsDGBF27PtatFeyoe`T<Jw83*aV1a_*spem0JPN!#iR%;DVR>c`0
zdF6`sR&_O7I7e+`(tV8J=9%8Wn6yMc5q0)h9_9Ln>`GsE@X5G6wMcI@5foZu#7s~J
zHt2n!vq&Q4)fg4gGpbA(f?e$ZqkJ1bRP^q7KjkWX&-j2RVih!#)2?`!YV)mP_DRB?
zoe(#@v#RzVN2+k=^US5<t*uD%<<&2vv}sSDwf0q(=I$x!Vk4Q17#EvIO`FHBfYzn=
z>8RF1txd1}@$!yQD9FtSt*+XpEG-@S7RQR~jWd_7rvKO0okv5x{&4^wGRhJuOAFcQ
ziY#T{E6FlcLzt1cn6Wf7!ldkpYmK@xN@mIya#4e^?~y$!!!Xq4hsM&__c6c6z4wpb
zx#u@?&U~LU^SnOq@Atp&`8?k<&&9XYYU9e9>V&!KLEl@np}-PkrX9WnJR+{NzbvRb
zloHgpc35v{3hhuMID-r-kvuh*Z0Ism)2k$OU%3x2&z-zjG?_kL=FA9~@#^Ayf8>V(
zDU*4S|HGb5dz;&UPD8Sr9HZT^V-}W*)QVeF*gL63D74Io9oA_Y4c~SpAzq8~U&HA>
z4u_^uzMrU>_(jv|vY0jp!DJ}%5KF_#b=fRg{UPK@eaonB&%q<;Z((K|Ckzy4&Ix9f
zRW-NPG+vccYXaO)@dqrqhI}}O)Bk9}gmzHwu+p5CR+!|3zU8?69*;bG<E*q0vtyxT
zGx9$NpS+zh<7tf=-?Gk7W*P>BtTB6?U|1zaNjnu5bY;D;V5$veFzArQM}L#+aYMt0
zVbr(W;1`R$PZ6@+oSz%}?lXU2l=avwmz|UG1rfdZbnSZl!A+X6Wse-mUz&QJ%+Xm!
zyOV~yX`79r+N$+K!#lA%`MM0cbZ<n+PXh1mo5Ql0QybW*{?udo0dX?^G0#LCE(w?`
z3X?-$Zkg{*<)A!r&Kkm8#-oyiu6Mp%)9gFj=8$)RiIry(WocK*dbD^%8QJ%bTc0&=
zUbDeJcDu$Eltpy6W|ajbrQuD}0)iHt5#-Ivg#&lB*p3SDQDX|$XyLKXdHAg3&~y$F
zSwuk2ZJN>%Hjx*dDhWF!kL(+>&w)M*wixtTuqyTRzT%1iU)n!?7CK^Dsbq$#6ma+E
zmk>{U)!U6OaML~0`8K5^1W#UZ!E}VIxd-mt%P6c$=h@Ea>!<A$>zCRjd44=yy3+O6
z?e>gF*og!l(cd<smlYNxyMMG=`u~ZRwun#?zrH1wBQ?G0+0Id$L4v6h43#a14X`*h
z9~M{5`FMEGfK=Ce3%`%k1DY<Bo|vK@EH_KK)8IdSJV$)$miR8N;!M-*LR%C?RPaIK
z%K4X8kG?<QcbR>hJJkuIe>_~VYv|lP{Wo*BxTyw>5U?1yc#10BArywT9C)#GTGx{S
zBa6pASC?tO`i+kJtwDXDchn@@K)>q1jd$jpTRemh+oy*PjI7Z7lR3JrJe@WN47F&(
zD?<1iZy6uSyKrGgQM*^OA11U1ckOG0-|r<FKYoV&r7ktkWIU5dm#D}@l!}jY*3Fs^
z@l5Nn<3_C4ICQ!m$vx48v)s=n_C3f-y~Nh*xm8O@;qq~I$!z>%nS=hI;PZ7Y)wH-j
zzwG2~HP0S;1*<SZDOQib<=`v4#HR`a=%VkkSJbsLB4!j3I{k)q+G=zohmaoh8MW<#
z3wBrDH~6`G8O0^74vv2_c^3(<_<f?q(Wz+7bSt~}mASLU2^-1QZ#n!#bV_nQk0W%Z
z<7aIaG34?Vd^`EGZh<dd_J(O4SJnx|^W|r{YcwsZErLJRlUEy5wBx^`kU@nm6X(JX
z80zy~+|$IykQgDYsFH1BaeC_eV!^D!c_Tq1N7abBT|@IkW{*gEE}4i!)y>CZ+hXG*
z4jCtBOQ?wcDo)q#XkOFIBzraXmB6xEbh0P!(n5TqKGr3PzI*rv*X;7VbyGy!A|_yN
zDI`HKS|wsDn|}n?_(JixfkD{TuTEDQS<@sDTG71tOYQRNFY^SVr~J|7NX)X_oOq!6
z$?42uoi4rT&d~CJXsUlS$skU4^@F!sdSG-7v)2)yzu$hp8!bwq1VqnH-AnE#%6|R3
z{k}1CNYi1-LH}aW?Pls~9Kx`4R;c2TojrI=)-d>T-sCwZS|s+z(Dv1YvG7-T+Ly4v
zq6;BVAuTRn7WX@Cq(Hmtp7$0PULq(y_J#L_^<hMPeg?!?Ss{0W)JHOeiLH19v*tf~
z2(i`}S(|O7E2(HEV_XbIH~m23o=2U2Y*VVyCKk#ops)!QWJWnpF%*+}#qt>%mZj^Y
z0oC>hBSU_Y8`$voH3WljHu5U%ez@jgVw14hdE5M$S6H;$$!5fDF86DVLkDdIvqEeI
z(Vt4*G;ywe8K^JamFf(g`xZqMmsNyHZXAVM`+vHW=d{vVrLT||cjsB#spyF7tJQuI
zDDfruz;Y6bPsk8&%@gx#03)+LR$DrK<Hb-YlP1resn;^s<93iVcxLT#=F_ZpU#Wm-
z(C{-I*VE&2m0)MEx}~&~snDLtb%{M@vPP@>klNgdkT&?%g!JKvm86c?i9`j0uK(2!
zXNGn(+VCqH0wwu8M<g{K9BwlHSq5cFA?5wE*!+6_ksp8ctf+Kz{m?koepL}tVa=3N
z4dm$R$Q|&Rf{8GAPdXN=xgK#bZw~EJsH%BnN_N&cE;Y`sbYywSotNNBot04)IqWSn
zK4yQVMJeWXU2V6`bEwt)TwamDmcq&fl5<(0k=<{eV5PE&gN4#Hu{aie^{oYMk-g&|
zD5%Kca!VX_@$P-2=CG|rygxCnd1_7y$t`JmB=yni%G%&KM*JN1^+GsqeQxk{ZM@&)
zr*Px5-c2GeW6cisirCX*%Qa)mEMv*DvFg2%L6QwriJC4+N_ji4fP=k&RhodsoQ?0G
zpzTS0@f6XAH_Dm1>qpyS?yu)OUA`-*EScn);HWe?GTiXs_ZFFoOq+xRVXKvZcLv5=
zXte6}w4K1~48D}SQ>AcM;-|}#ExC7S=Cf-KUZ*@R&*M&g&t)}bekUc2t|{DS?Eb84
zBB*h=qsv+b!>(y*=}OmsBc=wqhAQWReuOtKy5BDV9#AgNkHNAwDx-5?31dqK7FTt*
zgr(u>&-B-Sm&JbWwHWVQUo6-C(^s=Hwg|@ST0{twDrQ@TjwM*Cdc@z9=k{2G4Qsz-
zMAX`_eVsIYcOBZSb(jrBy^khEtEkR*2<bin6W=`(r}N<H=?LmH>H&i~l}G5Tc5(^E
zKPdDJ#1h1U`i6MxzLK@IyRA&GP?o{)!u}9aw?9+^!{&`^Q(&$Wn2Qypy1gNpRl8wl
zaV%u{Mx_sKuUKV-g{-J#Q$-ip#UtD%zKP0_H!;UvSD0y;6j6l0-^-kRZ9mHIg?TE`
z{}ywooYHaBYfuY{Kzi_%`;KxhsF0x}6_|(XqBPEh5sFDj;+=>0Fv!>SW)zcJic0^u
z4D$7@QBg14Q<eS_3}1O=hp5*O1v>J7I1z9(;5LAl0iF*y4RH9V=#M*q7h?DVDIKCe
zzEYrifCu`FauPwh9!T#4>Hp@HfR6!=1RM)^G2kHm2bBV?+2`Qo#{jPZ{3qaJAUz1A
zV?lZ?NdGr4!tkx`rw>w~!GN!V^m@R90Urmv9&jAsE`V18UJBAjWspslXq5uH?<nv~
zc2BiP)&BLIc@_-CI#VLI%g$i?&XDpG`A*wT%BNJQW=E{;QlF0G*DE`Al9q}KmhFA_
zHXk9tR_Bd1Mz$hL)7BZ*C_xv;_pjDHj;K$Ul}&NZ!Xx8Z-IZwO$&up)*4+`)bevKo
zZCjY{tB&N8dXMVoDq;q7cH<u3?gsms6$hs<L>K~r9D>B8YB>a7u=9^ngg^r4ArLX}
z?f#1cBK6l10&(~EbPM#f_rC0j^2T}xdgHL?d;)OT|1DAmirm(C9&34)1ENsP4-xu@
k{#~RJl*YJuW9>XKes@5re>jwTe-<ZrM}wmpoCAFR7n?rs0ssI2

diff --git a/Solutions/Azure Active Directory/Package/createUiDefinition.json b/Solutions/Azure Active Directory/Package/createUiDefinition.json
index a69424a5497..2530be72fb7 100644
--- a/Solutions/Azure Active Directory/Package/createUiDefinition.json	
+++ b/Solutions/Azure Active Directory/Package/createUiDefinition.json	
@@ -51,6 +51,30 @@
       }
     ],
     "steps": [
+      {
+        "name": "dataconnectors",
+        "label": "Data Connectors",
+        "bladeTitle": "Data Connectors",
+        "elements": [
+          {
+            "name": "dataconnectors1-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
+          },
+          {
+            "name": "dataconnectors-link2",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more about connecting data sources",
+                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+              }
+            }
+          }
+        ]
+      },
       {
         "name": "workbooks",
         "label": "Workbooks",
diff --git a/Solutions/Azure Active Directory/Package/mainTemplate.json b/Solutions/Azure Active Directory/Package/mainTemplate.json
index 5c380daa6fb..67f37493196 100644
--- a/Solutions/Azure Active Directory/Package/mainTemplate.json	
+++ b/Solutions/Azure Active Directory/Package/mainTemplate.json	
@@ -46,107 +46,27 @@
     }
   },
   "variables": {
-    "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
-    "_solutionId": "[variables('solutionId')]",
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Azure Active Directory",
     "_solutionVersion": "3.0.3",
-    "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger",
-    "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]",
-    "playbookVersion1": "1.1",
-    "playbookContentId1": "Block-AADUser-alert-trigger",
-    "_playbookContentId1": "[variables('playbookContentId1')]",
-    "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
-    "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
-    "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
-    "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
-    "Block-AADUser-entity-trigger": "Block-AADUser-entity-trigger",
-    "_Block-AADUser-entity-trigger": "[variables('Block-AADUser-entity-trigger')]",
-    "playbookVersion2": "1.1",
-    "playbookContentId2": "Block-AADUser-entity-trigger",
-    "_playbookContentId2": "[variables('playbookContentId2')]",
-    "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
-    "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
-    "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
-    "Block-AADUser-incident-trigger": "Block-AADUser-incident-trigger",
-    "_Block-AADUser-incident-trigger": "[variables('Block-AADUser-incident-trigger')]",
-    "playbookVersion3": "1.1",
-    "playbookContentId3": "Block-AADUser-incident-trigger",
-    "_playbookContentId3": "[variables('playbookContentId3')]",
-    "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
-    "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
-    "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
-    "Prompt-User-alert-trigger": "Prompt-User-alert-trigger",
-    "_Prompt-User-alert-trigger": "[variables('Prompt-User-alert-trigger')]",
-    "playbookVersion4": "1.1",
-    "playbookContentId4": "Prompt-User-alert-trigger",
-    "_playbookContentId4": "[variables('playbookContentId4')]",
-    "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
-    "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
-    "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
-    "Prompt-User-incident-trigger": "Prompt-User-incident-trigger",
-    "_Prompt-User-incident-trigger": "[variables('Prompt-User-incident-trigger')]",
-    "playbookVersion5": "1.1",
-    "playbookContentId5": "Prompt-User-incident-trigger",
-    "_playbookContentId5": "[variables('playbookContentId5')]",
-    "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
-    "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
-    "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
-    "Reset-AADUserPassword-alert-trigger": "Reset-AADUserPassword-alert-trigger",
-    "_Reset-AADUserPassword-alert-trigger": "[variables('Reset-AADUserPassword-alert-trigger')]",
-    "playbookVersion6": "1.1",
-    "playbookContentId6": "Reset-AADUserPassword-alert-trigger",
-    "_playbookContentId6": "[variables('playbookContentId6')]",
-    "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
-    "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
-    "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
-    "Reset-AADUserPassword-entity-trigger": "Reset-AADUserPassword-entity-trigger",
-    "_Reset-AADUserPassword-entity-trigger": "[variables('Reset-AADUserPassword-entity-trigger')]",
-    "playbookVersion7": "1.1",
-    "playbookContentId7": "Reset-AADUserPassword-entity-trigger",
-    "_playbookContentId7": "[variables('playbookContentId7')]",
-    "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
-    "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
-    "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
-    "blanks": "[replace('b', 'b', '')]",
-    "Reset-AADUserPassword-incident-trigger": "Reset-AADUserPassword-incident-trigger",
-    "_Reset-AADUserPassword-incident-trigger": "[variables('Reset-AADUserPassword-incident-trigger')]",
-    "playbookVersion8": "1.1",
-    "playbookContentId8": "Reset-AADUserPassword-incident-trigger",
-    "_playbookContentId8": "[variables('playbookContentId8')]",
-    "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
-    "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
-    "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
-    "Revoke-AADSignInSessions-alert-trigger": "Revoke-AADSignInSessions-alert-trigger",
-    "_Revoke-AADSignInSessions-alert-trigger": "[variables('Revoke-AADSignInSessions-alert-trigger')]",
-    "playbookVersion9": "1.0",
-    "playbookContentId9": "Revoke-AADSignInSessions-alert-trigger",
-    "_playbookContentId9": "[variables('playbookContentId9')]",
-    "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
-    "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]",
-    "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
-    "Revoke-AADSignInSessions-entity-trigger": "Revoke-AADSignInSessions-entity-trigger",
-    "_Revoke-AADSignInSessions-entity-trigger": "[variables('Revoke-AADSignInSessions-entity-trigger')]",
-    "playbookVersion10": "1.0",
-    "playbookContentId10": "Revoke-AADSignInSessions-entity-trigger",
-    "_playbookContentId10": "[variables('playbookContentId10')]",
-    "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]",
-    "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]",
-    "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]",
-    "Revoke-AADSignInSessions-incident-trigger": "Revoke-AADSignInSessions-incident-trigger",
-    "_Revoke-AADSignInSessions-incident-trigger": "[variables('Revoke-AADSignInSessions-incident-trigger')]",
-    "playbookVersion11": "1.0",
-    "playbookContentId11": "Revoke-AADSignInSessions-incident-trigger",
-    "_playbookContentId11": "[variables('playbookContentId11')]",
-    "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]",
-    "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]",
-    "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]",
+    "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
+    "_solutionId": "[variables('solutionId')]",
+    "uiConfigId1": "AzureActiveDirectory",
+    "_uiConfigId1": "[variables('uiConfigId1')]",
+    "dataConnectorContentId1": "AzureActiveDirectory",
+    "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+    "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+    "_dataConnectorId1": "[variables('dataConnectorId1')]",
+    "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+    "dataConnectorVersion1": "1.0.0",
+    "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
     "workbookVersion1": "1.2.0",
     "workbookContentId1": "AzureActiveDirectoryAuditLogsWorkbook",
     "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
     "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
     "_workbookContentId1": "[variables('workbookContentId1')]",
+    "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
     "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
     "workbookVersion2": "2.4.0",
     "workbookContentId2": "AzureActiveDirectorySigninLogsWorkbook",
@@ -364,7 +284,7 @@
     "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]",
     "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]",
     "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]",
-    "analyticRuleVersion36": "1.0.1",
+    "analyticRuleVersion36": "1.0.2",
     "analyticRulecontentId36": "29e99017-e28d-47be-8b9a-c8c711f8a903",
     "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]",
     "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]",
@@ -508,2534 +428,855 @@
     "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId59'))]",
     "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId59'))))]",
     "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId59'),'-', variables('analyticRuleVersion59'))))]",
+    "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger",
+    "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]",
+    "playbookVersion1": "1.1",
+    "playbookContentId1": "Block-AADUser-alert-trigger",
+    "_playbookContentId1": "[variables('playbookContentId1')]",
+    "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
+    "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
+    "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
+    "Block-AADUser-incident-trigger": "Block-AADUser-incident-trigger",
+    "_Block-AADUser-incident-trigger": "[variables('Block-AADUser-incident-trigger')]",
+    "playbookVersion2": "1.1",
+    "playbookContentId2": "Block-AADUser-incident-trigger",
+    "_playbookContentId2": "[variables('playbookContentId2')]",
+    "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
+    "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
+    "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
+    "Prompt-User-alert-trigger": "Prompt-User-alert-trigger",
+    "_Prompt-User-alert-trigger": "[variables('Prompt-User-alert-trigger')]",
+    "playbookVersion3": "1.1",
+    "playbookContentId3": "Prompt-User-alert-trigger",
+    "_playbookContentId3": "[variables('playbookContentId3')]",
+    "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
+    "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
+    "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
+    "Prompt-User-incident-trigger": "Prompt-User-incident-trigger",
+    "_Prompt-User-incident-trigger": "[variables('Prompt-User-incident-trigger')]",
+    "playbookVersion4": "1.1",
+    "playbookContentId4": "Prompt-User-incident-trigger",
+    "_playbookContentId4": "[variables('playbookContentId4')]",
+    "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
+    "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
+    "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
+    "Reset-AADUserPassword-alert-trigger": "Reset-AADUserPassword-alert-trigger",
+    "_Reset-AADUserPassword-alert-trigger": "[variables('Reset-AADUserPassword-alert-trigger')]",
+    "playbookVersion5": "1.1",
+    "playbookContentId5": "Reset-AADUserPassword-alert-trigger",
+    "_playbookContentId5": "[variables('playbookContentId5')]",
+    "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
+    "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
+    "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
+    "Reset-AADUserPassword-incident-trigger": "Reset-AADUserPassword-incident-trigger",
+    "_Reset-AADUserPassword-incident-trigger": "[variables('Reset-AADUserPassword-incident-trigger')]",
+    "playbookVersion6": "1.1",
+    "playbookContentId6": "Reset-AADUserPassword-incident-trigger",
+    "_playbookContentId6": "[variables('playbookContentId6')]",
+    "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
+    "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
+    "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
+    "Block-AADUser-entity-trigger": "Block-AADUser-entity-trigger",
+    "_Block-AADUser-entity-trigger": "[variables('Block-AADUser-entity-trigger')]",
+    "playbookVersion7": "1.1",
+    "playbookContentId7": "Block-AADUser-entity-trigger",
+    "_playbookContentId7": "[variables('playbookContentId7')]",
+    "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
+    "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
+    "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
+    "Reset-AADUserPassword-entity-trigger": "Reset-AADUserPassword-entity-trigger",
+    "_Reset-AADUserPassword-entity-trigger": "[variables('Reset-AADUserPassword-entity-trigger')]",
+    "playbookVersion8": "1.1",
+    "playbookContentId8": "Reset-AADUserPassword-entity-trigger",
+    "_playbookContentId8": "[variables('playbookContentId8')]",
+    "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
+    "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
+    "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
+    "blanks": "[replace('b', 'b', '')]",
+    "Revoke-AADSignInSessions-alert-trigger": "Revoke-AADSignInSessions-alert-trigger",
+    "_Revoke-AADSignInSessions-alert-trigger": "[variables('Revoke-AADSignInSessions-alert-trigger')]",
+    "playbookVersion9": "1.0",
+    "playbookContentId9": "Revoke-AADSignInSessions-alert-trigger",
+    "_playbookContentId9": "[variables('playbookContentId9')]",
+    "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
+    "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]",
+    "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
+    "Revoke-AADSignInSessions-incident-trigger": "Revoke-AADSignInSessions-incident-trigger",
+    "_Revoke-AADSignInSessions-incident-trigger": "[variables('Revoke-AADSignInSessions-incident-trigger')]",
+    "playbookVersion10": "1.0",
+    "playbookContentId10": "Revoke-AADSignInSessions-incident-trigger",
+    "_playbookContentId10": "[variables('playbookContentId10')]",
+    "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]",
+    "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]",
+    "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]",
+    "Revoke-AADSignInSessions-entity-trigger": "Revoke-AADSignInSessions-entity-trigger",
+    "_Revoke-AADSignInSessions-entity-trigger": "[variables('Revoke-AADSignInSessions-entity-trigger')]",
+    "playbookVersion11": "1.0",
+    "playbookContentId11": "Revoke-AADSignInSessions-entity-trigger",
+    "_playbookContentId11": "[variables('playbookContentId11')]",
+    "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]",
+    "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]",
+    "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]",
     "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
   },
   "resources": [
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName1')]",
+      "name": "[variables('dataConnectorTemplateSpecName1')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Block-AADUser-Alert Playbook with template version 3.0.3",
+        "description": "Azure Active Directory data connector with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion1')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Block-AADUser-Alert",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
-            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
+          "contentVersion": "[variables('dataConnectorVersion1')]",
+          "parameters": {},
+          "variables": {},
           "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureADConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('AzureADConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+              "apiVersion": "2021-03-01-preview",
+              "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+              "location": "[parameters('workspace-location')]",
+              "kind": "StaticUI",
+              "properties": {
+                "connectorUiConfig": {
+                  "id": "[variables('_uiConfigId1')]",
+                  "title": "Azure Active Directory",
+                  "publisher": "Microsoft",
+                  "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+                  "graphQueries": [
+                    {
+                      "metricName": "Total data received",
+                      "legend": "SigninLogs",
+                      "baseQuery": "SigninLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AuditLogs",
+                      "baseQuery": "AuditLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADNonInteractiveUserSignInLogs",
+                      "baseQuery": "AADNonInteractiveUserSignInLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADServicePrincipalSignInLogs",
+                      "baseQuery": "AADServicePrincipalSignInLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADManagedIdentitySignInLogs",
+                      "baseQuery": "AADManagedIdentitySignInLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADProvisioningLogs",
+                      "baseQuery": "AADProvisioningLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "ADFSSignInLogs",
+                      "baseQuery": "ADFSSignInLogs"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADUserRiskEvents",
+                      "baseQuery": "AADUserRiskEvents"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADRiskyUsers",
+                      "baseQuery": "AADRiskyUsers"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "NetworkAccessTraffic",
+                      "baseQuery": "NetworkAccessTraffic"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADRiskyServicePrincipals",
+                      "baseQuery": "AADRiskyServicePrincipals"
+                    },
+                    {
+                      "metricName": "Total data received",
+                      "legend": "AADServicePrincipalRiskEvents",
+                      "baseQuery": "AADServicePrincipalRiskEvents"
+                    }
+                  ],
+                  "connectivityCriterias": [
+                    {
+                      "type": "IsConnectedQuery",
+                      "value": [
+                        "SigninLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AuditLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADNonInteractiveUserSignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADServicePrincipalSignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADManagedIdentitySignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADProvisioningLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "ADFSSignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADUserRiskEvents\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADRiskyUsers\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "NetworkAccessTraffic\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADRiskyServicePrincipals\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                        "AADServicePrincipalRiskEvents\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)"
+                      ]
+                    }
+                  ],
+                  "dataTypes": [
+                    {
+                      "name": "SigninLogs",
+                      "lastDataReceivedQuery": "SigninLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AuditLogs",
+                      "lastDataReceivedQuery": "AuditLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADNonInteractiveUserSignInLogs",
+                      "lastDataReceivedQuery": "AADNonInteractiveUserSignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADServicePrincipalSignInLogs",
+                      "lastDataReceivedQuery": "AADServicePrincipalSignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADManagedIdentitySignInLogs",
+                      "lastDataReceivedQuery": "AADManagedIdentitySignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADProvisioningLogs",
+                      "lastDataReceivedQuery": "AADProvisioningLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "ADFSSignInLogs",
+                      "lastDataReceivedQuery": "ADFSSignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADUserRiskEvents",
+                      "lastDataReceivedQuery": "AADUserRiskEvents\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADRiskyUsers",
+                      "lastDataReceivedQuery": "AADRiskyUsers\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "NetworkAccessTraffic",
+                      "lastDataReceivedQuery": "NetworkAccessTraffic\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADRiskyServicePrincipals",
+                      "lastDataReceivedQuery": "AADRiskyServicePrincipals\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    },
+                    {
+                      "name": "AADServicePrincipalRiskEvents",
+                      "lastDataReceivedQuery": "AADServicePrincipalRiskEvents\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                    }
+                  ]
                 }
               }
             },
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2023-04-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
               "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
+                "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+                "contentId": "[variables('_dataConnectorContentId1')]",
+                "kind": "DataConnector",
+                "version": "[variables('dataConnectorVersion1')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
                 }
               }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_dataConnectorContentId1')]",
+        "contentKind": "DataConnector",
+        "displayName": "Azure Active Directory",
+        "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+        "id": "[variables('_dataConnectorcontentProductId1')]",
+        "version": "[variables('dataConnectorVersion1')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+      "dependsOn": [
+        "[variables('_dataConnectorId1')]"
+      ],
+      "location": "[parameters('workspace-location')]",
+      "properties": {
+        "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+        "contentId": "[variables('_dataConnectorContentId1')]",
+        "kind": "DataConnector",
+        "version": "[variables('dataConnectorVersion1')]",
+        "source": {
+          "kind": "Solution",
+          "name": "Azure Active Directory",
+          "sourceId": "[variables('_solutionId')]"
+        },
+        "author": {
+          "name": "Microsoft",
+          "email": "[variables('_email')]"
+        },
+        "support": {
+          "tier": "Microsoft",
+          "name": "Microsoft Corporation",
+          "email": "support@microsoft.com",
+          "link": "https://support.microsoft.com/"
+        }
+      }
+    },
+    {
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+      "apiVersion": "2021-03-01-preview",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+      "location": "[parameters('workspace-location')]",
+      "kind": "StaticUI",
+      "properties": {
+        "connectorUiConfig": {
+          "title": "Azure Active Directory",
+          "publisher": "Microsoft",
+          "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+          "graphQueries": [
+            {
+              "metricName": "Total data received",
+              "legend": "SigninLogs",
+              "baseQuery": "SigninLogs"
             },
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
+              "metricName": "Total data received",
+              "legend": "AuditLogs",
+              "baseQuery": "AuditLogs"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADNonInteractiveUserSignInLogs",
+              "baseQuery": "AADNonInteractiveUserSignInLogs"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADServicePrincipalSignInLogs",
+              "baseQuery": "AADServicePrincipalSignInLogs"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADManagedIdentitySignInLogs",
+              "baseQuery": "AADManagedIdentitySignInLogs"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADProvisioningLogs",
+              "baseQuery": "AADProvisioningLogs"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "ADFSSignInLogs",
+              "baseQuery": "ADFSSignInLogs"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADUserRiskEvents",
+              "baseQuery": "AADUserRiskEvents"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADRiskyUsers",
+              "baseQuery": "AADRiskyUsers"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "NetworkAccessTraffic",
+              "baseQuery": "NetworkAccessTraffic"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADRiskyServicePrincipals",
+              "baseQuery": "AADRiskyServicePrincipals"
+            },
+            {
+              "metricName": "Total data received",
+              "legend": "AADServicePrincipalRiskEvents",
+              "baseQuery": "AADServicePrincipalRiskEvents"
+            }
+          ],
+          "dataTypes": [
+            {
+              "name": "SigninLogs",
+              "lastDataReceivedQuery": "SigninLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AuditLogs",
+              "lastDataReceivedQuery": "AuditLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADNonInteractiveUserSignInLogs",
+              "lastDataReceivedQuery": "AADNonInteractiveUserSignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADServicePrincipalSignInLogs",
+              "lastDataReceivedQuery": "AADServicePrincipalSignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADManagedIdentitySignInLogs",
+              "lastDataReceivedQuery": "AADManagedIdentitySignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADProvisioningLogs",
+              "lastDataReceivedQuery": "AADProvisioningLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "ADFSSignInLogs",
+              "lastDataReceivedQuery": "ADFSSignInLogs\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADUserRiskEvents",
+              "lastDataReceivedQuery": "AADUserRiskEvents\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADRiskyUsers",
+              "lastDataReceivedQuery": "AADRiskyUsers\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "NetworkAccessTraffic",
+              "lastDataReceivedQuery": "NetworkAccessTraffic\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADRiskyServicePrincipals",
+              "lastDataReceivedQuery": "AADRiskyServicePrincipals\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            },
+            {
+              "name": "AADServicePrincipalRiskEvents",
+              "lastDataReceivedQuery": "AADServicePrincipalRiskEvents\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            }
+          ],
+          "connectivityCriterias": [
+            {
+              "type": "IsConnectedQuery",
+              "value": [
+                "SigninLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AuditLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADNonInteractiveUserSignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADServicePrincipalSignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADManagedIdentitySignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADProvisioningLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "ADFSSignInLogs\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADUserRiskEvents\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADRiskyUsers\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "NetworkAccessTraffic\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADRiskyServicePrincipals\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)",
+                "AADServicePrincipalRiskEvents\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(7d)"
+              ]
+            }
+          ],
+          "id": "[variables('_uiConfigId1')]"
+        }
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('workbookTemplateSpecName1')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('workbookVersion1')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.Insights/workbooks",
+              "name": "[variables('workbookContentId1')]",
+              "location": "[parameters('workspace-location')]",
+              "kind": "shared",
+              "apiVersion": "2021-08-01",
+              "metadata": {
+                "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
+              },
               "properties": {
-                "displayName": "[[variables('Office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
+                "displayName": "[parameters('workbook1-name')]",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n    on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n    data \\r\\n    | summarize Count = count() \\r\\n    | extend jkey = 1\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n        | extend jkey = 1) on jkey\\r\\n    | extend Category = 'All', Categorys = '*'    \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n    | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n    | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n    | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n    | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n    | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n    | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+                "version": "1.0",
+                "sourceId": "[variables('workspaceResourceId')]",
+                "category": "sentinel"
               }
             },
             {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Block-AADUser_alert",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
-              ],
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
               "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_alert": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/subscribe"
-                      }
-                    }
-                  },
-                  "actions": {
-                    "Alert_-_Get_incident": {
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "method": "get",
-                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
-                      }
-                    },
-                    "Entities_-_Get_Accounts": {
-                      "runAfter": {
-                        "Alert_-_Get_incident": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "body": "@triggerBody()?['Entities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      }
+                "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
+                "parentId": "[variables('workbookId1')]",
+                "contentId": "[variables('_workbookContentId1')]",
+                "kind": "Workbook",
+                "version": "[variables('workbookVersion1')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                },
+                "dependencies": {
+                  "operator": "AND",
+                  "criteria": [
+                    {
+                      "contentId": "AuditLogs",
+                      "kind": "DataType"
                     },
-                    "For_each": {
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "actions": {
-                        "Condition": {
-                          "actions": {
-                            "Condition_-_if_user_have_manager": {
-                              "actions": {
-                                "Add_comment_to_incident_-_with_manager_-_no_admin": {
-                                  "runAfter": {
-                                    "Get_user_-_details": [
-                                      "Succeeded"
-                                    ]
-                                  },
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "body": {
-                                      "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                      "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.</p>"
-                                    },
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                      }
-                                    },
-                                    "method": "post",
-                                    "path": "/Incidents/Comment"
-                                  }
-                                },
-                                "Get_user_-_details": {
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['azuread']['connectionId']"
-                                      }
-                                    },
-                                    "method": "get",
-                                    "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
-                                  }
-                                },
-                                "Send_an_email_-_to_manager_-_no_admin": {
-                                  "runAfter": {
-                                    "Add_comment_to_incident_-_with_manager_-_no_admin": [
-                                      "Succeeded"
-                                    ]
-                                  },
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "body": {
-                                      "Body": "<p>Security notification! This is automated email sent by Microsoft Sentinel Automation!<br>\n<br>\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach&nbsp;our support.<br>\n<br>\nDirect report details:<br>\nFirst name: @{body('Get_user_-_details')?['displayName']}<br>\nSurname: @{body('Get_user_-_details')?['surname']}<br>\nJob title: @{body('Get_user_-_details')?['jobTitle']}<br>\nOffice location: @{body('Get_user_-_details')?['officeLocation']}<br>\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}<br>\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}<br>\nMail: @{body('Get_user_-_details')?['mail']}<br>\n<br>\nThank you!</p>",
-                                      "Importance": "High",
-                                      "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!",
-                                      "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']"
-                                    },
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['office365']['connectionId']"
-                                      }
-                                    },
-                                    "method": "post",
-                                    "path": "/v2/Mail"
-                                  }
-                                }
-                              },
-                              "runAfter": {
-                                "Parse_JSON_-_get_user_manager": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "else": {
-                                "actions": {
-                                  "Add_comment_to_incident_-_no_manager_-_no_admin": {
-                                    "type": "ApiConnection",
-                                    "inputs": {
-                                      "body": {
-                                        "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                        "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!</p>"
-                                      },
-                                      "host": {
-                                        "connection": {
-                                          "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                        }
-                                      },
-                                      "method": "post",
-                                      "path": "/Incidents/Comment"
-                                    }
-                                  }
-                                }
-                              },
-                              "expression": {
-                                "and": [
-                                  {
-                                    "not": {
-                                      "equals": [
-                                        "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']",
-                                        "@null"
-                                      ]
-                                    }
-                                  }
-                                ]
-                              },
-                              "type": "If"
-                            },
-                            "HTTP_-_get_user_manager": {
-                              "type": "Http",
-                              "inputs": {
-                                "authentication": {
-                                  "audience": "https://graph.microsoft.com/",
-                                  "type": "ManagedServiceIdentity"
-                                },
-                                "method": "GET",
-                                "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
-                              }
-                            },
-                            "Parse_JSON_-_get_user_manager": {
-                              "runAfter": {
-                                "HTTP_-_get_user_manager": [
-                                  "Succeeded",
-                                  "Failed"
-                                ]
-                              },
-                              "type": "ParseJson",
-                              "inputs": {
-                                "content": "@body('HTTP_-_get_user_manager')",
-                                "schema": {
-                                  "properties": {
-                                    "userPrincipalName": {
-                                      "type": "string"
-                                    }
-                                  },
-                                  "type": "object"
-                                }
-                              }
-                            }
-                          },
-                          "runAfter": {
-                            "Update_user_-_disable_user": [
-                              "Succeeded",
-                              "Failed"
-                            ]
-                          },
-                          "else": {
-                            "actions": {
-                              "Add_comment_to_incident_-_error_details": {
-                                "type": "ApiConnection",
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                    "message": "<p>Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.<br>\nError message: @{body('Update_user_-_disable_user')['error']['message']}<br>\nNote: If user is admin, this playbook don't have privilages to block admin users!</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                }
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "equals": [
-                                  "@body('Update_user_-_disable_user')",
-                                  "@null"
-                                ]
-                              }
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "Update_user_-_disable_user": {
-                          "type": "ApiConnection",
-                          "inputs": {
-                            "body": {
-                              "accountEnabled": false
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['azuread']['connectionId']"
-                              }
-                            },
-                            "method": "patch",
-                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
-                          }
-                        }
-                      },
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuread": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                        "connectionName": "[[variables('AzureADConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
-                      },
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
-                      }
+                    {
+                      "contentId": "AzureActiveDirectory",
+                      "kind": "DataConnector"
                     }
-                  }
-                }
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
-              "properties": {
-                "parentId": "[variables('playbookId1')]",
-                "contentId": "[variables('_playbookContentId1')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion1')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                  ]
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Block AAD user - Alert",
-            "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
-            "prerequisites": [
-              "None"
-            ],
-            "postDeployment": [
-              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
-              "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
-              "3. Authorize Azure AD and Office 365 Outlook Logic App connections."
-            ],
-            "lastUpdateTime": "2022-07-11T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": "Added manager notification action",
-                "notes": [
-                  "Initial version"
-                ]
-              }
-            ]
-          }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId1')]",
-        "contentKind": "Playbook",
-        "displayName": "Block-AADUser-Alert",
-        "contentProductId": "[variables('_playbookcontentProductId1')]",
-        "id": "[variables('_playbookcontentProductId1')]",
-        "version": "[variables('playbookVersion1')]"
+        "contentId": "[variables('_workbookContentId1')]",
+        "contentKind": "Workbook",
+        "displayName": "[parameters('workbook1-name')]",
+        "contentProductId": "[variables('_workbookcontentProductId1')]",
+        "id": "[variables('_workbookcontentProductId1')]",
+        "version": "[variables('workbookVersion1')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName2')]",
+      "name": "[variables('workbookTemplateSpecName2')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.3",
+        "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion2')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Block-AADUser-EntityTrigger",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
-            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
+          "contentVersion": "[variables('workbookVersion2')]",
+          "parameters": {},
+          "variables": {},
           "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureADConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
+              "type": "Microsoft.Insights/workbooks",
+              "name": "[variables('workbookContentId2')]",
+              "location": "[parameters('workspace-location')]",
+              "kind": "shared",
+              "apiVersion": "2021-08-01",
+              "metadata": {
+                "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures."
+              },
               "properties": {
-                "displayName": "[[variables('AzureADConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
-                }
+                "displayName": "[parameters('workbook2-name')]",
+                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Sign-in Analysis\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"13f56671-7604-4427-a4d8-663f3da0cbc5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000,\"createdTime\":\"2018-11-13T19:33:10.162Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":900000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1800000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":3600000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":14400000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":43200000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":86400000,\"createdTime\":\"2018-11-13T19:33:10.165Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":172800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":259200000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":604800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1209600000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":2592000000,\"createdTime\":\"2018-11-13T19:33:10.167Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false}],\"allowCustom\":true}},{\"id\":\"3b5cc420-8ad8-4523-ba28-a54910756794\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Apps\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize Count = count() by AppDisplayName\\r\\n| order by Count desc, AppDisplayName asc\\r\\n| project Value = AppDisplayName, Label = strcat(AppDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0611ecce-d6a0-4a6f-a1bc-6be314ae36a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNamePrefix\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| extend prefix = substring(Value, 0, 1)\\r\\n| distinct prefix\\r\\n| sort by prefix asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f7f7970b-58c1-474f-9043-62243d2d4edd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Users\",\"label\":\"UserName\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| where (substring(Value, 0, 1) in ({UserNamePrefix})) or ('*' in ({UserNamePrefix}))\\r\\n| sort by Value asc\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10000000,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"85568f4e-9ad4-46c5-91d4-0ee1b2c8f3aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"jsonData\":\"[\\\"SignInLogs\\\", \\\"NonInteractiveUserSignInLogs\\\"]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = \\r\\nunion SigninLogs,AADNonInteractiveUserSignInLogs\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users});\\r\\ndata\\r\\n| summarize count() by UserPrincipalName, bin (TimeGenerated,5m)\\r\\n\",\"size\":0,\"title\":\"Sign-in Trend over Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n    on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n    data \\r\\n    | summarize Count = count()\\r\\n    | extend jkey = 1\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n        | extend jkey = 1) on jkey\\r\\n    | extend SigninStatus = 'All Sign-ins', Status = '*'    \\r\\n)\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"Status\",\"exportParameterName\":\"SigninStatus\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"<br />\\r\\n💡 _Click on a tile or a row in the grid to drill-in further_\"},\"name\":\"text - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\\r\\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet countryData = data\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country,Category\\r\\n| join kind=inner\\r\\n(\\r\\n    data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by  Country\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country\\r\\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\\r\\n| order by TotalCount desc, Country asc;\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country, City,Category\\r\\n| join kind=inner\\r\\n(\\r\\n    data    \\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country, City\\r\\n| order by TotalCount desc, Country asc\\r\\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\\r\\n| join kind=inner\\r\\n(\\r\\n    countryData\\r\\n)\\r\\non Country\\r\\n| project Id = City, Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Country,Category\\r\\n| union (countryData\\r\\n| project Id = Country, Name = Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"showRefreshButton\":true,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Name\",\"parameterName\":\"LocationDetail\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedCountry = dynamic([{LocationDetail}]);\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city) \\r\\n| where array_length(selectedCountry) == 0 or \\\"*\\\" in (selectedCountry) or Country in (selectedCountry) or City in (selectedCountry) \\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category})\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Location Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n    | extend errorCode = Status.errorCode\\r\\n    | extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\", errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\", errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012, \\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet appData = data\\r\\n    | summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem) ,Category\\r\\n    | where Os != ''\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Os = tostring(DeviceDetail.operatingSystem)\\r\\n        | project-away TimeGenerated)\\r\\n        on Os\\r\\n    | order by TotalCount desc, Os asc\\r\\n    | project Os, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n    | serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser),Category\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain})by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\r\\n    | project-away TimeGenerated)\\r\\n    on Os, Browser\\r\\n| order by TotalCount desc, Os asc\\r\\n| project Os, Browser, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Os\\r\\n| project Id, Name = Browser, Type = 'Browser', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Id1,Category\\r\\n| union (appData \\r\\n    | project Id, Name = Os, Type = 'Operating System', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = -1,Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Device\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"exportedParameters\":[{\"parameterName\":\"DeviceDetail\",\"defaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\"},{\"fieldName\":\"Category\",\"parameterName\":\"exportCategory\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"Name\",\"parameterName\":\"exportName\",\"parameterType\":1,\"defaultValue\":\"*\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category, Name = tostring(DeviceDetail.operatingSystem)\\r\\n| where Category in ('{exportCategory}') or \\\"*\\\" in ('{exportCategory}')\\r\\n| where Name in ('{exportName}') or \\\"*\\\" in ('{exportName}')\",\"size\":1,\"showAnalytics\":true,\"title\":\"Device Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\"}},{\"columnMatch\":\"App\",\"formatter\":5},{\"columnMatch\":\"Error code\",\"formatter\":5},{\"columnMatch\":\"Result type\",\"formatter\":5},{\"columnMatch\":\"Result signature\",\"formatter\":5},{\"columnMatch\":\"Result description\",\"formatter\":5},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5},{\"columnMatch\":\"Conditional access status\",\"formatter\":5},{\"columnMatch\":\"Operating system\",\"formatter\":5},{\"columnMatch\":\"Browser\",\"formatter\":5},{\"columnMatch\":\"Country or region\",\"formatter\":5},{\"columnMatch\":\"State\",\"formatter\":5},{\"columnMatch\":\"City\",\"formatter\":5},{\"columnMatch\":\"Time generated\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"User principal name\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"Name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Sign-ins using Conditional Access\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"Successful\\\",\\r\\n                    ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\",                                     \\r\\n                    ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\",                                     \\r\\n                    isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n                    \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n                            CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n                            CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n                            \\\"Other\\\");\\r\\ndata\\r\\n| where Category in ({Category})\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n                    | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n                    ) on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":4,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Category\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==0,\\\"✔️ Success\\\",                                     \\r\\n                        ConditionalAccessStatus == 1, \\\"❌ Failure\\\",                                     \\r\\n                        ConditionalAccessStatus == 2, \\\"⚠️ Not Applied\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n                        \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n                            CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n                            CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\\r\\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\\r\\n| join kind = inner (data\\r\\n                    | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\\r\\n                    | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\\r\\n                    ) on Id\\r\\n| project-away Id1\\r\\n| union (data\\r\\n    | where Category in ({Category})\\r\\n    | summarize Count = dcount(Id) by CAStatus\\r\\n    | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\\r\\n    | join kind = inner (data\\r\\n                        | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n                        | project Id = CAStatus, Trend\\r\\n                        ) on Id\\r\\n    | project-away Id1)\\r\\n| order by Count desc\",\"size\":0,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportParameterName\":\"Detail\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\", \\\"Parent\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Parent\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"Parent\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({Detail});\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"✔️ Success\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"failure\\\", \\\"❌ Failure\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"notApplied\\\", \\\"⚠️ Not Applied\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n                        \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n                            CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n                            CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n                            \\\"Other\\\")\\r\\n|extend CAGrantControlRank = case(CAGrantControlName contains \\\"MFA\\\", 1, \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", 2, \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", 3, \\r\\n                            CAGrantControlName contains \\\"Device\\\", 4, \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", 5, \\r\\n                            CAGrantControlName contains \\\"Apps\\\", 6,\\r\\n                            7)\\r\\n| where details.Type == '*' or (details.Type == 'CAStatus' and CAStatus == details.Name) or (details.Type == 'CAGrantControl' and CAGrantControl == details.Name and CAStatus == details.Parent);\\r\\ndata\\r\\n| order by CAGrantControlRank desc\\r\\n| summarize CAGrantControls = make_set(CAGrantControl) by AppDisplayName, CAStatus, TimeGenerated, UserDisplayName, Category\\r\\n| extend CAGrantControlText = replace(@\\\",\\\", \\\", \\\", replace(@'\\\"', @'', replace(@\\\"\\\\]\\\", @\\\"\\\", replace(@\\\"\\\\[\\\", @\\\"\\\", tostring(CAGrantControls)))))\\r\\n| extend CAGrantControlSummary = case(array_length(CAGrantControls) > 1, strcat(CAGrantControls[0], ' + ', array_length(CAGrantControls) - 1, ' more'), array_length(CAGrantControls) == 1, tostring(CAGrantControls[0]), 'None')\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project Application = AppDisplayName, ['CA Status'] = CAStatus, ['CA Grant Controls'] = CAGrantControlSummary, ['All CA Grant Controls'] = CAGrantControlText, ['Sign-in Time'] = TimeAgo, ['User'] = UserDisplayName, Category\\r\\n| where Category in ({Category})\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent sign-ins\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CA Grant Controls\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"All CA Grant Controls\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"query - 7 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Troubleshooting Sign-ins\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending action (Interrupts)\\\",errorCode == 50140, \\\"Pending action (Interrupts)\\\", errorCode == 51006, \\\"Pending action (Interrupts)\\\", errorCode == 50059, \\\"Pending action (Interrupts)\\\",errorCode == 65001, \\\"Pending action (Interrupts)\\\", errorCode == 52004, \\\"Pending action (Interrupts)\\\", errorCode == 50055, \\\"Pending action (Interrupts)\\\", errorCode == 50144, \\\"Pending action (Interrupts)\\\", errorCode == 50072, \\\"Pending action (Interrupts)\\\", errorCode == 50074, \\\"Pending action (Interrupts)\\\", errorCode == 16000, \\\"Pending action (Interrupts)\\\", errorCode == 16001, \\\"Pending action (Interrupts)\\\", errorCode == 16003, \\\"Pending action (Interrupts)\\\", errorCode == 50127, \\\"Pending action (Interrupts)\\\", errorCode == 50125, \\\"Pending action (Interrupts)\\\", errorCode == 50129, \\\"Pending action (Interrupts)\\\", errorCode == 50143, \\\"Pending action (Interrupts)\\\", errorCode == 81010, \\\"Pending action (Interrupts)\\\", errorCode == 81014, \\\"Pending action (Interrupts)\\\", errorCode == 81012 ,\\\"Pending action (Interrupts)\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus, Category\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count), Category\\r\\n| join kind = inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n    on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n    data \\r\\n    | summarize Count = count() \\r\\n    | extend jkey = 1\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n        | extend jkey = 1) on jkey\\r\\n    | extend SigninStatus = 'All Sign-ins', Status = '*'    \\r\\n)\\r\\n| where Category in ({Category})\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category| sort by errCount, Category\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason']= FailureReason, ['Error Count'] = toint(errCount), Category\\r\\n|where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of top errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"ErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data=\\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{ErrorCode}' == '*' or '{ErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins with errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category\\r\\n| sort by errCount\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason'] = FailureReason, ['Interrupt Count'] = toint(errCount), Category\\r\\n| where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"InterruptErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive \\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{InterruptErrorCode}' == '*' or '{InterruptErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 7 - Copy\"}],\"fromTemplateId\":\"sentinel-AzureActiveDirectorySigninLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+                "version": "1.0",
+                "sourceId": "[variables('workspaceResourceId')]",
+                "category": "sentinel"
               }
             },
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
               "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
+                "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
+                "parentId": "[variables('workbookId2')]",
+                "contentId": "[variables('_workbookContentId2')]",
+                "kind": "Workbook",
+                "version": "[variables('workbookVersion2')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                },
+                "dependencies": {
+                  "operator": "AND",
+                  "criteria": [
+                    {
+                      "contentId": "SigninLogs",
+                      "kind": "DataType"
+                    },
+                    {
+                      "contentId": "AzureActiveDirectory",
+                      "kind": "DataConnector"
+                    }
+                  ]
                 }
               }
-            },
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_workbookContentId2')]",
+        "contentKind": "Workbook",
+        "displayName": "[parameters('workbook2-name')]",
+        "contentProductId": "[variables('_workbookcontentProductId2')]",
+        "id": "[variables('_workbookcontentProductId2')]",
+        "version": "[variables('workbookVersion2')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName1')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion1')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId1')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "displayName": "[[variables('Office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
+                "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account",
+                "displayName": "Account Created and Deleted in Short Timeframe",
+                "enabled": false,
+                "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type == \"User\"\n      | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n  )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n    AuditLogs\n    | where TimeGenerated > ago(queryperiod)\n    | where OperationName =~ \"Add user\"      \n    | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type == \"User\"\n          | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n      )\n    | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where  TimeDelta between (time(0s) .. queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "P1D",
+                "severity": "High",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess"
+                ],
+                "techniques": [
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "DeletedByIPAddress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
               }
             },
             {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Block-AADUser-EntityTrigger",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
-              ],
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
               "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_entity": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/entity/@{encodeURIComponent('Account')}"
-                      }
-                    }
-                  },
-                  "actions": {
-                    "Condition": {
-                      "actions": {
-                        "Condition_-_if_user_have_manager": {
-                          "actions": {
-                            "Condition_2": {
-                              "actions": {
-                                "Add_comment_to_incident_-_with_manager_-_no_admin": {
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "body": {
-                                      "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                                      "message": "<p>User @{triggerBody()?['Entity']?['properties']?['Name']} &nbsp;(UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.</p>"
-                                    },
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                      }
-                                    },
-                                    "method": "post",
-                                    "path": "/Incidents/Comment"
-                                  }
-                                }
-                              },
-                              "runAfter": {
-                                "Get_user_-_details": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "expression": {
-                                "and": [
-                                  {
-                                    "not": {
-                                      "equals": [
-                                        "@triggerBody()?['IncidentArmID']",
-                                        "@null"
-                                      ]
-                                    }
-                                  }
-                                ]
-                              },
-                              "type": "If"
-                            },
-                            "Get_user_-_details": {
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['azuread']['connectionId']"
-                                  }
-                                },
-                                "method": "get",
-                                "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}"
-                              }
-                            },
-                            "Send_an_email_-_to_manager_-_no_admin": {
-                              "runAfter": {
-                                "Condition_2": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "body": {
-                                  "Body": "<p>Security notification! This is automated email sent by Microsoft Sentinel Automation!<br>\n<br>\nYour direct report @{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach&nbsp;our support.<br>\n<br>\nDirect report details:<br>\nFirst name: @{body('Get_user_-_details')?['displayName']}<br>\nSurname: @{body('Get_user_-_details')?['surname']}<br>\nJob title: @{body('Get_user_-_details')?['jobTitle']}<br>\nOffice location: @{body('Get_user_-_details')?['officeLocation']}<br>\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}<br>\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}<br>\nMail: @{body('Get_user_-_details')?['mail']}<br>\n<br>\nThank you!</p>",
-                                  "Importance": "High",
-                                  "Subject": "@{triggerBody()?['Entity']?['properties']?['Name']}  has been disabled in Azure AD due to the security risk!",
-                                  "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['office365']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/v2/Mail"
-                              }
-                            }
-                          },
-                          "runAfter": {
-                            "Parse_JSON_-_get_user_manager": [
-                              "Succeeded"
-                            ]
-                          },
-                          "else": {
-                            "actions": {
-                              "Condition_3": {
-                                "actions": {
-                                  "Add_comment_to_incident_-_no_manager_-_no_admin": {
-                                    "type": "ApiConnection",
-                                    "inputs": {
-                                      "body": {
-                                        "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                                        "message": "<p>User @{triggerBody()?['Entity']?['properties']?['Name']} (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!</p>"
-                                      },
-                                      "host": {
-                                        "connection": {
-                                          "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                        }
-                                      },
-                                      "method": "post",
-                                      "path": "/Incidents/Comment"
-                                    }
-                                  }
-                                },
-                                "expression": {
-                                  "and": [
-                                    {
-                                      "not": {
-                                        "equals": [
-                                          "@triggerBody()?['IncidentArmID']",
-                                          "@null"
-                                        ]
-                                      }
-                                    }
-                                  ]
-                                },
-                                "type": "If"
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "not": {
-                                  "equals": [
-                                    "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']",
-                                    "@null"
-                                  ]
-                                }
-                              }
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "HTTP_-_get_user_manager": {
-                          "type": "Http",
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com/",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "method": "GET",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager"
-                          }
-                        },
-                        "Parse_JSON_-_get_user_manager": {
-                          "runAfter": {
-                            "HTTP_-_get_user_manager": [
-                              "Succeeded",
-                              "Failed"
-                            ]
-                          },
-                          "type": "ParseJson",
-                          "inputs": {
-                            "content": "@body('HTTP_-_get_user_manager')",
-                            "schema": {
-                              "properties": {
-                                "userPrincipalName": {
-                                  "type": "string"
-                                }
-                              },
-                              "type": "object"
-                            }
-                          }
-                        }
-                      },
-                      "runAfter": {
-                        "Update_user_-_disable_user": [
-                          "Succeeded",
-                          "Failed"
-                        ]
-                      },
-                      "else": {
-                        "actions": {
-                          "Add_comment_to_incident_-_error_details": {
-                            "type": "ApiConnection",
-                            "inputs": {
-                              "body": {
-                                "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                                "message": "<p>Block-AADUser playbook could not disable user @{triggerBody()?['Entity']?['properties']?['Name']}.<br>\nError message: @{body('Update_user_-_disable_user')['error']['message']}<br>\nNote: If user is admin, this playbook don't have privilages to block admin users!</p>"
-                              },
-                              "host": {
-                                "connection": {
-                                  "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                }
-                              },
-                              "method": "post",
-                              "path": "/Incidents/Comment"
-                            }
-                          }
-                        }
-                      },
-                      "expression": {
-                        "and": [
-                          {
-                            "equals": [
-                              "@body('Update_user_-_disable_user')",
-                              "@null"
-                            ]
-                          }
-                        ]
-                      },
-                      "type": "If"
-                    },
-                    "Initialize_variable_Account_Details": {
-                      "type": "InitializeVariable",
-                      "inputs": {
-                        "variables": [
-                          {
-                            "name": "AccountDetails",
-                            "type": "string"
-                          }
-                        ]
-                      }
-                    },
-                    "Set_variable": {
-                      "runAfter": {
-                        "Initialize_variable_Account_Details": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "SetVariable",
-                      "inputs": {
-                        "name": "AccountDetails",
-                        "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}"
-                      }
-                    },
-                    "Update_user_-_disable_user": {
-                      "runAfter": {
-                        "Set_variable": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "body": {
-                          "accountEnabled": false
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuread']['connectionId']"
-                          }
-                        },
-                        "method": "patch",
-                        "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}"
-                      }
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuread": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                        "connectionName": "[[variables('AzureADConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
-                      },
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
-              "properties": {
-                "parentId": "[variables('playbookId2')]",
-                "contentId": "[variables('_playbookContentId2')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion2')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ],
-          "metadata": {
-            "title": "Block AAD user - Entity trigger",
-            "description": "This playbook disables the selected user (account entity) in Azure Active Directoy. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!",
-            "postDeployment": [
-              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
-              "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
-              "3. Authorize Azure AD and Office 365 Outlook Logic App connections."
-            ],
-            "lastUpdateTime": "2022-12-08T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": "Added manager notification action",
-                "notes": [
-                  "Initial version"
-                ]
-              }
-            ]
-          }
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId2')]",
-        "contentKind": "Playbook",
-        "displayName": "Block-AADUser-EntityTrigger",
-        "contentProductId": "[variables('_playbookcontentProductId2')]",
-        "id": "[variables('_playbookcontentProductId2')]",
-        "version": "[variables('playbookVersion2')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName3')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "Block-AADUser-Incident Playbook with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion3')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Block-AADUser-Incident",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
-            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
-          "resources": [
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureADConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('AzureADConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('Office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Block-AADUser",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
-              ],
-              "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_incident": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/incident-creation"
-                      }
-                    }
-                  },
-                  "actions": {
-                    "Entities_-_Get_Accounts": {
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      }
-                    },
-                    "For_each": {
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "actions": {
-                        "Condition": {
-                          "actions": {
-                            "Condition_-_if_user_have_manager": {
-                              "actions": {
-                                "Add_comment_to_incident_-_with_manager_-_no_admin": {
-                                  "runAfter": {
-                                    "Get_user_-_details": [
-                                      "Succeeded"
-                                    ]
-                                  },
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "body": {
-                                      "incidentArmId": "@triggerBody()?['object']?['id']",
-                                      "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.</p>"
-                                    },
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                      }
-                                    },
-                                    "method": "post",
-                                    "path": "/Incidents/Comment"
-                                  }
-                                },
-                                "Get_user_-_details": {
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['azuread']['connectionId']"
-                                      }
-                                    },
-                                    "method": "get",
-                                    "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
-                                  }
-                                },
-                                "Send_an_email_-_to_manager_-_no_admin": {
-                                  "runAfter": {
-                                    "Add_comment_to_incident_-_with_manager_-_no_admin": [
-                                      "Succeeded"
-                                    ]
-                                  },
-                                  "type": "ApiConnection",
-                                  "inputs": {
-                                    "body": {
-                                      "Body": "<p>Security notification! This is automated email sent by Microsoft Sentinel Automation!<br>\n<br>\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach&nbsp;our support.<br>\n<br>\nDirect report details:<br>\nFirst name: @{body('Get_user_-_details')?['displayName']}<br>\nSurname: @{body('Get_user_-_details')?['surname']}<br>\nJob title: @{body('Get_user_-_details')?['jobTitle']}<br>\nOffice location: @{body('Get_user_-_details')?['officeLocation']}<br>\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}<br>\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}<br>\nMail: @{body('Get_user_-_details')?['mail']}<br>\n<br>\nThank you!</p>",
-                                      "Importance": "High",
-                                      "Subject": "@{items('For_each')?['Name']}  has been disabled in Azure AD due to the security risk!",
-                                      "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']"
-                                    },
-                                    "host": {
-                                      "connection": {
-                                        "name": "@parameters('$connections')['office365']['connectionId']"
-                                      }
-                                    },
-                                    "method": "post",
-                                    "path": "/v2/Mail"
-                                  }
-                                }
-                              },
-                              "runAfter": {
-                                "Parse_JSON_-_get_user_manager": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "else": {
-                                "actions": {
-                                  "Add_comment_to_incident_-_no_manager_-_no_admin": {
-                                    "type": "ApiConnection",
-                                    "inputs": {
-                                      "body": {
-                                        "incidentArmId": "@triggerBody()?['object']?['id']",
-                                        "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!</p>"
-                                      },
-                                      "host": {
-                                        "connection": {
-                                          "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                        }
-                                      },
-                                      "method": "post",
-                                      "path": "/Incidents/Comment"
-                                    }
-                                  }
-                                }
-                              },
-                              "expression": {
-                                "and": [
-                                  {
-                                    "not": {
-                                      "equals": [
-                                        "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']",
-                                        "@null"
-                                      ]
-                                    }
-                                  }
-                                ]
-                              },
-                              "type": "If"
-                            },
-                            "HTTP_-_get_user_manager": {
-                              "type": "Http",
-                              "inputs": {
-                                "authentication": {
-                                  "audience": "https://graph.microsoft.com/",
-                                  "type": "ManagedServiceIdentity"
-                                },
-                                "method": "GET",
-                                "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
-                              }
-                            },
-                            "Parse_JSON_-_get_user_manager": {
-                              "runAfter": {
-                                "HTTP_-_get_user_manager": [
-                                  "Succeeded",
-                                  "Failed"
-                                ]
-                              },
-                              "type": "ParseJson",
-                              "inputs": {
-                                "content": "@body('HTTP_-_get_user_manager')",
-                                "schema": {
-                                  "properties": {
-                                    "userPrincipalName": {
-                                      "type": "string"
-                                    }
-                                  },
-                                  "type": "object"
-                                }
-                              }
-                            }
-                          },
-                          "runAfter": {
-                            "Update_user_-_disable_user": [
-                              "Succeeded",
-                              "Failed"
-                            ]
-                          },
-                          "else": {
-                            "actions": {
-                              "Add_comment_to_incident_-_error_details": {
-                                "type": "ApiConnection",
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@triggerBody()?['object']?['id']",
-                                    "message": "<p>Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.<br>\nError message: @{body('Update_user_-_disable_user')['error']['message']}<br>\nNote: If user is admin, this playbook don't have privilages to block admin users!</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                }
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "equals": [
-                                  "@body('Update_user_-_disable_user')",
-                                  "@null"
-                                ]
-                              }
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "Update_user_-_disable_user": {
-                          "type": "ApiConnection",
-                          "inputs": {
-                            "body": {
-                              "accountEnabled": false
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['azuread']['connectionId']"
-                              }
-                            },
-                            "method": "patch",
-                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
-                          }
-                        }
-                      },
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuread": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                        "connectionName": "[[variables('AzureADConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
-                      },
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
-              "properties": {
-                "parentId": "[variables('playbookId3')]",
-                "contentId": "[variables('_playbookContentId3')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion3')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ],
-          "metadata": {
-            "title": "Block AAD user - Incident",
-            "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
-            "prerequisites": [
-              "None"
-            ],
-            "postDeployment": [
-              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
-              "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
-              "3. Authorize Azure AD and Office 365 Outlook Logic App connections."
-            ],
-            "lastUpdateTime": "2022-07-11T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": "Added manager notification action",
-                "notes": [
-                  "Initial version"
-                ]
-              }
-            ]
-          }
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId3')]",
-        "contentKind": "Playbook",
-        "displayName": "Block-AADUser-Incident",
-        "contentProductId": "[variables('_playbookcontentProductId3')]",
-        "id": "[variables('_playbookcontentProductId3')]",
-        "version": "[variables('playbookVersion3')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName4')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "Prompt-User-Alert Playbook with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion4')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Prompt-User-Alert",
-              "type": "string"
-            },
-            "TeamsId": {
-              "metadata": {
-                "description": "Enter the Teams Group ID"
-              },
-              "type": "string"
-            },
-            "TeamsChannelId": {
-              "metadata": {
-                "description": "Enter the Teams Channel ID"
-              },
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
-            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
-            "_connection-4": "[[variables('connection-4')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
-          "resources": [
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureADConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('AzureADConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('AzureSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('Office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('TeamsConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('TeamsConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-4')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Prompt-User_alert",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
-              ],
-              "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "actions": {
-                    "Alert_-_Get_incident": {
-                      "inputs": {
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "get",
-                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "Entities_-_Get_Accounts": {
-                      "inputs": {
-                        "body": "@triggerBody()?['Entities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      },
-                      "runAfter": {
-                        "Alert_-_Get_incident": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "For_each": {
-                      "actions": {
-                        "Condition_2": {
-                          "actions": {
-                            "Add_comment_to_incident_(V3)": {
-                              "inputs": {
-                                "body": {
-                                  "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                  "message": "<p>@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert. &nbsp;Closing the incident.</p>"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/Incidents/Comment"
-                              },
-                              "type": "ApiConnection"
-                            },
-                            "Update_incident": {
-                              "inputs": {
-                                "body": {
-                                  "classification": {
-                                    "ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
-                                    "ClassificationReasonText": "User Confirmed it was them"
-                                  },
-                                  "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                  "status": "Closed"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "put",
-                                "path": "/Incidents"
-                              },
-                              "runAfter": {
-                                "Add_comment_to_incident_(V3)": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection"
-                            }
-                          },
-                          "else": {
-                            "actions": {
-                              "Add_comment_to_incident_(V3)_2": {
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                    "message": "<p>@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                },
-                                "type": "ApiConnection"
-                              },
-                              "Post_message_in_a_chat_or_channel": {
-                                "inputs": {
-                                  "body": {
-                                    "messageBody": "<p>New alert from Microsoft Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
-                                    "recipient": {
-                                      "channelId": "[[parameters('TeamsChannelId')]",
-                                      "groupId": "[[parameters('TeamsId')]"
-                                    },
-                                    "subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['teams']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
-                                },
-                                "runAfter": {
-                                  "Add_comment_to_incident_(V3)_2": [
-                                    "Succeeded"
-                                  ]
-                                },
-                                "type": "ApiConnection"
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "equals": [
-                                  "",
-                                  "This was me"
-                                ]
-                              }
-                            ]
-                          },
-                          "runAfter": {
-                            "Send_approval_email": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "Get_user": {
-                          "inputs": {
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['azuread']['connectionId']"
-                              }
-                            },
-                            "method": "get",
-                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
-                          },
-                          "type": "ApiConnection"
-                        },
-                        "Send_approval_email": {
-                          "inputs": {
-                            "body": {
-                              "Message": {
-                                "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}",
-                                "HideHTMLMessage": false,
-                                "Importance": "High",
-                                "Options": "This was me, This was not me",
-                                "ShowHTMLConfirmationDialog": false,
-                                "Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}",
-                                "To": "@body('Get_user')?['mail']"
-                              },
-                              "NotificationUrl": "@{listCallbackUrl()}"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365']['connectionId']"
-                              }
-                            },
-                            "path": "/approvalmail/$subscriptions"
-                          },
-                          "runAfter": {
-                            "Get_user": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnectionWebhook"
-                        }
-                      },
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    }
-                  },
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_alert": {
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/subscribe"
-                      },
-                      "type": "ApiConnectionWebhook"
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuread": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                        "connectionName": "[[variables('AzureADConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
-                      },
-                      "azuresentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
-                      },
-                      "teams": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
-                        "connectionName": "[[variables('TeamsConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
-              "properties": {
-                "parentId": "[variables('playbookId4')]",
-                "contentId": "[variables('_playbookContentId4')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion4')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ],
-          "metadata": {
-            "title": "Prompt User - Alert",
-            "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
-            "prerequisites": [
-              "1. You will need the Team Id and Channel Id."
-            ],
-            "postDeployment": [
-              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
-              "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections."
-            ],
-            "lastUpdateTime": "2022-07-11T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": "Added new Post a Teams message action",
-                "notes": [
-                  "Initial version"
-                ]
-              }
-            ]
-          }
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId4')]",
-        "contentKind": "Playbook",
-        "displayName": "Prompt-User-Alert",
-        "contentProductId": "[variables('_playbookcontentProductId4')]",
-        "id": "[variables('_playbookcontentProductId4')]",
-        "version": "[variables('playbookVersion4')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName5')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "Prompt-User-Incident Playbook with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion5')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Prompt-User-Incident",
-              "type": "string"
-            },
-            "TeamsId": {
-              "metadata": {
-                "description": "Enter the Teams Group ID"
-              },
-              "type": "string"
-            },
-            "TeamsChannelId": {
-              "metadata": {
-                "description": "Enter the Teams Channel ID"
-              },
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
-            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
-            "_connection-4": "[[variables('connection-4')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
-          "resources": [
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureADConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('AzureADConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('AzureSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('Office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('TeamsConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[variables('TeamsConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-4')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Prompt-User",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
-              ],
-              "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "actions": {
-                    "Entities_-_Get_Accounts": {
-                      "inputs": {
-                        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "For_each": {
-                      "actions": {
-                        "Condition_2": {
-                          "actions": {
-                            "Add_comment_to_incident_(V3)": {
-                              "inputs": {
-                                "body": {
-                                  "incidentArmId": "@triggerBody()?['object']?['id']",
-                                  "message": "<p>@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert. &nbsp;Closing the incident.</p>"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/Incidents/Comment"
-                              },
-                              "type": "ApiConnection"
-                            },
-                            "Update_incident": {
-                              "inputs": {
-                                "body": {
-                                  "classification": {
-                                    "ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
-                                    "ClassificationReasonText": "User Confirmed it was them"
-                                  },
-                                  "incidentArmId": "@triggerBody()?['object']?['id']",
-                                  "status": "Closed"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "put",
-                                "path": "/Incidents"
-                              },
-                              "runAfter": {
-                                "Add_comment_to_incident_(V3)": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection"
-                            }
-                          },
-                          "else": {
-                            "actions": {
-                              "Add_comment_to_incident_(V3)_2": {
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@triggerBody()?['object']?['id']",
-                                    "message": "<p>@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                },
-                                "type": "ApiConnection"
-                              },
-                              "Post_message_in_a_chat_or_channel": {
-                                "inputs": {
-                                  "body": {
-                                    "messageBody": "<p>New alert from Microsoft Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
-                                    "recipient": {
-                                      "channelId": "[[parameters('TeamsChannelId')]",
-                                      "groupId": "[[parameters('TeamsId')]"
-                                    },
-                                    "subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['teams']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
-                                },
-                                "runAfter": {
-                                  "Add_comment_to_incident_(V3)_2": [
-                                    "Succeeded"
-                                  ]
-                                },
-                                "type": "ApiConnection"
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "equals": [
-                                  "@body('Send_approval_email')?['SelectedOption']",
-                                  "This was me"
-                                ]
-                              }
-                            ]
-                          },
-                          "runAfter": {
-                            "Send_approval_email": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "Get_user": {
-                          "inputs": {
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['azuread']['connectionId']"
-                              }
-                            },
-                            "method": "get",
-                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
-                          },
-                          "type": "ApiConnection"
-                        },
-                        "Send_approval_email": {
-                          "inputs": {
-                            "body": {
-                              "Message": {
-                                "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}",
-                                "HideHTMLMessage": false,
-                                "Importance": "High",
-                                "Options": "This was me, This was not me",
-                                "ShowHTMLConfirmationDialog": false,
-                                "Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}",
-                                "To": "@body('Get_user')?['mail']"
-                              },
-                              "NotificationUrl": "@{listCallbackUrl()}"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365']['connectionId']"
-                              }
-                            },
-                            "path": "/approvalmail/$subscriptions"
-                          },
-                          "runAfter": {
-                            "Get_user": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnectionWebhook"
-                        }
-                      },
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    }
-                  },
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_incident": {
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/incident-creation"
-                      },
-                      "type": "ApiConnectionWebhook"
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuread": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
-                        "connectionName": "[[variables('AzureADConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
-                      },
-                      "azuresentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
-                      },
-                      "teams": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
-                        "connectionName": "[[variables('TeamsConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
-                      }
-                    }
-                  }
-                }
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
-              "properties": {
-                "parentId": "[variables('playbookId5')]",
-                "contentId": "[variables('_playbookContentId5')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion5')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ],
-          "metadata": {
-            "title": "Prompt User - Incident",
-            "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
-            "prerequisites": [
-              "1. You will need the Team Id and Channel Id."
-            ],
-            "postDeployment": [
-              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
-              "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections."
-            ],
-            "lastUpdateTime": "2022-07-11T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": "Added new Post a Teams message action",
-                "notes": [
-                  "Initial version"
-                ]
-              }
-            ]
-          }
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId5')]",
-        "contentKind": "Playbook",
-        "displayName": "Prompt-User-Incident",
-        "contentProductId": "[variables('_playbookcontentProductId5')]",
-        "id": "[variables('_playbookcontentProductId5')]",
-        "version": "[variables('playbookVersion5')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName6')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion6')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Reset-AADPassword-AlertTrigger",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
-            "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
-          "resources": [
-            {
-              "properties": {
-                "provisioningState": "Succeeded",
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_alert": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/subscribe"
-                      }
-                    }
-                  },
-                  "actions": {
-                    "Alert_-_Get_incident": {
-                      "runAfter": {
-                        "Set_variable_-_password": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "method": "get",
-                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
-                      }
-                    },
-                    "Entities_-_Get_Accounts": {
-                      "runAfter": {
-                        "Alert_-_Get_incident": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "body": "@triggerBody()?['Entities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      }
-                    },
-                    "For_each": {
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "actions": {
-                        "Condition_-_is_manager_available": {
-                          "actions": {
-                            "Add_comment_to_incident_-_manager_available": {
-                              "runAfter": {
-                                "Send_an_email_-_to_manager_with_password_details": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "body": {
-                                  "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                  "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.</p>"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/Incidents/Comment"
-                              }
-                            },
-                            "Parse_JSON_-_HTTP_-_get_manager": {
-                              "type": "ParseJson",
-                              "inputs": {
-                                "content": "@body('HTTP_-_get_manager')",
-                                "schema": {
-                                  "properties": {
-                                    "userPrincipalName": {
-                                      "type": "string"
-                                    }
-                                  },
-                                  "type": "object"
-                                }
-                              }
-                            },
-                            "Send_an_email_-_to_manager_with_password_details": {
-                              "runAfter": {
-                                "Parse_JSON_-_HTTP_-_get_manager": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "body": {
-                                  "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user password has been reset.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>",
-                                  "Subject": "A user password was reset due to security incident.",
-                                  "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['office365']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/v2/Mail"
-                              }
-                            }
-                          },
-                          "runAfter": {
-                            "HTTP_-_get_manager": [
-                              "Succeeded",
-                              "Failed"
-                            ]
-                          },
-                          "else": {
-                            "actions": {
-                              "Add_comment_to_incident_-_manager_not_available": {
-                                "type": "ApiConnection",
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                    "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                }
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "equals": [
-                                  "@outputs('HTTP_-_get_manager')['statusCode']",
-                                  200
-                                ]
-                              }
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "HTTP_-_get_manager": {
-                          "runAfter": {
-                            "HTTP_-_reset_a_password": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "Http",
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "method": "GET",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
-                          }
-                        },
-                        "HTTP_-_reset_a_password": {
-                          "type": "Http",
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "body": {
-                              "passwordProfile": {
-                                "forceChangePasswordNextSignIn": true,
-                                "forceChangePasswordNextSignInWithMfa": false,
-                                "password": "@{variables('Password')}"
-                              }
-                            },
-                            "method": "PATCH",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}"
-                          }
-                        }
-                      },
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    },
-                    "Initialize_variable": {
-                      "type": "InitializeVariable",
-                      "inputs": {
-                        "variables": [
-                          {
-                            "name": "Password",
-                            "type": "String",
-                            "value": "null"
-                          }
-                        ]
-                      }
-                    },
-                    "Set_variable_-_password": {
-                      "runAfter": {
-                        "Initialize_variable": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "SetVariable",
-                      "inputs": {
-                        "name": "Password",
-                        "value": "@{substring(guid(), 0, 10)}"
-                      }
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
-                        "connectionName": "[[variables('office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
-                      }
-                    }
-                  }
-                }
-              },
-              "name": "[[parameters('PlaybookName')]",
-              "type": "Microsoft.Logic/workflows",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Reset-AADUserPassword_alert",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "apiVersion": "2017-07-01",
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]"
-              ]
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
+                "description": "Azure Active Directory Analytics Rule 1",
+                "parentId": "[variables('analyticRuleId1')]",
+                "contentId": "[variables('_analyticRulecontentId1')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion1')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
                 }
               }
-            },
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId1')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Account Created and Deleted in Short Timeframe",
+        "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+        "id": "[variables('_analyticRulecontentProductId1')]",
+        "version": "[variables('analyticRuleVersion1')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName2')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion2')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId2')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "displayName": "[[variables('office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
+                "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts",
+                "displayName": "Account created or deleted by non-approved user",
+                "enabled": false,
+                "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName =~ \"Add user\" or OperationName =~ \"Delete user\"\n| where Result =~ \"success\"\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess"
+                ],
+                "techniques": [
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedUserIpAddress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
               "properties": {
-                "parentId": "[variables('playbookId6')]",
-                "contentId": "[variables('_playbookContentId6')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion6')]",
+                "description": "Azure Active Directory Analytics Rule 2",
+                "parentId": "[variables('analyticRuleId2')]",
+                "contentId": "[variables('_analyticRulecontentId2')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion2')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -3053,399 +1294,454 @@
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Reset Azure AD User Password - Alert Trigger",
-            "description": "This playbook will reset the user password using Graph API.  It will send the password (which is a random guid substring) to the user's manager.  The user will have to reset the password upon login.",
-            "prerequisites": [
-              "None"
-            ],
-            "postDeployment": [
-              "1. Assign Password Administrator permission to managed identity.",
-              "2. Assign Microsoft Sentinel Responder permission to managed identity.",
-              "3. Authorize Office 365 Outlook connection"
-            ],
-            "lastUpdateTime": "2022-07-11T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": " Added manager notification action",
-                "notes": [
-                  "Initial version"
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId2')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Account created or deleted by non-approved user",
+        "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+        "id": "[variables('_analyticRulecontentProductId2')]",
+        "version": "[variables('analyticRuleVersion2')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName3')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion3')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId3')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "Modified domain federation trust settings",
+                "enabled": false,
+                "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\"   // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\"   // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| mv-apply Property = modifiedProperties on \n  (\n      where Property.displayName =~ \"LiveType\"\n      | extend targetDisplayName = tostring(Property.displayName),\n               NewDomainValue = tostring(Property.newValue)\n  )\n| where NewDomainValue has \"Federated\"\n)\n)\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
+                "severity": "High",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "CredentialAccess"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
                 ]
               }
-            ]
-          }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 3",
+                "parentId": "[variables('analyticRuleId3')]",
+                "contentId": "[variables('_analyticRulecontentId3')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion3')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
+            }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId6')]",
-        "contentKind": "Playbook",
-        "displayName": "Reset-AADPassword-AlertTrigger",
-        "contentProductId": "[variables('_playbookcontentProductId6')]",
-        "id": "[variables('_playbookcontentProductId6')]",
-        "version": "[variables('playbookVersion6')]"
+        "contentId": "[variables('_analyticRulecontentId3')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Modified domain federation trust settings",
+        "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+        "id": "[variables('_analyticRulecontentProductId3')]",
+        "version": "[variables('analyticRuleVersion3')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName7')]",
+      "name": "[variables('analyticRuleTemplateSpecName4')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.3",
+        "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion7')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Reset-AADUserPassword-EntityTrigger",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
-            "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
-          "resources": [
-            {
-              "properties": {
-                "provisioningState": "Succeeded",
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_entity": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/entity/@{encodeURIComponent('Account')}"
-                      }
-                    }
-                  },
-                  "actions": {
-                    "Condition_-_is_manager_available": {
-                      "actions": {
-                        "Condition_2": {
-                          "actions": {
-                            "Add_comment_to_incident_-_manager_available": {
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "body": {
-                                  "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                                  "message": "<p>User @{variables('AccountDetails')} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.</p>"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/Incidents/Comment"
-                              }
-                            }
-                          },
-                          "runAfter": {
-                            "Send_an_email_-_to_manager_with_password_details": [
-                              "Succeeded"
-                            ]
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "not": {
-                                  "equals": [
-                                    "@triggerBody()?['IncidentArmID']",
-                                    "@null"
-                                  ]
-                                }
-                              }
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "Parse_JSON_-_HTTP_-_get_manager": {
-                          "type": "ParseJson",
-                          "inputs": {
-                            "content": "@body('HTTP_-_get_manager')",
-                            "schema": {
-                              "properties": {
-                                "userPrincipalName": {
-                                  "type": "string"
-                                }
-                              },
-                              "type": "object"
-                            }
-                          }
-                        },
-                        "Send_an_email_-_to_manager_with_password_details": {
-                          "runAfter": {
-                            "Parse_JSON_-_HTTP_-_get_manager": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection",
-                          "inputs": {
-                            "body": {
-                              "Body": "<p>User, @{variables('AccountDetails')}, was involved in part of a security incident. &nbsp;As part of remediation, the user password has been reset.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>",
-                              "Subject": "A user password was reset due to security incident.",
-                              "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365']['connectionId']"
-                              }
-                            },
-                            "method": "post",
-                            "path": "/v2/Mail"
-                          }
-                        }
-                      },
-                      "runAfter": {
-                        "HTTP_-_get_manager": [
-                          "Succeeded",
-                          "Failed"
-                        ]
-                      },
-                      "else": {
-                        "actions": {
-                          "Condition": {
-                            "actions": {
-                              "Add_comment_to_incident_-_manager_not_available": {
-                                "type": "ApiConnection",
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                                    "message": "<p>User @{variables('AccountDetails')} password was reset in AAD but the user doesn't have a manager.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                }
-                              }
-                            },
-                            "expression": {
-                              "and": [
-                                {
-                                  "not": {
-                                    "equals": [
-                                      "@triggerBody()?['IncidentArmID']",
-                                      "@null"
-                                    ]
-                                  }
-                                }
-                              ]
-                            },
-                            "type": "If"
-                          }
-                        }
-                      },
-                      "expression": {
-                        "and": [
-                          {
-                            "equals": [
-                              "@outputs('HTTP_-_get_manager')['statusCode']",
-                              200
-                            ]
-                          }
-                        ]
-                      },
-                      "type": "If"
-                    },
-                    "HTTP_-_get_manager": {
-                      "runAfter": {
-                        "HTTP_-_reset_a_password": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Http",
-                      "inputs": {
-                        "authentication": {
-                          "audience": "https://graph.microsoft.com",
-                          "type": "ManagedServiceIdentity"
-                        },
-                        "method": "GET",
-                        "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager"
-                      }
-                    },
-                    "HTTP_-_reset_a_password": {
-                      "runAfter": {
-                        "Initialize_variable_Account": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Http",
-                      "inputs": {
-                        "authentication": {
-                          "audience": "https://graph.microsoft.com",
-                          "type": "ManagedServiceIdentity"
-                        },
-                        "body": {
-                          "passwordProfile": {
-                            "forceChangePasswordNextSignIn": true,
-                            "forceChangePasswordNextSignInWithMfa": false,
-                            "password": "@{variables('Password')}"
-                          }
-                        },
-                        "method": "PATCH",
-                        "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}"
-                      }
-                    },
-                    "Initialize_variable": {
-                      "type": "InitializeVariable",
-                      "inputs": {
-                        "variables": [
-                          {
-                            "name": "Password",
-                            "type": "String",
-                            "value": "null"
-                          }
-                        ]
+          "contentVersion": "[variables('analyticRuleVersion4')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId4')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference",
+                "displayName": "Password spray attack against ADFSSignInLogs",
+                "enabled": false,
+                "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n    DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n    DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n    SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n    arg_min(TimeGenerated, *)\n    by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\n",
+                "queryFrequency": "PT30M",
+                "queryPeriod": "PT1H",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "ADFSSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "CredentialAccess"
+                ],
+                "techniques": [
+                  "T1110"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    },
-                    "Initialize_variable_Account": {
-                      "runAfter": {
-                        "Set_variable_-_password": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "InitializeVariable",
-                      "inputs": {
-                        "variables": [
-                          {
-                            "name": "AccountDetails",
-                            "type": "string",
-                            "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}"
-                          }
-                        ]
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 4",
+                "parentId": "[variables('analyticRuleId4')]",
+                "contentId": "[variables('_analyticRulecontentId4')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion4')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId4')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Password spray attack against ADFSSignInLogs",
+        "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+        "id": "[variables('_analyticRulecontentProductId4')]",
+        "version": "[variables('analyticRuleVersion4')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName5')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion5')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId5')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+                "displayName": "Admin promotion after Role Management Application Permission Grant",
+                "enabled": false,
+                "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n    summarize modifiedProperties = make_bag(\n        bag_pack(tostring(modifiedProperty[\"displayName\"]),\n            bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n                \"newValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n    PermissionGrant_TimeGenerated = TimeGenerated,\n    PermissionGrant_OperationName = OperationName,\n    PermissionGrant_Result = Result,\n    PermissionGrant,\n    AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n    AppServicePrincipalId = tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n    PermissionGrant_InitiatedBy = InitiatedBy,\n    PermissionGrant_TargetResources = TargetResources,\n    PermissionGrant_AdditionalDetails = AdditionalDetails,\n    PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n    AuditLogs\n    | where TimeGenerated > ago(query_frequency)\n    | where Category =~ \"RoleManagement\" and LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n    | where isnotempty(InitiatedBy[\"app\"])\n    | mv-expand TargetResource = TargetResources\n    | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n    | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n    | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n    | where RoleAssignment contains \"Admin\"\n    | project\n        RoleAssignment_TimeGenerated = TimeGenerated,\n        RoleAssignment_OperationName = OperationName,\n        RoleAssignment_Result = Result,\n        RoleAssignment,\n        TargetType = tostring(TargetResources[0][\"type\"]),\n        Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n        TargetId = tostring(TargetResources[0][\"id\"]),\n        RoleAssignment_InitiatedBy = InitiatedBy,\n        RoleAssignment_TargetResources = TargetResources,\n        RoleAssignment_AdditionalDetails = AdditionalDetails,\n        RoleAssignment_CorrelationId = CorrelationId,\n        AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n    ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\n| extend\n    TargetName = tostring(split(Target, \"@\")[0]),\n    TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT2H",
+                "severity": "High",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "PrivilegeEscalation",
+                  "Persistence"
+                ],
+                "techniques": [
+                  "T1098",
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "AppDisplayName",
+                        "identifier": "Name"
                       }
-                    },
-                    "Set_variable_-_password": {
-                      "runAfter": {
-                        "Initialize_variable": [
-                          "Succeeded"
-                        ]
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "TargetName",
+                        "identifier": "Name"
                       },
-                      "type": "SetVariable",
-                      "inputs": {
-                        "name": "Password",
-                        "value": "@{substring(guid(), 0, 10)}"
+                      {
+                        "columnName": "TargetUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    }
+                    ],
+                    "entityType": "Account"
+                  }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 5",
+                "parentId": "[variables('analyticRuleId5')]",
+                "contentId": "[variables('_analyticRulecontentId5')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion5')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId5')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Admin promotion after Role Management Application Permission Grant",
+        "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+        "id": "[variables('_analyticRulecontentProductId5')]",
+        "version": "[variables('analyticRuleVersion5')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName6')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion6')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId6')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application",
+                "displayName": "Anomalous sign-in location by user account and authenticating application",
+                "enabled": false,
+                "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P7D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
+                ],
+                "tactics": [
+                  "InitialAccess"
+                ],
+                "techniques": [
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
-                        "connectionName": "[[variables('office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      },
+                      {
+                        "columnName": "UserId",
+                        "identifier": "AadUserId"
                       }
-                    }
+                    ],
+                    "entityType": "Account"
                   }
-                }
-              },
-              "name": "[[parameters('PlaybookName')]",
-              "type": "Microsoft.Logic/workflows",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Reset-AADUserPassword-EntityTrigger",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "apiVersion": "2017-07-01",
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]"
-              ]
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
+                ],
+                "eventGroupingSettings": {
+                  "aggregationKind": "SingleAlert"
+                },
+                "customDetails": {
+                  "Application": "AppDisplayName"
+                },
+                "alertDetailsOverride": {
+                  "alertDescriptionFormat": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n",
+                  "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}"
                 }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
               "properties": {
-                "parentId": "[variables('playbookId7')]",
-                "contentId": "[variables('_playbookContentId7')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion7')]",
+                "description": "Azure Active Directory Analytics Rule 6",
+                "parentId": "[variables('analyticRuleId6')]",
+                "contentId": "[variables('_analyticRulecontentId6')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion6')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -3463,367 +1759,490 @@
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Reset Azure AD User Password - Entity trigger",
-            "description": "This playbook will reset the user password using Graph API.  It will send the password (which is a random guid substring) to the user's manager.  The user will have to reset the password upon login.",
-            "postDeployment": [
-              "1. Assign Password Administrator permission to managed identity.",
-              "2. Assign Microsoft Sentinel Responder permission to managed identity.",
-              "3. Authorize Office 365 Outlook connection"
-            ],
-            "lastUpdateTime": "2022-12-06T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": {
-              "version": "1.1",
-              "title": "[variables('blanks')]",
-              "notes": [
-                "Initial version"
-              ]
-            }
-          }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId7')]",
-        "contentKind": "Playbook",
-        "displayName": "Reset-AADUserPassword-EntityTrigger",
-        "contentProductId": "[variables('_playbookcontentProductId7')]",
-        "id": "[variables('_playbookcontentProductId7')]",
-        "version": "[variables('playbookVersion7')]"
+        "contentId": "[variables('_analyticRulecontentId6')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Anomalous sign-in location by user account and authenticating application",
+        "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+        "id": "[variables('_analyticRulecontentProductId6')]",
+        "version": "[variables('analyticRuleVersion6')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName8')]",
+      "name": "[variables('analyticRuleTemplateSpecName7')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.3",
+        "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion8')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Reset-AADPassword-IncidentTrigger",
-              "type": "string"
+          "contentVersion": "[variables('analyticRuleVersion7')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId7')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+                "displayName": "Authentication Methods Changed for Privileged Account",
+                "enabled": false,
+                "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (\n    IdentityInfo\n    | where TimeGenerated > ago(queryperiod)\n    | mv-expand AssignedRoles\n    | where AssignedRoles contains 'Admin'\n    | summarize by AccountUPN);\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName)\n  )\n| where Target in~ (VIPUsers)\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\n// Comment out this line below, if line above is used.\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\n| extend InitiatorName = tostring(split(Initiator,'@',0)[0]), \n         InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]),\n         TargetName = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',0)[0])), \n         TargetUPNSuffix = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',1)[0]))\n",
+                "queryFrequency": "PT2H",
+                "queryPeriod": "P14D",
+                "severity": "High",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "Persistence"
+                ],
+                "techniques": [
+                  "T1098"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatorName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "InitiatorUPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "TargetName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "TargetUPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IP",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 7",
+                "parentId": "[variables('analyticRuleId7')]",
+                "contentId": "[variables('_analyticRulecontentId7')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion7')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
             }
-          },
-          "variables": {
-            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
-            "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId7')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Authentication Methods Changed for Privileged Account",
+        "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+        "id": "[variables('_analyticRulecontentProductId7')]",
+        "version": "[variables('analyticRuleVersion7')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName8')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion8')]",
+          "parameters": {},
+          "variables": {},
           "resources": [
             {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId8')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "provisioningState": "Succeeded",
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_incident": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/incident-creation"
-                      }
-                    }
+                "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.",
+                "displayName": "Azure Active Directory PowerShell accessing non-AAD resources",
+                "enabled": false,
+                "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
+                "severity": "Low",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   },
-                  "actions": {
-                    "Entities_-_Get_Accounts": {
-                      "runAfter": {
-                        "Set_variable_-_password": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection",
-                      "inputs": {
-                        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      }
-                    },
-                    "For_each": {
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "actions": {
-                        "Condition_-_is_manager_available": {
-                          "actions": {
-                            "Add_comment_to_incident_-_manager_available": {
-                              "runAfter": {
-                                "Send_an_email_-_to_manager_with_password_details": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "body": {
-                                  "incidentArmId": "@triggerBody()?['object']?['id']",
-                                  "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.</p>"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/Incidents/Comment"
-                              }
-                            },
-                            "Parse_JSON_-_HTTP_-_get_manager": {
-                              "type": "ParseJson",
-                              "inputs": {
-                                "content": "@body('HTTP_-_get_manager')",
-                                "schema": {
-                                  "properties": {
-                                    "userPrincipalName": {
-                                      "type": "string"
-                                    }
-                                  },
-                                  "type": "object"
-                                }
-                              }
-                            },
-                            "Send_an_email_-_to_manager_with_password_details": {
-                              "runAfter": {
-                                "Parse_JSON_-_HTTP_-_get_manager": [
-                                  "Succeeded"
-                                ]
-                              },
-                              "type": "ApiConnection",
-                              "inputs": {
-                                "body": {
-                                  "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user password has been reset.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>",
-                                  "Subject": "A user password was reset due to security incident.",
-                                  "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']"
-                                },
-                                "host": {
-                                  "connection": {
-                                    "name": "@parameters('$connections')['office365']['connectionId']"
-                                  }
-                                },
-                                "method": "post",
-                                "path": "/v2/Mail"
-                              }
-                            }
-                          },
-                          "runAfter": {
-                            "HTTP_-_get_manager": [
-                              "Succeeded",
-                              "Failed"
-                            ]
-                          },
-                          "else": {
-                            "actions": {
-                              "Add_comment_to_incident_-_manager_not_available": {
-                                "type": "ApiConnection",
-                                "inputs": {
-                                  "body": {
-                                    "incidentArmId": "@triggerBody()?['object']?['id']",
-                                    "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>"
-                                  },
-                                  "host": {
-                                    "connection": {
-                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                                    }
-                                  },
-                                  "method": "post",
-                                  "path": "/Incidents/Comment"
-                                }
-                              }
-                            }
-                          },
-                          "expression": {
-                            "and": [
-                              {
-                                "equals": [
-                                  "@outputs('HTTP_-_get_manager')['statusCode']",
-                                  200
-                                ]
-                              }
-                            ]
-                          },
-                          "type": "If"
-                        },
-                        "HTTP_-_get_manager": {
-                          "runAfter": {
-                            "HTTP_-_reset_a_password": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "Http",
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "method": "GET",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
-                          }
-                        },
-                        "HTTP_-_reset_a_password": {
-                          "type": "Http",
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "body": {
-                              "passwordProfile": {
-                                "forceChangePasswordNextSignIn": true,
-                                "forceChangePasswordNextSignInWithMfa": false,
-                                "password": "@{variables('Password')}"
-                              }
-                            },
-                            "method": "PATCH",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}"
-                          }
-                        }
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess"
+                ],
+                "techniques": [
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       },
-                      "type": "Foreach"
-                    },
-                    "Initialize_variable": {
-                      "type": "InitializeVariable",
-                      "inputs": {
-                        "variables": [
-                          {
-                            "name": "Password",
-                            "type": "String",
-                            "value": "null"
-                          }
-                        ]
+                      {
+                        "columnName": "UserId",
+                        "identifier": "AadUserId"
                       }
-                    },
-                    "Set_variable_-_password": {
-                      "runAfter": {
-                        "Initialize_variable": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "SetVariable",
-                      "inputs": {
-                        "name": "Password",
-                        "value": "@{substring(guid(), 0, 10)}"
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    }
+                    ],
+                    "entityType": "IP"
                   }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 8",
+                "parentId": "[variables('analyticRuleId8')]",
+                "contentId": "[variables('_analyticRulecontentId8')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion8')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
                 },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId8')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Azure Active Directory PowerShell accessing non-AAD resources",
+        "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+        "id": "[variables('_analyticRulecontentProductId8')]",
+        "version": "[variables('analyticRuleVersion8')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName9')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion9')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId9')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+                "displayName": "Azure AD Role Management Permission Grant",
+                "enabled": false,
+                "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n      | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n  )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n      | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n      | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n  )\n| extend \n    Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n    InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n",
+                "queryFrequency": "PT2H",
+                "queryPeriod": "PT2H",
+                "severity": "High",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "Persistence",
+                  "Impact"
+                ],
+                "techniques": [
+                  "T1098",
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
-                        "connectionName": "[[variables('office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "AppDisplayName",
+                        "identifier": "Name"
+                      }
+                    ],
+                    "entityType": "Account"
                   }
-                }
-              },
-              "name": "[[parameters('PlaybookName')]",
-              "type": "Microsoft.Logic/workflows",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Reset-AADUserPassword",
-                "hidden-SentinelTemplateVersion": "1.1",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "apiVersion": "2017-07-01",
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]"
-              ]
+                ]
+              }
             },
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
               "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
+                "description": "Azure Active Directory Analytics Rule 9",
+                "parentId": "[variables('analyticRuleId9')]",
+                "contentId": "[variables('_analyticRulecontentId9')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion9')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
                 }
               }
-            },
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId9')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Azure AD Role Management Permission Grant",
+        "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+        "id": "[variables('_analyticRulecontentProductId9')]",
+        "version": "[variables('analyticRuleVersion9')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName10')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion10')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId10')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "displayName": "[[variables('office365ConnectionName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
+                "description": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.",
+                "displayName": "Azure Portal sign in from another Azure Tenant",
+                "enabled": false,
+                "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\"] with(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes)\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n| summarize make_list(values_properties_addressPrefixes) by ip_type\n;\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where ResultType == 0\n| where AppDisplayName =~ \"Azure Portal\"\n| extend isipv4 = parse_ipv4(IPAddress)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n // Only get logons where the IP address is in an Azure range\n| join kind=fullouter (azure_ranges) on ip_type\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress,  list_values_properties_addressPrefixes)\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress,  list_values_properties_addressPrefixes)\n| where ipv4_match or ipv6_match \n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == AADTenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\n| extend AccountName = split(UserPrincipalName, \"@\")[0]\n| extend UPNSuffix = split(UserPrincipalName, \"@\")[1]\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess"
+                ],
+                "techniques": [
+                  "T1199"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "AccountName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      },
+                      {
+                        "columnName": "UserId",
+                        "identifier": "AadUserId"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ],
+                "alertDetailsOverride": {
+                  "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n",
+                  "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}"
                 }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
               "properties": {
-                "parentId": "[variables('playbookId8')]",
-                "contentId": "[variables('_playbookContentId8')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion8')]",
+                "description": "Azure Active Directory Analytics Rule 10",
+                "parentId": "[variables('analyticRuleId10')]",
+                "contentId": "[variables('_analyticRulecontentId10')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion10')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -3841,322 +2260,345 @@
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Reset Azure AD User Password - Incident Trigger",
-            "description": "This playbook will reset the user password using Graph API.  It will send the password (which is a random guid substring) to the user's manager.  The user will have to reset the password upon login.",
-            "prerequisites": [
-              "None"
-            ],
-            "postDeployment": [
-              "1. Assign Password Administrator permission to managed identity.",
-              "2. Assign Microsoft Sentinel Responder permission to managed identity.",
-              "3. Authorize Office 365 Outlook connection"
-            ],
-            "lastUpdateTime": "2022-07-11T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": [
-              {
-                "version": "1.0.0",
-                "title": " Added manager notification action",
-                "notes": [
-                  "Initial version"
-                ]
-              }
-            ]
-          }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId8')]",
-        "contentKind": "Playbook",
-        "displayName": "Reset-AADPassword-IncidentTrigger",
-        "contentProductId": "[variables('_playbookcontentProductId8')]",
-        "id": "[variables('_playbookcontentProductId8')]",
-        "version": "[variables('playbookVersion8')]"
+        "contentId": "[variables('_analyticRulecontentId10')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Azure Portal sign in from another Azure Tenant",
+        "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+        "id": "[variables('_analyticRulecontentProductId10')]",
+        "version": "[variables('analyticRuleVersion10')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName9')]",
+      "name": "[variables('analyticRuleTemplateSpecName11')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.3",
+        "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion9')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Revoke-AADSignInSessions-alert",
-              "type": "string"
-            },
-            "UserName": {
-              "defaultValue": "<username>@<domain>",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
+          "contentVersion": "[variables('analyticRuleVersion11')]",
+          "parameters": {},
+          "variables": {},
           "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId11')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "displayName": "[[parameters('PlaybookName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
-                }
+                "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.",
+                "displayName": "Brute Force Attack against GitHub Account",
+                "enabled": false,
+                "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h;  \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\ntable(tableName)  \n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)  \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n          table(tableName)  \n          | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n          | where AppDisplayName =~ \"GitHub.com\"\n          | where ResultType != 0\n          | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName          \n      ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "P7D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "CredentialAccess"
+                ],
+                "techniques": [
+                  "T1110"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  }
+                ]
               }
             },
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
               "properties": {
-                "displayName": "[[parameters('UserName')]",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
+                "description": "Azure Active Directory Analytics Rule 11",
+                "parentId": "[variables('analyticRuleId11')]",
+                "contentId": "[variables('_analyticRulecontentId11')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion11')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
                 }
               }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId11')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Brute Force Attack against GitHub Account",
+        "contentProductId": "[variables('_analyticRulecontentProductId11')]",
+        "id": "[variables('_analyticRulecontentProductId11')]",
+        "version": "[variables('analyticRuleVersion11')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName12')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion12')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId12')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.",
+                "displayName": "Brute force attack against a Cloud PC",
+                "enabled": false,
+                "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n                          by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit')  \n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName\n| join kind=leftouter (\n      SigninLogs\n      | where AppDisplayName =~ \"Windows Sign In\"\n      | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n      | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n      | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n      | summarize StartTime = min(TimeGenerated), \n                  EndTime = max(TimeGenerated), \n                  IPAddress = make_set(IPAddress,100), \n                  OS = make_set(OS,20), \n                  Browser = make_set(Browser,20), \n                  City = make_set(City,100), \n                  ResultType = make_set(ResultType,100)\n              by UserDisplayName, UserPrincipalName\n  ) on UserDisplayName, UserPrincipalName\n| extend IPAddressFirst = IPAddress[0]\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "CredentialAccess"
+                ],
+                "techniques": [
+                  "T1110"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddressFirst",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
+              }
             },
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365UsersConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]",
               "properties": {
-                "displayName": "[[parameters('UserName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
+                "description": "Azure Active Directory Analytics Rule 12",
+                "parentId": "[variables('analyticRuleId12')]",
+                "contentId": "[variables('_analyticRulecontentId12')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion12')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
                 }
               }
-            },
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId12')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Brute force attack against a Cloud PC",
+        "contentProductId": "[variables('_analyticRulecontentProductId12')]",
+        "id": "[variables('_analyticRulecontentProductId12')]",
+        "version": "[variables('analyticRuleVersion12')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName13')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion13')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
             {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Revoke-AADSigninSessions_alert",
-                "hidden-SentinelTemplateVersion": "1.0",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]"
-              ],
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId13')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "actions": {
-                    "Alert_-_Get_incident": {
-                      "inputs": {
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "get",
-                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "Entities_-_Get_Accounts": {
-                      "inputs": {
-                        "body": "@triggerBody()?['Entities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      },
-                      "runAfter": {
-                        "Alert_-_Get_incident": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "For_each": {
-                      "actions": {
-                        "Add_comment_to_incident_(V3)": {
-                          "inputs": {
-                            "body": {
-                              "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                              "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.</p>"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                              }
-                            },
-                            "method": "post",
-                            "path": "/Incidents/Comment"
-                          },
-                          "runAfter": {
-                            "Send_an_email_(V2)": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection"
-                        },
-                        "Get_manager_(V2)": {
-                          "inputs": {
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365users']['connectionId']"
-                              }
-                            },
-                            "method": "get",
-                            "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager"
-                          },
-                          "runAfter": {
-                            "HTTP": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection"
-                        },
-                        "HTTP": {
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "method": "POST",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions"
-                          },
-                          "type": "Http"
-                        },
-                        "Send_an_email_(V2)": {
-                          "inputs": {
-                            "body": {
-                              "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user signin sessions have been revoked. &nbsp;The user will need to reauthenticate in all applications.</p>",
-                              "Subject": "User signin sessions were reset due to security incident.",
-                              "To": "@body('Get_manager_(V2)')?['mail']"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365']['connectionId']"
-                              }
-                            },
-                            "method": "post",
-                            "path": "/v2/Mail"
-                          },
-                          "runAfter": {
-                            "Get_manager_(V2)": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection"
-                        }
-                      },
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    }
-                  },
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_alert": {
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/subscribe"
-                      },
-                      "type": "ApiConnectionWebhook"
-                    }
+                "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+                "displayName": "Bulk Changes to Privileged Account Permissions",
+                "enabled": false,
+                "query": "let AdminRecords = AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"Role.DisplayName\"\n      | extend RoleName = trim('\"',tostring(Property.newValue))\n  )\n| where RoleName contains \"Admin\";\nAdminRecords\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi  (\n  AdminRecords\n  | extend TimeWindow = bin(TimeGenerated, 1h)\n) on $left.TimeGenerated == $right.TimeWindow\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \"\")\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]),\n         InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0])\n",
+                "queryFrequency": "PT2H",
+                "queryPeriod": "PT2H",
+                "severity": "High",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuresentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
+                ],
+                "tactics": [
+                  "PrivilegeEscalation"
+                ],
+                "techniques": [
+                  "T1078"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "TargetName",
+                        "identifier": "Name"
                       },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      {
+                        "columnName": "TargetUPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByUserName",
+                        "identifier": "Name"
                       },
-                      "office365users": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]",
-                        "connectionName": "[[variables('Office365UsersConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]"
+                      {
+                        "columnName": "InitiatedByUserUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    }
+                    ],
+                    "entityType": "Account"
                   }
+                ],
+                "customDetails": {
+                  "TargetUser": "Target",
+                  "InitiatedByUser": "InitiatedByUser"
                 }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]",
               "properties": {
-                "parentId": "[variables('playbookId9')]",
-                "contentId": "[variables('_playbookContentId9')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion9')]",
+                "description": "Azure Active Directory Analytics Rule 13",
+                "parentId": "[variables('analyticRuleId13')]",
+                "contentId": "[variables('_analyticRulecontentId13')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion13')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -4174,208 +2616,349 @@
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Revoke-AADSignInSessions alert trigger",
-            "description": "This playbook will revoke all signin sessions for the user using Graph API.  It will send an email to the user's manager.",
-            "prerequisites": [
-              "1. You must create an app registration for graph api with appropriate permissions.",
-              "2.  You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD."
-            ],
-            "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API.  It will send and email to the user's manager.",
-            "lastUpdateTime": "2021-07-14T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": {
-              "version": "1.0",
-              "title": "[variables('blanks')]",
-              "notes": [
-                "Initial version"
-              ]
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId13')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Bulk Changes to Privileged Account Permissions",
+        "contentProductId": "[variables('_analyticRulecontentProductId13')]",
+        "id": "[variables('_analyticRulecontentProductId13')]",
+        "version": "[variables('analyticRuleVersion13')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName14')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion14')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId14')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown",
+                "displayName": "Attempt to bypass conditional access rule in Azure AD",
+                "enabled": false,
+                "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\n  project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n  | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
+                "severity": "Low",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1098"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddresses",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 14",
+                "parentId": "[variables('analyticRuleId14')]",
+                "contentId": "[variables('_analyticRulecontentId14')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion14')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId14')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Attempt to bypass conditional access rule in Azure AD",
+        "contentProductId": "[variables('_analyticRulecontentProductId14')]",
+        "id": "[variables('_analyticRulecontentProductId14')]",
+        "version": "[variables('analyticRuleVersion14')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName15')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion15')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId15')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities",
+                "displayName": "Credential added after admin consented to Application",
+                "enabled": false,
+                "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend targetResourceName = tostring(TargetResource.displayName),\n               targetResourceID = tostring(TargetResource.id),\n               targetResourceType = tostring(TargetResource.type),\n               targetModifiedProp = TargetResource.modifiedProperties\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"ConsentContext.IsAdminConsent\"\n      | extend isAdminConsent = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"ConsentAction.Permissions\"\n      | extend Consent_Permissions = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend Consent_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n  )\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated  >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend targetResourceName = tostring(TargetResource.displayName),\n               targetResourceID = tostring(TargetResource.id),\n               targetModifiedProp = TargetResource.modifiedProperties\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend Credential_KeyDescription = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"Included Updated Properties\"\n      | extend UpdatedProperties = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend Credential_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n  )\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent < TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "CredentialAccess"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Consent_InitiatingIpAddress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 15",
+                "parentId": "[variables('analyticRuleId15')]",
+                "contentId": "[variables('_analyticRulecontentId15')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion15')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
             }
-          }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId9')]",
-        "contentKind": "Playbook",
-        "displayName": "Revoke-AADSignInSessions-alert",
-        "contentProductId": "[variables('_playbookcontentProductId9')]",
-        "id": "[variables('_playbookcontentProductId9')]",
-        "version": "[variables('playbookVersion9')]"
+        "contentId": "[variables('_analyticRulecontentId15')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Credential added after admin consented to Application",
+        "contentProductId": "[variables('_analyticRulecontentProductId15')]",
+        "id": "[variables('_analyticRulecontentProductId15')]",
+        "version": "[variables('analyticRuleVersion15')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName10')]",
+      "name": "[variables('analyticRuleTemplateSpecName16')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.3",
+        "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion10')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Revoke-AADSignIn-Session-entityTrigger",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
+          "contentVersion": "[variables('analyticRuleVersion16')]",
+          "parameters": {},
+          "variables": {},
           "resources": [
             {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId16')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "provisioningState": "Succeeded",
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_entity": {
-                      "type": "ApiConnectionWebhook",
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/entity/@{encodeURIComponent('Account')}"
-                      }
-                    }
-                  },
-                  "actions": {
-                    "Condition": {
-                      "actions": {
-                        "Add_comment_to_incident_(V3)_-_session_revoked": {
-                          "type": "ApiConnection",
-                          "inputs": {
-                            "body": {
-                              "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                              "message": "<p>Sign-in session revoked for the user - @{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}</p>"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
-                              }
-                            },
-                            "method": "post",
-                            "path": "/Incidents/Comment"
-                          }
-                        }
-                      },
-                      "runAfter": {
-                        "HTTP_-_revoke_sign-in_session": [
-                          "Succeeded"
-                        ]
-                      },
-                      "expression": {
-                        "and": [
-                          {
-                            "not": {
-                              "equals": [
-                                "@triggerBody()?['IncidentArmID']",
-                                "@null"
-                              ]
-                            }
-                          }
-                        ]
+                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.",
+                "displayName": "Cross-tenant Access Settings Organization Added",
+                "enabled": false,
+                "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"tenantId\"\n      | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n  )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P2D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1136",
+                  "T1087"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
-                      "type": "If"
-                    },
-                    "HTTP_-_revoke_sign-in_session": {
-                      "type": "Http",
-                      "inputs": {
-                        "authentication": {
-                          "audience": "https://graph.microsoft.com",
-                          "type": "ManagedServiceIdentity"
-                        },
-                        "method": "POST",
-                        "uri": "https://graph.microsoft.com/v1.0/users/@{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}/revokeSignInSessions"
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    }
-                  }
-                },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "microsoftsentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
-                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
                       }
-                    }
+                    ],
+                    "entityType": "IP"
                   }
-                }
-              },
-              "name": "[[parameters('PlaybookName')]",
-              "type": "Microsoft.Logic/workflows",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "hidden-SentinelTemplateName": "Revoke-AADSignIn-Session-entityTrigger",
-                "hidden-SentinelTemplateVersion": "1.0",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "apiVersion": "2017-07-01",
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
-              ]
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('MicrosoftSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
-                }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]",
               "properties": {
-                "parentId": "[variables('playbookId10')]",
-                "contentId": "[variables('_playbookContentId10')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion10')]",
+                "description": "Azure Active Directory Analytics Rule 16",
+                "parentId": "[variables('analyticRuleId16')]",
+                "contentId": "[variables('_analyticRulecontentId16')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion16')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -4393,313 +2976,352 @@
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Revoke AAD Sign-in session using entity trigger",
-            "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.",
-            "postDeployment": [
-              "1. Add Microsoft Sentinel Responder role to the managed identity.",
-              "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity."
-            ],
-            "lastUpdateTime": "2022-12-22T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "releaseNotes": {
-              "version": "1.0",
-              "title": "[variables('blanks')]",
-              "notes": [
-                "Initial version"
-              ]
-            }
-          }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId10')]",
-        "contentKind": "Playbook",
-        "displayName": "Revoke-AADSignIn-Session-entityTrigger",
-        "contentProductId": "[variables('_playbookcontentProductId10')]",
-        "id": "[variables('_playbookcontentProductId10')]",
-        "version": "[variables('playbookVersion10')]"
+        "contentId": "[variables('_analyticRulecontentId16')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Cross-tenant Access Settings Organization Added",
+        "contentProductId": "[variables('_analyticRulecontentProductId16')]",
+        "id": "[variables('_analyticRulecontentProductId16')]",
+        "version": "[variables('analyticRuleVersion16')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('playbookTemplateSpecName11')]",
+      "name": "[variables('analyticRuleTemplateSpecName17')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.3",
+        "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('playbookVersion11')]",
-          "parameters": {
-            "PlaybookName": {
-              "defaultValue": "Revoke-AADSignInSessions-incident",
-              "type": "string"
-            },
-            "UserName": {
-              "defaultValue": "<username>@<domain>",
-              "type": "string"
-            }
-          },
-          "variables": {
-            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
-            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
-            "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]",
-            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-            "_connection-1": "[[variables('connection-1')]",
-            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
-            "_connection-2": "[[variables('connection-2')]",
-            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]",
-            "_connection-3": "[[variables('connection-3')]",
-            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
-            "workspace-name": "[parameters('workspace')]",
-            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
-          },
+          "contentVersion": "[variables('analyticRuleVersion17')]",
+          "parameters": {},
+          "variables": {},
           "resources": [
             {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('AzureSentinelConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "kind": "V1",
-              "properties": {
-                "displayName": "[[parameters('PlaybookName')]",
-                "parameterValueType": "Alternative",
-                "api": {
-                  "id": "[[variables('_connection-1')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365ConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[parameters('UserName')]",
-                "api": {
-                  "id": "[[variables('_connection-2')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Web/connections",
-              "apiVersion": "2016-06-01",
-              "name": "[[variables('Office365UsersConnectionName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "properties": {
-                "displayName": "[[parameters('UserName')]",
-                "api": {
-                  "id": "[[variables('_connection-3')]"
-                }
-              }
-            },
-            {
-              "type": "Microsoft.Logic/workflows",
-              "apiVersion": "2017-07-01",
-              "name": "[[parameters('PlaybookName')]",
-              "location": "[[variables('workspace-location-inline')]",
-              "tags": {
-                "LogicAppsCategory": "security",
-                "hidden-SentinelTemplateName": "Revoke-AADSigninSessions",
-                "hidden-SentinelTemplateVersion": "1.0",
-                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
-              },
-              "identity": {
-                "type": "SystemAssigned"
-              },
-              "dependsOn": [
-                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]"
-              ],
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId17')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
               "properties": {
-                "state": "Enabled",
-                "definition": {
-                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
-                  "actions": {
-                    "Alert_-_Get_incident": {
-                      "inputs": {
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "get",
-                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "Entities_-_Get_Accounts": {
-                      "inputs": {
-                        "body": "@triggerBody()?['Entities']",
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "method": "post",
-                        "path": "/entities/account"
-                      },
-                      "runAfter": {
-                        "Alert_-_Get_incident": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "ApiConnection"
-                    },
-                    "For_each": {
-                      "actions": {
-                        "Add_comment_to_incident_(V3)": {
-                          "inputs": {
-                            "body": {
-                              "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                              "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.</p>"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                              }
-                            },
-                            "method": "post",
-                            "path": "/Incidents/Comment"
-                          },
-                          "runAfter": {
-                            "Send_an_email_(V2)": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection"
-                        },
-                        "Get_manager_(V2)": {
-                          "inputs": {
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365users']['connectionId']"
-                              }
-                            },
-                            "method": "get",
-                            "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager"
-                          },
-                          "runAfter": {
-                            "HTTP": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection"
-                        },
-                        "HTTP": {
-                          "inputs": {
-                            "authentication": {
-                              "audience": "https://graph.microsoft.com",
-                              "type": "ManagedServiceIdentity"
-                            },
-                            "method": "POST",
-                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions"
-                          },
-                          "type": "Http"
-                        },
-                        "Send_an_email_(V2)": {
-                          "inputs": {
-                            "body": {
-                              "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user signin sessions have been revoked. &nbsp;The user will need to reauthenticate in all applications.</p>",
-                              "Subject": "User signin sessions were reset due to security incident.",
-                              "To": "@body('Get_manager_(V2)')?['mail']"
-                            },
-                            "host": {
-                              "connection": {
-                                "name": "@parameters('$connections')['office365']['connectionId']"
-                              }
-                            },
-                            "method": "post",
-                            "path": "/v2/Mail"
-                          },
-                          "runAfter": {
-                            "Get_manager_(V2)": [
-                              "Succeeded"
-                            ]
-                          },
-                          "type": "ApiConnection"
-                        }
-                      },
-                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
-                      "runAfter": {
-                        "Entities_-_Get_Accounts": [
-                          "Succeeded"
-                        ]
-                      },
-                      "type": "Foreach"
-                    }
-                  },
-                  "contentVersion": "1.0.0.0",
-                  "parameters": {
-                    "$connections": {
-                      "type": "Object"
-                    }
-                  },
-                  "triggers": {
-                    "Microsoft_Sentinel_alert": {
-                      "inputs": {
-                        "body": {
-                          "callback_url": "@{listCallbackUrl()}"
-                        },
-                        "host": {
-                          "connection": {
-                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
-                          }
-                        },
-                        "path": "/subscribe"
+                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.",
+                "displayName": "Cross-tenant Access Settings Organization Deleted",
+                "enabled": false,
+                "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"tenantId\"\n      | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n  )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P2D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1136",
+                  "T1087"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
-                      "type": "ApiConnectionWebhook"
-                    }
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
                   }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 17",
+                "parentId": "[variables('analyticRuleId17')]",
+                "contentId": "[variables('_analyticRulecontentId17')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion17')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
                 },
-                "parameters": {
-                  "$connections": {
-                    "value": {
-                      "azuresentinel": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
-                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
-                        "connectionProperties": {
-                          "authentication": {
-                            "type": "ManagedServiceIdentity"
-                          }
-                        }
-                      },
-                      "office365": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
-                        "connectionName": "[[variables('Office365ConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
+                }
+              }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId17')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Cross-tenant Access Settings Organization Deleted",
+        "contentProductId": "[variables('_analyticRulecontentProductId17')]",
+        "id": "[variables('_analyticRulecontentProductId17')]",
+        "version": "[variables('analyticRuleVersion17')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName18')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion18')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId18')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".",
+                "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
+                "enabled": false,
+                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bCollaborationInbound\"\n      | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P2D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1136",
+                  "T1087"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
-                      "office365users": {
-                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]",
-                        "connectionName": "[[variables('Office365UsersConnectionName')]",
-                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]"
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
                   }
+                ]
+              }
+            },
+            {
+              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+              "apiVersion": "2022-01-01-preview",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]",
+              "properties": {
+                "description": "Azure Active Directory Analytics Rule 18",
+                "parentId": "[variables('analyticRuleId18')]",
+                "contentId": "[variables('_analyticRulecontentId18')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion18')]",
+                "source": {
+                  "kind": "Solution",
+                  "name": "Azure Active Directory",
+                  "sourceId": "[variables('_solutionId')]"
+                },
+                "author": {
+                  "name": "Microsoft",
+                  "email": "[variables('_email')]"
+                },
+                "support": {
+                  "tier": "Microsoft",
+                  "name": "Microsoft Corporation",
+                  "email": "support@microsoft.com",
+                  "link": "https://support.microsoft.com/"
                 }
               }
+            }
+          ]
+        },
+        "packageKind": "Solution",
+        "packageVersion": "[variables('_solutionVersion')]",
+        "packageName": "[variables('_solutionName')]",
+        "packageId": "[variables('_solutionId')]",
+        "contentSchemaVersion": "3.0.0",
+        "contentId": "[variables('_analyticRulecontentId18')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
+        "contentProductId": "[variables('_analyticRulecontentProductId18')]",
+        "id": "[variables('_analyticRulecontentProductId18')]",
+        "version": "[variables('analyticRuleVersion18')]"
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+      "apiVersion": "2023-04-01-preview",
+      "name": "[variables('analyticRuleTemplateSpecName19')]",
+      "location": "[parameters('workspace-location')]",
+      "dependsOn": [
+        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+      ],
+      "properties": {
+        "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "mainTemplate": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "[variables('analyticRuleVersion19')]",
+          "parameters": {},
+          "variables": {},
+          "resources": [
+            {
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId19')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
+              "location": "[parameters('workspace-location')]",
+              "properties": {
+                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".",
+                "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
+                "enabled": false,
+                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bDirectConnectInbound\"\n      | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P2D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1136",
+                  "T1087"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
+              }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]",
               "properties": {
-                "parentId": "[variables('playbookId11')]",
-                "contentId": "[variables('_playbookContentId11')]",
-                "kind": "Playbook",
-                "version": "[variables('playbookVersion11')]",
+                "description": "Azure Active Directory Analytics Rule 19",
+                "parentId": "[variables('analyticRuleId19')]",
+                "contentId": "[variables('_analyticRulecontentId19')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion19')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -4717,83 +3339,110 @@
                 }
               }
             }
-          ],
-          "metadata": {
-            "title": "Revoke AAD SignIn Sessions - incident trigger",
-            "description": "This playbook will revoke all signin sessions for the user using Graph API.  It will send an email to the user's manager.",
-            "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.",
-            "lastUpdateTime": "2021-07-14T00:00:00Z",
-            "entities": [
-              "Account"
-            ],
-            "tags": [
-              "Remediation"
-            ],
-            "releaseNotes": {
-              "version": "1.0",
-              "title": "[variables('blanks')]",
-              "notes": [
-                "Initial version"
-              ]
-            }
-          }
+          ]
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_playbookContentId11')]",
-        "contentKind": "Playbook",
-        "displayName": "Revoke-AADSignInSessions-incident",
-        "contentProductId": "[variables('_playbookcontentProductId11')]",
-        "id": "[variables('_playbookcontentProductId11')]",
-        "version": "[variables('playbookVersion11')]"
+        "contentId": "[variables('_analyticRulecontentId19')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
+        "contentProductId": "[variables('_analyticRulecontentProductId19')]",
+        "id": "[variables('_analyticRulecontentProductId19')]",
+        "version": "[variables('analyticRuleVersion19')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('workbookTemplateSpecName1')]",
+      "name": "[variables('analyticRuleTemplateSpecName20')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.3",
+        "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('workbookVersion1')]",
+          "contentVersion": "[variables('analyticRuleVersion20')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
-              "type": "Microsoft.Insights/workbooks",
-              "name": "[variables('workbookContentId1')]",
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId20')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
-              "kind": "shared",
-              "apiVersion": "2021-08-01",
-              "metadata": {
-                "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
-              },
               "properties": {
-                "displayName": "[parameters('workbook1-name')]",
-                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n    on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n    data \\r\\n    | summarize Count = count() \\r\\n    | extend jkey = 1\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n        | extend jkey = 1) on jkey\\r\\n    | extend Category = 'All', Categorys = '*'    \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n    | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n    | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n    | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n    | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n    | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n    | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
-                "version": "1.0",
-                "sourceId": "[variables('workspaceResourceId')]",
-                "category": "sentinel"
+                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".",
+                "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
+                "enabled": false,
+                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bCollaborationOutbound\"\n      | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P2D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1136",
+                  "T1087"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]",
               "properties": {
-                "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
-                "parentId": "[variables('workbookId1')]",
-                "contentId": "[variables('_workbookContentId1')]",
-                "kind": "Workbook",
-                "version": "[variables('workbookVersion1')]",
+                "description": "Azure Active Directory Analytics Rule 20",
+                "parentId": "[variables('analyticRuleId20')]",
+                "contentId": "[variables('_analyticRulecontentId20')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion20')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -4808,19 +3457,6 @@
                   "name": "Microsoft Corporation",
                   "email": "support@microsoft.com",
                   "link": "https://support.microsoft.com/"
-                },
-                "dependencies": {
-                  "operator": "AND",
-                  "criteria": [
-                    {
-                      "contentId": "AuditLogs",
-                      "kind": "DataType"
-                    },
-                    {
-                      "contentId": "AzureActiveDirectory",
-                      "kind": "DataConnector"
-                    }
-                  ]
                 }
               }
             }
@@ -4831,57 +3467,103 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_workbookContentId1')]",
-        "contentKind": "Workbook",
-        "displayName": "[parameters('workbook1-name')]",
-        "contentProductId": "[variables('_workbookcontentProductId1')]",
-        "id": "[variables('_workbookcontentProductId1')]",
-        "version": "[variables('workbookVersion1')]"
+        "contentId": "[variables('_analyticRulecontentId20')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
+        "contentProductId": "[variables('_analyticRulecontentProductId20')]",
+        "id": "[variables('_analyticRulecontentProductId20')]",
+        "version": "[variables('analyticRuleVersion20')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('workbookTemplateSpecName2')]",
+      "name": "[variables('analyticRuleTemplateSpecName21')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.3",
+        "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('workbookVersion2')]",
+          "contentVersion": "[variables('analyticRuleVersion21')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
-              "type": "Microsoft.Insights/workbooks",
-              "name": "[variables('workbookContentId2')]",
+              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+              "name": "[variables('analyticRulecontentId21')]",
+              "apiVersion": "2022-04-01-preview",
+              "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
-              "kind": "shared",
-              "apiVersion": "2021-08-01",
-              "metadata": {
-                "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures."
-              },
               "properties": {
-                "displayName": "[parameters('workbook2-name')]",
-                "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Sign-in Analysis\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"13f56671-7604-4427-a4d8-663f3da0cbc5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000,\"createdTime\":\"2018-11-13T19:33:10.162Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":900000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1800000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":3600000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":14400000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":43200000,\"createdTime\":\"2018-11-13T19:33:10.164Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":86400000,\"createdTime\":\"2018-11-13T19:33:10.165Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":172800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":259200000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":604800000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":1209600000,\"createdTime\":\"2018-11-13T19:33:10.166Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false},{\"durationMs\":2592000000,\"createdTime\":\"2018-11-13T19:33:10.167Z\",\"isInitialTime\":false,\"grain\":1,\"useDashboardTimeRange\":false}],\"allowCustom\":true}},{\"id\":\"3b5cc420-8ad8-4523-ba28-a54910756794\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Apps\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n| summarize Count = count() by AppDisplayName\\r\\n| order by Count desc, AppDisplayName asc\\r\\n| project Value = AppDisplayName, Label = strcat(AppDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0611ecce-d6a0-4a6f-a1bc-6be314ae36a7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserNamePrefix\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| extend prefix = substring(Value, 0, 1)\\r\\n| distinct prefix\\r\\n| sort by prefix asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f7f7970b-58c1-474f-9043-62243d2d4edd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Users\",\"label\":\"UserName\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SigninLogs\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n| summarize Count = count() by UserDisplayName\\r\\n| order by Count desc, UserDisplayName asc\\r\\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\\r\\n| where (substring(Value, 0, 1) in ({UserNamePrefix})) or ('*' in ({UserNamePrefix}))\\r\\n| sort by Value asc\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10000000,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"85568f4e-9ad4-46c5-91d4-0ee1b2c8f3aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\"},\"jsonData\":\"[\\\"SignInLogs\\\", \\\"NonInteractiveUserSignInLogs\\\"]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = \\r\\nunion SigninLogs,AADNonInteractiveUserSignInLogs\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users});\\r\\ndata\\r\\n| summarize count() by UserPrincipalName, bin (TimeGenerated,5m)\\r\\n\",\"size\":0,\"title\":\"Sign-in Trend over Time\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| where Category in ({Category})\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n    on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n    data \\r\\n    | summarize Count = count()\\r\\n    | extend jkey = 1\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n        | extend jkey = 1) on jkey\\r\\n    | extend SigninStatus = 'All Sign-ins', Status = '*'    \\r\\n)\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"Status\",\"exportParameterName\":\"SigninStatus\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"<br />\\r\\n💡 _Click on a tile or a row in the grid to drill-in further_\"},\"name\":\"text - 6 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = iff(LocationDetails.countryOrRegion == '', 'Unknown country', tostring(LocationDetails.countryOrRegion))\\r\\n| extend City = iff(LocationDetails.city == '', 'Unknown city', tostring(LocationDetails.city))\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet countryData = data\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country,Category\\r\\n| join kind=inner\\r\\n(\\r\\n    data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by  Country\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country\\r\\n| project Country, TotalCount, SuccessCount,FailureCount,InterruptCount,Trend,Category\\r\\n| order by TotalCount desc, Country asc;\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Country, City,Category\\r\\n| join kind=inner\\r\\n(\\r\\n    data    \\r\\n| make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Country, City\\r\\n| project-away TimeGenerated\\r\\n)\\r\\non Country, City\\r\\n| order by TotalCount desc, Country asc\\r\\n| project Country, City,TotalCount, SuccessCount,FailureCount,InterruptCount, Trend,Category\\r\\n| join kind=inner\\r\\n(\\r\\n    countryData\\r\\n)\\r\\non Country\\r\\n| project Id = City, Name = City, Type = 'City', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Country,Category\\r\\n| union (countryData\\r\\n| project Id = Country, Name = Country, Type = 'Country', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = 'root',Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Location\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"showRefreshButton\":true,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Name\",\"parameterName\":\"LocationDetail\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selectedCountry = dynamic([{LocationDetail}]);\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city) \\r\\n| where array_length(selectedCountry) == 0 or \\\"*\\\" in (selectedCountry) or Country in (selectedCountry) or City in (selectedCountry) \\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category})\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Location Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs | extend LocationDetails = parse_json(LocationDetails), Status = parse_json(Status), DeviceDetail = parse_json(DeviceDetail);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n    | extend errorCode = Status.errorCode\\r\\n    | extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\", errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\", errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012, \\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins';\\r\\nlet appData = data\\r\\n    | summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem) ,Category\\r\\n    | where Os != ''\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Os = tostring(DeviceDetail.operatingSystem)\\r\\n        | project-away TimeGenerated)\\r\\n        on Os\\r\\n    | order by TotalCount desc, Os asc\\r\\n    | project Os, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n    | serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count(), SuccessCount = countif(SigninStatus == \\\"Success\\\"), FailureCount = countif(SigninStatus == \\\"Failure\\\"), InterruptCount = countif(SigninStatus == \\\"Pending user action\\\") by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser),Category\\r\\n| join kind=inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain})by Os = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\r\\n    | project-away TimeGenerated)\\r\\n    on Os, Browser\\r\\n| order by TotalCount desc, Os asc\\r\\n| project Os, Browser, TotalCount, SuccessCount, FailureCount, InterruptCount, Trend,Category\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Os\\r\\n| project Id, Name = Browser, Type = 'Browser', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = Id1,Category\\r\\n| union (appData \\r\\n    | project Id, Name = Os, Type = 'Operating System', ['Sign-in Count'] = TotalCount, Trend, ['Failure Count'] = FailureCount, ['Interrupt Count'] = InterruptCount, ['Success Rate'] = 1.0 * SuccessCount / TotalCount, ParentId = -1,Category)\\r\\n| where Category in ({Category})\\r\\n| order by ['Sign-in Count'] desc, Name asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins by Device\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"exportedParameters\":[{\"parameterName\":\"DeviceDetail\",\"defaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\"},{\"fieldName\":\"Category\",\"parameterName\":\"exportCategory\",\"parameterType\":1,\"defaultValue\":\"*\"},{\"fieldName\":\"Name\",\"parameterName\":\"exportName\",\"parameterType\":1,\"defaultValue\":\"*\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Sign-in Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Failure Count|Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Success Rate\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"percent\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":false}}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails),Status = parse_json(Status),ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies),DeviceDetail =parse_json(DeviceDetail);\\r\\nlet details = dynamic({ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"});\\r\\nlet data = union SigninLogs,nonInteractive\\r\\n| extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend Country = tostring(LocationDetails.countryOrRegion)\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend errorCode = Status.errorCode\\r\\n| extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending user action\\\",errorCode == 50140, \\\"Pending user action\\\", errorCode == 51006, \\\"Pending user action\\\", errorCode == 50059, \\\"Pending user action\\\",errorCode == 65001, \\\"Pending user action\\\", errorCode == 52004, \\\"Pending user action\\\", errorCode == 50055, \\\"Pending user action\\\", errorCode == 50144, \\\"Pending user action\\\", errorCode == 50072, \\\"Pending user action\\\", errorCode == 50074, \\\"Pending user action\\\", errorCode == 16000, \\\"Pending user action\\\", errorCode == 16001, \\\"Pending user action\\\", errorCode == 16003, \\\"Pending user action\\\", errorCode == 50127, \\\"Pending user action\\\", errorCode == 50125, \\\"Pending user action\\\", errorCode == 50129, \\\"Pending user action\\\", errorCode == 50143, \\\"Pending user action\\\", errorCode == 81010, \\\"Pending user action\\\", errorCode == 81014, \\\"Pending user action\\\", errorCode == 81012 ,\\\"Pending user action\\\", \\\"Failure\\\")\\r\\n| where SigninStatus == '{SigninStatus}' or '{SigninStatus}' == '*' or '{SigninStatus}' == 'All Sign-ins'\\r\\n| where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name);\\r\\ndata\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category, Name = tostring(DeviceDetail.operatingSystem)\\r\\n| where Category in ('{exportCategory}') or \\\"*\\\" in ('{exportCategory}')\\r\\n| where Name in ('{exportName}') or \\\"*\\\" in ('{exportName}')\",\"size\":1,\"showAnalytics\":true,\"title\":\"Device Sign-in details\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Sign-in Status\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\"}},{\"columnMatch\":\"App\",\"formatter\":5},{\"columnMatch\":\"Error code\",\"formatter\":5},{\"columnMatch\":\"Result type\",\"formatter\":5},{\"columnMatch\":\"Result signature\",\"formatter\":5},{\"columnMatch\":\"Result description\",\"formatter\":5},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5},{\"columnMatch\":\"Conditional access status\",\"formatter\":5},{\"columnMatch\":\"Operating system\",\"formatter\":5},{\"columnMatch\":\"Browser\",\"formatter\":5},{\"columnMatch\":\"Country or region\",\"formatter\":5},{\"columnMatch\":\"State\",\"formatter\":5},{\"columnMatch\":\"City\",\"formatter\":5},{\"columnMatch\":\"Time generated\",\"formatter\":5},{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"User principal name\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"Name\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Sign-ins using Conditional Access\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"Successful\\\",\\r\\n                    ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\",                                     \\r\\n                    ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\",                                     \\r\\n                    isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n                    \\\"Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n                            CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n                            CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n                            \\\"Other\\\");\\r\\ndata\\r\\n| where Category in ({Category})\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n                    | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n                    ) on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":4,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"Category\"},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==0,\\\"✔️ Success\\\",                                     \\r\\n                        ConditionalAccessStatus == 1, \\\"❌ Failure\\\",                                     \\r\\n                        ConditionalAccessStatus == 2, \\\"⚠️ Not Applied\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n                        \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n                            CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n                            CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\\r\\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\\r\\n| join kind = inner (data\\r\\n                    | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\\r\\n                    | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\\r\\n                    ) on Id\\r\\n| project-away Id1\\r\\n| union (data\\r\\n    | where Category in ({Category})\\r\\n    | summarize Count = dcount(Id) by CAStatus\\r\\n    | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\\r\\n    | join kind = inner (data\\r\\n                        | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\\r\\n                        | project Id = CAStatus, Trend\\r\\n                        ) on Id\\r\\n    | project-away Id1)\\r\\n| order by Count desc\",\"size\":0,\"title\":\"Conditional access status\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportParameterName\":\"Detail\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\", \\\"Parent\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Parent\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"Parent\",\"treeType\":0,\"expanderColumn\":\"Name\",\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({Detail});\\r\\nlet nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = toint(Status.errorCode)\\r\\n|extend Reason = tostring(Status.failureReason)\\r\\n|extend CAStatus = case(ConditionalAccessStatus ==\\\"success\\\",\\\"✔️ Success\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"failure\\\", \\\"❌ Failure\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"notApplied\\\", \\\"⚠️ Not Applied\\\",                                     \\r\\n                        ConditionalAccessStatus == \\\"\\\", \\\"⚠️ Not Applied\\\", \\r\\n                        \\\"🚫 Disabled\\\")\\r\\n|mvexpand ConditionalAccessPolicies\\r\\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n|extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n                            CAGrantControlName contains \\\"Device\\\", \\\"Require Device Compliant\\\", \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined Device\\\", \\r\\n                            CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n                            \\\"Other\\\")\\r\\n|extend CAGrantControlRank = case(CAGrantControlName contains \\\"MFA\\\", 1, \\r\\n                            CAGrantControlName contains \\\"Terms of Use\\\", 2, \\r\\n                            CAGrantControlName contains \\\"Privacy\\\", 3, \\r\\n                            CAGrantControlName contains \\\"Device\\\", 4, \\r\\n                            CAGrantControlName contains \\\"Azure AD Joined\\\", 5, \\r\\n                            CAGrantControlName contains \\\"Apps\\\", 6,\\r\\n                            7)\\r\\n| where details.Type == '*' or (details.Type == 'CAStatus' and CAStatus == details.Name) or (details.Type == 'CAGrantControl' and CAGrantControl == details.Name and CAStatus == details.Parent);\\r\\ndata\\r\\n| order by CAGrantControlRank desc\\r\\n| summarize CAGrantControls = make_set(CAGrantControl) by AppDisplayName, CAStatus, TimeGenerated, UserDisplayName, Category\\r\\n| extend CAGrantControlText = replace(@\\\",\\\", \\\", \\\", replace(@'\\\"', @'', replace(@\\\"\\\\]\\\", @\\\"\\\", replace(@\\\"\\\\[\\\", @\\\"\\\", tostring(CAGrantControls)))))\\r\\n| extend CAGrantControlSummary = case(array_length(CAGrantControls) > 1, strcat(CAGrantControls[0], ' + ', array_length(CAGrantControls) - 1, ' more'), array_length(CAGrantControls) == 1, tostring(CAGrantControls[0]), 'None')\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project Application = AppDisplayName, ['CA Status'] = CAStatus, ['CA Grant Controls'] = CAGrantControlSummary, ['All CA Grant Controls'] = CAGrantControlText, ['Sign-in Time'] = TimeAgo, ['User'] = UserDisplayName, Category\\r\\n| where Category in ({Category})\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent sign-ins\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CA Grant Controls\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"All CA Grant Controls\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]}},\"customWidth\":\"50\",\"showPin\":true,\"name\":\"query - 7 - Copy\"},{\"type\":1,\"content\":{\"json\":\"## Troubleshooting Sign-ins\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n|extend errorCode = Status.errorCode\\r\\n|extend SigninStatus = case(errorCode == 0, \\\"Success\\\", errorCode == 50058, \\\"Pending action (Interrupts)\\\",errorCode == 50140, \\\"Pending action (Interrupts)\\\", errorCode == 51006, \\\"Pending action (Interrupts)\\\", errorCode == 50059, \\\"Pending action (Interrupts)\\\",errorCode == 65001, \\\"Pending action (Interrupts)\\\", errorCode == 52004, \\\"Pending action (Interrupts)\\\", errorCode == 50055, \\\"Pending action (Interrupts)\\\", errorCode == 50144, \\\"Pending action (Interrupts)\\\", errorCode == 50072, \\\"Pending action (Interrupts)\\\", errorCode == 50074, \\\"Pending action (Interrupts)\\\", errorCode == 16000, \\\"Pending action (Interrupts)\\\", errorCode == 16001, \\\"Pending action (Interrupts)\\\", errorCode == 16003, \\\"Pending action (Interrupts)\\\", errorCode == 50127, \\\"Pending action (Interrupts)\\\", errorCode == 50125, \\\"Pending action (Interrupts)\\\", errorCode == 50129, \\\"Pending action (Interrupts)\\\", errorCode == 50143, \\\"Pending action (Interrupts)\\\", errorCode == 81010, \\\"Pending action (Interrupts)\\\", errorCode == 81014, \\\"Pending action (Interrupts)\\\", errorCode == 81012 ,\\\"Pending action (Interrupts)\\\", \\\"Failure\\\");\\r\\ndata\\r\\n| summarize Count = count() by SigninStatus, Category\\r\\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\\r\\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count), Category\\r\\n| join kind = inner (data\\r\\n    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\\r\\n    on SigninStatus\\r\\n| project-away SigninStatus1, TimeGenerated\\r\\n| extend Status = SigninStatus\\r\\n| union (\\r\\n    data \\r\\n    | summarize Count = count() \\r\\n    | extend jkey = 1\\r\\n    | join kind=inner (data\\r\\n        | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n        | extend jkey = 1) on jkey\\r\\n    | extend SigninStatus = 'All Sign-ins', Status = '*'    \\r\\n)\\r\\n| where Category in ({Category})\\r\\n| order by Count desc\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category| sort by errCount, Category\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason']= FailureReason, ['Error Count'] = toint(errCount), Category\\r\\n|where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of top errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"ErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Error Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\\r\\nlet data=\\r\\nunion SigninLogs,nonInteractive\\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = tostring(Status.failureReason) \\r\\n| where ErrorCode !in (\\\"0\\\",\\\"50058\\\",\\\"50148\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{ErrorCode}' == '*' or '{ErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins with errors\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n|summarize errCount = count() by ErrorCode, tostring(FailureReason), Category\\r\\n| sort by errCount\\r\\n|project ['❌ Error Code'] = ErrorCode, ['Reason'] = FailureReason, ['Interrupt Count'] = toint(errCount), Category\\r\\n| where Category in ({Category});\\r\\ndata\",\"size\":1,\"showAnalytics\":true,\"title\":\"Summary of sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"exportFieldName\":\"❌ Error Code\",\"exportParameterName\":\"InterruptErrorCode\",\"exportDefaultValue\":\"*\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Interrupt Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"67\",\"showPin\":true,\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let nonInteractive = AADNonInteractiveUserSignInLogs\\r\\n| extend LocationDetails = parse_json(LocationDetails)\\r\\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies)\\r\\n| extend DeviceDetail = parse_json(DeviceDetail)\\r\\n| extend Status = parse_json(Status);\\r\\nlet data = \\r\\nunion SigninLogs,nonInteractive \\r\\n|where AppDisplayName in ({Apps}) or '*' in ({Apps})\\r\\n|where UserDisplayName in ({Users}) \\r\\n| extend ErrorCode = tostring(Status.errorCode) \\r\\n| extend FailureReason = Status.failureReason \\r\\n| where ErrorCode in (\\\"50058\\\",\\\"50140\\\", \\\"51006\\\", \\\"50059\\\", \\\"65001\\\", \\\"52004\\\", \\\"50055\\\", \\\"50144\\\",\\\"50072\\\", \\\"50074\\\", \\\"16000\\\",\\\"16001\\\", \\\"16003\\\", \\\"50127\\\", \\\"50125\\\", \\\"50129\\\",\\\"50143\\\", \\\"81010\\\", \\\"81014\\\", \\\"81012\\\") \\r\\n| where '{InterruptErrorCode}' == '*' or '{InterruptErrorCode}' == ErrorCode\\r\\n| top 200 by TimeGenerated desc\\r\\n| extend TimeFromNow = now() - TimeGenerated\\r\\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\\r\\n| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, Category\\r\\n| where Category in ({Category});\\r\\ndata\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Sign-ins waiting on user action\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"❌ Error Code\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"showIcon\":true}},{\"columnMatch\":\"App\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Error code\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result signature\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Result description\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access policies\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Conditional access status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operating system\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Browser\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Country or region\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"State\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"City\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Status\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"User principal name\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"33\",\"showPin\":true,\"name\":\"query - 7 - Copy\"}],\"fromTemplateId\":\"sentinel-AzureActiveDirectorySigninLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
-                "version": "1.0",
-                "sourceId": "[variables('workspaceResourceId')]",
-                "category": "sentinel"
+                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".",
+                "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
+                "enabled": false,
+                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bDirectConnectOutbound\"\n      | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P2D",
+                "queryPeriod": "P2D",
+                "severity": "Medium",
+                "suppressionDuration": "PT1H",
+                "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
+                "status": "Available",
+                "requiredDataConnectors": [
+                  {
+                    "dataTypes": [
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  }
+                ],
+                "tactics": [
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
+                ],
+                "techniques": [
+                  "T1078",
+                  "T1136",
+                  "T1087"
+                ],
+                "entityMappings": [
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]",
               "properties": {
-                "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
-                "parentId": "[variables('workbookId2')]",
-                "contentId": "[variables('_workbookContentId2')]",
-                "kind": "Workbook",
-                "version": "[variables('workbookVersion2')]",
+                "description": "Azure Active Directory Analytics Rule 21",
+                "parentId": "[variables('analyticRuleId21')]",
+                "contentId": "[variables('_analyticRulecontentId21')]",
+                "kind": "AnalyticsRule",
+                "version": "[variables('analyticRuleVersion21')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -4896,19 +3578,6 @@
                   "name": "Microsoft Corporation",
                   "email": "support@microsoft.com",
                   "link": "https://support.microsoft.com/"
-                },
-                "dependencies": {
-                  "operator": "AND",
-                  "criteria": [
-                    {
-                      "contentId": "SigninLogs",
-                      "kind": "DataType"
-                    },
-                    {
-                      "contentId": "AzureActiveDirectory",
-                      "kind": "DataConnector"
-                    }
-                  ]
                 }
               }
             }
@@ -4919,44 +3588,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_workbookContentId2')]",
-        "contentKind": "Workbook",
-        "displayName": "[parameters('workbook2-name')]",
-        "contentProductId": "[variables('_workbookcontentProductId2')]",
-        "id": "[variables('_workbookcontentProductId2')]",
-        "version": "[variables('workbookVersion2')]"
+        "contentId": "[variables('_analyticRulecontentId21')]",
+        "contentKind": "AnalyticsRule",
+        "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
+        "contentProductId": "[variables('_analyticRulecontentProductId21')]",
+        "id": "[variables('_analyticRulecontentProductId21')]",
+        "version": "[variables('analyticRuleVersion21')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName1')]",
+      "name": "[variables('analyticRuleTemplateSpecName22')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion1')]",
+          "contentVersion": "[variables('analyticRuleVersion22')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId1')]",
+              "name": "[variables('analyticRulecontentId22')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account",
-                "displayName": "Account Created and Deleted in Short Timeframe",
+                "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.",
+                "displayName": "Attempts to sign in to disabled accounts",
                 "enabled": false,
-                "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where OperationName =~ \"Delete user\"\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type == \"User\"\n      | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\n  )\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\n| join kind=inner (\n    AuditLogs\n    | where TimeGenerated > ago(queryperiod)\n    | where OperationName =~ \"Add user\"      \n    | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type == \"User\"\n          | extend UserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName))\n      )\n    | project-rename Creation_TimeGenerated = TimeGenerated\n) on UserPrincipalName\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\n| where  TimeDelta between (time(0s) .. queryperiod)\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "PT1H",
+                "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "queryFrequency": "P1D",
                 "queryPeriod": "P1D",
-                "severity": "High",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -4964,10 +3633,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "SigninLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -4978,26 +3653,26 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "DeletedByIPAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -5005,13 +3680,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 1",
-                "parentId": "[variables('analyticRuleId1')]",
-                "contentId": "[variables('_analyticRulecontentId1')]",
+                "description": "Azure Active Directory Analytics Rule 22",
+                "parentId": "[variables('analyticRuleId22')]",
+                "contentId": "[variables('_analyticRulecontentId22')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion1')]",
+                "version": "[variables('analyticRuleVersion22')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5036,41 +3711,41 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId1')]",
+        "contentId": "[variables('_analyticRulecontentId22')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Account Created and Deleted in Short Timeframe",
-        "contentProductId": "[variables('_analyticRulecontentProductId1')]",
-        "id": "[variables('_analyticRulecontentProductId1')]",
-        "version": "[variables('analyticRuleVersion1')]"
+        "displayName": "Attempts to sign in to disabled accounts",
+        "contentProductId": "[variables('_analyticRulecontentProductId22')]",
+        "id": "[variables('_analyticRulecontentProductId22')]",
+        "version": "[variables('analyticRuleVersion22')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName2')]",
+      "name": "[variables('analyticRuleTemplateSpecName23')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion2')]",
+          "contentVersion": "[variables('analyticRuleVersion23')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId2')]",
+              "name": "[variables('analyticRulecontentId23')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts",
-                "displayName": "Account created or deleted by non-approved user",
+                "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053   Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055   Invalid password, entered expired password.\n50056   Invalid or null password - Password does not exist in store for this user.\n50126   Invalid username or password, or invalid on-premises username or password.",
+                "displayName": "Distributed Password cracking attempts in AzureAD",
                 "enabled": false,
-                "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName =~ \"Add user\" or OperationName =~ \"Delete user\"\n| where Result =~ \"success\"\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n",
+                "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
                 "queryFrequency": "P1D",
                 "queryPeriod": "P1D",
                 "severity": "Medium",
@@ -5081,40 +3756,46 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1078"
+                  "T1110"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedUserIpAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -5122,13 +3803,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 2",
-                "parentId": "[variables('analyticRuleId2')]",
-                "contentId": "[variables('_analyticRulecontentId2')]",
+                "description": "Azure Active Directory Analytics Rule 23",
+                "parentId": "[variables('analyticRuleId23')]",
+                "contentId": "[variables('_analyticRulecontentId23')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion2')]",
+                "version": "[variables('analyticRuleVersion23')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5153,44 +3834,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId2')]",
+        "contentId": "[variables('_analyticRulecontentId23')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Account created or deleted by non-approved user",
-        "contentProductId": "[variables('_analyticRulecontentProductId2')]",
-        "id": "[variables('_analyticRulecontentProductId2')]",
-        "version": "[variables('analyticRuleVersion2')]"
+        "displayName": "Distributed Password cracking attempts in AzureAD",
+        "contentProductId": "[variables('_analyticRulecontentProductId23')]",
+        "id": "[variables('_analyticRulecontentProductId23')]",
+        "version": "[variables('analyticRuleVersion23')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName3')]",
+      "name": "[variables('analyticRuleTemplateSpecName24')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion3')]",
+          "contentVersion": "[variables('analyticRuleVersion24')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId3')]",
+              "name": "[variables('analyticRulecontentId24')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "Modified domain federation trust settings",
+                "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.",
+                "displayName": "Explicit MFA Deny",
                 "enabled": false,
-                "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\"   // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\"   // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| mv-apply Property = modifiedProperties on \n  (\n      where Property.displayName =~ \"LiveType\"\n      | extend targetDisplayName = tostring(Property.displayName),\n               NewDomainValue = tostring(Property.newValue)\n  )\n| where NewDomainValue has \"Federated\"\n)\n)\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
                 "queryFrequency": "P1D",
                 "queryPeriod": "P1D",
-                "severity": "High",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -5198,37 +3879,55 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
                   "CredentialAccess"
                 ],
+                "techniques": [
+                  "T1110"
+                ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
+                        "columnName": "ClientAppUsed",
+                        "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   }
                 ]
               }
@@ -5236,13 +3935,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 3",
-                "parentId": "[variables('analyticRuleId3')]",
-                "contentId": "[variables('_analyticRulecontentId3')]",
+                "description": "Azure Active Directory Analytics Rule 24",
+                "parentId": "[variables('analyticRuleId24')]",
+                "contentId": "[variables('_analyticRulecontentId24')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion3')]",
+                "version": "[variables('analyticRuleVersion24')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5267,42 +3966,42 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId3')]",
+        "contentId": "[variables('_analyticRulecontentId24')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Modified domain federation trust settings",
-        "contentProductId": "[variables('_analyticRulecontentProductId3')]",
-        "id": "[variables('_analyticRulecontentProductId3')]",
-        "version": "[variables('analyticRuleVersion3')]"
+        "displayName": "Explicit MFA Deny",
+        "contentProductId": "[variables('_analyticRulecontentProductId24')]",
+        "id": "[variables('_analyticRulecontentProductId24')]",
+        "version": "[variables('analyticRuleVersion24')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName4')]",
+      "name": "[variables('analyticRuleTemplateSpecName25')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion4')]",
+          "contentVersion": "[variables('analyticRuleVersion25')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId4')]",
+              "name": "[variables('analyticRulecontentId25')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference",
-                "displayName": "Password spray attack against ADFSSignInLogs",
+                "description": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access",
+                "displayName": "full_access_as_app Granted To Application",
                 "enabled": false,
-                "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n    DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n    DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n    SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n    arg_min(TimeGenerated, *)\n    by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\n",
-                "queryFrequency": "PT30M",
+                "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n      | extend AdminConsent = tostring(Property.newValue)\n  )\n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"ConsentAction.Permissions\"\n      | extend Permissions = tostring(Property.newValue)\n  )\n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend AppId = tostring(Property.newValue)\n  )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n",
+                "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
@@ -5312,41 +4011,63 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "ADFSSignInLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1110"
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "GrantIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
-                ]
+                ],
+                "customDetails": {
+                  "OAuthApplication": "OAuthAppName",
+                  "UserAgent": "GrantUserAgent",
+                  "OAuthAppId": "AppId"
+                },
+                "alertDetailsOverride": {
+                  "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n",
+                  "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}"
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 4",
-                "parentId": "[variables('analyticRuleId4')]",
-                "contentId": "[variables('_analyticRulecontentId4')]",
+                "description": "Azure Active Directory Analytics Rule 25",
+                "parentId": "[variables('analyticRuleId25')]",
+                "contentId": "[variables('_analyticRulecontentId25')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion4')]",
+                "version": "[variables('analyticRuleVersion25')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5371,44 +4092,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId4')]",
+        "contentId": "[variables('_analyticRulecontentId25')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Password spray attack against ADFSSignInLogs",
-        "contentProductId": "[variables('_analyticRulecontentProductId4')]",
-        "id": "[variables('_analyticRulecontentProductId4')]",
-        "version": "[variables('analyticRuleVersion4')]"
+        "displayName": "full_access_as_app Granted To Application",
+        "contentProductId": "[variables('_analyticRulecontentProductId25')]",
+        "id": "[variables('_analyticRulecontentProductId25')]",
+        "version": "[variables('analyticRuleVersion25')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName5')]",
+      "name": "[variables('analyticRuleTemplateSpecName26')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion5')]",
+          "contentVersion": "[variables('analyticRuleVersion26')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId5')]",
+              "name": "[variables('analyticRulecontentId26')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
-                "displayName": "Admin promotion after Role Management Application Permission Grant",
+                "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal.  Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+                "displayName": "Failed login attempts to Azure Portal",
                 "enabled": false,
-                "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n    summarize modifiedProperties = make_bag(\n        bag_pack(tostring(modifiedProperty[\"displayName\"]),\n            bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n                \"newValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n    PermissionGrant_TimeGenerated = TimeGenerated,\n    PermissionGrant_OperationName = OperationName,\n    PermissionGrant_Result = Result,\n    PermissionGrant,\n    AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n    AppServicePrincipalId = tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n    PermissionGrant_InitiatedBy = InitiatedBy,\n    PermissionGrant_TargetResources = TargetResources,\n    PermissionGrant_AdditionalDetails = AdditionalDetails,\n    PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n    AuditLogs\n    | where TimeGenerated > ago(query_frequency)\n    | where Category =~ \"RoleManagement\" and LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n    | where isnotempty(InitiatedBy[\"app\"])\n    | mv-expand TargetResource = TargetResources\n    | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n    | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n    | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n    | where RoleAssignment contains \"Admin\"\n    | project\n        RoleAssignment_TimeGenerated = TimeGenerated,\n        RoleAssignment_OperationName = OperationName,\n        RoleAssignment_Result = Result,\n        RoleAssignment,\n        TargetType = tostring(TargetResources[0][\"type\"]),\n        Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n        TargetId = tostring(TargetResources[0][\"id\"]),\n        RoleAssignment_InitiatedBy = InitiatedBy,\n        RoleAssignment_TargetResources = TargetResources,\n        RoleAssignment_AdditionalDetails = AdditionalDetails,\n        RoleAssignment_CorrelationId = CorrelationId,\n        AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n    ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\n| extend\n    TargetName = tostring(split(Target, \"@\")[0]),\n    TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT2H",
-                "severity": "High",
+                "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n   successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n   identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City)  \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P7D",
+                "severity": "Low",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -5416,42 +4137,46 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "PrivilegeEscalation",
-                  "Persistence"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1098",
-                  "T1078"
+                  "T1110"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "AppDisplayName"
+                        "columnName": "Name",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "TargetName"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "TargetUPNSuffix"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -5459,13 +4184,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 5",
-                "parentId": "[variables('analyticRuleId5')]",
-                "contentId": "[variables('_analyticRulecontentId5')]",
+                "description": "Azure Active Directory Analytics Rule 26",
+                "parentId": "[variables('analyticRuleId26')]",
+                "contentId": "[variables('_analyticRulecontentId26')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion5')]",
+                "version": "[variables('analyticRuleVersion26')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5490,44 +4215,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId5')]",
+        "contentId": "[variables('_analyticRulecontentId26')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Admin promotion after Role Management Application Permission Grant",
-        "contentProductId": "[variables('_analyticRulecontentProductId5')]",
-        "id": "[variables('_analyticRulecontentProductId5')]",
-        "version": "[variables('analyticRuleVersion5')]"
+        "displayName": "Failed login attempts to Azure Portal",
+        "contentProductId": "[variables('_analyticRulecontentProductId26')]",
+        "id": "[variables('_analyticRulecontentProductId26')]",
+        "version": "[variables('analyticRuleVersion26')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName6')]",
+      "name": "[variables('analyticRuleTemplateSpecName27')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion6')]",
+          "contentVersion": "[variables('analyticRuleVersion27')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId6')]",
+              "name": "[variables('analyticRulecontentId27')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application",
-                "displayName": "Anomalous sign-in location by user account and authenticating application",
+                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "First access credential added to Application or Service Principal where no credential was present",
                 "enabled": false,
-                "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P7D",
-                "severity": "Medium",
+                "query": "AuditLogs\n| where OperationName has (\"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"Application\"\n      | extend targetDisplayName = tostring(TargetResource.displayName),\n               targetId = tostring(TargetResource.id),\n               targetType = tostring(TargetResource.type),\n               keyEvents = TargetResource.modifiedProperties\n  )\n| mv-apply Property = keyEvents on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend new_value_set = parse_json(tostring(Property.newValue)),\n               old_value_set = parse_json(tostring(Property.oldValue))\n  )\n| where old_value_set == \"[]\"  \n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
+                "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -5535,65 +4260,63 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess"
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1078"
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      },
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
                       {
-                        "identifier": "AadUserId",
-                        "columnName": "UserId"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "targetDisplayName",
+                        "identifier": "Name"
+                      }
+                    ],
+                    "entityType": "CloudApplication"
                   }
-                ],
-                "eventGroupingSettings": {
-                  "aggregationKind": "SingleAlert"
-                },
-                "customDetails": {
-                  "Application": "AppDisplayName"
-                },
-                "alertDetailsOverride": {
-                  "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}",
-                  "alertDescriptionFormat": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n"
-                }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 6",
-                "parentId": "[variables('analyticRuleId6')]",
-                "contentId": "[variables('_analyticRulecontentId6')]",
+                "description": "Azure Active Directory Analytics Rule 27",
+                "parentId": "[variables('analyticRuleId27')]",
+                "contentId": "[variables('_analyticRulecontentId27')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion6')]",
+                "version": "[variables('analyticRuleVersion27')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5618,43 +4341,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId6')]",
+        "contentId": "[variables('_analyticRulecontentId27')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Anomalous sign-in location by user account and authenticating application",
-        "contentProductId": "[variables('_analyticRulecontentProductId6')]",
-        "id": "[variables('_analyticRulecontentProductId6')]",
-        "version": "[variables('analyticRuleVersion6')]"
+        "displayName": "First access credential added to Application or Service Principal where no credential was present",
+        "contentProductId": "[variables('_analyticRulecontentProductId27')]",
+        "id": "[variables('_analyticRulecontentProductId27')]",
+        "version": "[variables('analyticRuleVersion27')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName7')]",
+      "name": "[variables('analyticRuleTemplateSpecName28')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion7')]",
+          "contentVersion": "[variables('analyticRuleVersion28')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId7')]",
+              "name": "[variables('analyticRulecontentId28')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
-                "displayName": "Authentication Methods Changed for Privileged Account",
+                "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.",
+                "displayName": "Guest accounts added in AAD Groups other than the ones specified",
                 "enabled": false,
-                "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (\n    IdentityInfo\n    | where TimeGenerated > ago(queryperiod)\n    | mv-expand AssignedRoles\n    | where AssignedRoles contains 'Admin'\n    | summarize by AccountUPN);\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName)\n  )\n| where Target in~ (VIPUsers)\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\n// Comment out this line below, if line above is used.\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\n| extend InitiatorName = tostring(split(Initiator,'@',0)[0]), \n         InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]),\n         TargetName = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',0)[0])), \n         TargetUPNSuffix = iff(tostring(Targets) has \"[\", \"\", tostring(split(Targets,'@',1)[0]))\n",
-                "queryFrequency": "PT2H",
-                "queryPeriod": "P14D",
+                "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n               Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on \n  (\n      where Property.displayName =~ \"Group.DisplayName\"\n      | extend AADGroup = trim('\"',tostring(Property.newValue))\n  )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n   (\n     where Property.displayName =~ \"Group.ObjectID\"\n     | extend AADGroupId = trim('\"',tostring(Property.newValue))\n   )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
                 "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -5663,53 +4386,53 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "Persistence"
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
                 ],
                 "techniques": [
-                  "T1098"
+                  "T1078",
+                  "T1136",
+                  "T1087"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "InitiatorName"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InitiatorUPNSuffix"
+                        "columnName": "InvitedUser",
+                        "identifier": "Name"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "TargetName"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "TargetUPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IP"
+                        "columnName": "InitiatedByIPAdress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -5717,13 +4440,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 7",
-                "parentId": "[variables('analyticRuleId7')]",
-                "contentId": "[variables('_analyticRulecontentId7')]",
+                "description": "Azure Active Directory Analytics Rule 28",
+                "parentId": "[variables('analyticRuleId28')]",
+                "contentId": "[variables('_analyticRulecontentId28')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion7')]",
+                "version": "[variables('analyticRuleVersion28')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5748,44 +4471,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId7')]",
+        "contentId": "[variables('_analyticRulecontentId28')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Authentication Methods Changed for Privileged Account",
-        "contentProductId": "[variables('_analyticRulecontentProductId7')]",
-        "id": "[variables('_analyticRulecontentProductId7')]",
-        "version": "[variables('analyticRuleVersion7')]"
+        "displayName": "Guest accounts added in AAD Groups other than the ones specified",
+        "contentProductId": "[variables('_analyticRulecontentProductId28')]",
+        "id": "[variables('_analyticRulecontentProductId28')]",
+        "version": "[variables('analyticRuleVersion28')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName8')]",
+      "name": "[variables('analyticRuleTemplateSpecName29')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion8')]",
+          "contentVersion": "[variables('analyticRuleVersion29')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId8')]",
+              "name": "[variables('analyticRulecontentId29')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.",
-                "displayName": "Azure Active Directory PowerShell accessing non-AAD resources",
+                "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.",
+                "displayName": "Mail.Read Permissions Granted to Application",
                 "enabled": false,
-                "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "Low",
+                "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")  \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend props = TargetResource.modifiedProperties,\n               Type = tostring(TargetResource.type),\n               PermissionsAddedTo = tostring(TargetResource.displayName)\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n      | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n  )\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress)  \n| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy\n| join kind=leftouter(\n  AuditLogs\n  | where ActivityDisplayName has \"Consent to application\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend AppName = tostring(TargetResource.displayName),\n                   AppId = tostring(TargetResource.id)\n      )\n  | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -5793,50 +4516,40 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess"
+                  "Persistence"
                 ],
                 "techniques": [
-                  "T1078"
+                  "T1098"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "AadUserId",
-                        "columnName": "UserId"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "UserIPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -5844,13 +4557,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 8",
-                "parentId": "[variables('analyticRuleId8')]",
-                "contentId": "[variables('_analyticRulecontentId8')]",
+                "description": "Azure Active Directory Analytics Rule 29",
+                "parentId": "[variables('analyticRuleId29')]",
+                "contentId": "[variables('_analyticRulecontentId29')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion8')]",
+                "version": "[variables('analyticRuleVersion29')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5875,43 +4588,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId8')]",
+        "contentId": "[variables('_analyticRulecontentId29')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Azure Active Directory PowerShell accessing non-AAD resources",
-        "contentProductId": "[variables('_analyticRulecontentProductId8')]",
-        "id": "[variables('_analyticRulecontentProductId8')]",
-        "version": "[variables('analyticRuleVersion8')]"
+        "displayName": "Mail.Read Permissions Granted to Application",
+        "contentProductId": "[variables('_analyticRulecontentProductId29')]",
+        "id": "[variables('_analyticRulecontentProductId29')]",
+        "version": "[variables('analyticRuleVersion29')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName9')]",
+      "name": "[variables('analyticRuleTemplateSpecName30')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion9')]",
+          "contentVersion": "[variables('analyticRuleVersion30')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId9')]",
+              "name": "[variables('analyticRulecontentId30')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
-                "displayName": "Azure AD Role Management Permission Grant",
+                "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
                 "enabled": false,
-                "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n      | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n  )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n      | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n      | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n  )\n| extend \n    Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n    InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n",
-                "queryFrequency": "PT2H",
-                "queryPeriod": "PT2H",
+                "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend AppDisplayName = tostring(TargetResource.displayName),\n               AppClientId = tostring(TargetResource.id),\n               props = TargetResource.modifiedProperties\n  )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n  (\n      where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n  )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack)  \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend GrantUserAgent = AdditionalDetail.value\n  )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n  | where TimeGenerated > ago(joinLookback)\n  | where LoggedByService =~ \"Core Directory\"\n  | where Category =~ \"ApplicationManagement\"\n  | where OperationName =~ \"Add service principal\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend props = TargetResource.modifiedProperties,\n                  AppClientId = tostring(TargetResource.id)\n      )\n  | mv-apply Property = props on \n      (\n          where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n          | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n      )\n  | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n      | where TimeGenerated > ago(joinLookback)\n      | where LoggedByService =~ \"Core Directory\"\n      | where Category =~ \"ApplicationManagement\"\n      | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n          | mv-apply TargetResource = TargetResources on \n          (\n              where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n              | extend GrantAuthentication = tostring(TargetResource.displayName)\n          )\n      | extend GrantOperation = OperationName\n      | project GrantAuthentication, GrantOperation, CorrelationId\n  ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P14D",
                 "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -5920,42 +4633,51 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "Persistence",
-                  "Impact"
+                  "CredentialAccess",
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1098",
-                  "T1078"
+                  "T1528",
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "GrantIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "AppDisplayName"
+                        "columnName": "AppDisplayName",
+                        "identifier": "Name"
                       }
-                    ]
+                    ],
+                    "entityType": "CloudApplication"
                   }
                 ]
               }
@@ -5963,13 +4685,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 9",
-                "parentId": "[variables('analyticRuleId9')]",
-                "contentId": "[variables('_analyticRulecontentId9')]",
+                "description": "Azure Active Directory Analytics Rule 30",
+                "parentId": "[variables('analyticRuleId30')]",
+                "contentId": "[variables('_analyticRulecontentId30')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion9')]",
+                "version": "[variables('analyticRuleVersion30')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -5994,43 +4716,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId9')]",
+        "contentId": "[variables('_analyticRulecontentId30')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Azure AD Role Management Permission Grant",
-        "contentProductId": "[variables('_analyticRulecontentProductId9')]",
-        "id": "[variables('_analyticRulecontentProductId9')]",
-        "version": "[variables('analyticRuleVersion9')]"
+        "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
+        "contentProductId": "[variables('_analyticRulecontentProductId30')]",
+        "id": "[variables('_analyticRulecontentProductId30')]",
+        "version": "[variables('analyticRuleVersion30')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName10')]",
+      "name": "[variables('analyticRuleTemplateSpecName31')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion10')]",
+          "contentVersion": "[variables('analyticRuleVersion31')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId10')]",
+              "name": "[variables('analyticRulecontentId31')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.",
-                "displayName": "Azure Portal sign in from another Azure Tenant",
+                "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "Suspicious application consent similar to PwnAuth",
                 "enabled": false,
-                "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\"] with(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes)\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n| summarize make_list(values_properties_addressPrefixes) by ip_type\n;\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where ResultType == 0\n| where AppDisplayName =~ \"Azure Portal\"\n| extend isipv4 = parse_ipv4(IPAddress)\n| extend ip_type = case(isnotnull(isipv4), \"v4\", \"v6\")\n // Only get logons where the IP address is in an Azure range\n| join kind=fullouter (azure_ranges) on ip_type\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress,  list_values_properties_addressPrefixes)\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress,  list_values_properties_addressPrefixes)\n| where ipv4_match or ipv6_match \n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == AADTenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\n| extend AccountName = split(UserPrincipalName, \"@\")[0]\n| extend UPNSuffix = split(UserPrincipalName, \"@\")[1]\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
+                "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend AppDisplayName = tostring(TargetResource.displayName),\n               AppClientId = tostring(TargetResource.id),\n               props = TargetResource.modifiedProperties\n  )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply ConsentFull = props on \n  (\n      where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n  )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has_all (\"user.read\", \"offline_access\", \"mail.readwrite\", \"mail.send\", \"files.read.all\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend GrantUserAgent = AdditionalDetail.value\n  )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend props = TargetResource.modifiedProperties,\n                  AppClientId = tostring(TargetResource.id)\n      )\n  | mv-apply Property = props on \n      (\n          where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n          | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n      )\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n      | mv-apply TargetResource = TargetResources on \n          (\n              where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n              | extend GrantAuthentication = tostring(TargetResource.displayName)\n          )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P14D",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -6039,62 +4761,56 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "SigninLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess"
+                  "CredentialAccess",
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1199"
+                  "T1528",
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "AccountName"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      },
-                      {
-                        "identifier": "AadUserId",
-                        "columnName": "UserId"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "GrantIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
-                ],
-                "alertDetailsOverride": {
-                  "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}",
-                  "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n"
-                }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 10",
-                "parentId": "[variables('analyticRuleId10')]",
-                "contentId": "[variables('_analyticRulecontentId10')]",
+                "description": "Azure Active Directory Analytics Rule 31",
+                "parentId": "[variables('analyticRuleId31')]",
+                "contentId": "[variables('_analyticRulecontentId31')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion10')]",
+                "version": "[variables('analyticRuleVersion31')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6119,43 +4835,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId10')]",
+        "contentId": "[variables('_analyticRulecontentId31')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Azure Portal sign in from another Azure Tenant",
-        "contentProductId": "[variables('_analyticRulecontentProductId10')]",
-        "id": "[variables('_analyticRulecontentProductId10')]",
-        "version": "[variables('analyticRuleVersion10')]"
+        "displayName": "Suspicious application consent similar to PwnAuth",
+        "contentProductId": "[variables('_analyticRulecontentProductId31')]",
+        "id": "[variables('_analyticRulecontentProductId31')]",
+        "version": "[variables('analyticRuleVersion31')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName11')]",
+      "name": "[variables('analyticRuleTemplateSpecName32')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion11')]",
+          "contentVersion": "[variables('analyticRuleVersion32')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId11')]",
+              "name": "[variables('analyticRulecontentId32')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.",
-                "displayName": "Brute Force Attack against GitHub Account",
+                "description": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
+                "displayName": "MFA Rejected by User",
                 "enabled": false,
-                "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h;  \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\ntable(tableName)  \n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)  \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n          table(tableName)  \n          | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n          | where AppDisplayName =~ \"GitHub.com\"\n          | where ResultType != 0\n          | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName          \n      ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nSigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\" or additionalDetails_ has \"fraud\"\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, IPAddress\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| join kind=leftouter (\n    IdentityInfo\n    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n    | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n    | summarize\n        Tags = make_set(Tags, 1000),\n        GroupMembership = make_set(GroupMembership, 1000),\n        AssignedRoles = make_set(AssignedRoles, 1000),\n        BlastRadiusInt = sum(BlastRadiusInt),\n        UserType = make_set(UserType, 1000),\n        UserAccountControl = make_set(UserType, 1000)\n    by AccountUPN\n    | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where isnotempty(SourceIPAddress)\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n    | project-rename IPAddress = SourceIPAddress\n    | summarize\n        UsersInsights = make_set(UsersInsights, 1000),\n        DevicesInsights = make_set(DevicesInsights, 1000),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where  UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
                 "queryFrequency": "PT1H",
-                "queryPeriod": "P7D",
+                "queryPeriod": "PT1H",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -6164,37 +4880,56 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "SigninLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   },
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                      "BehaviorAnalytics"
+                    ],
+                    "connectorId": "BehaviorAnalytics"
+                  },
+                  {
+                    "dataTypes": [
+                      "IdentityInfo"
+                    ],
+                    "connectorId": "IdentityInfo"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "InitialAccess"
                 ],
                 "techniques": [
-                  "T1110"
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
+                      },
+                      {
+                        "columnName": "UserId",
+                        "identifier": "AadUserId"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -6202,13 +4937,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 11",
-                "parentId": "[variables('analyticRuleId11')]",
-                "contentId": "[variables('_analyticRulecontentId11')]",
+                "description": "Azure Active Directory Analytics Rule 32",
+                "parentId": "[variables('analyticRuleId32')]",
+                "contentId": "[variables('_analyticRulecontentId32')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion11')]",
+                "version": "[variables('analyticRuleVersion32')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6233,43 +4968,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId11')]",
+        "contentId": "[variables('_analyticRulecontentId32')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Brute Force Attack against GitHub Account",
-        "contentProductId": "[variables('_analyticRulecontentProductId11')]",
-        "id": "[variables('_analyticRulecontentProductId11')]",
-        "version": "[variables('analyticRuleVersion11')]"
+        "displayName": "MFA Rejected by User",
+        "contentProductId": "[variables('_analyticRulecontentProductId32')]",
+        "id": "[variables('_analyticRulecontentProductId32')]",
+        "version": "[variables('analyticRuleVersion32')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName12')]",
+      "name": "[variables('analyticRuleTemplateSpecName33')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion12')]",
+          "contentVersion": "[variables('analyticRuleVersion33')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId12')]",
+              "name": "[variables('analyticRulecontentId33')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.",
-                "displayName": "Brute force attack against a Cloud PC",
+                "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.",
+                "displayName": "Multiple admin membership removals from newly created admin.",
                 "enabled": false,
-                "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n                          by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit')  \n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName\n| join kind=leftouter (\n      SigninLogs\n      | where AppDisplayName =~ \"Windows Sign In\"\n      | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n      | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n      | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n      | summarize StartTime = min(TimeGenerated), \n                  EndTime = max(TimeGenerated), \n                  IPAddress = make_set(IPAddress,100), \n                  OS = make_set(OS,20), \n                  Browser = make_set(Browser,20), \n                  City = make_set(City,100), \n                  ResultType = make_set(ResultType,100)\n              by UserDisplayName, UserPrincipalName\n  ) on UserDisplayName, UserPrincipalName\n| extend IPAddressFirst = IPAddress[0]\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
+                "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n      (\n          where Property.displayName =~ \"Role.DisplayName\"\n          | extend RoleName = trim('\"',tostring(Property.oldValue))\n      )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\"  // Filtering PIM events  \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName,  RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n      (\n          where Property.displayName =~ \"Role.DisplayName\"\n          | extend RoleName = trim('\"',tostring(Property.newValue))\n      )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\"  // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName,  RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "P7D",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -6278,40 +5013,31 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "SigninLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "Impact"
                 ],
                 "techniques": [
-                  "T1110"
+                  "T1531"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddressFirst"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ]
               }
@@ -6319,13 +5045,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 12",
-                "parentId": "[variables('analyticRuleId12')]",
-                "contentId": "[variables('_analyticRulecontentId12')]",
+                "description": "Azure Active Directory Analytics Rule 33",
+                "parentId": "[variables('analyticRuleId33')]",
+                "contentId": "[variables('_analyticRulecontentId33')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion12')]",
+                "version": "[variables('analyticRuleVersion33')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6350,44 +5076,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId12')]",
+        "contentId": "[variables('_analyticRulecontentId33')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Brute force attack against a Cloud PC",
-        "contentProductId": "[variables('_analyticRulecontentProductId12')]",
-        "id": "[variables('_analyticRulecontentProductId12')]",
-        "version": "[variables('analyticRuleVersion12')]"
+        "displayName": "Multiple admin membership removals from newly created admin.",
+        "contentProductId": "[variables('_analyticRulecontentProductId33')]",
+        "id": "[variables('_analyticRulecontentProductId33')]",
+        "version": "[variables('analyticRuleVersion33')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName13')]",
+      "name": "[variables('analyticRuleTemplateSpecName34')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion13')]",
+          "contentVersion": "[variables('analyticRuleVersion34')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId13')]",
+              "name": "[variables('analyticRulecontentId34')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
-                "displayName": "Bulk Changes to Privileged Account Permissions",
+                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "New access credential added to Application or Service Principal",
                 "enabled": false,
-                "query": "let AdminRecords = AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"Role.DisplayName\"\n      | extend RoleName = trim('\"',tostring(Property.newValue))\n  )\n| where RoleName contains \"Admin\";\nAdminRecords\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi  (\n  AdminRecords\n  | extend TimeWindow = bin(TimeGenerated, 1h)\n) on $left.TimeGenerated == $right.TimeWindow\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \"\")\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]),\n         InitiatedByUserName = tostring(split(InitiatedByUser,'@',0)[0]), InitiatedByUserUPNSuffix = tostring(split(InitiatedByUser,'@',1)[0])\n",
-                "queryFrequency": "PT2H",
-                "queryPeriod": "PT2H",
-                "severity": "High",
+                "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"Application\"\n      | extend targetDisplayName = tostring(TargetResource.displayName),\n               targetId = tostring(TargetResource.id),\n               targetType = tostring(TargetResource.type),\n               keyEvents = TargetResource.modifiedProperties\n  )\n| mv-apply Property = keyEvents on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend new_value_set = parse_json(tostring(Property.newValue)),\n               old_value_set = parse_json(tostring(Property.oldValue))\n  )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -6395,62 +5121,54 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "PrivilegeEscalation"
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1078"
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "TargetName"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "TargetUPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "InitiatedByUserName"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InitiatedByUserUPNSuffix"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
-                ],
-                "customDetails": {
-                  "TargetUser": "Target",
-                  "InitiatedByUser": "InitiatedByUser"
-                }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 13",
-                "parentId": "[variables('analyticRuleId13')]",
-                "contentId": "[variables('_analyticRulecontentId13')]",
+                "description": "Azure Active Directory Analytics Rule 34",
+                "parentId": "[variables('analyticRuleId34')]",
+                "contentId": "[variables('_analyticRulecontentId34')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion13')]",
+                "version": "[variables('analyticRuleVersion34')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6475,93 +5193,78 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId13')]",
+        "contentId": "[variables('_analyticRulecontentId34')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Bulk Changes to Privileged Account Permissions",
-        "contentProductId": "[variables('_analyticRulecontentProductId13')]",
-        "id": "[variables('_analyticRulecontentProductId13')]",
-        "version": "[variables('analyticRuleVersion13')]"
+        "displayName": "New access credential added to Application or Service Principal",
+        "contentProductId": "[variables('_analyticRulecontentProductId34')]",
+        "id": "[variables('_analyticRulecontentProductId34')]",
+        "version": "[variables('analyticRuleVersion34')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName14')]",
+      "name": "[variables('analyticRuleTemplateSpecName35')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion14')]",
+          "contentVersion": "[variables('analyticRuleVersion35')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId14')]",
+              "name": "[variables('analyticRulecontentId35')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown",
-                "displayName": "Attempt to bypass conditional access rule in Azure AD",
+                "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "NRT Modified domain federation trust settings",
                 "enabled": false,
-                "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\n  project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n  | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Low",
+                "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\"   // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n  (\n      where Property.displayName =~ \"LiveType\"\n      | extend targetDisplayName = tostring(Property.displayName),\n               NewDomainValue = tostring(Property.newValue)\n  )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence"
-                ],
-                "techniques": [
-                  "T1078",
-                  "T1098"
+                  "CredentialAccess"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddresses"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -6569,13 +5272,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 14",
-                "parentId": "[variables('analyticRuleId14')]",
-                "contentId": "[variables('_analyticRulecontentId14')]",
+                "description": "Azure Active Directory Analytics Rule 35",
+                "parentId": "[variables('analyticRuleId35')]",
+                "contentId": "[variables('_analyticRulecontentId35')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion14')]",
+                "version": "[variables('analyticRuleVersion35')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6600,82 +5303,81 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId14')]",
+        "contentId": "[variables('_analyticRulecontentId35')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Attempt to bypass conditional access rule in Azure AD",
-        "contentProductId": "[variables('_analyticRulecontentProductId14')]",
-        "id": "[variables('_analyticRulecontentProductId14')]",
-        "version": "[variables('analyticRuleVersion14')]"
+        "displayName": "NRT Modified domain federation trust settings",
+        "contentProductId": "[variables('_analyticRulecontentProductId35')]",
+        "id": "[variables('_analyticRulecontentProductId35')]",
+        "version": "[variables('analyticRuleVersion35')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName15')]",
+      "name": "[variables('analyticRuleTemplateSpecName36')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion15')]",
+          "contentVersion": "[variables('analyticRuleVersion36')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId15')]",
+              "name": "[variables('analyticRulecontentId36')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities",
-                "displayName": "Credential added after admin consented to Application",
+                "description": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.",
+                "displayName": "NRT Authentication Methods Changed for VIP Users",
                 "enabled": false,
-                "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend targetResourceName = tostring(TargetResource.displayName),\n               targetResourceID = tostring(TargetResource.id),\n               targetResourceType = tostring(TargetResource.type),\n               targetModifiedProp = TargetResource.modifiedProperties\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"ConsentContext.IsAdminConsent\"\n      | extend isAdminConsent = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"ConsentAction.Permissions\"\n      | extend Consent_Permissions = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend Consent_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n  )\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated  >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend targetResourceName = tostring(TargetResource.displayName),\n               targetResourceID = tostring(TargetResource.id),\n               targetModifiedProp = TargetResource.modifiedProperties\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend Credential_KeyDescription = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"Included Updated Properties\"\n      | extend UpdatedProperties = trim(@'\"',tostring(Property.newValue))\n  )\n| mv-apply Property = targetModifiedProp on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend Credential_ServicePrincipalNames = tostring(extract_all(@\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\",trim(@'\"',tostring(Property.newValue)))[0])\n  )\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent < TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P2D",
+                "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n  )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "Persistence"
+                ],
+                "techniques": [
+                  "T1098"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "Consent_InitiatingIpAddress"
+                        "columnName": "IP",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -6683,13 +5385,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 15",
-                "parentId": "[variables('analyticRuleId15')]",
-                "contentId": "[variables('_analyticRulecontentId15')]",
+                "description": "Azure Active Directory Analytics Rule 36",
+                "parentId": "[variables('analyticRuleId36')]",
+                "contentId": "[variables('_analyticRulecontentId36')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion15')]",
+                "version": "[variables('analyticRuleVersion36')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6714,89 +5416,81 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId15')]",
+        "contentId": "[variables('_analyticRulecontentId36')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Credential added after admin consented to Application",
-        "contentProductId": "[variables('_analyticRulecontentProductId15')]",
-        "id": "[variables('_analyticRulecontentProductId15')]",
-        "version": "[variables('analyticRuleVersion15')]"
+        "displayName": "NRT Authentication Methods Changed for VIP Users",
+        "contentProductId": "[variables('_analyticRulecontentProductId36')]",
+        "id": "[variables('_analyticRulecontentProductId36')]",
+        "version": "[variables('analyticRuleVersion36')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName16')]",
+      "name": "[variables('analyticRuleTemplateSpecName37')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion16')]",
+          "contentVersion": "[variables('analyticRuleVersion37')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId16')]",
+              "name": "[variables('analyticRulecontentId37')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.",
-                "displayName": "Cross-tenant Access Settings Organization Added",
+                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
                 "enabled": false,
-                "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"tenantId\"\n      | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n  )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
-                "queryFrequency": "P2D",
-                "queryPeriod": "P2D",
+                "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n    where TargetResource.type =~ \"Application\"\n    | extend targetDisplayName = tostring(TargetResource.displayName),\n             targetId = tostring(TargetResource.id),\n             targetType = tostring(TargetResource.type),\n             keyEvents = TargetResource.modifiedProperties\n  )\n|  mv-apply Property = keyEvents on \n (\n  where Property.displayName =~ \"KeyDescription\"\n  | extend new_value_set = parse_json(tostring(Property.newValue)),\n           old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n  (\n    where AdditionalDetail.key =~ \"User-Agent\"\n    | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -6804,13 +5498,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 16",
-                "parentId": "[variables('analyticRuleId16')]",
-                "contentId": "[variables('_analyticRulecontentId16')]",
+                "description": "Azure Active Directory Analytics Rule 37",
+                "parentId": "[variables('analyticRuleId37')]",
+                "contentId": "[variables('_analyticRulecontentId37')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion16')]",
+                "version": "[variables('analyticRuleVersion37')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6835,89 +5529,81 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId16')]",
+        "contentId": "[variables('_analyticRulecontentId37')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Cross-tenant Access Settings Organization Added",
-        "contentProductId": "[variables('_analyticRulecontentProductId16')]",
-        "id": "[variables('_analyticRulecontentProductId16')]",
-        "version": "[variables('analyticRuleVersion16')]"
+        "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
+        "contentProductId": "[variables('_analyticRulecontentProductId37')]",
+        "id": "[variables('_analyticRulecontentProductId37')]",
+        "version": "[variables('analyticRuleVersion37')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName17')]",
+      "name": "[variables('analyticRuleTemplateSpecName38')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion17')]",
+          "contentVersion": "[variables('analyticRuleVersion38')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId17')]",
+              "name": "[variables('analyticRulecontentId38')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.",
-                "displayName": "Cross-tenant Access Settings Organization Deleted",
+                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "NRT New access credential added to Application or Service Principal",
                 "enabled": false,
-                "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"tenantId\"\n      | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n  )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
-                "queryFrequency": "P2D",
-                "queryPeriod": "P2D",
+                "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"Application\"\n      | extend targetDisplayName = tostring(TargetResource.displayName),\n               targetId = tostring(TargetResource.id),\n               targetType = tostring(TargetResource.type),\n               keyEvents = TargetResource.modifiedProperties\n  )\n| mv-apply Property = keyEvents on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend new_value_set = parse_json(tostring(Property.newValue)),\n               old_value_set = parse_json(tostring(Property.oldValue))\n  )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
+                  "DefenseEvasion"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1550"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -6925,13 +5611,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 17",
-                "parentId": "[variables('analyticRuleId17')]",
-                "contentId": "[variables('_analyticRulecontentId17')]",
+                "description": "Azure Active Directory Analytics Rule 38",
+                "parentId": "[variables('analyticRuleId38')]",
+                "contentId": "[variables('_analyticRulecontentId38')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion17')]",
+                "version": "[variables('analyticRuleVersion38')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -6956,89 +5642,94 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId17')]",
+        "contentId": "[variables('_analyticRulecontentId38')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Cross-tenant Access Settings Organization Deleted",
-        "contentProductId": "[variables('_analyticRulecontentProductId17')]",
-        "id": "[variables('_analyticRulecontentProductId17')]",
-        "version": "[variables('analyticRuleVersion17')]"
+        "displayName": "NRT New access credential added to Application or Service Principal",
+        "contentProductId": "[variables('_analyticRulecontentProductId38')]",
+        "id": "[variables('_analyticRulecontentProductId38')]",
+        "version": "[variables('analyticRuleVersion38')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName18')]",
+      "name": "[variables('analyticRuleTemplateSpecName39')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion18')]",
+          "contentVersion": "[variables('analyticRuleVersion39')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId18')]",
+              "name": "[variables('analyticRulecontentId39')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".",
-                "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
+                "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+                "displayName": "NRT PIM Elevation Request Rejected",
                 "enabled": false,
-                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bCollaborationInbound\"\n      | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
-                "queryFrequency": "P2D",
-                "queryPeriod": "P2D",
-                "severity": "Medium",
+                "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"Role\"\n      | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n  )\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"User\"\n      | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n  )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
+                "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
+                  "Persistence"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "InitiatingName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "InitiatingUPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "UserName",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UserUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -7046,13 +5737,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 18",
-                "parentId": "[variables('analyticRuleId18')]",
-                "contentId": "[variables('_analyticRulecontentId18')]",
+                "description": "Azure Active Directory Analytics Rule 39",
+                "parentId": "[variables('analyticRuleId39')]",
+                "contentId": "[variables('_analyticRulecontentId39')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion18')]",
+                "version": "[variables('analyticRuleVersion39')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7077,89 +5768,81 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId18')]",
+        "contentId": "[variables('_analyticRulecontentId39')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed",
-        "contentProductId": "[variables('_analyticRulecontentProductId18')]",
-        "id": "[variables('_analyticRulecontentProductId18')]",
-        "version": "[variables('analyticRuleVersion18')]"
+        "displayName": "NRT PIM Elevation Request Rejected",
+        "contentProductId": "[variables('_analyticRulecontentProductId39')]",
+        "id": "[variables('_analyticRulecontentProductId39')]",
+        "version": "[variables('analyticRuleVersion39')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName19')]",
+      "name": "[variables('analyticRuleTemplateSpecName40')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion19')]",
+          "contentVersion": "[variables('analyticRuleVersion40')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId19')]",
+              "name": "[variables('analyticRulecontentId40')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".",
-                "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
+                "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+                "displayName": "NRT Privileged Role Assigned Outside PIM",
                 "enabled": false,
-                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly:\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bDirectConnectInbound\"\n      | extend PremodifiedInboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedInboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedInboundSettings != ModifiedInboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
-                "queryFrequency": "P2D",
-                "queryPeriod": "P2D",
-                "severity": "Medium",
+                "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n        or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n  )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
+                "severity": "Low",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
+                  "PrivilegeEscalation"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "IpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -7167,13 +5850,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 19",
-                "parentId": "[variables('analyticRuleId19')]",
-                "contentId": "[variables('_analyticRulecontentId19')]",
+                "description": "Azure Active Directory Analytics Rule 40",
+                "parentId": "[variables('analyticRuleId40')]",
+                "contentId": "[variables('_analyticRulecontentId40')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion19')]",
+                "version": "[variables('analyticRuleVersion40')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7198,89 +5881,87 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId19')]",
+        "contentId": "[variables('_analyticRulecontentId40')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Cross-tenant Access Settings Organization Inbound Direct Settings Changed",
-        "contentProductId": "[variables('_analyticRulecontentProductId19')]",
-        "id": "[variables('_analyticRulecontentProductId19')]",
-        "version": "[variables('analyticRuleVersion19')]"
+        "displayName": "NRT Privileged Role Assigned Outside PIM",
+        "contentProductId": "[variables('_analyticRulecontentProductId40')]",
+        "id": "[variables('_analyticRulecontentProductId40')]",
+        "version": "[variables('analyticRuleVersion40')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName20')]",
+      "name": "[variables('analyticRuleTemplateSpecName41')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion20')]",
+          "contentVersion": "[variables('analyticRuleVersion41')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId20')]",
+              "name": "[variables('analyticRulecontentId41')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
+              "kind": "NRT",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \"Users & Groups\" and for \"Applications\".",
-                "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
+                "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+                "displayName": "NRT User added to Azure Active Directory Privileged Groups",
                 "enabled": false,
-                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bCollaborationOutbound\"\n      | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
-                "queryFrequency": "P2D",
-                "queryPeriod": "P2D",
+                "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n               modProps = TargetResource.modifiedProperties\n  )\n| mv-apply Property = modProps on \n  (\n      where Property.displayName =~ \"Role.WellKnownObjectName\"\n      | extend DisplayName = trim('\"',tostring(Property.displayName)),\n               GroupName = trim('\"',tostring(Property.newValue))\n  )\n| extend AppId = InitiatedBy.app.appId,\n      InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n      ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n      ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n      UserId = InitiatedBy.user.id,\n      UserIPAddress = InitiatedBy.user.ipAddress,\n      UserRoles = InitiatedBy.user.roles,\n      UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n                                    isnotempty(UserPrincipalName), UserPrincipalName,  \n                                    \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
                   "Persistence",
-                  "Discovery"
+                  "PrivilegeEscalation"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1098",
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "AccountName",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "AccountUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "TargetName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "TargetUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ]
               }
@@ -7288,13 +5969,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 20",
-                "parentId": "[variables('analyticRuleId20')]",
-                "contentId": "[variables('_analyticRulecontentId20')]",
+                "description": "Azure Active Directory Analytics Rule 41",
+                "parentId": "[variables('analyticRuleId41')]",
+                "contentId": "[variables('_analyticRulecontentId41')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion20')]",
+                "version": "[variables('analyticRuleVersion41')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7319,44 +6000,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId20')]",
+        "contentId": "[variables('_analyticRulecontentId41')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed",
-        "contentProductId": "[variables('_analyticRulecontentProductId20')]",
-        "id": "[variables('_analyticRulecontentProductId20')]",
-        "version": "[variables('analyticRuleVersion20')]"
+        "displayName": "NRT User added to Azure Active Directory Privileged Groups",
+        "contentProductId": "[variables('_analyticRulecontentProductId41')]",
+        "id": "[variables('_analyticRulecontentProductId41')]",
+        "version": "[variables('analyticRuleVersion41')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName21')]",
+      "name": "[variables('analyticRuleTemplateSpecName42')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion21')]",
+          "contentVersion": "[variables('analyticRuleVersion42')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId21')]",
+              "name": "[variables('analyticRulecontentId42')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \"Users & Groups\" and for \"Applications\".",
-                "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
-                "enabled": false,
-                "query": "//In User & Groups and in Applications, the following \"AccessType\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly:\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked. \n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked. \nAuditLogs\n| where OperationName has \"Update a partner cross-tenant access setting\"\n| mv-apply TargetResource = TargetResources on\n  (\n      where TargetResource.type =~ \"Policy\"\n      | extend Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on\n  (\n      where Property.displayName =~ \"b2bDirectConnectOutbound\"\n      | extend PremodifiedOutboundSettings = trim('\"',tostring(Property.oldValue)),\n               ModifiedOutboundSettings = trim(@'\"',tostring(Property.newValue))\n  )\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
-                "queryFrequency": "P2D",
-                "queryPeriod": "P2D",
-                "severity": "Medium",
+                "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+                "displayName": "PIM Elevation Request Rejected",
+                "enabled": false,
+                "query": "AuditLogs\n| where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ \"failure\") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"Role\"\n      | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n  )\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"User\"\n      | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n  )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
+                "queryFrequency": "PT2H",
+                "queryPeriod": "PT2H",
+                "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -7364,44 +6045,53 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
+                  "Persistence"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "InitiatingName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "InitiatingUPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "UserName",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UserUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "InitiatingIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -7409,13 +6099,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 21",
-                "parentId": "[variables('analyticRuleId21')]",
-                "contentId": "[variables('_analyticRulecontentId21')]",
+                "description": "Azure Active Directory Analytics Rule 42",
+                "parentId": "[variables('analyticRuleId42')]",
+                "contentId": "[variables('_analyticRulecontentId42')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion21')]",
+                "version": "[variables('analyticRuleVersion42')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7440,44 +6130,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId21')]",
+        "contentId": "[variables('_analyticRulecontentId42')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Cross-tenant Access Settings Organization Outbound Direct Settings Changed",
-        "contentProductId": "[variables('_analyticRulecontentProductId21')]",
-        "id": "[variables('_analyticRulecontentProductId21')]",
-        "version": "[variables('analyticRuleVersion21')]"
+        "displayName": "PIM Elevation Request Rejected",
+        "contentProductId": "[variables('_analyticRulecontentProductId42')]",
+        "id": "[variables('_analyticRulecontentProductId42')]",
+        "version": "[variables('analyticRuleVersion42')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName22')]",
+      "name": "[variables('analyticRuleTemplateSpecName43')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion22')]",
+          "contentVersion": "[variables('analyticRuleVersion43')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId22')]",
+              "name": "[variables('analyticRulecontentId43')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.",
-                "displayName": "Attempts to sign in to disabled accounts",
+                "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor",
+                "displayName": "Privileged Accounts - Sign in Failure Spikes",
                 "enabled": false,
-                "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n    IdentityInfo\n    | where TimeGenerated > ago(starttime)\n    | summarize arg_max(TimeGenerated, *) by AccountUPN\n    | mv-expand AssignedRoles\n    | where AssignedRoles contains 'Admin'\n    | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n    | join kind=inner (\n        table(tableName)\n        | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n        | where ResultType != 0\n        | extend UserPrincipalName = tolower(UserPrincipalName)\n    ) on $left.AccountUPN == $right.UserPrincipalName\n    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n    allSignins\n    | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n    | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n    | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n    // Filtering low count events per baselinethreshold\n    | where anomalies > 0 and baseline > baselinethreshold\n    | extend AnomalyHour = TimeGenerated\n    | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n    allSignins\n    | where TimeGenerated > startofday(ago(timeframe))\n    // create a new column and round to hour\n    | extend DateHour = bin(TimeGenerated, 1h)\n    | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
                 "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Medium",
+                "queryPeriod": "P14D",
+                "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -7485,16 +6175,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "SigninLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   },
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AADNonInteractiveUserSignInLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -7505,26 +6195,26 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -7532,13 +6222,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 22",
-                "parentId": "[variables('analyticRuleId22')]",
-                "contentId": "[variables('_analyticRulecontentId22')]",
+                "description": "Azure Active Directory Analytics Rule 43",
+                "parentId": "[variables('analyticRuleId43')]",
+                "contentId": "[variables('_analyticRulecontentId43')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion22')]",
+                "version": "[variables('analyticRuleVersion43')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7563,44 +6253,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId22')]",
+        "contentId": "[variables('_analyticRulecontentId43')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Attempts to sign in to disabled accounts",
-        "contentProductId": "[variables('_analyticRulecontentProductId22')]",
-        "id": "[variables('_analyticRulecontentProductId22')]",
-        "version": "[variables('analyticRuleVersion22')]"
+        "displayName": "Privileged Accounts - Sign in Failure Spikes",
+        "contentProductId": "[variables('_analyticRulecontentProductId43')]",
+        "id": "[variables('_analyticRulecontentProductId43')]",
+        "version": "[variables('analyticRuleVersion43')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName23')]",
+      "name": "[variables('analyticRuleTemplateSpecName44')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion23')]",
+          "contentVersion": "[variables('analyticRuleVersion44')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId23')]",
+              "name": "[variables('analyticRulecontentId44')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053   Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055   Invalid password, entered expired password.\n50056   Invalid or null password - Password does not exist in store for this user.\n50126   Invalid username or password, or invalid on-premises username or password.",
-                "displayName": "Distributed Password cracking attempts in AzureAD",
+                "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+                "displayName": "Privileged Role Assigned Outside PIM",
                 "enabled": false,
-                "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n        or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n  )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
                 "queryFrequency": "P1D",
                 "queryPeriod": "P1D",
-                "severity": "Medium",
+                "severity": "Low",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -7608,46 +6298,40 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "PrivilegeEscalation"
                 ],
                 "techniques": [
-                  "T1110"
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "IpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -7655,13 +6339,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 23",
-                "parentId": "[variables('analyticRuleId23')]",
-                "contentId": "[variables('_analyticRulecontentId23')]",
+                "description": "Azure Active Directory Analytics Rule 44",
+                "parentId": "[variables('analyticRuleId44')]",
+                "contentId": "[variables('_analyticRulecontentId44')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion23')]",
+                "version": "[variables('analyticRuleVersion44')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7686,100 +6370,96 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId23')]",
+        "contentId": "[variables('_analyticRulecontentId44')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Distributed Password cracking attempts in AzureAD",
-        "contentProductId": "[variables('_analyticRulecontentProductId23')]",
-        "id": "[variables('_analyticRulecontentProductId23')]",
-        "version": "[variables('analyticRuleVersion23')]"
+        "displayName": "Privileged Role Assigned Outside PIM",
+        "contentProductId": "[variables('_analyticRulecontentProductId44')]",
+        "id": "[variables('_analyticRulecontentProductId44')]",
+        "version": "[variables('analyticRuleVersion44')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName24')]",
+      "name": "[variables('analyticRuleTemplateSpecName45')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion24')]",
+          "contentVersion": "[variables('analyticRuleVersion45')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId24')]",
+              "name": "[variables('analyticRulecontentId45')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.",
-                "displayName": "Explicit MFA Deny",
+                "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "Rare application consent",
                 "enabled": false,
-                "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\" or Status has \"MFA denied; Phone App Reported Fraud\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+                "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n          tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n  )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n              isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n              isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n              'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n                          tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n               props = TargetResource.modifiedProperties\n  )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n",
                 "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
+                "queryPeriod": "P7D",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
+                "triggerThreshold": 3,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "Persistence",
+                  "PrivilegeEscalation"
                 ],
                 "techniques": [
-                  "T1110"
+                  "T1136",
+                  "T1068"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "TargetResourceName",
+                        "identifier": "Name"
                       }
-                    ]
+                    ],
+                    "entityType": "CloudApplication"
                   },
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "ClientAppUsed"
+                        "columnName": "IpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -7787,13 +6467,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 24",
-                "parentId": "[variables('analyticRuleId24')]",
-                "contentId": "[variables('_analyticRulecontentId24')]",
+                "description": "Azure Active Directory Analytics Rule 45",
+                "parentId": "[variables('analyticRuleId45')]",
+                "contentId": "[variables('_analyticRulecontentId45')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion24')]",
+                "version": "[variables('analyticRuleVersion45')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7818,41 +6498,41 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId24')]",
+        "contentId": "[variables('_analyticRulecontentId45')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Explicit MFA Deny",
-        "contentProductId": "[variables('_analyticRulecontentProductId24')]",
-        "id": "[variables('_analyticRulecontentProductId24')]",
-        "version": "[variables('analyticRuleVersion24')]"
+        "displayName": "Rare application consent",
+        "contentProductId": "[variables('_analyticRulecontentProductId45')]",
+        "id": "[variables('_analyticRulecontentProductId45')]",
+        "version": "[variables('analyticRuleVersion45')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName25')]",
+      "name": "[variables('analyticRuleTemplateSpecName46')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion25')]",
+          "contentVersion": "[variables('analyticRuleVersion46')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId25')]",
+              "name": "[variables('analyticRulecontentId46')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access",
-                "displayName": "full_access_as_app Granted To Application",
+                "description": "This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.",
+                "displayName": "Password spray attack against Azure AD Seamless SSO",
                 "enabled": false,
-                "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"full_access_as_app\"\n| mv-expand TargetResources\n| extend OAuthAppName = TargetResources.displayName\n| extend ModifiedProperties = TargetResources.modifiedProperties \n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"ConsentContext.isAdminConsent\"\n      | extend AdminConsent = tostring(Property.newValue)\n  )\n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"ConsentAction.Permissions\"\n      | extend Permissions = tostring(Property.newValue)\n  )\n| mv-apply Property = ModifiedProperties on \n  (\n      where Property.displayName =~ \"TargetId.ServicePrincipalNames\"\n      | extend AppId = tostring(Property.newValue)\n  )\n| mv-expand AdditionalDetails\n| extend GrantUserAgent = tostring(iff(AdditionalDetails.key =~ \"User-Agent\", AdditionalDetails.value, \"\"))\n| parse Permissions with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \",\" *\n| where GrantScope1 =~ \"full_access_as_app\"\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| project-reorder TimeGenerated, OAuthAppName, AppId, AdminConsent, Permissions, GrantIpAddress, GrantInitiatedBy, GrantUserAgent, GrantScope1, GrantConsentType\n| extend Name = split(GrantInitiatedBy, \"@\")[0], UPNSuffix = split(GrantInitiatedBy, \"@\")[1]\n",
+                "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n    StartTime = min(TimeGenerated),\n    EndTime = max(TimeGenerated),\n    UserPrincipalName = make_set(UserPrincipalName,100),\n    UserAgent = make_set(UserAgent,100),\n    ResultDescription = take_any(ResultDescription),\n    ResultSignature = take_any(ResultSignature)\n    by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -7863,63 +6543,54 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "DefenseEvasion"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1550"
+                  "T1110"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "GrantIpAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
-                ],
-                "customDetails": {
-                  "UserAgent": "GrantUserAgent",
-                  "OAuthAppId": "AppId",
-                  "OAuthApplication": "OAuthAppName"
-                },
-                "alertDetailsOverride": {
-                  "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}",
-                  "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{GrantIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n"
-                }
+                ]
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 25",
-                "parentId": "[variables('analyticRuleId25')]",
-                "contentId": "[variables('_analyticRulecontentId25')]",
+                "description": "Azure Active Directory Analytics Rule 46",
+                "parentId": "[variables('analyticRuleId46')]",
+                "contentId": "[variables('_analyticRulecontentId46')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion25')]",
+                "version": "[variables('analyticRuleVersion46')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -7944,44 +6615,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId25')]",
+        "contentId": "[variables('_analyticRulecontentId46')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "full_access_as_app Granted To Application",
-        "contentProductId": "[variables('_analyticRulecontentProductId25')]",
-        "id": "[variables('_analyticRulecontentProductId25')]",
-        "version": "[variables('analyticRuleVersion25')]"
+        "displayName": "Password spray attack against Azure AD Seamless SSO",
+        "contentProductId": "[variables('_analyticRulecontentProductId46')]",
+        "id": "[variables('_analyticRulecontentProductId46')]",
+        "version": "[variables('analyticRuleVersion46')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName26')]",
+      "name": "[variables('analyticRuleTemplateSpecName47')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion26')]",
+          "contentVersion": "[variables('analyticRuleVersion47')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId26')]",
+              "name": "[variables('analyticRulecontentId47')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal.  Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
-                "displayName": "Failed login attempts to Azure Portal",
+                "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. ",
+                "displayName": "GitHub Signin Burst from Multiple Locations",
                 "enabled": false,
-                "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n   successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n   identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City)  \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P7D",
-                "severity": "Low",
+                "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -7989,16 +6660,16 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "SigninLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   },
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AADNonInteractiveUserSignInLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -8009,26 +6680,17 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ]
               }
@@ -8036,13 +6698,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 26",
-                "parentId": "[variables('analyticRuleId26')]",
-                "contentId": "[variables('_analyticRulecontentId26')]",
+                "description": "Azure Active Directory Analytics Rule 47",
+                "parentId": "[variables('analyticRuleId47')]",
+                "contentId": "[variables('_analyticRulecontentId47')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion26')]",
+                "version": "[variables('analyticRuleVersion47')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8067,44 +6729,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId26')]",
+        "contentId": "[variables('_analyticRulecontentId47')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Failed login attempts to Azure Portal",
-        "contentProductId": "[variables('_analyticRulecontentProductId26')]",
-        "id": "[variables('_analyticRulecontentProductId26')]",
-        "version": "[variables('analyticRuleVersion26')]"
+        "displayName": "GitHub Signin Burst from Multiple Locations",
+        "contentProductId": "[variables('_analyticRulecontentProductId47')]",
+        "id": "[variables('_analyticRulecontentProductId47')]",
+        "version": "[variables('analyticRuleVersion47')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName27')]",
+      "name": "[variables('analyticRuleTemplateSpecName48')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion27')]",
+          "contentVersion": "[variables('analyticRuleVersion48')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId27')]",
+              "name": "[variables('analyticRulecontentId48')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "First access credential added to Application or Service Principal where no credential was present",
+                "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
+                "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
                 "enabled": false,
-                "query": "AuditLogs\n| where OperationName has (\"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"Application\"\n      | extend targetDisplayName = tostring(TargetResource.displayName),\n               targetId = tostring(TargetResource.id),\n               targetType = tostring(TargetResource.type),\n               keyEvents = TargetResource.modifiedProperties\n  )\n| mv-apply Property = keyEvents on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend new_value_set = parse_json(tostring(Property.newValue)),\n               old_value_set = parse_json(tostring(Property.oldValue))\n  )\n| where old_value_set == \"[]\"  \n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "High",
+                "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n  | where ResultType == 0\n  | where isnotempty(UserPrincipalName)\n  | where UserPrincipalName !in (disabled_users)\n| summarize\n        successfulAccountsTargettedCount = dcount(UserPrincipalName),\n        successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n        successfulApplicationSet = make_set(AppDisplayName, 100)\n    by IPAddress, Type\n    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n    | where successfulAccountsTargettedCount < 50\n    | where isnotempty(successfulAccountsTargettedCount)\n  | join kind=inner (failed_signins\n| summarize\n    StartTime = min(TimeGenerated),\n    EndTime = max(TimeGenerated),\n    totalDisabledAccountLoginAttempts = count(),\n    disabledAccountsTargettedCount = dcount(UserPrincipalName),\n    applicationsTargeted = dcount(AppDisplayName),\n    disabledAccountSet = make_set(UserPrincipalName, 100),\n    disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where EventSource =~ \"Azure AD\"\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n    | project-rename IPAddress = SourceIPAddress\n    | summarize\n        Users = make_set(UserPrincipalName, 100),\n        UsersInsights = make_set(UsersInsights, 100),\n        DevicesInsights = make_set(DevicesInsights, 100),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P1D",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -8112,49 +6774,41 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "BehaviorAnalytics"
+                    ],
+                    "connectorId": "BehaviorAnalytics"
                   }
                 ],
                 "tactics": [
-                  "DefenseEvasion"
+                  "InitialAccess",
+                  "Persistence"
                 ],
                 "techniques": [
-                  "T1550"
+                  "T1078",
+                  "T1098"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "CloudApplication",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "targetDisplayName"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -8162,13 +6816,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 27",
-                "parentId": "[variables('analyticRuleId27')]",
-                "contentId": "[variables('_analyticRulecontentId27')]",
+                "description": "Azure Active Directory Analytics Rule 48",
+                "parentId": "[variables('analyticRuleId48')]",
+                "contentId": "[variables('_analyticRulecontentId48')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion27')]",
+                "version": "[variables('analyticRuleVersion48')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8193,44 +6847,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId27')]",
+        "contentId": "[variables('_analyticRulecontentId48')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "First access credential added to Application or Service Principal where no credential was present",
-        "contentProductId": "[variables('_analyticRulecontentProductId27')]",
-        "id": "[variables('_analyticRulecontentProductId27')]",
-        "version": "[variables('analyticRuleVersion27')]"
+        "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
+        "contentProductId": "[variables('_analyticRulecontentProductId48')]",
+        "id": "[variables('_analyticRulecontentProductId48')]",
+        "version": "[variables('analyticRuleVersion48')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName28')]",
+      "name": "[variables('analyticRuleTemplateSpecName49')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion28')]",
+          "contentVersion": "[variables('analyticRuleVersion49')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId28')]",
+              "name": "[variables('analyticRulecontentId49')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.",
-                "displayName": "Guest accounts added in AAD Groups other than the ones specified",
+                "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. \nDefault Failure count is 10 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
+                "displayName": "Brute force attack against Azure Portal",
                 "enabled": false,
-                "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n               Properties = TargetResource.modifiedProperties\n  )\n| mv-apply Property = Properties on \n  (\n      where Property.displayName =~ \"Group.DisplayName\"\n      | extend AADGroup = trim('\"',tostring(Property.newValue))\n  )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n   (\n     where Property.displayName =~ \"Group.ObjectID\"\n     | extend AADGroupId = trim('\"',tostring(Property.newValue))\n   )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n",
+                "query": "let timeRange = 24h;\nlet failureCountThreshold = 10;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\n table(tableName)\n| where AppDisplayName has \"Azure Portal\"\n| extend\n     DeviceDetail = todynamic(DeviceDetail),\n     //Status = todynamic(Status),\n     LocationDetails = todynamic(LocationDetails)\n| extend\n     OS = tostring(DeviceDetail.operatingSystem),\n     Browser = tostring(DeviceDetail.browser),\n     //StatusCode = tostring(Status.errorCode),\n     //StatusDetails = tostring(Status.additionalDetails),\n     State = tostring(LocationDetails.state),\n     City = tostring(LocationDetails.city),\n     Region = tostring(LocationDetails.countryOrRegion)\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")  \n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\n| sort by UserPrincipalName asc, TimeGenerated asc\n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n// bin outcomes based on authenticationWindow\n| summarize FailureOrSuccessCount = count() by  FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName,SessionStartedUtc\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress,15), make_set(Browser,15), make_set(City,15), make_set(State,15), make_set(Region,15), make_set(ResultType,15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n// the session must not start with a success, and must end with one\n| where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n| where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n| project-away SessionStartedUtc, list_FailureOrSuccess\n// where the number of failures before the success is above the threshold \n| where FailureCountBeforeSuccess >= failureCountThreshold \n// expand out ip for entity assignment\n| mv-expand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime \n};\n let aadSignin = aadFunc(\"SigninLogs\");\n let aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\n union isfuzzy=true aadSignin, aadNonInt\n | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
                 "queryFrequency": "P1D",
                 "queryPeriod": "P1D",
-                "severity": "High",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -8238,53 +6892,46 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
+                  "T1110"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "InvitedUser"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatedByIPAdress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -8292,13 +6939,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 28",
-                "parentId": "[variables('analyticRuleId28')]",
-                "contentId": "[variables('_analyticRulecontentId28')]",
+                "description": "Azure Active Directory Analytics Rule 49",
+                "parentId": "[variables('analyticRuleId49')]",
+                "contentId": "[variables('_analyticRulecontentId49')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion28')]",
+                "version": "[variables('analyticRuleVersion49')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8323,43 +6970,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId28')]",
+        "contentId": "[variables('_analyticRulecontentId49')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Guest accounts added in AAD Groups other than the ones specified",
-        "contentProductId": "[variables('_analyticRulecontentProductId28')]",
-        "id": "[variables('_analyticRulecontentProductId28')]",
-        "version": "[variables('analyticRuleVersion28')]"
+        "displayName": "Brute force attack against Azure Portal",
+        "contentProductId": "[variables('_analyticRulecontentProductId49')]",
+        "id": "[variables('_analyticRulecontentProductId49')]",
+        "version": "[variables('analyticRuleVersion49')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName29')]",
+      "name": "[variables('analyticRuleTemplateSpecName50')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion29')]",
+          "contentVersion": "[variables('analyticRuleVersion50')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId29')]",
+              "name": "[variables('analyticRulecontentId50')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.",
-                "displayName": "Mail.Read Permissions Granted to Application",
+                "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
+                "displayName": "Password spray attack against Azure AD application",
                 "enabled": false,
-                "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")  \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend props = TargetResource.modifiedProperties,\n               Type = tostring(TargetResource.type),\n               PermissionsAddedTo = tostring(TargetResource.displayName)\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n      | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n  )\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress)  \n| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy\n| join kind=leftouter(\n  AuditLogs\n  | where ActivityDisplayName has \"Consent to application\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend AppName = tostring(TargetResource.displayName),\n                   AppId = tostring(TargetResource.id)\n      )\n  | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n",
+                "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
                 "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
+                "queryPeriod": "P7D",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -8368,40 +7015,33 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "Persistence"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1098"
+                  "T1110"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "UserIPAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -8409,13 +7049,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 29",
-                "parentId": "[variables('analyticRuleId29')]",
-                "contentId": "[variables('_analyticRulecontentId29')]",
+                "description": "Azure Active Directory Analytics Rule 50",
+                "parentId": "[variables('analyticRuleId50')]",
+                "contentId": "[variables('_analyticRulecontentId50')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion29')]",
+                "version": "[variables('analyticRuleVersion50')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8440,44 +7080,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId29')]",
+        "contentId": "[variables('_analyticRulecontentId50')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Mail.Read Permissions Granted to Application",
-        "contentProductId": "[variables('_analyticRulecontentProductId29')]",
-        "id": "[variables('_analyticRulecontentProductId29')]",
-        "version": "[variables('analyticRuleVersion29')]"
+        "displayName": "Password spray attack against Azure AD application",
+        "contentProductId": "[variables('_analyticRulecontentProductId50')]",
+        "id": "[variables('_analyticRulecontentProductId50')]",
+        "version": "[variables('analyticRuleVersion50')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName30')]",
+      "name": "[variables('analyticRuleTemplateSpecName51')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion30')]",
+          "contentVersion": "[variables('analyticRuleVersion51')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId30')]",
+              "name": "[variables('analyticRulecontentId51')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
+                "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.",
+                "displayName": "Successful logon from IP and failure from a different IP",
                 "enabled": false,
-                "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nlet threshold = 5;\nlet o365_attack_regex = \"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\";\nlet o365_attack = dynamic([\"contacts.read\", \"user.read\", \"mail.read\", \"notes.read.all\", \"mailboxsettings.readwrite\", \"Files.ReadWrite.All\", \"mail.send\", \"files.read\", \"files.read.all\"]);\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend AppDisplayName = tostring(TargetResource.displayName),\n               AppClientId = tostring(TargetResource.id),\n               props = TargetResource.modifiedProperties\n  )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\n| mv-apply ConsentFull = props on \n  (\n      where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n  )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \", CreatedDateTime\" * \"]\" *\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| where ConsentFull has_any (o365_attack)  \n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\n| where GrantScopeCount > threshold\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend GrantUserAgent = AdditionalDetail.value\n  )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n  | where TimeGenerated > ago(joinLookback)\n  | where LoggedByService =~ \"Core Directory\"\n  | where Category =~ \"ApplicationManagement\"\n  | where OperationName =~ \"Add service principal\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend props = TargetResource.modifiedProperties,\n                  AppClientId = tostring(TargetResource.id)\n      )\n  | mv-apply Property = props on \n      (\n          where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n          | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n      )\n  | distinct AppClientId, tostring(AppReplyURLs)\n) on AppClientId\n| join kind = innerunique (AuditLogs\n      | where TimeGenerated > ago(joinLookback)\n      | where LoggedByService =~ \"Core Directory\"\n      | where Category =~ \"ApplicationManagement\"\n      | where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n          | mv-apply TargetResource = TargetResources on \n          (\n              where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n              | extend GrantAuthentication = tostring(TargetResource.displayName)\n          )\n      | extend GrantOperation = OperationName\n      | project GrantAuthentication, GrantOperation, CorrelationId\n  ) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n",
+                "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n    table(tableName)\n    | where ResultType !in (\"0\", \"50140\")\n    | where ResultDescription !~ \"Other\"\n    | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n    | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\n| join kind=leftouter (\n    IdentityInfo\n    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n    | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n    | summarize\n        Tags = make_set(Tags, 1000),\n        GroupMembership = make_set(GroupMembership, 1000),\n        AssignedRoles = make_set(AssignedRoles, 1000),\n        BlastRadiusInt = sum(BlastRadiusInt),\n        UserType = make_set(UserType, 1000),\n        UserAccountControl = make_set(UserType, 1000)\n    by AccountUPN\n    | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where isnotempty(SourceIPAddress)\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n    | project-rename FailedIPAddress = SourceIPAddress\n    | summarize\n        UsersInsights = make_set(UsersInsights, 1000),\n        DevicesInsights = make_set(DevicesInsights, 1000),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where  UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
                 "queryFrequency": "P1D",
-                "queryPeriod": "P14D",
-                "severity": "High",
+                "queryPeriod": "P1D",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -8485,51 +7125,69 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "BehaviorAnalytics"
+                    ],
+                    "connectorId": "BehaviorAnalytics"
+                  },
+                  {
+                    "dataTypes": [
+                      "IdentityInfo"
+                    ],
+                    "connectorId": "IdentityInfo"
                   }
                 ],
                 "tactics": [
                   "CredentialAccess",
-                  "DefenseEvasion"
+                  "InitialAccess"
                 ],
                 "techniques": [
-                  "T1528",
-                  "T1550"
+                  "T1110",
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "GrantIpAddress"
+                        "columnName": "SuccessIPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   },
                   {
-                    "entityType": "CloudApplication",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "AppDisplayName"
+                        "columnName": "FailedIPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -8537,13 +7195,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 30",
-                "parentId": "[variables('analyticRuleId30')]",
-                "contentId": "[variables('_analyticRulecontentId30')]",
+                "description": "Azure Active Directory Analytics Rule 51",
+                "parentId": "[variables('analyticRuleId51')]",
+                "contentId": "[variables('_analyticRulecontentId51')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion30')]",
+                "version": "[variables('analyticRuleVersion51')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8568,43 +7226,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId30')]",
+        "contentId": "[variables('_analyticRulecontentId51')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
-        "contentProductId": "[variables('_analyticRulecontentProductId30')]",
-        "id": "[variables('_analyticRulecontentProductId30')]",
-        "version": "[variables('analyticRuleVersion30')]"
+        "displayName": "Successful logon from IP and failure from a different IP",
+        "contentProductId": "[variables('_analyticRulecontentProductId51')]",
+        "id": "[variables('_analyticRulecontentProductId51')]",
+        "version": "[variables('analyticRuleVersion51')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName31')]",
+      "name": "[variables('analyticRuleTemplateSpecName52')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion31')]",
+          "contentVersion": "[variables('analyticRuleVersion52')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId31')]",
+              "name": "[variables('analyticRulecontentId52')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
-              "properties": {
-                "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "Suspicious application consent similar to PwnAuth",
+              "properties": {
+                "description": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf",
+                "displayName": "Suspicious AAD Joined Device Update",
                 "enabled": false,
-                "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend AppDisplayName = tostring(TargetResource.displayName),\n               AppClientId = tostring(TargetResource.id),\n               props = TargetResource.modifiedProperties\n  )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply ConsentFull = props on \n  (\n      where ConsentFull.displayName =~ \"ConsentAction.Permissions\"\n  )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has_all (\"user.read\", \"offline_access\", \"mail.readwrite\", \"mail.send\", \"files.read.all\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend GrantUserAgent = AdditionalDetail.value\n  )\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend props = TargetResource.modifiedProperties,\n                  AppClientId = tostring(TargetResource.id)\n      )\n  | mv-apply Property = props on \n      (\n          where Property.displayName =~ \"AppAddress\" and Property.newValue has \"AddressType\"\n          | extend AppReplyURLs = trim('\"',tostring(Property.newValue))\n      )\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n      | mv-apply TargetResource = TargetResources on \n          (\n              where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n              | extend GrantAuthentication = tostring(TargetResource.displayName)\n          )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n",
+                "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n    where TargetResource.type =~ \"Device\"\n    | extend ModifiedProperties = TargetResource.modifiedProperties\n    | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"CloudDisplayName\"\n    | extend OldName = Prop.oldValue \n    | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"IsCompliant\"\n    | extend OldComplianceState = Prop.oldValue  \n    | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n    | extend OldTrustType = Prop.oldValue  \n    | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"Included Updated Properties\" \n    | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n",
                 "queryFrequency": "P1D",
-                "queryPeriod": "P14D",
+                "queryPeriod": "P1D",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -8613,56 +7271,72 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess",
-                  "DefenseEvasion"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1528",
-                  "T1550"
+                  "T1528"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
+                        "columnName": "NewDeviceName",
+                        "identifier": "HostName"
+                      }
+                    ],
+                    "entityType": "Host"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "OldDeviceName",
+                        "identifier": "HostName"
+                      }
+                    ],
+                    "entityType": "Host"
+                  },
+                  {
+                    "fieldMappings": [
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "DeviceId",
+                        "identifier": "AzureID"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "GrantIpAddress"
+                        "columnName": "InitiatedByUser",
+                        "identifier": "AadUserId"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
-                ]
+                ],
+                "alertDetailsOverride": {
+                  "alertDescriptionFormat": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new  device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n",
+                  "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed"
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 31",
-                "parentId": "[variables('analyticRuleId31')]",
-                "contentId": "[variables('_analyticRulecontentId31')]",
+                "description": "Azure Active Directory Analytics Rule 52",
+                "parentId": "[variables('analyticRuleId52')]",
+                "contentId": "[variables('_analyticRulecontentId52')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion31')]",
+                "version": "[variables('analyticRuleVersion52')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8687,44 +7361,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId31')]",
+        "contentId": "[variables('_analyticRulecontentId52')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Suspicious application consent similar to PwnAuth",
-        "contentProductId": "[variables('_analyticRulecontentProductId31')]",
-        "id": "[variables('_analyticRulecontentProductId31')]",
-        "version": "[variables('analyticRuleVersion31')]"
+        "displayName": "Suspicious AAD Joined Device Update",
+        "contentProductId": "[variables('_analyticRulecontentProductId52')]",
+        "id": "[variables('_analyticRulecontentProductId52')]",
+        "version": "[variables('analyticRuleVersion52')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName32')]",
+      "name": "[variables('analyticRuleTemplateSpecName53')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion32')]",
+          "contentVersion": "[variables('analyticRuleVersion53')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId32')]",
+              "name": "[variables('analyticRulecontentId53')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
-                "displayName": "MFA Rejected by User",
+                "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+                "displayName": "Suspicious application consent for offline access",
                 "enabled": false,
-                "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nSigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\" or additionalDetails_ has \"fraud\"\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, IPAddress\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| join kind=leftouter (\n    IdentityInfo\n    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n    | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n    | summarize\n        Tags = make_set(Tags, 1000),\n        GroupMembership = make_set(GroupMembership, 1000),\n        AssignedRoles = make_set(AssignedRoles, 1000),\n        BlastRadiusInt = sum(BlastRadiusInt),\n        UserType = make_set(UserType, 1000),\n        UserAccountControl = make_set(UserType, 1000)\n    by AccountUPN\n    | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where isnotempty(SourceIPAddress)\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n    | project-rename IPAddress = SourceIPAddress\n    | summarize\n        UsersInsights = make_set(UsersInsights, 1000),\n        DevicesInsights = make_set(DevicesInsights, 1000),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where  UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "Medium",
+                "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource=TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend ModifiedProperties = TargetResource.modifiedProperties,\n               AppDisplayName = tostring(TargetResource.displayName),\n               AppClientId = tolower(tostring(TargetResource.id))\n  )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply Properties=ModifiedProperties on \n  (\n      where Properties.displayName =~ \"ConsentAction.Permissions\"\n      | extend ConsentFull = tostring(Properties.newValue)\n      | extend ConsentFull = trim(@'\"',tostring(ConsentFull))\n  )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has \"offline_access\" and ConsentFull has_any (\"Files.Read\", \"Mail.Read\", \"Notes.Read\", \"ChannelMessage.Read\", \"Chat.Read\", \"TeamsActivity.Read\", \"Group.Read\", \"EWS.AccessAsUser.All\", \"EAS.AccessAsUser.All\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| mv-apply TargetResource=TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend ModifiedProperties = TargetResource.modifiedProperties,\n               AppClientId = tolower(TargetResource.id)\n  )\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \n   (\n      where ModifiedProperties.displayName =~ \"AppAddress\" and ModifiedProperties.newValue has \"AddressType\"\n      | extend AppReplyURLs = ModifiedProperties.newValue\n   )\n | distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource=TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend GrantAuthentication = tostring(TargetResource.displayName)\n  )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P14D",
+                "severity": "Low",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -8732,56 +7406,40 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "BehaviorAnalytics",
-                    "dataTypes": [
-                      "BehaviorAnalytics"
-                    ]
-                  },
-                  {
-                    "connectorId": "IdentityInfo",
                     "dataTypes": [
-                      "IdentityInfo"
-                    ]
+                      "AuditLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "InitialAccess"
+                  "CredentialAccess"
                 ],
                 "techniques": [
-                  "T1078"
+                  "T1528"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "AadUserId",
-                        "columnName": "UserId"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                        "columnName": "GrantIpAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -8789,13 +7447,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 32",
-                "parentId": "[variables('analyticRuleId32')]",
-                "contentId": "[variables('_analyticRulecontentId32')]",
+                "description": "Azure Active Directory Analytics Rule 53",
+                "parentId": "[variables('analyticRuleId53')]",
+                "contentId": "[variables('_analyticRulecontentId53')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion32')]",
+                "version": "[variables('analyticRuleVersion53')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8820,44 +7478,44 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId32')]",
+        "contentId": "[variables('_analyticRulecontentId53')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "MFA Rejected by User",
-        "contentProductId": "[variables('_analyticRulecontentProductId32')]",
-        "id": "[variables('_analyticRulecontentProductId32')]",
-        "version": "[variables('analyticRuleVersion32')]"
+        "displayName": "Suspicious application consent for offline access",
+        "contentProductId": "[variables('_analyticRulecontentProductId53')]",
+        "id": "[variables('_analyticRulecontentProductId53')]",
+        "version": "[variables('analyticRuleVersion53')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName33')]",
+      "name": "[variables('analyticRuleTemplateSpecName54')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion33')]",
+          "contentVersion": "[variables('analyticRuleVersion54')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId33')]",
+              "name": "[variables('analyticRulecontentId54')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.",
-                "displayName": "Multiple admin membership removals from newly created admin.",
+                "description": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)",
+                "displayName": "Suspicious Service Principal creation activity",
                 "enabled": false,
-                "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n      (\n          where Property.displayName =~ \"Role.DisplayName\"\n          | extend RoleName = trim('\"',tostring(Property.oldValue))\n      )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\"  // Filtering PIM events  \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName,  RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = tostring(TargetResource.userPrincipalName),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n      (\n          where Property.displayName =~ \"Role.DisplayName\"\n          | extend RoleName = trim('\"',tostring(Property.newValue))\n      )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\"  // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName,  RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n",
+                "query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n  AuditLogs \n  | where ActivityDisplayName == \"Add service principal\"\n  | where Result == \"success\"\n  | extend AppID = tostring(AdditionalDetails[1].value)\n  | extend creationTime = ActivityDateTime\n  | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n  AADServicePrincipalSignInLogs\n  | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n  | extend AppID = AppId\n  | summarize make_list(Activities) by AppID;\nlet account_deleted =\n  AuditLogs \n  | where OperationName == \"Remove service principal\"\n  | where Result == \"success\"\n  | extend AppID = tostring(AdditionalDetails[1].value)\n  | extend deletionTime = ActivityDateTime\n  | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n  AuditLogs\n  | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n  | where Result == \"success\"\n  | extend AppID = tostring(AdditionalDetails[1].value)\n  | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n  AuditLogs\n  | where ActivityDisplayName == \"Add app role assignment to service principal\"\n  | extend AppID = tostring(TargetResources[1].displayName)\n  | extend AssignedRole =  iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n  | extend AssignedRoles = pack(\"Role\", AssignedRole)\n  | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n",
                 "queryFrequency": "PT1H",
-                "queryPeriod": "P7D",
-                "severity": "Medium",
+                "queryPeriod": "PT70M",
+                "severity": "Low",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
                 "triggerOperator": "GreaterThan",
@@ -8865,31 +7523,58 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "AuditLogs",
+                      "AADServicePrincipalSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "Impact"
+                  "CredentialAccess",
+                  "PrivilegeEscalation",
+                  "InitialAccess"
                 ],
                 "techniques": [
-                  "T1531"
+                  "T1078",
+                  "T1528"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
+                        "columnName": "userPrincipalName_creator",
+                        "identifier": "FullName"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "userPrincipalName_deleter",
+                        "identifier": "FullName"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "ipAddress_creator",
+                        "identifier": "Address"
+                      }
+                    ],
+                    "entityType": "IP"
+                  },
+                  {
+                    "fieldMappings": [
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "ipAddress_deleter",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -8897,13 +7582,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 33",
-                "parentId": "[variables('analyticRuleId33')]",
-                "contentId": "[variables('_analyticRulecontentId33')]",
+                "description": "Azure Active Directory Analytics Rule 54",
+                "parentId": "[variables('analyticRuleId54')]",
+                "contentId": "[variables('_analyticRulecontentId54')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion33')]",
+                "version": "[variables('analyticRuleVersion54')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -8928,43 +7613,43 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId33')]",
+        "contentId": "[variables('_analyticRulecontentId54')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "Multiple admin membership removals from newly created admin.",
-        "contentProductId": "[variables('_analyticRulecontentProductId33')]",
-        "id": "[variables('_analyticRulecontentProductId33')]",
-        "version": "[variables('analyticRuleVersion33')]"
+        "displayName": "Suspicious Service Principal creation activity",
+        "contentProductId": "[variables('_analyticRulecontentProductId54')]",
+        "id": "[variables('_analyticRulecontentProductId54')]",
+        "version": "[variables('analyticRuleVersion54')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName34')]",
+      "name": "[variables('analyticRuleTemplateSpecName55')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion34')]",
+          "contentVersion": "[variables('analyticRuleVersion55')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId34')]",
+              "name": "[variables('analyticRulecontentId55')]",
               "apiVersion": "2022-04-01-preview",
               "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "New access credential added to Application or Service Principal",
+                "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/",
+                "displayName": "External guest invitation followed by Azure AD PowerShell signin",
                 "enabled": false,
-                "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"Application\"\n      | extend targetDisplayName = tostring(TargetResource.displayName),\n               targetId = tostring(TargetResource.id),\n               targetType = tostring(TargetResource.type),\n               keyEvents = TargetResource.modifiedProperties\n  )\n| mv-apply Property = keyEvents on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend new_value_set = parse_json(tostring(Property.newValue)),\n               old_value_set = parse_json(tostring(Property.oldValue))\n  )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n  )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n    parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n    InvitationTime = TimeGenerated\n| join (\n    (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n    | where TimeGenerated > ago(queryfrequency)\n    | where UserType != \"Member\"\n    | where AppId has_any                       // This web may contain a list of these apps: https://msshells.net/\n        (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n         \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n         \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n         \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n         \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n         \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n         \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n         \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n         \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n         \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n         \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n         \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n        )\n    | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n    | extend\n        parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n        SigninTime = TimeGenerated\n    )\n    on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n         InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n",
                 "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
+                "queryPeriod": "P1D",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
@@ -8973,40 +7658,63 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "DefenseEvasion"
+                  "InitialAccess",
+                  "Persistence",
+                  "Discovery"
                 ],
                 "techniques": [
-                  "T1550"
+                  "T1078",
+                  "T1136",
+                  "T1087"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "InvitedUserName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "InvitedUserUPNSuffix",
+                        "identifier": "UPNSuffix"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatedByName",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "InitiatedByUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -9014,13 +7722,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 34",
-                "parentId": "[variables('analyticRuleId34')]",
-                "contentId": "[variables('_analyticRulecontentId34')]",
+                "description": "Azure Active Directory Analytics Rule 55",
+                "parentId": "[variables('analyticRuleId55')]",
+                "contentId": "[variables('_analyticRulecontentId55')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion34')]",
+                "version": "[variables('analyticRuleVersion55')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9045,78 +7753,103 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId34')]",
+        "contentId": "[variables('_analyticRulecontentId55')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "New access credential added to Application or Service Principal",
-        "contentProductId": "[variables('_analyticRulecontentProductId34')]",
-        "id": "[variables('_analyticRulecontentProductId34')]",
-        "version": "[variables('analyticRuleVersion34')]"
+        "displayName": "External guest invitation followed by Azure AD PowerShell signin",
+        "contentProductId": "[variables('_analyticRulecontentProductId55')]",
+        "id": "[variables('_analyticRulecontentProductId55')]",
+        "version": "[variables('analyticRuleVersion55')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName35')]",
+      "name": "[variables('analyticRuleTemplateSpecName56')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion35')]",
+          "contentVersion": "[variables('analyticRuleVersion56')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId35')]",
+              "name": "[variables('analyticRulecontentId56')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
+              "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "NRT Modified domain federation trust settings",
+                "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
+                "displayName": "User Accounts - Sign in Failure due to CA Spikes",
                 "enabled": false,
-                "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\"   // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n  (\n      where Property.displayName =~ \"LiveType\"\n      | extend targetDisplayName = tostring(Property.displayName),\n               NewDomainValue = tostring(Property.newValue)\n  )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
-                "severity": "High",
+                "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n  // Failed Signins attempts with reasoning related to conditional access policies.\n  table(tableName)\n  | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n  | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n  | extend UserPrincipalName = tolower(UserPrincipalName)\n  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n  allSignins\n  | where TimeGenerated > startofday(ago(timeframe))\n  // create a new column and round to hour\n  | extend DateHour = bin(TimeGenerated, 1h)\n  | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n    IdentityInfo\n    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n    | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n    | summarize\n        Tags = make_set(Tags, 1000),\n        GroupMembership = make_set(GroupMembership, 1000),\n        AssignedRoles = make_set(AssignedRoles, 1000),\n        BlastRadiusInt = sum(BlastRadiusInt),\n        UserType = make_set(UserType, 1000),\n        UserAccountControl = make_set(UserType, 1000)\n    by AccountUPN\n    | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where isnotempty(SourceIPAddress)\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n    | project-rename IPAddress = SourceIPAddress\n    | summarize\n        UsersInsights = make_set(UsersInsights, 1000),\n        DevicesInsights = make_set(DevicesInsights, 1000),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
+                "queryFrequency": "P1D",
+                "queryPeriod": "P14D",
+                "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
-                      "AuditLogs"
-                    ]
+                      "SigninLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "AADNonInteractiveUserSignInLogs"
+                    ],
+                    "connectorId": "AzureActiveDirectory"
+                  },
+                  {
+                    "dataTypes": [
+                      "BehaviorAnalytics"
+                    ],
+                    "connectorId": "BehaviorAnalytics"
+                  },
+                  {
+                    "dataTypes": [
+                      "IdentityInfo"
+                    ],
+                    "connectorId": "IdentityInfo"
                   }
                 ],
                 "tactics": [
-                  "CredentialAccess"
+                  "InitialAccess"
+                ],
+                "techniques": [
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "Name",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
+                        "columnName": "IPAddress",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -9124,13 +7857,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 35",
-                "parentId": "[variables('analyticRuleId35')]",
-                "contentId": "[variables('_analyticRulecontentId35')]",
+                "description": "Azure Active Directory Analytics Rule 56",
+                "parentId": "[variables('analyticRuleId56')]",
+                "contentId": "[variables('_analyticRulecontentId56')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion35')]",
+                "version": "[variables('analyticRuleVersion56')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9155,81 +7888,91 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId35')]",
+        "contentId": "[variables('_analyticRulecontentId56')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "NRT Modified domain federation trust settings",
-        "contentProductId": "[variables('_analyticRulecontentProductId35')]",
-        "id": "[variables('_analyticRulecontentProductId35')]",
-        "version": "[variables('analyticRuleVersion35')]"
+        "displayName": "User Accounts - Sign in Failure due to CA Spikes",
+        "contentProductId": "[variables('_analyticRulecontentProductId56')]",
+        "id": "[variables('_analyticRulecontentProductId56')]",
+        "version": "[variables('analyticRuleVersion56')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName36')]",
+      "name": "[variables('analyticRuleTemplateSpecName57')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion36')]",
+          "contentVersion": "[variables('analyticRuleVersion57')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId36')]",
+              "name": "[variables('analyticRulecontentId57')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
+              "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.",
-                "displayName": "NRT Authentication Methods Changed for VIP Users",
+                "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+                "displayName": "User added to Azure Active Directory Privileged Groups",
                 "enabled": false,
-                "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct [\"User Principal Name\"]);\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n  )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n",
+                "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n               modProps = TargetResource.modifiedProperties\n  )\n| mv-apply Property = modProps on \n  (\n      where Property.displayName =~ \"Role.WellKnownObjectName\"\n      | extend DisplayName = trim('\"',tostring(Property.displayName)),\n               GroupName = trim('\"',tostring(Property.newValue))\n  )\n| extend AppId = InitiatedBy.app.appId,\n      InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n      ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n      ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n      UserId = InitiatedBy.user.id,\n      UserIPAddress = InitiatedBy.user.ipAddress,\n      UserRoles = InitiatedBy.user.roles,\n      UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n                                    isnotempty(UserPrincipalName), UserPrincipalName,  \n                                    \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "Persistence"
+                  "Persistence",
+                  "PrivilegeEscalation"
                 ],
                 "techniques": [
-                  "T1098"
+                  "T1098",
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "AccountName",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "AccountUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IP"
+                        "columnName": "TargetName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "TargetUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ]
               }
@@ -9237,13 +7980,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 36",
-                "parentId": "[variables('analyticRuleId36')]",
-                "contentId": "[variables('_analyticRulecontentId36')]",
+                "description": "Azure Active Directory Analytics Rule 57",
+                "parentId": "[variables('analyticRuleId57')]",
+                "contentId": "[variables('_analyticRulecontentId57')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion36')]",
+                "version": "[variables('analyticRuleVersion57')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9268,81 +8011,89 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId36')]",
+        "contentId": "[variables('_analyticRulecontentId57')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "NRT Authentication Methods Changed for VIP Users",
-        "contentProductId": "[variables('_analyticRulecontentProductId36')]",
-        "id": "[variables('_analyticRulecontentProductId36')]",
-        "version": "[variables('analyticRuleVersion36')]"
+        "displayName": "User added to Azure Active Directory Privileged Groups",
+        "contentProductId": "[variables('_analyticRulecontentProductId57')]",
+        "id": "[variables('_analyticRulecontentProductId57')]",
+        "version": "[variables('analyticRuleVersion57')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName37')]",
+      "name": "[variables('analyticRuleTemplateSpecName58')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion37')]",
+          "contentVersion": "[variables('analyticRuleVersion58')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId37')]",
+              "name": "[variables('analyticRulecontentId58')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
+              "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
+                "description": "Identifies when a new privileged role is assigned to a user.  Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+                "displayName": "User Assigned Privileged Role",
                 "enabled": false,
-                "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n    where TargetResource.type =~ \"Application\"\n    | extend targetDisplayName = tostring(TargetResource.displayName),\n             targetId = tostring(TargetResource.id),\n             targetType = tostring(TargetResource.type),\n             keyEvents = TargetResource.modifiedProperties\n  )\n|  mv-apply Property = keyEvents on \n (\n  where Property.displayName =~ \"KeyDescription\"\n  | extend new_value_set = parse_json(tostring(Property.newValue)),\n           old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n  (\n    where AdditionalDetail.key =~ \"User-Agent\"\n    | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
-                "severity": "Medium",
+                "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n      | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"Role.DisplayName\"\n      | extend RoleName = trim('\"',tostring(Property.newValue))\n  )\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// Uncomment below to not alert for PIM activations\n//| where Initiator != \"MS-PIM\"\n| summarize by bin(TimeGenerated, 1h), OperationName,  RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0])\n",
+                "queryFrequency": "PT2H",
+                "queryPeriod": "PT2H",
+                "severity": "High",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "DefenseEvasion"
+                  "Persistence"
                 ],
                 "techniques": [
-                  "T1550"
+                  "T1078"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "TargetName",
+                        "identifier": "Name"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "TargetUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
+                        "columnName": "InitiatorName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "InitiatorUPNSuffix",
+                        "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ]
               }
@@ -9350,13 +8101,13 @@
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 37",
-                "parentId": "[variables('analyticRuleId37')]",
-                "contentId": "[variables('_analyticRulecontentId37')]",
+                "description": "Azure Active Directory Analytics Rule 58",
+                "parentId": "[variables('analyticRuleId58')]",
+                "contentId": "[variables('_analyticRulecontentId58')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion37')]",
+                "version": "[variables('analyticRuleVersion58')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9381,95 +8132,119 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId37')]",
+        "contentId": "[variables('_analyticRulecontentId58')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
-        "contentProductId": "[variables('_analyticRulecontentProductId37')]",
-        "id": "[variables('_analyticRulecontentProductId37')]",
-        "version": "[variables('analyticRuleVersion37')]"
+        "displayName": "User Assigned Privileged Role",
+        "contentProductId": "[variables('_analyticRulecontentProductId58')]",
+        "id": "[variables('_analyticRulecontentProductId58')]",
+        "version": "[variables('analyticRuleVersion58')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName38')]",
+      "name": "[variables('analyticRuleTemplateSpecName59')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion38')]",
+          "contentVersion": "[variables('analyticRuleVersion59')]",
           "parameters": {},
           "variables": {},
           "resources": [
             {
               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId38')]",
+              "name": "[variables('analyticRulecontentId59')]",
               "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
+              "kind": "Scheduled",
               "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "NRT New access credential added to Application or Service Principal",
+                "description": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.",
+                "displayName": "New onmicrosoft domain added to tenant",
                 "enabled": false,
-                "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"Application\"\n      | extend targetDisplayName = tostring(TargetResource.displayName),\n               targetId = tostring(TargetResource.id),\n               targetType = tostring(TargetResource.type),\n               keyEvents = TargetResource.modifiedProperties\n  )\n| mv-apply Property = keyEvents on \n  (\n      where Property.displayName =~ \"KeyDescription\"\n      | extend new_value_set = parse_json(tostring(Property.newValue)),\n               old_value_set = parse_json(tostring(Property.oldValue))\n  )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n",
+                "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n",
+                "queryFrequency": "PT1H",
+                "queryPeriod": "PT1H",
                 "severity": "Medium",
                 "suppressionDuration": "PT1H",
                 "suppressionEnabled": false,
+                "triggerOperator": "GreaterThan",
+                "triggerThreshold": 0,
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "AuditLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
-                  "DefenseEvasion"
+                  "ResourceDevelopment"
                 ],
                 "techniques": [
-                  "T1550"
+                  "T1585"
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                        "columnName": "UserName",
+                        "identifier": "Name"
+                      },
+                      {
+                        "columnName": "UPNSuffix",
+                        "identifier": "UPNSuffix"
                       },
                       {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                        "columnName": "InitiatingSPID",
+                        "identifier": "AadUserId"
+                      }
+                    ],
+                    "entityType": "Account"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "columnName": "InitiatingIp",
+                        "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
+                        "columnName": "DomainAdded",
+                        "identifier": "DomainName"
                       }
-                    ]
+                    ],
+                    "entityType": "DNS"
                   }
-                ]
+                ],
+                "eventGroupingSettings": {
+                  "aggregationKind": "SingleAlert"
+                },
+                "alertDetailsOverride": {
+                  "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.",
+                  "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}"
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 38",
-                "parentId": "[variables('analyticRuleId38')]",
-                "contentId": "[variables('_analyticRulecontentId38')]",
+                "description": "Azure Active Directory Analytics Rule 59",
+                "parentId": "[variables('analyticRuleId59')]",
+                "contentId": "[variables('_analyticRulecontentId59')]",
                 "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion38')]",
+                "version": "[variables('analyticRuleVersion59')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9494,108 +8269,397 @@
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId38')]",
+        "contentId": "[variables('_analyticRulecontentId59')]",
         "contentKind": "AnalyticsRule",
-        "displayName": "NRT New access credential added to Application or Service Principal",
-        "contentProductId": "[variables('_analyticRulecontentProductId38')]",
-        "id": "[variables('_analyticRulecontentProductId38')]",
-        "version": "[variables('analyticRuleVersion38')]"
+        "displayName": "New onmicrosoft domain added to tenant",
+        "contentProductId": "[variables('_analyticRulecontentProductId59')]",
+        "id": "[variables('_analyticRulecontentProductId59')]",
+        "version": "[variables('analyticRuleVersion59')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName39')]",
+      "name": "[variables('playbookTemplateSpecName1')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Block-AADUser-Alert Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion39')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion1')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Block-AADUser-Alert",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId39')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureADConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[variables('AzureADConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[variables('Office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Block-AADUser_alert",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
+              ],
               "properties": {
-                "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
-                "displayName": "NRT PIM Elevation Request Rejected",
-                "enabled": false,
-                "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"Role\"\n      | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n  )\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"User\"\n      | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n  )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
-                "severity": "High",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
+                  },
+                  "triggers": {
+                    "Microsoft_Sentinel_alert": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/subscribe"
+                      }
+                    }
+                  },
+                  "actions": {
+                    "Alert_-_Get_incident": {
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "method": "get",
+                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+                      }
+                    },
+                    "Entities_-_Get_Accounts": {
+                      "runAfter": {
+                        "Alert_-_Get_incident": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "body": "@triggerBody()?['Entities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      }
+                    },
+                    "For_each": {
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "actions": {
+                        "Condition": {
+                          "actions": {
+                            "Condition_-_if_user_have_manager": {
+                              "actions": {
+                                "Add_comment_to_incident_-_with_manager_-_no_admin": {
+                                  "runAfter": {
+                                    "Get_user_-_details": [
+                                      "Succeeded"
+                                    ]
+                                  },
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "body": {
+                                      "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                      "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.</p>"
+                                    },
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                      }
+                                    },
+                                    "method": "post",
+                                    "path": "/Incidents/Comment"
+                                  }
+                                },
+                                "Get_user_-_details": {
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['azuread']['connectionId']"
+                                      }
+                                    },
+                                    "method": "get",
+                                    "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+                                  }
+                                },
+                                "Send_an_email_-_to_manager_-_no_admin": {
+                                  "runAfter": {
+                                    "Add_comment_to_incident_-_with_manager_-_no_admin": [
+                                      "Succeeded"
+                                    ]
+                                  },
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "body": {
+                                      "Body": "<p>Security notification! This is automated email sent by Microsoft Sentinel Automation!<br>\n<br>\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach&nbsp;our support.<br>\n<br>\nDirect report details:<br>\nFirst name: @{body('Get_user_-_details')?['displayName']}<br>\nSurname: @{body('Get_user_-_details')?['surname']}<br>\nJob title: @{body('Get_user_-_details')?['jobTitle']}<br>\nOffice location: @{body('Get_user_-_details')?['officeLocation']}<br>\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}<br>\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}<br>\nMail: @{body('Get_user_-_details')?['mail']}<br>\n<br>\nThank you!</p>",
+                                      "Importance": "High",
+                                      "Subject": "@{items('For_each')?['Name']} has been disabled in Azure AD due to the security risk!",
+                                      "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']"
+                                    },
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['office365']['connectionId']"
+                                      }
+                                    },
+                                    "method": "post",
+                                    "path": "/v2/Mail"
+                                  }
+                                }
+                              },
+                              "runAfter": {
+                                "Parse_JSON_-_get_user_manager": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "else": {
+                                "actions": {
+                                  "Add_comment_to_incident_-_no_manager_-_no_admin": {
+                                    "type": "ApiConnection",
+                                    "inputs": {
+                                      "body": {
+                                        "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                        "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!</p>"
+                                      },
+                                      "host": {
+                                        "connection": {
+                                          "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                        }
+                                      },
+                                      "method": "post",
+                                      "path": "/Incidents/Comment"
+                                    }
+                                  }
+                                }
+                              },
+                              "expression": {
+                                "and": [
+                                  {
+                                    "not": {
+                                      "equals": [
+                                        "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']",
+                                        "@null"
+                                      ]
+                                    }
+                                  }
+                                ]
+                              },
+                              "type": "If"
+                            },
+                            "HTTP_-_get_user_manager": {
+                              "type": "Http",
+                              "inputs": {
+                                "authentication": {
+                                  "audience": "https://graph.microsoft.com/",
+                                  "type": "ManagedServiceIdentity"
+                                },
+                                "method": "GET",
+                                "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
+                              }
+                            },
+                            "Parse_JSON_-_get_user_manager": {
+                              "runAfter": {
+                                "HTTP_-_get_user_manager": [
+                                  "Succeeded",
+                                  "Failed"
+                                ]
+                              },
+                              "type": "ParseJson",
+                              "inputs": {
+                                "content": "@body('HTTP_-_get_user_manager')",
+                                "schema": {
+                                  "properties": {
+                                    "userPrincipalName": {
+                                      "type": "string"
+                                    }
+                                  },
+                                  "type": "object"
+                                }
+                              }
+                            }
+                          },
+                          "runAfter": {
+                            "Update_user_-_disable_user": [
+                              "Succeeded",
+                              "Failed"
+                            ]
+                          },
+                          "else": {
+                            "actions": {
+                              "Add_comment_to_incident_-_error_details": {
+                                "type": "ApiConnection",
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                    "message": "<p>Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.<br>\nError message: @{body('Update_user_-_disable_user')['error']['message']}<br>\nNote: If user is admin, this playbook don't have privilages to block admin users!</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                }
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "equals": [
+                                  "@body('Update_user_-_disable_user')",
+                                  "@null"
+                                ]
+                              }
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "Update_user_-_disable_user": {
+                          "type": "ApiConnection",
+                          "inputs": {
+                            "body": {
+                              "accountEnabled": false
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['azuread']['connectionId']"
+                              }
+                            },
+                            "method": "patch",
+                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+                          }
+                        }
+                      },
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    }
                   }
-                ],
-                "tactics": [
-                  "Persistence"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "InitiatingName"
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuread": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                        "connectionName": "[[variables('AzureADConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InitiatingUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "UserName"
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UserUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 39",
-                "parentId": "[variables('analyticRuleId39')]",
-                "contentId": "[variables('_analyticRulecontentId39')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion39')]",
+                "parentId": "[variables('playbookId1')]",
+                "contentId": "[variables('_playbookContentId1')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion1')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9613,221 +8677,415 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Block AAD user - Alert",
+            "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
+            "prerequisites": [
+              "None"
+            ],
+            "postDeployment": [
+              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
+              "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
+              "3. Authorize Azure AD and Office 365 Outlook Logic App connections."
+            ],
+            "lastUpdateTime": "2022-07-11T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": "Added manager notification action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId39')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "NRT PIM Elevation Request Rejected",
-        "contentProductId": "[variables('_analyticRulecontentProductId39')]",
-        "id": "[variables('_analyticRulecontentProductId39')]",
-        "version": "[variables('analyticRuleVersion39')]"
+        "contentId": "[variables('_playbookContentId1')]",
+        "contentKind": "Playbook",
+        "displayName": "Block-AADUser-Alert",
+        "contentProductId": "[variables('_playbookcontentProductId1')]",
+        "id": "[variables('_playbookcontentProductId1')]",
+        "version": "[variables('playbookVersion1')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName40')]",
+      "name": "[variables('playbookTemplateSpecName2')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Block-AADUser-Incident Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion40')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion2')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Block-AADUser-Incident",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId40')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureADConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
-                "displayName": "NRT Privileged Role Assigned Outside PIM",
-                "enabled": false,
-                "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n        or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n  )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "severity": "Low",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "PrivilegeEscalation"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IpAddress"
-                      }
-                    ]
-                  }
-                ]
+                "displayName": "[[variables('AzureADConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
               }
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 40",
-                "parentId": "[variables('analyticRuleId40')]",
-                "contentId": "[variables('_analyticRulecontentId40')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion40')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId40')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "NRT Privileged Role Assigned Outside PIM",
-        "contentProductId": "[variables('_analyticRulecontentProductId40')]",
-        "id": "[variables('_analyticRulecontentProductId40')]",
-        "version": "[variables('analyticRuleVersion40')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName41')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion41')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId41')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "NRT",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
-                "displayName": "NRT User added to Azure Active Directory Privileged Groups",
-                "enabled": false,
-                "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n               modProps = TargetResource.modifiedProperties\n  )\n| mv-apply Property = modProps on \n  (\n      where Property.displayName =~ \"Role.WellKnownObjectName\"\n      | extend DisplayName = trim('\"',tostring(Property.displayName)),\n               GroupName = trim('\"',tostring(Property.newValue))\n  )\n| extend AppId = InitiatedBy.app.appId,\n      InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n      ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n      ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n      UserId = InitiatedBy.user.id,\n      UserIPAddress = InitiatedBy.user.ipAddress,\n      UserRoles = InitiatedBy.user.roles,\n      UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n                                    isnotempty(UserPrincipalName), UserPrincipalName,  \n                                    \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
+                "displayName": "[[variables('Office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Block-AADUser",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
+              ],
+              "properties": {
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
+                  },
+                  "triggers": {
+                    "Microsoft_Sentinel_incident": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/incident-creation"
+                      }
+                    }
+                  },
+                  "actions": {
+                    "Entities_-_Get_Accounts": {
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      }
+                    },
+                    "For_each": {
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "actions": {
+                        "Condition": {
+                          "actions": {
+                            "Condition_-_if_user_have_manager": {
+                              "actions": {
+                                "Add_comment_to_incident_-_with_manager_-_no_admin": {
+                                  "runAfter": {
+                                    "Get_user_-_details": [
+                                      "Succeeded"
+                                    ]
+                                  },
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "body": {
+                                      "incidentArmId": "@triggerBody()?['object']?['id']",
+                                      "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.</p>"
+                                    },
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                      }
+                                    },
+                                    "method": "post",
+                                    "path": "/Incidents/Comment"
+                                  }
+                                },
+                                "Get_user_-_details": {
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['azuread']['connectionId']"
+                                      }
+                                    },
+                                    "method": "get",
+                                    "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+                                  }
+                                },
+                                "Send_an_email_-_to_manager_-_no_admin": {
+                                  "runAfter": {
+                                    "Add_comment_to_incident_-_with_manager_-_no_admin": [
+                                      "Succeeded"
+                                    ]
+                                  },
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "body": {
+                                      "Body": "<p>Security notification! This is automated email sent by Microsoft Sentinel Automation!<br>\n<br>\nYour direct report @{items('For_each')?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach&nbsp;our support.<br>\n<br>\nDirect report details:<br>\nFirst name: @{body('Get_user_-_details')?['displayName']}<br>\nSurname: @{body('Get_user_-_details')?['surname']}<br>\nJob title: @{body('Get_user_-_details')?['jobTitle']}<br>\nOffice location: @{body('Get_user_-_details')?['officeLocation']}<br>\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}<br>\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}<br>\nMail: @{body('Get_user_-_details')?['mail']}<br>\n<br>\nThank you!</p>",
+                                      "Importance": "High",
+                                      "Subject": "@{items('For_each')?['Name']}  has been disabled in Azure AD due to the security risk!",
+                                      "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']"
+                                    },
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['office365']['connectionId']"
+                                      }
+                                    },
+                                    "method": "post",
+                                    "path": "/v2/Mail"
+                                  }
+                                }
+                              },
+                              "runAfter": {
+                                "Parse_JSON_-_get_user_manager": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "else": {
+                                "actions": {
+                                  "Add_comment_to_incident_-_no_manager_-_no_admin": {
+                                    "type": "ApiConnection",
+                                    "inputs": {
+                                      "body": {
+                                        "incidentArmId": "@triggerBody()?['object']?['id']",
+                                        "message": "<p>User @{items('For_each')?['Name']} (UPN - @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!</p>"
+                                      },
+                                      "host": {
+                                        "connection": {
+                                          "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                        }
+                                      },
+                                      "method": "post",
+                                      "path": "/Incidents/Comment"
+                                    }
+                                  }
+                                }
+                              },
+                              "expression": {
+                                "and": [
+                                  {
+                                    "not": {
+                                      "equals": [
+                                        "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']",
+                                        "@null"
+                                      ]
+                                    }
+                                  }
+                                ]
+                              },
+                              "type": "If"
+                            },
+                            "HTTP_-_get_user_manager": {
+                              "type": "Http",
+                              "inputs": {
+                                "authentication": {
+                                  "audience": "https://graph.microsoft.com/",
+                                  "type": "ManagedServiceIdentity"
+                                },
+                                "method": "GET",
+                                "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
+                              }
+                            },
+                            "Parse_JSON_-_get_user_manager": {
+                              "runAfter": {
+                                "HTTP_-_get_user_manager": [
+                                  "Succeeded",
+                                  "Failed"
+                                ]
+                              },
+                              "type": "ParseJson",
+                              "inputs": {
+                                "content": "@body('HTTP_-_get_user_manager')",
+                                "schema": {
+                                  "properties": {
+                                    "userPrincipalName": {
+                                      "type": "string"
+                                    }
+                                  },
+                                  "type": "object"
+                                }
+                              }
+                            }
+                          },
+                          "runAfter": {
+                            "Update_user_-_disable_user": [
+                              "Succeeded",
+                              "Failed"
+                            ]
+                          },
+                          "else": {
+                            "actions": {
+                              "Add_comment_to_incident_-_error_details": {
+                                "type": "ApiConnection",
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@triggerBody()?['object']?['id']",
+                                    "message": "<p>Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.<br>\nError message: @{body('Update_user_-_disable_user')['error']['message']}<br>\nNote: If user is admin, this playbook don't have privilages to block admin users!</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                }
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "equals": [
+                                  "@body('Update_user_-_disable_user')",
+                                  "@null"
+                                ]
+                              }
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "Update_user_-_disable_user": {
+                          "type": "ApiConnection",
+                          "inputs": {
+                            "body": {
+                              "accountEnabled": false
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['azuread']['connectionId']"
+                              }
+                            },
+                            "method": "patch",
+                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}"
+                          }
+                        }
+                      },
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    }
                   }
-                ],
-                "tactics": [
-                  "Persistence",
-                  "PrivilegeEscalation"
-                ],
-                "techniques": [
-                  "T1098",
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "AccountName"
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuread": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                        "connectionName": "[[variables('AzureADConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "AccountUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "TargetName"
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "TargetUPNSuffix"
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 41",
-                "parentId": "[variables('analyticRuleId41')]",
-                "contentId": "[variables('_analyticRulecontentId41')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion41')]",
+                "parentId": "[variables('playbookId2')]",
+                "contentId": "[variables('_playbookContentId2')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion2')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -9845,242 +9103,426 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Block AAD user - Incident",
+            "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!",
+            "prerequisites": [
+              "None"
+            ],
+            "postDeployment": [
+              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
+              "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
+              "3. Authorize Azure AD and Office 365 Outlook Logic App connections."
+            ],
+            "lastUpdateTime": "2022-07-11T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": "Added manager notification action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId41')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "NRT User added to Azure Active Directory Privileged Groups",
-        "contentProductId": "[variables('_analyticRulecontentProductId41')]",
-        "id": "[variables('_analyticRulecontentProductId41')]",
-        "version": "[variables('analyticRuleVersion41')]"
+        "contentId": "[variables('_playbookContentId2')]",
+        "contentKind": "Playbook",
+        "displayName": "Block-AADUser-Incident",
+        "contentProductId": "[variables('_playbookcontentProductId2')]",
+        "id": "[variables('_playbookcontentProductId2')]",
+        "version": "[variables('playbookVersion2')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName42')]",
+      "name": "[variables('playbookTemplateSpecName3')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Prompt-User-Alert Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion42')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion3')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Prompt-User-Alert",
+              "type": "string"
+            },
+            "TeamsId": {
+              "metadata": {
+                "description": "Enter the Teams Group ID"
+              },
+              "type": "string"
+            },
+            "TeamsChannelId": {
+              "metadata": {
+                "description": "Enter the Teams Channel ID"
+              },
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
+            "_connection-4": "[[variables('connection-4')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId42')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureADConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
-                "displayName": "PIM Elevation Request Rejected",
-                "enabled": false,
-                "query": "AuditLogs\n| where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ \"failure\") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"Role\"\n      | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n  )\n| mv-apply ResourceItem = TargetResources on \n  (\n      where ResourceItem.type =~ \"User\"\n      | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n  )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n",
-                "queryFrequency": "PT2H",
-                "queryPeriod": "PT2H",
-                "severity": "High",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "Persistence"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "InitiatingName"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InitiatingUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "UserName"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UserUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIpAddress"
-                      }
-                    ]
-                  }
-                ]
+                "displayName": "[[variables('AzureADConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('AzureSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[variables('Office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
               }
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('TeamsConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 42",
-                "parentId": "[variables('analyticRuleId42')]",
-                "contentId": "[variables('_analyticRulecontentId42')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion42')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                "displayName": "[[variables('TeamsConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-4')]"
                 }
               }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId42')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "PIM Elevation Request Rejected",
-        "contentProductId": "[variables('_analyticRulecontentProductId42')]",
-        "id": "[variables('_analyticRulecontentProductId42')]",
-        "version": "[variables('analyticRuleVersion42')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName43')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion43')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
+            },
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId43')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Prompt-User_alert",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+              ],
               "properties": {
-                "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor",
-                "displayName": "Privileged Accounts - Sign in Failure Spikes",
-                "enabled": false,
-                "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n    IdentityInfo\n    | where TimeGenerated > ago(starttime)\n    | summarize arg_max(TimeGenerated, *) by AccountUPN\n    | mv-expand AssignedRoles\n    | where AssignedRoles contains 'Admin'\n    | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n    | join kind=inner (\n        table(tableName)\n        | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n        | where ResultType != 0\n        | extend UserPrincipalName = tolower(UserPrincipalName)\n    ) on $left.AccountUPN == $right.UserPrincipalName\n    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n    allSignins\n    | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n    | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n    | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n    // Filtering low count events per baselinethreshold\n    | where anomalies > 0 and baseline > baselinethreshold\n    | extend AnomalyHour = TimeGenerated\n    | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n    allSignins\n    | where TimeGenerated > startofday(ago(timeframe))\n    // create a new column and round to hour\n    | extend DateHour = bin(TimeGenerated, 1h)\n    | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P14D",
-                "severity": "High",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "actions": {
+                    "Alert_-_Get_incident": {
+                      "inputs": {
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "get",
+                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+                      },
+                      "type": "ApiConnection"
+                    },
+                    "Entities_-_Get_Accounts": {
+                      "inputs": {
+                        "body": "@triggerBody()?['Entities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      },
+                      "runAfter": {
+                        "Alert_-_Get_incident": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection"
+                    },
+                    "For_each": {
+                      "actions": {
+                        "Condition_2": {
+                          "actions": {
+                            "Add_comment_to_incident_(V3)": {
+                              "inputs": {
+                                "body": {
+                                  "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                  "message": "<p>@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert. &nbsp;Closing the incident.</p>"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/Incidents/Comment"
+                              },
+                              "type": "ApiConnection"
+                            },
+                            "Update_incident": {
+                              "inputs": {
+                                "body": {
+                                  "classification": {
+                                    "ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
+                                    "ClassificationReasonText": "User Confirmed it was them"
+                                  },
+                                  "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                  "status": "Closed"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "put",
+                                "path": "/Incidents"
+                              },
+                              "runAfter": {
+                                "Add_comment_to_incident_(V3)": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection"
+                            }
+                          },
+                          "else": {
+                            "actions": {
+                              "Add_comment_to_incident_(V3)_2": {
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                    "message": "<p>@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                },
+                                "type": "ApiConnection"
+                              },
+                              "Post_message_in_a_chat_or_channel": {
+                                "inputs": {
+                                  "body": {
+                                    "messageBody": "<p>New alert from Microsoft Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
+                                    "recipient": {
+                                      "channelId": "[[parameters('TeamsChannelId')]",
+                                      "groupId": "[[parameters('TeamsId')]"
+                                    },
+                                    "subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['teams']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
+                                },
+                                "runAfter": {
+                                  "Add_comment_to_incident_(V3)_2": [
+                                    "Succeeded"
+                                  ]
+                                },
+                                "type": "ApiConnection"
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "equals": [
+                                  "",
+                                  "This was me"
+                                ]
+                              }
+                            ]
+                          },
+                          "runAfter": {
+                            "Send_approval_email": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "Get_user": {
+                          "inputs": {
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['azuread']['connectionId']"
+                              }
+                            },
+                            "method": "get",
+                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
+                          },
+                          "type": "ApiConnection"
+                        },
+                        "Send_approval_email": {
+                          "inputs": {
+                            "body": {
+                              "Message": {
+                                "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}",
+                                "HideHTMLMessage": false,
+                                "Importance": "High",
+                                "Options": "This was me, This was not me",
+                                "ShowHTMLConfirmationDialog": false,
+                                "Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}",
+                                "To": "@body('Get_user')?['mail']"
+                              },
+                              "NotificationUrl": "@{listCallbackUrl()}"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365']['connectionId']"
+                              }
+                            },
+                            "path": "/approvalmail/$subscriptions"
+                          },
+                          "runAfter": {
+                            "Get_user": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnectionWebhook"
+                        }
+                      },
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    }
                   },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
+                  },
+                  "triggers": {
+                    "Microsoft_Sentinel_alert": {
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/subscribe"
+                      },
+                      "type": "ApiConnectionWebhook"
+                    }
                   }
-                ],
-                "tactics": [
-                  "InitialAccess"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuread": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                        "connectionName": "[[variables('AzureADConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                      "azuresentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      },
+                      "teams": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+                        "connectionName": "[[variables('TeamsConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 43",
-                "parentId": "[variables('analyticRuleId43')]",
-                "contentId": "[variables('_analyticRulecontentId43')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion43')]",
+                "parentId": "[variables('playbookId3')]",
+                "contentId": "[variables('_playbookContentId3')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion3')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -10098,351 +9540,408 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Prompt User - Alert",
+            "description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
+            "prerequisites": [
+              "1. You will need the Team Id and Channel Id."
+            ],
+            "postDeployment": [
+              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
+              "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections."
+            ],
+            "lastUpdateTime": "2022-07-11T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": "Added new Post a Teams message action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId43')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Privileged Accounts - Sign in Failure Spikes",
-        "contentProductId": "[variables('_analyticRulecontentProductId43')]",
-        "id": "[variables('_analyticRulecontentProductId43')]",
-        "version": "[variables('analyticRuleVersion43')]"
+        "contentId": "[variables('_playbookContentId3')]",
+        "contentKind": "Playbook",
+        "displayName": "Prompt-User-Alert",
+        "contentProductId": "[variables('_playbookcontentProductId3')]",
+        "id": "[variables('_playbookcontentProductId3')]",
+        "version": "[variables('playbookVersion3')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName44')]",
+      "name": "[variables('playbookTemplateSpecName4')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Prompt-User-Incident Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion44')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion4')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Prompt-User-Incident",
+              "type": "string"
+            },
+            "TeamsId": {
+              "metadata": {
+                "description": "Enter the Teams Group ID"
+              },
+              "type": "string"
+            },
+            "TeamsChannelId": {
+              "metadata": {
+                "description": "Enter the Teams Channel ID"
+              },
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
+            "_connection-4": "[[variables('connection-4')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId44')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureADConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
-                "displayName": "Privileged Role Assigned Outside PIM",
-                "enabled": false,
-                "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n        or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n  )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Low",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "PrivilegeEscalation"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IpAddress"
-                      }
-                    ]
-                  }
-                ]
+                "displayName": "[[variables('AzureADConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('AzureSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
               }
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 44",
-                "parentId": "[variables('analyticRuleId44')]",
-                "contentId": "[variables('_analyticRulecontentId44')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion44')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                "displayName": "[[variables('Office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
                 }
               }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId44')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Privileged Role Assigned Outside PIM",
-        "contentProductId": "[variables('_analyticRulecontentProductId44')]",
-        "id": "[variables('_analyticRulecontentProductId44')]",
-        "version": "[variables('analyticRuleVersion44')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName45')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion45')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
+            },
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId45')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('TeamsConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "Rare application consent",
-                "enabled": false,
-                "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n          tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n  )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n              isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n              isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n              'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n                          tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n               props = TargetResource.modifiedProperties\n  )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P7D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 3,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "Persistence",
-                  "PrivilegeEscalation"
-                ],
-                "techniques": [
-                  "T1136",
-                  "T1068"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                "displayName": "[[variables('TeamsConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-4')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Prompt-User",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+              ],
+              "properties": {
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "actions": {
+                    "Entities_-_Get_Accounts": {
+                      "inputs": {
+                        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      },
+                      "type": "ApiConnection"
+                    },
+                    "For_each": {
+                      "actions": {
+                        "Condition_2": {
+                          "actions": {
+                            "Add_comment_to_incident_(V3)": {
+                              "inputs": {
+                                "body": {
+                                  "incidentArmId": "@triggerBody()?['object']?['id']",
+                                  "message": "<p>@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert. &nbsp;Closing the incident.</p>"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/Incidents/Comment"
+                              },
+                              "type": "ApiConnection"
+                            },
+                            "Update_incident": {
+                              "inputs": {
+                                "body": {
+                                  "classification": {
+                                    "ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
+                                    "ClassificationReasonText": "User Confirmed it was them"
+                                  },
+                                  "incidentArmId": "@triggerBody()?['object']?['id']",
+                                  "status": "Closed"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "put",
+                                "path": "/Incidents"
+                              },
+                              "runAfter": {
+                                "Add_comment_to_incident_(V3)": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection"
+                            }
+                          },
+                          "else": {
+                            "actions": {
+                              "Add_comment_to_incident_(V3)_2": {
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@triggerBody()?['object']?['id']",
+                                    "message": "<p>@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                },
+                                "type": "ApiConnection"
+                              },
+                              "Post_message_in_a_chat_or_channel": {
+                                "inputs": {
+                                  "body": {
+                                    "messageBody": "<p>New alert from Microsoft Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
+                                    "recipient": {
+                                      "channelId": "[[parameters('TeamsChannelId')]",
+                                      "groupId": "[[parameters('TeamsId')]"
+                                    },
+                                    "subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['teams']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
+                                },
+                                "runAfter": {
+                                  "Add_comment_to_incident_(V3)_2": [
+                                    "Succeeded"
+                                  ]
+                                },
+                                "type": "ApiConnection"
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "equals": [
+                                  "@body('Send_approval_email')?['SelectedOption']",
+                                  "This was me"
+                                ]
+                              }
+                            ]
+                          },
+                          "runAfter": {
+                            "Send_approval_email": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "Get_user": {
+                          "inputs": {
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['azuread']['connectionId']"
+                              }
+                            },
+                            "method": "get",
+                            "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
+                          },
+                          "type": "ApiConnection"
+                        },
+                        "Send_approval_email": {
+                          "inputs": {
+                            "body": {
+                              "Message": {
+                                "Body": "New Alert from Microsoft Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}",
+                                "HideHTMLMessage": false,
+                                "Importance": "High",
+                                "Options": "This was me, This was not me",
+                                "ShowHTMLConfirmationDialog": false,
+                                "Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}",
+                                "To": "@body('Get_user')?['mail']"
+                              },
+                              "NotificationUrl": "@{listCallbackUrl()}"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365']['connectionId']"
+                              }
+                            },
+                            "path": "/approvalmail/$subscriptions"
+                          },
+                          "runAfter": {
+                            "Get_user": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnectionWebhook"
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    }
                   },
-                  {
-                    "entityType": "CloudApplication",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "TargetResourceName"
-                      }
-                    ]
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
                   },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IpAddress"
-                      }
-                    ]
+                  "triggers": {
+                    "Microsoft_Sentinel_incident": {
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/incident-creation"
+                      },
+                      "type": "ApiConnectionWebhook"
+                    }
                   }
-                ]
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]",
-              "properties": {
-                "description": "Azure Active Directory Analytics Rule 45",
-                "parentId": "[variables('analyticRuleId45')]",
-                "contentId": "[variables('_analyticRulecontentId45')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion45')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
                 },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId45')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Rare application consent",
-        "contentProductId": "[variables('_analyticRulecontentProductId45')]",
-        "id": "[variables('_analyticRulecontentProductId45')]",
-        "version": "[variables('analyticRuleVersion45')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName46')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion46')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
-            {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId46')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
-              "properties": {
-                "description": "This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.",
-                "displayName": "Password spray attack against Azure AD Seamless SSO",
-                "enabled": false,
-                "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n    StartTime = min(TimeGenerated),\n    EndTime = max(TimeGenerated),\n    UserPrincipalName = make_set(UserPrincipalName,100),\n    UserAgent = make_set(UserAgent,100),\n    ResultDescription = take_any(ResultDescription),\n    ResultSignature = take_any(ResultSignature)\n    by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess"
-                ],
-                "techniques": [
-                  "T1110"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuread": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                        "connectionName": "[[variables('AzureADConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                      "azuresentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      },
+                      "teams": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+                        "connectionName": "[[variables('TeamsConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 46",
-                "parentId": "[variables('analyticRuleId46')]",
-                "contentId": "[variables('_analyticRulecontentId46')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion46')]",
+                "parentId": "[variables('playbookId4')]",
+                "contentId": "[variables('_playbookContentId4')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion4')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -10459,222 +9958,389 @@
                   "link": "https://support.microsoft.com/"
                 }
               }
-            }
-          ]
+            }
+          ],
+          "metadata": {
+            "title": "Prompt User - Incident",
+            "description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
+            "prerequisites": [
+              "1. You will need the Team Id and Channel Id."
+            ],
+            "postDeployment": [
+              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
+              "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections."
+            ],
+            "lastUpdateTime": "2022-07-11T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": "Added new Post a Teams message action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId46')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Password spray attack against Azure AD Seamless SSO",
-        "contentProductId": "[variables('_analyticRulecontentProductId46')]",
-        "id": "[variables('_analyticRulecontentProductId46')]",
-        "version": "[variables('analyticRuleVersion46')]"
+        "contentId": "[variables('_playbookContentId4')]",
+        "contentKind": "Playbook",
+        "displayName": "Prompt-User-Incident",
+        "contentProductId": "[variables('_playbookcontentProductId4')]",
+        "id": "[variables('_playbookcontentProductId4')]",
+        "version": "[variables('playbookVersion4')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName47')]",
+      "name": "[variables('playbookTemplateSpecName5')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion47')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion5')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Reset-AADPassword-AlertTrigger",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+            "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId47')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. ",
-                "displayName": "GitHub Signin Burst from Multiple Locations",
-                "enabled": false,
-                "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
+                "provisioningState": "Succeeded",
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
                   },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                  "triggers": {
+                    "Microsoft_Sentinel_alert": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/subscribe"
+                      }
+                    }
+                  },
+                  "actions": {
+                    "Alert_-_Get_incident": {
+                      "runAfter": {
+                        "Set_variable_-_password": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "method": "get",
+                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+                      }
+                    },
+                    "Entities_-_Get_Accounts": {
+                      "runAfter": {
+                        "Alert_-_Get_incident": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "body": "@triggerBody()?['Entities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      }
+                    },
+                    "For_each": {
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "actions": {
+                        "Condition_-_is_manager_available": {
+                          "actions": {
+                            "Add_comment_to_incident_-_manager_available": {
+                              "runAfter": {
+                                "Send_an_email_-_to_manager_with_password_details": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "body": {
+                                  "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                  "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.</p>"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/Incidents/Comment"
+                              }
+                            },
+                            "Parse_JSON_-_HTTP_-_get_manager": {
+                              "type": "ParseJson",
+                              "inputs": {
+                                "content": "@body('HTTP_-_get_manager')",
+                                "schema": {
+                                  "properties": {
+                                    "userPrincipalName": {
+                                      "type": "string"
+                                    }
+                                  },
+                                  "type": "object"
+                                }
+                              }
+                            },
+                            "Send_an_email_-_to_manager_with_password_details": {
+                              "runAfter": {
+                                "Parse_JSON_-_HTTP_-_get_manager": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "body": {
+                                  "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user password has been reset.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>",
+                                  "Subject": "A user password was reset due to security incident.",
+                                  "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['office365']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/v2/Mail"
+                              }
+                            }
+                          },
+                          "runAfter": {
+                            "HTTP_-_get_manager": [
+                              "Succeeded",
+                              "Failed"
+                            ]
+                          },
+                          "else": {
+                            "actions": {
+                              "Add_comment_to_incident_-_manager_not_available": {
+                                "type": "ApiConnection",
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                    "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                }
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "equals": [
+                                  "@outputs('HTTP_-_get_manager')['statusCode']",
+                                  200
+                                ]
+                              }
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "HTTP_-_get_manager": {
+                          "runAfter": {
+                            "HTTP_-_reset_a_password": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "Http",
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "method": "GET",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
+                          }
+                        },
+                        "HTTP_-_reset_a_password": {
+                          "type": "Http",
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "body": {
+                              "passwordProfile": {
+                                "forceChangePasswordNextSignIn": true,
+                                "forceChangePasswordNextSignInWithMfa": false,
+                                "password": "@{variables('Password')}"
+                              }
+                            },
+                            "method": "PATCH",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}"
+                          }
+                        }
+                      },
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    },
+                    "Initialize_variable": {
+                      "type": "InitializeVariable",
+                      "inputs": {
+                        "variables": [
+                          {
+                            "name": "Password",
+                            "type": "String",
+                            "value": "null"
+                          }
+                        ]
+                      }
+                    },
+                    "Set_variable_-_password": {
+                      "runAfter": {
+                        "Initialize_variable": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "SetVariable",
+                      "inputs": {
+                        "name": "Password",
+                        "value": "@{substring(guid(), 0, 10)}"
+                      }
+                    }
                   }
-                ],
-                "tactics": [
-                  "CredentialAccess"
-                ],
-                "techniques": [
-                  "T1110"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
+                        "connectionName": "[[variables('office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       }
-                    ]
+                    }
                   }
-                ]
-              }
+                }
+              },
+              "name": "[[parameters('PlaybookName')]",
+              "type": "Microsoft.Logic/workflows",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Reset-AADUserPassword_alert",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "apiVersion": "2017-07-01",
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]"
+              ]
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 47",
-                "parentId": "[variables('analyticRuleId47')]",
-                "contentId": "[variables('_analyticRulecontentId47')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion47')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
                 }
               }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId47')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "GitHub Signin Burst from Multiple Locations",
-        "contentProductId": "[variables('_analyticRulecontentProductId47')]",
-        "id": "[variables('_analyticRulecontentProductId47')]",
-        "version": "[variables('analyticRuleVersion47')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName48')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion48')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
+            },
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId48')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
-                "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
-                "enabled": false,
-                "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n  | where ResultType == 0\n  | where isnotempty(UserPrincipalName)\n  | where UserPrincipalName !in (disabled_users)\n| summarize\n        successfulAccountsTargettedCount = dcount(UserPrincipalName),\n        successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n        successfulApplicationSet = make_set(AppDisplayName, 100)\n    by IPAddress, Type\n    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n    | where successfulAccountsTargettedCount < 50\n    | where isnotempty(successfulAccountsTargettedCount)\n  | join kind=inner (failed_signins\n| summarize\n    StartTime = min(TimeGenerated),\n    EndTime = max(TimeGenerated),\n    totalDisabledAccountLoginAttempts = count(),\n    disabledAccountsTargettedCount = dcount(UserPrincipalName),\n    applicationsTargeted = dcount(AppDisplayName),\n    disabledAccountSet = make_set(UserPrincipalName, 100),\n    disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where EventSource =~ \"Azure AD\"\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n    | project-rename IPAddress = SourceIPAddress\n    | summarize\n        Users = make_set(UserPrincipalName, 100),\n        UsersInsights = make_set(UsersInsights, 100),\n        DevicesInsights = make_set(DevicesInsights, 100),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "BehaviorAnalytics",
-                    "dataTypes": [
-                      "BehaviorAnalytics"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "InitialAccess",
-                  "Persistence"
-                ],
-                "techniques": [
-                  "T1078",
-                  "T1098"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
-                      }
-                    ]
-                  }
-                ]
+                "displayName": "[[variables('office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 48",
-                "parentId": "[variables('analyticRuleId48')]",
-                "contentId": "[variables('_analyticRulecontentId48')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion48')]",
+                "parentId": "[variables('playbookId5')]",
+                "contentId": "[variables('_playbookContentId5')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion5')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -10692,112 +10358,372 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Reset Azure AD User Password - Alert Trigger",
+            "description": "This playbook will reset the user password using Graph API.  It will send the password (which is a random guid substring) to the user's manager.  The user will have to reset the password upon login.",
+            "prerequisites": [
+              "None"
+            ],
+            "postDeployment": [
+              "1. Assign Password Administrator permission to managed identity.",
+              "2. Assign Microsoft Sentinel Responder permission to managed identity.",
+              "3. Authorize Office 365 Outlook connection"
+            ],
+            "lastUpdateTime": "2022-07-11T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": " Added manager notification action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId48')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
-        "contentProductId": "[variables('_analyticRulecontentProductId48')]",
-        "id": "[variables('_analyticRulecontentProductId48')]",
-        "version": "[variables('analyticRuleVersion48')]"
+        "contentId": "[variables('_playbookContentId5')]",
+        "contentKind": "Playbook",
+        "displayName": "Reset-AADPassword-AlertTrigger",
+        "contentProductId": "[variables('_playbookcontentProductId5')]",
+        "id": "[variables('_playbookcontentProductId5')]",
+        "version": "[variables('playbookVersion5')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName49')]",
+      "name": "[variables('playbookTemplateSpecName6')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion49')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion6')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Reset-AADPassword-IncidentTrigger",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+            "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId49')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. \nDefault Failure count is 10 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
-                "displayName": "Brute force attack against Azure Portal",
-                "enabled": false,
-                "query": "let timeRange = 24h;\nlet failureCountThreshold = 10;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\n table(tableName)\n| where AppDisplayName has \"Azure Portal\"\n| extend\n     DeviceDetail = todynamic(DeviceDetail),\n     //Status = todynamic(Status),\n     LocationDetails = todynamic(LocationDetails)\n| extend\n     OS = tostring(DeviceDetail.operatingSystem),\n     Browser = tostring(DeviceDetail.browser),\n     //StatusCode = tostring(Status.errorCode),\n     //StatusDetails = tostring(Status.additionalDetails),\n     State = tostring(LocationDetails.state),\n     City = tostring(LocationDetails.city),\n     Region = tostring(LocationDetails.countryOrRegion)\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")  \n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\n| sort by UserPrincipalName asc, TimeGenerated asc\n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n// bin outcomes based on authenticationWindow\n| summarize FailureOrSuccessCount = count() by  FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName,SessionStartedUtc\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress,15), make_set(Browser,15), make_set(City,15), make_set(State,15), make_set(Region,15), make_set(ResultType,15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n// the session must not start with a success, and must end with one\n| where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n| where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n| project-away SessionStartedUtc, list_FailureOrSuccess\n// where the number of failures before the success is above the threshold \n| where FailureCountBeforeSuccess >= failureCountThreshold \n// expand out ip for entity assignment\n| mv-expand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime \n};\n let aadSignin = aadFunc(\"SigninLogs\");\n let aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\n union isfuzzy=true aadSignin, aadNonInt\n | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
+                "provisioningState": "Succeeded",
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
                   },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess"
-                ],
-                "techniques": [
-                  "T1110"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                  "triggers": {
+                    "Microsoft_Sentinel_incident": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/incident-creation"
+                      }
+                    }
+                  },
+                  "actions": {
+                    "Entities_-_Get_Accounts": {
+                      "runAfter": {
+                        "Set_variable_-_password": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      }
+                    },
+                    "For_each": {
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "actions": {
+                        "Condition_-_is_manager_available": {
+                          "actions": {
+                            "Add_comment_to_incident_-_manager_available": {
+                              "runAfter": {
+                                "Send_an_email_-_to_manager_with_password_details": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "body": {
+                                  "incidentArmId": "@triggerBody()?['object']?['id']",
+                                  "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.</p>"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/Incidents/Comment"
+                              }
+                            },
+                            "Parse_JSON_-_HTTP_-_get_manager": {
+                              "type": "ParseJson",
+                              "inputs": {
+                                "content": "@body('HTTP_-_get_manager')",
+                                "schema": {
+                                  "properties": {
+                                    "userPrincipalName": {
+                                      "type": "string"
+                                    }
+                                  },
+                                  "type": "object"
+                                }
+                              }
+                            },
+                            "Send_an_email_-_to_manager_with_password_details": {
+                              "runAfter": {
+                                "Parse_JSON_-_HTTP_-_get_manager": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "body": {
+                                  "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user password has been reset.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>",
+                                  "Subject": "A user password was reset due to security incident.",
+                                  "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['office365']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/v2/Mail"
+                              }
+                            }
+                          },
+                          "runAfter": {
+                            "HTTP_-_get_manager": [
+                              "Succeeded",
+                              "Failed"
+                            ]
+                          },
+                          "else": {
+                            "actions": {
+                              "Add_comment_to_incident_-_manager_not_available": {
+                                "type": "ApiConnection",
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@triggerBody()?['object']?['id']",
+                                    "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} password was reset in AAD but the user doesn't have a manager.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                }
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "equals": [
+                                  "@outputs('HTTP_-_get_manager')['statusCode']",
+                                  200
+                                ]
+                              }
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "HTTP_-_get_manager": {
+                          "runAfter": {
+                            "HTTP_-_reset_a_password": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "Http",
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "method": "GET",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/manager"
+                          }
+                        },
+                        "HTTP_-_reset_a_password": {
+                          "type": "Http",
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "body": {
+                              "passwordProfile": {
+                                "forceChangePasswordNextSignIn": true,
+                                "forceChangePasswordNextSignInWithMfa": false,
+                                "password": "@{variables('Password')}"
+                              }
+                            },
+                            "method": "PATCH",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}"
+                          }
+                        }
+                      },
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    },
+                    "Initialize_variable": {
+                      "type": "InitializeVariable",
+                      "inputs": {
+                        "variables": [
+                          {
+                            "name": "Password",
+                            "type": "String",
+                            "value": "null"
+                          }
+                        ]
+                      }
+                    },
+                    "Set_variable_-_password": {
+                      "runAfter": {
+                        "Initialize_variable": [
+                          "Succeeded"
+                        ]
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                      "type": "SetVariable",
+                      "inputs": {
+                        "name": "Password",
+                        "value": "@{substring(guid(), 0, 10)}"
                       }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                    }
+                  }
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
+                        "connectionName": "[[variables('office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
+              },
+              "name": "[[parameters('PlaybookName')]",
+              "type": "Microsoft.Logic/workflows",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Reset-AADUserPassword",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "apiVersion": "2017-07-01",
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]"
+              ]
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 49",
-                "parentId": "[variables('analyticRuleId49')]",
-                "contentId": "[variables('_analyticRulecontentId49')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion49')]",
+                "parentId": "[variables('playbookId6')]",
+                "contentId": "[variables('_playbookContentId6')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion6')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -10815,380 +10741,453 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Reset Azure AD User Password - Incident Trigger",
+            "description": "This playbook will reset the user password using Graph API.  It will send the password (which is a random guid substring) to the user's manager.  The user will have to reset the password upon login.",
+            "prerequisites": [
+              "None"
+            ],
+            "postDeployment": [
+              "1. Assign Password Administrator permission to managed identity.",
+              "2. Assign Microsoft Sentinel Responder permission to managed identity.",
+              "3. Authorize Office 365 Outlook connection"
+            ],
+            "lastUpdateTime": "2022-07-11T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": " Added manager notification action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId49')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Brute force attack against Azure Portal",
-        "contentProductId": "[variables('_analyticRulecontentProductId49')]",
-        "id": "[variables('_analyticRulecontentProductId49')]",
-        "version": "[variables('analyticRuleVersion49')]"
+        "contentId": "[variables('_playbookContentId6')]",
+        "contentKind": "Playbook",
+        "displayName": "Reset-AADPassword-IncidentTrigger",
+        "contentProductId": "[variables('_playbookcontentProductId6')]",
+        "id": "[variables('_playbookcontentProductId6')]",
+        "version": "[variables('playbookVersion6')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName50')]",
+      "name": "[variables('playbookTemplateSpecName7')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion50')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion7')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Block-AADUser-EntityTrigger",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureADConnectionName": "[[concat('azuread-', parameters('PlaybookName'))]",
+            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId50')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureADConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
-                "displayName": "Password spray attack against Azure AD application",
-                "enabled": false,
-                "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P7D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess"
-                ],
-                "techniques": [
-                  "T1110"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
-                      }
-                    ]
-                  }
-                ]
+                "displayName": "[[variables('AzureADConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
               }
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 50",
-                "parentId": "[variables('analyticRuleId50')]",
-                "contentId": "[variables('_analyticRulecontentId50')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion50')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[variables('Office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
                 }
               }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId50')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Password spray attack against Azure AD application",
-        "contentProductId": "[variables('_analyticRulecontentProductId50')]",
-        "id": "[variables('_analyticRulecontentProductId50')]",
-        "version": "[variables('analyticRuleVersion50')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName51')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion51')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
+            },
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId51')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Block-AADUser-EntityTrigger",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
+              ],
               "properties": {
-                "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.",
-                "displayName": "Successful logon from IP and failure from a different IP",
-                "enabled": false,
-                "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet logonDiff = 10m; let aadFunc = (tableName:string){ table(tableName)\n| where ResultType == \"0\"\n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\") // To remove false-positives, add more Apps to this array\n// ---------- Fix for SuccessBlock to also consider IPv6\n| extend SuccessIPv6Block = strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1], \":\", split(IPAddress, \":\")[2], \":\", split(IPAddress, \":\")[3])\n| extend SuccessIPv4Block = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])\n// ------------------\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \":\", strcat(split(IPAddress, \":\")[0], \":\", split(IPAddress, \":\")[1]), strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1])), Type\n| join kind= inner (\n    table(tableName)\n    | where ResultType !in (\"0\", \"50140\")\n    | where ResultDescription !~ \"Other\"\n    | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n    | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \n) on UserPrincipalName, AppDisplayName\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n| extend UserPrincipalName = tolower(UserPrincipalName)};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\n| join kind=leftouter (\n    IdentityInfo\n    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n    | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n    | summarize\n        Tags = make_set(Tags, 1000),\n        GroupMembership = make_set(GroupMembership, 1000),\n        AssignedRoles = make_set(AssignedRoles, 1000),\n        BlastRadiusInt = sum(BlastRadiusInt),\n        UserType = make_set(UserType, 1000),\n        UserAccountControl = make_set(UserType, 1000)\n    by AccountUPN\n    | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where isnotempty(SourceIPAddress)\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n    | project-rename FailedIPAddress = SourceIPAddress\n    | summarize\n        UsersInsights = make_set(UsersInsights, 1000),\n        DevicesInsights = make_set(DevicesInsights, 1000),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by FailedIPAddress)\non FailedIPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where  UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
                   },
-                  {
-                    "connectorId": "BehaviorAnalytics",
-                    "dataTypes": [
-                      "BehaviorAnalytics"
-                    ]
+                  "triggers": {
+                    "Microsoft_Sentinel_entity": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/entity/@{encodeURIComponent('Account')}"
+                      }
+                    }
                   },
-                  {
-                    "connectorId": "IdentityInfo",
-                    "dataTypes": [
-                      "IdentityInfo"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess",
-                  "InitialAccess"
-                ],
-                "techniques": [
-                  "T1110",
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                  "actions": {
+                    "Condition": {
+                      "actions": {
+                        "Condition_-_if_user_have_manager": {
+                          "actions": {
+                            "Condition_2": {
+                              "actions": {
+                                "Add_comment_to_incident_-_with_manager_-_no_admin": {
+                                  "type": "ApiConnection",
+                                  "inputs": {
+                                    "body": {
+                                      "incidentArmId": "@triggerBody()?['IncidentArmID']",
+                                      "message": "<p>User @{triggerBody()?['Entity']?['properties']?['Name']} &nbsp;(UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager (@{body('Parse_JSON_-_get_user_manager')?['userPrincipalName']}) is notified.</p>"
+                                    },
+                                    "host": {
+                                      "connection": {
+                                        "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                      }
+                                    },
+                                    "method": "post",
+                                    "path": "/Incidents/Comment"
+                                  }
+                                }
+                              },
+                              "runAfter": {
+                                "Get_user_-_details": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "expression": {
+                                "and": [
+                                  {
+                                    "not": {
+                                      "equals": [
+                                        "@triggerBody()?['IncidentArmID']",
+                                        "@null"
+                                      ]
+                                    }
+                                  }
+                                ]
+                              },
+                              "type": "If"
+                            },
+                            "Get_user_-_details": {
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['azuread']['connectionId']"
+                                  }
+                                },
+                                "method": "get",
+                                "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}"
+                              }
+                            },
+                            "Send_an_email_-_to_manager_-_no_admin": {
+                              "runAfter": {
+                                "Condition_2": [
+                                  "Succeeded"
+                                ]
+                              },
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "body": {
+                                  "Body": "<p>Security notification! This is automated email sent by Microsoft Sentinel Automation!<br>\n<br>\nYour direct report @{triggerBody()?['Entity']?['properties']?['Name']} has been disabled in Azure AD due to the security incident. Can you please notify the user and work with him to reach&nbsp;our support.<br>\n<br>\nDirect report details:<br>\nFirst name: @{body('Get_user_-_details')?['displayName']}<br>\nSurname: @{body('Get_user_-_details')?['surname']}<br>\nJob title: @{body('Get_user_-_details')?['jobTitle']}<br>\nOffice location: @{body('Get_user_-_details')?['officeLocation']}<br>\nBusiness phone: @{body('Get_user_-_details')?['businessPhones']}<br>\nMobile phone: @{body('Get_user_-_details')?['mobilePhone']}<br>\nMail: @{body('Get_user_-_details')?['mail']}<br>\n<br>\nThank you!</p>",
+                                  "Importance": "High",
+                                  "Subject": "@{triggerBody()?['Entity']?['properties']?['Name']}  has been disabled in Azure AD due to the security risk!",
+                                  "To": "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['office365']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/v2/Mail"
+                              }
+                            }
+                          },
+                          "runAfter": {
+                            "Parse_JSON_-_get_user_manager": [
+                              "Succeeded"
+                            ]
+                          },
+                          "else": {
+                            "actions": {
+                              "Condition_3": {
+                                "actions": {
+                                  "Add_comment_to_incident_-_no_manager_-_no_admin": {
+                                    "type": "ApiConnection",
+                                    "inputs": {
+                                      "body": {
+                                        "incidentArmId": "@triggerBody()?['IncidentArmID']",
+                                        "message": "<p>User @{triggerBody()?['Entity']?['properties']?['Name']} (UPN - @{variables('AccountDetails')}) was disabled in AAD via playbook Block-AADUser. Manager has not been notified, since it is not found for this user!</p>"
+                                      },
+                                      "host": {
+                                        "connection": {
+                                          "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                        }
+                                      },
+                                      "method": "post",
+                                      "path": "/Incidents/Comment"
+                                    }
+                                  }
+                                },
+                                "expression": {
+                                  "and": [
+                                    {
+                                      "not": {
+                                        "equals": [
+                                          "@triggerBody()?['IncidentArmID']",
+                                          "@null"
+                                        ]
+                                      }
+                                    }
+                                  ]
+                                },
+                                "type": "If"
+                              }
+                            }
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "not": {
+                                  "equals": [
+                                    "@body('Parse_JSON_-_get_user_manager')?['userPrincipalName']",
+                                    "@null"
+                                  ]
+                                }
+                              }
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "HTTP_-_get_user_manager": {
+                          "type": "Http",
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com/",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "method": "GET",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager"
+                          }
+                        },
+                        "Parse_JSON_-_get_user_manager": {
+                          "runAfter": {
+                            "HTTP_-_get_user_manager": [
+                              "Succeeded",
+                              "Failed"
+                            ]
+                          },
+                          "type": "ParseJson",
+                          "inputs": {
+                            "content": "@body('HTTP_-_get_user_manager')",
+                            "schema": {
+                              "properties": {
+                                "userPrincipalName": {
+                                  "type": "string"
+                                }
+                              },
+                              "type": "object"
+                            }
+                          }
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                      "runAfter": {
+                        "Update_user_-_disable_user": [
+                          "Succeeded",
+                          "Failed"
+                        ]
+                      },
+                      "else": {
+                        "actions": {
+                          "Add_comment_to_incident_-_error_details": {
+                            "type": "ApiConnection",
+                            "inputs": {
+                              "body": {
+                                "incidentArmId": "@triggerBody()?['IncidentArmID']",
+                                "message": "<p>Block-AADUser playbook could not disable user @{triggerBody()?['Entity']?['properties']?['Name']}.<br>\nError message: @{body('Update_user_-_disable_user')['error']['message']}<br>\nNote: If user is admin, this playbook don't have privilages to block admin users!</p>"
+                              },
+                              "host": {
+                                "connection": {
+                                  "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                }
+                              },
+                              "method": "post",
+                              "path": "/Incidents/Comment"
+                            }
+                          }
+                        }
+                      },
+                      "expression": {
+                        "and": [
+                          {
+                            "equals": [
+                              "@body('Update_user_-_disable_user')",
+                              "@null"
+                            ]
+                          }
+                        ]
+                      },
+                      "type": "If"
+                    },
+                    "Initialize_variable_Account_Details": {
+                      "type": "InitializeVariable",
+                      "inputs": {
+                        "variables": [
+                          {
+                            "name": "AccountDetails",
+                            "type": "string"
+                          }
+                        ]
                       }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "SuccessIPAddress"
+                    },
+                    "Set_variable": {
+                      "runAfter": {
+                        "Initialize_variable_Account_Details": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "SetVariable",
+                      "inputs": {
+                        "name": "AccountDetails",
+                        "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}"
                       }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "FailedIPAddress"
+                    },
+                    "Update_user_-_disable_user": {
+                      "runAfter": {
+                        "Set_variable": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection",
+                      "inputs": {
+                        "body": {
+                          "accountEnabled": false
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuread']['connectionId']"
+                          }
+                        },
+                        "method": "patch",
+                        "path": "/v1.0/users/@{encodeURIComponent(variables('AccountDetails'))}"
                       }
-                    ]
+                    }
                   }
-                ]
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]",
-              "properties": {
-                "description": "Azure Active Directory Analytics Rule 51",
-                "parentId": "[variables('analyticRuleId51')]",
-                "contentId": "[variables('_analyticRulecontentId51')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion51')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
                 },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId51')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Successful logon from IP and failure from a different IP",
-        "contentProductId": "[variables('_analyticRulecontentProductId51')]",
-        "id": "[variables('_analyticRulecontentProductId51')]",
-        "version": "[variables('analyticRuleVersion51')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName52')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion52')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
-            {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId52')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
-              "properties": {
-                "description": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf",
-                "displayName": "Suspicious AAD Joined Device Update",
-                "enabled": false,
-                "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n    where TargetResource.type =~ \"Device\"\n    | extend ModifiedProperties = TargetResource.modifiedProperties\n    | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"CloudDisplayName\"\n    | extend OldName = Prop.oldValue \n    | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"IsCompliant\"\n    | extend OldComplianceState = Prop.oldValue  \n    | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n    | extend OldTrustType = Prop.oldValue  \n    | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"Included Updated Properties\" \n    | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P1D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess"
-                ],
-                "techniques": [
-                  "T1528"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Host",
-                    "fieldMappings": [
-                      {
-                        "identifier": "HostName",
-                        "columnName": "NewDeviceName"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Host",
-                    "fieldMappings": [
-                      {
-                        "identifier": "HostName",
-                        "columnName": "OldDeviceName"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Host",
-                    "fieldMappings": [
-                      {
-                        "identifier": "AzureID",
-                        "columnName": "DeviceId"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "AadUserId",
-                        "columnName": "InitiatedByUser"
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuread": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
+                        "connectionName": "[[variables('AzureADConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuread')]"
+                      },
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       }
-                    ]
+                    }
                   }
-                ],
-                "alertDetailsOverride": {
-                  "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed",
-                  "alertDescriptionFormat": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new  device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n"
                 }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 52",
-                "parentId": "[variables('analyticRuleId52')]",
-                "contentId": "[variables('_analyticRulecontentId52')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion52')]",
+                "parentId": "[variables('playbookId7')]",
+                "contentId": "[variables('_playbookContentId7')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion7')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -11206,241 +11205,396 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Block AAD user - Entity trigger",
+            "description": "This playbook disables the selected user (account entity) in Azure Active Directoy. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!",
+            "postDeployment": [
+              "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.",
+              "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.",
+              "3. Authorize Azure AD and Office 365 Outlook Logic App connections."
+            ],
+            "lastUpdateTime": "2022-12-08T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": [
+              {
+                "version": "1.0.0",
+                "title": "Added manager notification action",
+                "notes": [
+                  "Initial version"
+                ]
+              }
+            ]
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId52')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Suspicious AAD Joined Device Update",
-        "contentProductId": "[variables('_analyticRulecontentProductId52')]",
-        "id": "[variables('_analyticRulecontentProductId52')]",
-        "version": "[variables('analyticRuleVersion52')]"
+        "contentId": "[variables('_playbookContentId7')]",
+        "contentKind": "Playbook",
+        "displayName": "Block-AADUser-EntityTrigger",
+        "contentProductId": "[variables('_playbookcontentProductId7')]",
+        "id": "[variables('_playbookcontentProductId7')]",
+        "version": "[variables('playbookVersion7')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName53')]",
+      "name": "[variables('playbookTemplateSpecName8')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion53')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion8')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Reset-AADUserPassword-EntityTrigger",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "MicrosoftSentinelConnectionName": "[[concat('microsoftsentinel-', parameters('PlaybookName'))]",
+            "office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId53')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
-                "displayName": "Suspicious application consent for offline access",
-                "enabled": false,
-                "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| mv-apply TargetResource=TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend ModifiedProperties = TargetResource.modifiedProperties,\n               AppDisplayName = tostring(TargetResource.displayName),\n               AppClientId = tolower(tostring(TargetResource.id))\n  )\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| mv-apply Properties=ModifiedProperties on \n  (\n      where Properties.displayName =~ \"ConsentAction.Permissions\"\n      | extend ConsentFull = tostring(Properties.newValue)\n      | extend ConsentFull = trim(@'\"',tostring(ConsentFull))\n  )\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull has \"offline_access\" and ConsentFull has_any (\"Files.Read\", \"Mail.Read\", \"Notes.Read\", \"ChannelMessage.Read\", \"Chat.Read\", \"TeamsActivity.Read\", \"Group.Read\", \"EWS.AccessAsUser.All\", \"EAS.AccessAsUser.All\")\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| mv-apply TargetResource=TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\"\n      | extend ModifiedProperties = TargetResource.modifiedProperties,\n               AppClientId = tolower(TargetResource.id)\n  )\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \n   (\n      where ModifiedProperties.displayName =~ \"AppAddress\" and ModifiedProperties.newValue has \"AddressType\"\n      | extend AppReplyURLs = ModifiedProperties.newValue\n   )\n | distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n | mv-apply TargetResource=TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend GrantAuthentication = tostring(TargetResource.displayName)\n  )\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedBy,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedBy,'@',1)[0])\n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P14D",
-                "severity": "Low",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess"
-                ],
-                "techniques": [
-                  "T1528"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
+                "provisioningState": "Succeeded",
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
+                  },
+                  "triggers": {
+                    "Microsoft_Sentinel_entity": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/entity/@{encodeURIComponent('Account')}"
+                      }
+                    }
+                  },
+                  "actions": {
+                    "Condition_-_is_manager_available": {
+                      "actions": {
+                        "Condition_2": {
+                          "actions": {
+                            "Add_comment_to_incident_-_manager_available": {
+                              "type": "ApiConnection",
+                              "inputs": {
+                                "body": {
+                                  "incidentArmId": "@triggerBody()?['IncidentArmID']",
+                                  "message": "<p>User @{variables('AccountDetails')} password was reset in AAD and their manager @{body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']} was contacted using playbook.</p>"
+                                },
+                                "host": {
+                                  "connection": {
+                                    "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                  }
+                                },
+                                "method": "post",
+                                "path": "/Incidents/Comment"
+                              }
+                            }
+                          },
+                          "runAfter": {
+                            "Send_an_email_-_to_manager_with_password_details": [
+                              "Succeeded"
+                            ]
+                          },
+                          "expression": {
+                            "and": [
+                              {
+                                "not": {
+                                  "equals": [
+                                    "@triggerBody()?['IncidentArmID']",
+                                    "@null"
+                                  ]
+                                }
+                              }
+                            ]
+                          },
+                          "type": "If"
+                        },
+                        "Parse_JSON_-_HTTP_-_get_manager": {
+                          "type": "ParseJson",
+                          "inputs": {
+                            "content": "@body('HTTP_-_get_manager')",
+                            "schema": {
+                              "properties": {
+                                "userPrincipalName": {
+                                  "type": "string"
+                                }
+                              },
+                              "type": "object"
+                            }
+                          }
+                        },
+                        "Send_an_email_-_to_manager_with_password_details": {
+                          "runAfter": {
+                            "Parse_JSON_-_HTTP_-_get_manager": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection",
+                          "inputs": {
+                            "body": {
+                              "Body": "<p>User, @{variables('AccountDetails')}, was involved in part of a security incident. &nbsp;As part of remediation, the user password has been reset.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>",
+                              "Subject": "A user password was reset due to security incident.",
+                              "To": "@body('Parse_JSON_-_HTTP_-_get_manager')?['userPrincipalName']"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365']['connectionId']"
+                              }
+                            },
+                            "method": "post",
+                            "path": "/v2/Mail"
+                          }
+                        }
+                      },
+                      "runAfter": {
+                        "HTTP_-_get_manager": [
+                          "Succeeded",
+                          "Failed"
+                        ]
+                      },
+                      "else": {
+                        "actions": {
+                          "Condition": {
+                            "actions": {
+                              "Add_comment_to_incident_-_manager_not_available": {
+                                "type": "ApiConnection",
+                                "inputs": {
+                                  "body": {
+                                    "incidentArmId": "@triggerBody()?['IncidentArmID']",
+                                    "message": "<p>User @{variables('AccountDetails')} password was reset in AAD but the user doesn't have a manager.<br>\n<br>\nThe temporary password is: @{variables('Password')}<br>\n<br>\nThe user will be required to reset this password upon login.</p>"
+                                  },
+                                  "host": {
+                                    "connection": {
+                                      "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                                    }
+                                  },
+                                  "method": "post",
+                                  "path": "/Incidents/Comment"
+                                }
+                              }
+                            },
+                            "expression": {
+                              "and": [
+                                {
+                                  "not": {
+                                    "equals": [
+                                      "@triggerBody()?['IncidentArmID']",
+                                      "@null"
+                                    ]
+                                  }
+                                }
+                              ]
+                            },
+                            "type": "If"
+                          }
+                        }
+                      },
+                      "expression": {
+                        "and": [
+                          {
+                            "equals": [
+                              "@outputs('HTTP_-_get_manager')['statusCode']",
+                              200
+                            ]
+                          }
+                        ]
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
+                      "type": "If"
+                    },
+                    "HTTP_-_get_manager": {
+                      "runAfter": {
+                        "HTTP_-_reset_a_password": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Http",
+                      "inputs": {
+                        "authentication": {
+                          "audience": "https://graph.microsoft.com",
+                          "type": "ManagedServiceIdentity"
+                        },
+                        "method": "GET",
+                        "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}/manager"
                       }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "GrantIpAddress"
+                    },
+                    "HTTP_-_reset_a_password": {
+                      "runAfter": {
+                        "Initialize_variable_Account": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Http",
+                      "inputs": {
+                        "authentication": {
+                          "audience": "https://graph.microsoft.com",
+                          "type": "ManagedServiceIdentity"
+                        },
+                        "body": {
+                          "passwordProfile": {
+                            "forceChangePasswordNextSignIn": true,
+                            "forceChangePasswordNextSignInWithMfa": false,
+                            "password": "@{variables('Password')}"
+                          }
+                        },
+                        "method": "PATCH",
+                        "uri": "https://graph.microsoft.com/v1.0/users/@{variables('AccountDetails')}"
+                      }
+                    },
+                    "Initialize_variable": {
+                      "type": "InitializeVariable",
+                      "inputs": {
+                        "variables": [
+                          {
+                            "name": "Password",
+                            "type": "String",
+                            "value": "null"
+                          }
+                        ]
+                      }
+                    },
+                    "Initialize_variable_Account": {
+                      "runAfter": {
+                        "Set_variable_-_password": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "InitializeVariable",
+                      "inputs": {
+                        "variables": [
+                          {
+                            "name": "AccountDetails",
+                            "type": "string",
+                            "value": "@{concat(triggerBody()?['Entity']?['properties']?['Name'],'@',triggerBody()?['Entity']?['properties']?['UPNSuffix'])}"
+                          }
+                        ]
                       }
-                    ]
+                    },
+                    "Set_variable_-_password": {
+                      "runAfter": {
+                        "Initialize_variable": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "SetVariable",
+                      "inputs": {
+                        "name": "Password",
+                        "value": "@{substring(guid(), 0, 10)}"
+                      }
+                    }
                   }
-                ]
-              }
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
+                      },
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
+                        "connectionName": "[[variables('office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+                      }
+                    }
+                  }
+                }
+              },
+              "name": "[[parameters('PlaybookName')]",
+              "type": "Microsoft.Logic/workflows",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Reset-AADUserPassword-EntityTrigger",
+                "hidden-SentinelTemplateVersion": "1.1",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "apiVersion": "2017-07-01",
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]"
+              ]
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 53",
-                "parentId": "[variables('analyticRuleId53')]",
-                "contentId": "[variables('_analyticRulecontentId53')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion53')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
                 }
               }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId53')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Suspicious application consent for offline access",
-        "contentProductId": "[variables('_analyticRulecontentProductId53')]",
-        "id": "[variables('_analyticRulecontentProductId53')]",
-        "version": "[variables('analyticRuleVersion53')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName54')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion54')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
-            {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId54')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
-              "properties": {
-                "description": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)",
-                "displayName": "Suspicious Service Principal creation activity",
-                "enabled": false,
-                "query": "let queryfrequency = 1h;\nlet wait_for_deletion = 10m;\nlet account_created =\n  AuditLogs \n  | where ActivityDisplayName == \"Add service principal\"\n  | where Result == \"success\"\n  | extend AppID = tostring(AdditionalDetails[1].value)\n  | extend creationTime = ActivityDateTime\n  | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\n  AADServicePrincipalSignInLogs\n  | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n  | extend AppID = AppId\n  | summarize make_list(Activities) by AppID;\nlet account_deleted =\n  AuditLogs \n  | where OperationName == \"Remove service principal\"\n  | where Result == \"success\"\n  | extend AppID = tostring(AdditionalDetails[1].value)\n  | extend deletionTime = ActivityDateTime\n  | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\n  AuditLogs\n  | where OperationName has_all (\"Update application\", \"Certificates and secrets management\")\n  | where Result == \"success\"\n  | extend AppID = tostring(AdditionalDetails[1].value)\n  | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\n  AuditLogs\n  | where ActivityDisplayName == \"Add app role assignment to service principal\"\n  | extend AppID = tostring(TargetResources[1].displayName)\n  | extend AssignedRole =  iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n  | extend AssignedRoles = pack(\"Role\", AssignedRole)\n  | summarize make_list(AssignedRoles) by AppID;\naccount_created\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\n| join kind= inner (account_activity) on AppID\n| join kind= inner (account_deleted) on AppID\n| join kind= inner (account_credentials) on AppID\n| join kind= inner (roles_assigned) on AppID\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\n| extend AliveTime = deletionTime - creationTime\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT70M",
-                "severity": "Low",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs",
-                      "AADServicePrincipalSignInLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "CredentialAccess",
-                  "PrivilegeEscalation",
-                  "InitialAccess"
-                ],
-                "techniques": [
-                  "T1078",
-                  "T1528"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "FullName",
-                        "columnName": "userPrincipalName_creator"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "FullName",
-                        "columnName": "userPrincipalName_deleter"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "ipAddress_creator"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "ipAddress_deleter"
-                      }
-                    ]
-                  }
-                ]
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('office365ConnectionName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 54",
-                "parentId": "[variables('analyticRuleId54')]",
-                "contentId": "[variables('_analyticRulecontentId54')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion54')]",
+                "parentId": "[variables('playbookId8')]",
+                "contentId": "[variables('_playbookContentId8')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion8')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -11458,129 +11612,317 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Reset Azure AD User Password - Entity trigger",
+            "description": "This playbook will reset the user password using Graph API.  It will send the password (which is a random guid substring) to the user's manager.  The user will have to reset the password upon login.",
+            "postDeployment": [
+              "1. Assign Password Administrator permission to managed identity.",
+              "2. Assign Microsoft Sentinel Responder permission to managed identity.",
+              "3. Authorize Office 365 Outlook connection"
+            ],
+            "lastUpdateTime": "2022-12-06T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": {
+              "version": "1.1",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId54')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "Suspicious Service Principal creation activity",
-        "contentProductId": "[variables('_analyticRulecontentProductId54')]",
-        "id": "[variables('_analyticRulecontentProductId54')]",
-        "version": "[variables('analyticRuleVersion54')]"
+        "contentId": "[variables('_playbookContentId8')]",
+        "contentKind": "Playbook",
+        "displayName": "Reset-AADUserPassword-EntityTrigger",
+        "contentProductId": "[variables('_playbookcontentProductId8')]",
+        "id": "[variables('_playbookcontentProductId8')]",
+        "version": "[variables('playbookVersion8')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName55')]",
+      "name": "[variables('playbookTemplateSpecName9')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion55')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion9')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Revoke-AADSignInSessions-alert",
+              "type": "string"
+            },
+            "UserName": {
+              "defaultValue": "<username>@<domain>",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId55')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/",
-                "displayName": "External guest invitation followed by Azure AD PowerShell signin",
-                "enabled": false,
-                "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n  )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n    parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n    InvitationTime = TimeGenerated\n| join (\n    (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n    | where TimeGenerated > ago(queryfrequency)\n    | where UserType != \"Member\"\n    | where AppId has_any                       // This web may contain a list of these apps: https://msshells.net/\n        (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n         \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n         \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n         \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n         \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n         \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n         \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n         \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n         \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n         \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n         \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n         \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n        )\n    | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n    | extend\n        parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n        SigninTime = TimeGenerated\n    )\n    on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n         InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "P1D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
+                "displayName": "[[parameters('PlaybookName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('UserName')]",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365UsersConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('UserName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Revoke-AADSigninSessions_alert",
+                "hidden-SentinelTemplateVersion": "1.0",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]"
+              ],
+              "properties": {
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "actions": {
+                    "Alert_-_Get_incident": {
+                      "inputs": {
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "get",
+                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+                      },
+                      "type": "ApiConnection"
+                    },
+                    "Entities_-_Get_Accounts": {
+                      "inputs": {
+                        "body": "@triggerBody()?['Entities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      },
+                      "runAfter": {
+                        "Alert_-_Get_incident": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection"
+                    },
+                    "For_each": {
+                      "actions": {
+                        "Add_comment_to_incident_(V3)": {
+                          "inputs": {
+                            "body": {
+                              "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                              "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.</p>"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                              }
+                            },
+                            "method": "post",
+                            "path": "/Incidents/Comment"
+                          },
+                          "runAfter": {
+                            "Send_an_email_(V2)": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection"
+                        },
+                        "Get_manager_(V2)": {
+                          "inputs": {
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365users']['connectionId']"
+                              }
+                            },
+                            "method": "get",
+                            "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager"
+                          },
+                          "runAfter": {
+                            "HTTP": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection"
+                        },
+                        "HTTP": {
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "method": "POST",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions"
+                          },
+                          "type": "Http"
+                        },
+                        "Send_an_email_(V2)": {
+                          "inputs": {
+                            "body": {
+                              "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user signin sessions have been revoked. &nbsp;The user will need to reauthenticate in all applications.</p>",
+                              "Subject": "User signin sessions were reset due to security incident.",
+                              "To": "@body('Get_manager_(V2)')?['mail']"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365']['connectionId']"
+                              }
+                            },
+                            "method": "post",
+                            "path": "/v2/Mail"
+                          },
+                          "runAfter": {
+                            "Get_manager_(V2)": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection"
+                        }
+                      },
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    }
                   },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
+                  },
+                  "triggers": {
+                    "Microsoft_Sentinel_alert": {
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/subscribe"
+                      },
+                      "type": "ApiConnectionWebhook"
+                    }
                   }
-                ],
-                "tactics": [
-                  "InitialAccess",
-                  "Persistence",
-                  "Discovery"
-                ],
-                "techniques": [
-                  "T1078",
-                  "T1136",
-                  "T1087"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "InvitedUserName"
+                },
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuresentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InvitedUserUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "InitiatedByName"
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InitiatedByUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
+                      "office365users": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]",
+                        "connectionName": "[[variables('Office365UsersConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 55",
-                "parentId": "[variables('analyticRuleId55')]",
-                "contentId": "[variables('_analyticRulecontentId55')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion55')]",
+                "parentId": "[variables('playbookId9')]",
+                "contentId": "[variables('_playbookContentId9')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion9')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -11598,368 +11940,317 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Revoke-AADSignInSessions alert trigger",
+            "description": "This playbook will revoke all signin sessions for the user using Graph API.  It will send an email to the user's manager.",
+            "prerequisites": [
+              "1. You must create an app registration for graph api with appropriate permissions.",
+              "2.  You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD."
+            ],
+            "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API.  It will send and email to the user's manager.",
+            "lastUpdateTime": "2021-07-14T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": {
+              "version": "1.0",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId55')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "External guest invitation followed by Azure AD PowerShell signin",
-        "contentProductId": "[variables('_analyticRulecontentProductId55')]",
-        "id": "[variables('_analyticRulecontentProductId55')]",
-        "version": "[variables('analyticRuleVersion55')]"
+        "contentId": "[variables('_playbookContentId9')]",
+        "contentKind": "Playbook",
+        "displayName": "Revoke-AADSignInSessions-alert",
+        "contentProductId": "[variables('_playbookcontentProductId9')]",
+        "id": "[variables('_playbookcontentProductId9')]",
+        "version": "[variables('playbookVersion9')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName56')]",
+      "name": "[variables('playbookTemplateSpecName10')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion56')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion10')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Revoke-AADSignInSessions-incident",
+              "type": "string"
+            },
+            "UserName": {
+              "defaultValue": "<username>@<domain>",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+            "Office365ConnectionName": "[[concat('office365-', parameters('PlaybookName'))]",
+            "Office365UsersConnectionName": "[[concat('office365users-', parameters('PlaybookName'))]",
+            "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+            "_connection-1": "[[variables('connection-1')]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]",
+            "_connection-3": "[[variables('connection-3')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId56')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('AzureSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
               "properties": {
-                "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.",
-                "displayName": "User Accounts - Sign in Failure due to CA Spikes",
-                "enabled": false,
-                "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n  // Failed Signins attempts with reasoning related to conditional access policies.\n  table(tableName)\n  | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n  | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n  | extend UserPrincipalName = tolower(UserPrincipalName)\n  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n  allSignins\n  | where TimeGenerated > startofday(ago(timeframe))\n  // create a new column and round to hour\n  | extend DateHour = bin(TimeGenerated, 1h)\n  | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n    IdentityInfo\n    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n    | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n    | summarize\n        Tags = make_set(Tags, 1000),\n        GroupMembership = make_set(GroupMembership, 1000),\n        AssignedRoles = make_set(AssignedRoles, 1000),\n        BlastRadiusInt = sum(BlastRadiusInt),\n        UserType = make_set(UserType, 1000),\n        UserAccountControl = make_set(UserType, 1000)\n    by AccountUPN\n    | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n    BehaviorAnalytics\n    | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n    | where isnotempty(SourceIPAddress)\n    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n    | project-rename IPAddress = SourceIPAddress\n    | summarize\n        UsersInsights = make_set(UsersInsights, 1000),\n        DevicesInsights = make_set(DevicesInsights, 1000),\n        IPInvestigationPriority = sum(InvestigationPriority)\n    by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n",
-                "queryFrequency": "P1D",
-                "queryPeriod": "P14D",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "SigninLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AADNonInteractiveUserSignInLogs"
-                    ]
-                  },
-                  {
-                    "connectorId": "BehaviorAnalytics",
-                    "dataTypes": [
-                      "BehaviorAnalytics"
-                    ]
-                  },
-                  {
-                    "connectorId": "IdentityInfo",
-                    "dataTypes": [
-                      "IdentityInfo"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "InitialAccess"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "Name"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "IPAddress"
-                      }
-                    ]
-                  }
-                ]
+                "displayName": "[[parameters('PlaybookName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-1')]"
+                }
+              }
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365ConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "properties": {
+                "displayName": "[[parameters('UserName')]",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
+                }
               }
             },
             {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]",
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('Office365UsersConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 56",
-                "parentId": "[variables('analyticRuleId56')]",
-                "contentId": "[variables('_analyticRulecontentId56')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion56')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
-                },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
+                "displayName": "[[parameters('UserName')]",
+                "api": {
+                  "id": "[[variables('_connection-3')]"
                 }
               }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId56')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "User Accounts - Sign in Failure due to CA Spikes",
-        "contentProductId": "[variables('_analyticRulecontentProductId56')]",
-        "id": "[variables('_analyticRulecontentProductId56')]",
-        "version": "[variables('analyticRuleVersion56')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName57')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion57')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
+            },
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId57')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
+              "type": "Microsoft.Logic/workflows",
+              "apiVersion": "2017-07-01",
+              "name": "[[parameters('PlaybookName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "LogicAppsCategory": "security",
+                "hidden-SentinelTemplateName": "Revoke-AADSigninSessions",
+                "hidden-SentinelTemplateVersion": "1.0",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]"
+              ],
               "properties": {
-                "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
-                "displayName": "User added to Azure Active Directory Privileged Groups",
-                "enabled": false,
-                "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n               modProps = TargetResource.modifiedProperties\n  )\n| mv-apply Property = modProps on \n  (\n      where Property.displayName =~ \"Role.WellKnownObjectName\"\n      | extend DisplayName = trim('\"',tostring(Property.displayName)),\n               GroupName = trim('\"',tostring(Property.newValue))\n  )\n| extend AppId = InitiatedBy.app.appId,\n      InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n      ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n      ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n      UserId = InitiatedBy.user.id,\n      UserIPAddress = InitiatedBy.user.ipAddress,\n      UserRoles = InitiatedBy.user.roles,\n      UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n                                    isnotempty(UserPrincipalName), UserPrincipalName,  \n                                    \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "Persistence",
-                  "PrivilegeEscalation"
-                ],
-                "techniques": [
-                  "T1098",
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "AccountName"
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "actions": {
+                    "Alert_-_Get_incident": {
+                      "inputs": {
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "get",
+                        "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "AccountUPNSuffix"
-                      }
-                    ]
+                      "type": "ApiConnection"
+                    },
+                    "Entities_-_Get_Accounts": {
+                      "inputs": {
+                        "body": "@triggerBody()?['Entities']",
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "method": "post",
+                        "path": "/entities/account"
+                      },
+                      "runAfter": {
+                        "Alert_-_Get_incident": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "ApiConnection"
+                    },
+                    "For_each": {
+                      "actions": {
+                        "Add_comment_to_incident_(V3)": {
+                          "inputs": {
+                            "body": {
+                              "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                              "message": "<p>User @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])} singin sessions were revoked in AAD and their manager @{body('Get_manager_(V2)')?['displayName']} was contacted using playbook.</p>"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                              }
+                            },
+                            "method": "post",
+                            "path": "/Incidents/Comment"
+                          },
+                          "runAfter": {
+                            "Send_an_email_(V2)": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection"
+                        },
+                        "Get_manager_(V2)": {
+                          "inputs": {
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365users']['connectionId']"
+                              }
+                            },
+                            "method": "get",
+                            "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}/manager"
+                          },
+                          "runAfter": {
+                            "HTTP": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection"
+                        },
+                        "HTTP": {
+                          "inputs": {
+                            "authentication": {
+                              "audience": "https://graph.microsoft.com",
+                              "type": "ManagedServiceIdentity"
+                            },
+                            "method": "POST",
+                            "uri": "https://graph.microsoft.com/v1.0/users/@{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}/revokeSignInSessions"
+                          },
+                          "type": "Http"
+                        },
+                        "Send_an_email_(V2)": {
+                          "inputs": {
+                            "body": {
+                              "Body": "<p>User, @{concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix'])}, was involved in part of a security incident. &nbsp;As part of remediation, the user signin sessions have been revoked. &nbsp;The user will need to reauthenticate in all applications.</p>",
+                              "Subject": "User signin sessions were reset due to security incident.",
+                              "To": "@body('Get_manager_(V2)')?['mail']"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['office365']['connectionId']"
+                              }
+                            },
+                            "method": "post",
+                            "path": "/v2/Mail"
+                          },
+                          "runAfter": {
+                            "Get_manager_(V2)": [
+                              "Succeeded"
+                            ]
+                          },
+                          "type": "ApiConnection"
+                        }
+                      },
+                      "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+                      "runAfter": {
+                        "Entities_-_Get_Accounts": [
+                          "Succeeded"
+                        ]
+                      },
+                      "type": "Foreach"
+                    }
                   },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "TargetName"
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
+                  },
+                  "triggers": {
+                    "Microsoft_Sentinel_alert": {
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/subscribe"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "TargetUPNSuffix"
-                      }
-                    ]
+                      "type": "ApiConnectionWebhook"
+                    }
                   }
-                ]
-              }
-            },
-            {
-              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]",
-              "properties": {
-                "description": "Azure Active Directory Analytics Rule 57",
-                "parentId": "[variables('analyticRuleId57')]",
-                "contentId": "[variables('_analyticRulecontentId57')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion57')]",
-                "source": {
-                  "kind": "Solution",
-                  "name": "Azure Active Directory",
-                  "sourceId": "[variables('_solutionId')]"
-                },
-                "author": {
-                  "name": "Microsoft",
-                  "email": "[variables('_email')]"
                 },
-                "support": {
-                  "tier": "Microsoft",
-                  "name": "Microsoft Corporation",
-                  "email": "support@microsoft.com",
-                  "link": "https://support.microsoft.com/"
-                }
-              }
-            }
-          ]
-        },
-        "packageKind": "Solution",
-        "packageVersion": "[variables('_solutionVersion')]",
-        "packageName": "[variables('_solutionName')]",
-        "packageId": "[variables('_solutionId')]",
-        "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId57')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "User added to Azure Active Directory Privileged Groups",
-        "contentProductId": "[variables('_analyticRulecontentProductId57')]",
-        "id": "[variables('_analyticRulecontentProductId57')]",
-        "version": "[variables('analyticRuleVersion57')]"
-      }
-    },
-    {
-      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName58')]",
-      "location": "[parameters('workspace-location')]",
-      "dependsOn": [
-        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
-      ],
-      "properties": {
-        "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.3",
-        "mainTemplate": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion58')]",
-          "parameters": {},
-          "variables": {},
-          "resources": [
-            {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId58')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
-              "properties": {
-                "description": "Identifies when a new privileged role is assigned to a user.  Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
-                "displayName": "User Assigned Privileged Role",
-                "enabled": false,
-                "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n      | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n               props = TargetResource.modifiedProperties\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"Role.DisplayName\"\n      | extend RoleName = trim('\"',tostring(Property.newValue))\n  )\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// Uncomment below to not alert for PIM activations\n//| where Initiator != \"MS-PIM\"\n| summarize by bin(TimeGenerated, 1h), OperationName,  RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0])\n",
-                "queryFrequency": "PT2H",
-                "queryPeriod": "PT2H",
-                "severity": "High",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "Persistence"
-                ],
-                "techniques": [
-                  "T1078"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "TargetName"
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "azuresentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                        "connectionName": "[[variables('AzureSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "TargetUPNSuffix"
-                      }
-                    ]
-                  },
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "InitiatorName"
+                      "office365": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+                        "connectionName": "[[variables('Office365ConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
                       },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "InitiatorUPNSuffix"
+                      "office365users": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365UsersConnectionName'))]",
+                        "connectionName": "[[variables('Office365UsersConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365users')]"
                       }
-                    ]
+                    }
                   }
-                ]
+                }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 58",
-                "parentId": "[variables('analyticRuleId58')]",
-                "contentId": "[variables('_analyticRulecontentId58')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion58')]",
+                "parentId": "[variables('playbookId10')]",
+                "contentId": "[variables('_playbookContentId10')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion10')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -11977,126 +12268,204 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Revoke AAD SignIn Sessions - incident trigger",
+            "description": "This playbook will revoke all signin sessions for the user using Graph API.  It will send an email to the user's manager.",
+            "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.",
+            "lastUpdateTime": "2021-07-14T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "tags": [
+              "Remediation"
+            ],
+            "releaseNotes": {
+              "version": "1.0",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId58')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "User Assigned Privileged Role",
-        "contentProductId": "[variables('_analyticRulecontentProductId58')]",
-        "id": "[variables('_analyticRulecontentProductId58')]",
-        "version": "[variables('analyticRuleVersion58')]"
+        "contentId": "[variables('_playbookContentId10')]",
+        "contentKind": "Playbook",
+        "displayName": "Revoke-AADSignInSessions-incident",
+        "contentProductId": "[variables('_playbookcontentProductId10')]",
+        "id": "[variables('_playbookcontentProductId10')]",
+        "version": "[variables('playbookVersion10')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
       "apiVersion": "2023-04-01-preview",
-      "name": "[variables('analyticRuleTemplateSpecName59')]",
+      "name": "[variables('playbookTemplateSpecName11')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.3",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "contentVersion": "[variables('analyticRuleVersion59')]",
-          "parameters": {},
-          "variables": {},
+          "contentVersion": "[variables('playbookVersion11')]",
+          "parameters": {
+            "PlaybookName": {
+              "defaultValue": "Revoke-AADSignIn-Session-entityTrigger",
+              "type": "string"
+            }
+          },
+          "variables": {
+            "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+            "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+            "_connection-2": "[[variables('connection-2')]",
+            "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+            "workspace-name": "[parameters('workspace')]",
+            "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+          },
           "resources": [
             {
-              "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
-              "name": "[variables('analyticRulecontentId59')]",
-              "apiVersion": "2022-04-01-preview",
-              "kind": "Scheduled",
-              "location": "[parameters('workspace-location')]",
               "properties": {
-                "description": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.",
-                "displayName": "New onmicrosoft domain added to tenant",
-                "enabled": false,
-                "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n",
-                "queryFrequency": "PT1H",
-                "queryPeriod": "PT1H",
-                "severity": "Medium",
-                "suppressionDuration": "PT1H",
-                "suppressionEnabled": false,
-                "triggerOperator": "GreaterThan",
-                "triggerThreshold": 0,
-                "status": "Available",
-                "requiredDataConnectors": [
-                  {
-                    "connectorId": "AzureActiveDirectory",
-                    "dataTypes": [
-                      "AuditLogs"
-                    ]
-                  }
-                ],
-                "tactics": [
-                  "ResourceDevelopment"
-                ],
-                "techniques": [
-                  "T1585"
-                ],
-                "entityMappings": [
-                  {
-                    "entityType": "Account",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Name",
-                        "columnName": "UserName"
-                      },
-                      {
-                        "identifier": "UPNSuffix",
-                        "columnName": "UPNSuffix"
-                      },
-                      {
-                        "identifier": "AadUserId",
-                        "columnName": "InitiatingSPID"
-                      }
-                    ]
+                "provisioningState": "Succeeded",
+                "state": "Enabled",
+                "definition": {
+                  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                  "contentVersion": "1.0.0.0",
+                  "parameters": {
+                    "$connections": {
+                      "type": "Object"
+                    }
                   },
-                  {
-                    "entityType": "IP",
-                    "fieldMappings": [
-                      {
-                        "identifier": "Address",
-                        "columnName": "InitiatingIp"
+                  "triggers": {
+                    "Microsoft_Sentinel_entity": {
+                      "type": "ApiConnectionWebhook",
+                      "inputs": {
+                        "body": {
+                          "callback_url": "@{listCallbackUrl()}"
+                        },
+                        "host": {
+                          "connection": {
+                            "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                          }
+                        },
+                        "path": "/entity/@{encodeURIComponent('Account')}"
                       }
-                    ]
+                    }
                   },
-                  {
-                    "entityType": "DNS",
-                    "fieldMappings": [
-                      {
-                        "identifier": "DomainName",
-                        "columnName": "DomainAdded"
+                  "actions": {
+                    "Condition": {
+                      "actions": {
+                        "Add_comment_to_incident_(V3)_-_session_revoked": {
+                          "type": "ApiConnection",
+                          "inputs": {
+                            "body": {
+                              "incidentArmId": "@triggerBody()?['IncidentArmID']",
+                              "message": "<p>Sign-in session revoked for the user - @{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}</p>"
+                            },
+                            "host": {
+                              "connection": {
+                                "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+                              }
+                            },
+                            "method": "post",
+                            "path": "/Incidents/Comment"
+                          }
+                        }
+                      },
+                      "runAfter": {
+                        "HTTP_-_revoke_sign-in_session": [
+                          "Succeeded"
+                        ]
+                      },
+                      "expression": {
+                        "and": [
+                          {
+                            "not": {
+                              "equals": [
+                                "@triggerBody()?['IncidentArmID']",
+                                "@null"
+                              ]
+                            }
+                          }
+                        ]
+                      },
+                      "type": "If"
+                    },
+                    "HTTP_-_revoke_sign-in_session": {
+                      "type": "Http",
+                      "inputs": {
+                        "authentication": {
+                          "audience": "https://graph.microsoft.com",
+                          "type": "ManagedServiceIdentity"
+                        },
+                        "method": "POST",
+                        "uri": "https://graph.microsoft.com/v1.0/users/@{concat(triggerBody()?['Entity']?['properties']?['Name'], '@', triggerBody()?['Entity']?['properties']?['upnSuffix'])}/revokeSignInSessions"
                       }
-                    ]
+                    }
                   }
-                ],
-                "eventGroupingSettings": {
-                  "aggregationKind": "SingleAlert"
                 },
-                "alertDetailsOverride": {
-                  "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}",
-                  "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose."
+                "parameters": {
+                  "$connections": {
+                    "value": {
+                      "microsoftsentinel": {
+                        "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                        "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+                        "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+                        "connectionProperties": {
+                          "authentication": {
+                            "type": "ManagedServiceIdentity"
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              },
+              "name": "[[parameters('PlaybookName')]",
+              "type": "Microsoft.Logic/workflows",
+              "location": "[[variables('workspace-location-inline')]",
+              "tags": {
+                "hidden-SentinelTemplateName": "Revoke-AADSignIn-Session-entityTrigger",
+                "hidden-SentinelTemplateVersion": "1.0",
+                "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+              },
+              "identity": {
+                "type": "SystemAssigned"
+              },
+              "apiVersion": "2017-07-01",
+              "dependsOn": [
+                "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+              ]
+            },
+            {
+              "type": "Microsoft.Web/connections",
+              "apiVersion": "2016-06-01",
+              "name": "[[variables('MicrosoftSentinelConnectionName')]",
+              "location": "[[variables('workspace-location-inline')]",
+              "kind": "V1",
+              "properties": {
+                "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+                "parameterValueType": "Alternative",
+                "api": {
+                  "id": "[[variables('_connection-2')]"
                 }
               }
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
               "apiVersion": "2022-01-01-preview",
-              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]",
+              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]",
               "properties": {
-                "description": "Azure Active Directory Analytics Rule 59",
-                "parentId": "[variables('analyticRuleId59')]",
-                "contentId": "[variables('_analyticRulecontentId59')]",
-                "kind": "AnalyticsRule",
-                "version": "[variables('analyticRuleVersion59')]",
+                "parentId": "[variables('playbookId11')]",
+                "contentId": "[variables('_playbookContentId11')]",
+                "kind": "Playbook",
+                "version": "[variables('playbookVersion11')]",
                 "source": {
                   "kind": "Solution",
                   "name": "Azure Active Directory",
@@ -12114,19 +12483,38 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Revoke AAD Sign-in session using entity trigger",
+            "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.",
+            "postDeployment": [
+              "1. Add Microsoft Sentinel Responder role to the managed identity.",
+              "2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity."
+            ],
+            "lastUpdateTime": "2022-12-22T00:00:00Z",
+            "entities": [
+              "Account"
+            ],
+            "releaseNotes": {
+              "version": "1.0",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
         "packageName": "[variables('_solutionName')]",
         "packageId": "[variables('_solutionId')]",
         "contentSchemaVersion": "3.0.0",
-        "contentId": "[variables('_analyticRulecontentId59')]",
-        "contentKind": "AnalyticsRule",
-        "displayName": "New onmicrosoft domain added to tenant",
-        "contentProductId": "[variables('_analyticRulecontentProductId59')]",
-        "id": "[variables('_analyticRulecontentProductId59')]",
-        "version": "[variables('analyticRuleVersion59')]"
+        "contentId": "[variables('_playbookContentId11')]",
+        "contentKind": "Playbook",
+        "displayName": "Revoke-AADSignIn-Session-entityTrigger",
+        "contentProductId": "[variables('_playbookcontentProductId11')]",
+        "id": "[variables('_playbookcontentProductId11')]",
+        "version": "[variables('playbookVersion11')]"
       }
     },
     {
@@ -12139,7 +12527,7 @@
         "contentSchemaVersion": "3.0.0",
         "displayName": "Azure Active Directory",
         "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
-        "descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis\"> Azure Active Directory</a>  solution for Microsoft Sentinel enables you to ingest Azure Active Directory <a href=\"https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs\">Audit</a>, <a href=\"https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\">Sign-in</a>, <a href=\"https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs\">Provisioning</a>, <a href=\"https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users\">Risk Events and Risky User/Service Principal</a> logs using Diagnostic Settings into Microsoft Sentinel.</p>\n<p><strong>Workbooks:</strong> 2, <strong>Analytic Rules:</strong> 59, <strong>Playbooks:</strong> 11</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis\"> Azure Active Directory</a>  solution for Microsoft Sentinel enables you to ingest Azure Active Directory <a href=\"https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs\">Audit</a>, <a href=\"https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\">Sign-in</a>, <a href=\"https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs\">Provisioning</a>, <a href=\"https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users\">Risk Events and Risky User/Service Principal</a> logs using Diagnostic Settings into Microsoft Sentinel.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Workbooks:</strong> 2, <strong>Analytic Rules:</strong> 59, <strong>Playbooks:</strong> 11</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
         "contentKind": "Solution",
         "contentProductId": "[variables('_solutioncontentProductId')]",
         "id": "[variables('_solutioncontentProductId')]",
@@ -12165,59 +12553,9 @@
           "operator": "AND",
           "criteria": [
             {
-              "kind": "Playbook",
-              "contentId": "[variables('_Block-AADUser-alert-trigger')]",
-              "version": "[variables('playbookVersion1')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Block-AADUser-entity-trigger')]",
-              "version": "[variables('playbookVersion2')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Block-AADUser-incident-trigger')]",
-              "version": "[variables('playbookVersion3')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Prompt-User-alert-trigger')]",
-              "version": "[variables('playbookVersion4')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Prompt-User-incident-trigger')]",
-              "version": "[variables('playbookVersion5')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Reset-AADUserPassword-alert-trigger')]",
-              "version": "[variables('playbookVersion6')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Reset-AADUserPassword-entity-trigger')]",
-              "version": "[variables('playbookVersion7')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Reset-AADUserPassword-incident-trigger')]",
-              "version": "[variables('playbookVersion8')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Revoke-AADSignInSessions-alert-trigger')]",
-              "version": "[variables('playbookVersion9')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Revoke-AADSignInSessions-entity-trigger')]",
-              "version": "[variables('playbookVersion10')]"
-            },
-            {
-              "kind": "Playbook",
-              "contentId": "[variables('_Revoke-AADSignInSessions-incident-trigger')]",
-              "version": "[variables('playbookVersion11')]"
+              "kind": "DataConnector",
+              "contentId": "[variables('_dataConnectorContentId1')]",
+              "version": "[variables('dataConnectorVersion1')]"
             },
             {
               "kind": "Workbook",
@@ -12523,6 +12861,61 @@
               "kind": "AnalyticsRule",
               "contentId": "[variables('analyticRulecontentId59')]",
               "version": "[variables('analyticRuleVersion59')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Block-AADUser-alert-trigger')]",
+              "version": "[variables('playbookVersion1')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Block-AADUser-incident-trigger')]",
+              "version": "[variables('playbookVersion2')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Prompt-User-alert-trigger')]",
+              "version": "[variables('playbookVersion3')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Prompt-User-incident-trigger')]",
+              "version": "[variables('playbookVersion4')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Reset-AADUserPassword-alert-trigger')]",
+              "version": "[variables('playbookVersion5')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Reset-AADUserPassword-incident-trigger')]",
+              "version": "[variables('playbookVersion6')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Block-AADUser-entity-trigger')]",
+              "version": "[variables('playbookVersion7')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Reset-AADUserPassword-entity-trigger')]",
+              "version": "[variables('playbookVersion8')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Revoke-AADSignInSessions-alert-trigger')]",
+              "version": "[variables('playbookVersion9')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Revoke-AADSignInSessions-incident-trigger')]",
+              "version": "[variables('playbookVersion10')]"
+            },
+            {
+              "kind": "Playbook",
+              "contentId": "[variables('_Revoke-AADSignInSessions-entity-trigger')]",
+              "version": "[variables('playbookVersion11')]"
             }
           ]
         },

From 33f402e67dc5c397b65e6473d458ac3cb3c7bc50 Mon Sep 17 00:00:00 2001
From: PrasadBoke <v-prasadboke@microsoft.com>
Date: Tue, 26 Sep 2023 16:04:07 +0530
Subject: [PATCH 5/5] Update ReleaseNotes.md

---
 Solutions/Azure Active Directory/ReleaseNotes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Azure Active Directory/ReleaseNotes.md b/Solutions/Azure Active Directory/ReleaseNotes.md
index 3ab7989e706..cf294f260bc 100644
--- a/Solutions/Azure Active Directory/ReleaseNotes.md	
+++ b/Solutions/Azure Active Directory/ReleaseNotes.md	
@@ -1,6 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                                                                                     |
 |-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|                                                              
-| 3.0.3       | 22-09-2023                     | 1 **Analytic Rules** updated in the solution (PIM Elevation Request Rejected)  |
+| 3.0.3       | 22-09-2023                     | 2 **Analytic Rules** updated in the solution (PIM Elevation Request Rejected),(NRT Authentication Methods Changed for VIP Users)  |
 | 3.0.2       | 08-08-2023                     | 1 **Analytic Rules** updated in the solution (Credential added after admin consented to Application)  |
 | 3.0.1       | 01-08-2023                     | Added new **Analytic Rule** (New onmicrosoft domain added to tenant)                                                                   |
 | 3.0.0       | 19-07-2023                     | 2 **Analytic Rules** updated in the solution (User Assigned Privileged Role,Successful logon from IP and failure from a different IP)  |