alertId: @{items('For_each_alert')?['alertId']}
\neventTime: @{addToTime('1970-01-01T00:00:00Z',div(int(items('For_each_alert')?['eventTime']),1000),'second')}
\nwatchlistsMatchedByType: @{variables('watchlistsMatchedByType')}
\nsource_channels : @{items('For_each_alert')?['source']?['channels']}
\ncaption : @{items('For_each_alert')?['caption']}
\nalertType : @{items('For_each_alert')?['alertType']?['id']}
\nrelated Terms: @{variables('relatedTermsText')}
\nexpandAlertURL: @{items('For_each_alert')?['expandAlertURL']}
\ncategories: @{variables('categories')}
\ncompanies: @{variables('companies')}
\neventLocation related details
\ncoordinates: @{items('For_each_alert')?['eventLocation']?['coordinates']}
\nname: @{items('For_each_alert')?['eventLocation']?['name']}
\n
\nCYBER related metadata
\nvulnerabilities : @{variables('vulnerabilities')}
\nip addresses : @{variables('ip')}
\nport : @{variables('port')}
\nasns : @{variables('asns')}
\norgs : @{items('For_each_alert')?['metadata']?['cyber']?['orgs']}
\nproducts : @{items('For_each_alert')?['metadata']?['cyber']?['products']}
\nURLs : @{items('For_each_alert')?['metadata']?['cyber']?['URLs']}
\nthreats : @{items('For_each_alert')?['metadata']?['cyber']?['threats']}
\nasOrgs : @{variables('asOrg')}
\nhashes : @{variables('hashValues')}
\nMalwares : @{items('For_each_alert')?['metadata']?['cyber']?['malwares']}
No data found from DataminrPulse related to query parameter : @{variables('query')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_Alerts_Data_into_JSON')?['data']?['alerts'])", + false + ] + } + ] + }, + "type": "If" + }, + "If_loop_exit_due_to_authentication_error": { + "actions": { + "Terminate_": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('Generate_auth_token')['statusCode']}", + "message": "@variables('AuthErrorMessage')" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Initialize_hashValues": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('AuthErrorMessage'))", + false + ] + } + ] + }, + "type": "If" + }, + "If_status_code_is_not_200": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']}", + "message": "@{body('Get_Alerts_from_Dataminr_Pulse_API')?['errors'][0]?['message']}" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "If_loop_exit_due_to_authentication_error": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']", + 200 + ] + } + } + ] + }, + "type": "If" + }, + "Initialize_AuthErrorMessage": { + "runAfter": { + "Initialize_ErrorMessage": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AuthErrorMessage", + "type": "string" + } + ] + } + }, + "Initialize_BaseUrl": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "BaseUrl", + "type": "string", + "value": "[[parameters('BaseURL')]" + } + ] + } + }, + "Initialize_DmaTokenKey": { + "runAfter": { + "Initialize_AuthErrorMessage": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + 
"variables": [ + { + "name": "DmaTokenKey", + "type": "string", + "value": "DataMinrPulse-DmaToken" + } + ] + } + }, + "Initialize_ErrorMessage": { + "runAfter": { + "Initialize_BaseUrl": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ErrorMessage", + "type": "string" + } + ] + } + }, + "Initialize_ExpireTimeKey": { + "runAfter": { + "Initialize_RefreshTokenKey": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ExpireTimeKey", + "type": "string", + "value": "DataMinrPulse-Expire" + } + ] + } + }, + "Initialize_KeyVaultName": { + "runAfter": { + "Initialize_ExpireTimeKey": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "KeyVaultName", + "type": "string", + "value": "[[parameters('KeyVaultName')]" + } + ] + } + }, + "Initialize_RefreshTokenKey": { + "runAfter": { + "Initialize_DmaTokenKey": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RefreshTokenKey", + "type": "string", + "value": "DataMinrPulse-RefreshToken" + } + ] + } + }, + "Initialize_asOrg": { + "runAfter": { + "Initialize_asns": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "asOrg", + "type": "array" + } + ] + } + }, + "Initialize_asns": { + "runAfter": { + "Initialize_vulnerabilities": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "asns", + "type": "array" + } + ] + } + }, + "Initialize_categories": { + "runAfter": { + "Initialize_relatedTermsText": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "categories", + "type": "array" + } + ] + } + }, + "Initialize_companies": { + "runAfter": { + "Initialize_watchlistsMatchedByType": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + 
"name": "companies", + "type": "array" + } + ] + } + }, + "Initialize_count": { + "runAfter": { + "Initialize_query": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "count", + "type": "integer", + "value": 2 + } + ] + } + }, + "Initialize_hashValues": { + "runAfter": { + "Initialize_asOrg": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "hashValues", + "type": "array" + } + ] + } + }, + "Initialize_ip": { + "runAfter": { + "Initialize_relatedTermsUrl": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip", + "type": "string" + } + ] + } + }, + "Initialize_port": { + "runAfter": { + "Initialize_ip": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "port", + "type": "string" + } + ] + } + }, + "Initialize_query": { + "runAfter": { + "Initialize_KeyVaultName": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "query", + "type": "string" + } + ] + } + }, + "Initialize_relatedTermsText": { + "runAfter": { + "Initialize_count": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "relatedTermsText", + "type": "array" + } + ] + } + }, + "Initialize_relatedTermsUrl": { + "runAfter": { + "Initialize_companies": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "relatedTermsUrl", + "type": "array" + } + ] + } + }, + "Initialize_vulnerabilities": { + "runAfter": { + "Initialize_port": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "vulnerabilities", + "type": "array" + } + ] + } + }, + "Initialize_watchlistsMatchedByType": { + "runAfter": { + "Until_retry_count_gets_0": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { 
+ "name": "watchlistsMatchedByType", + "type": "array" + } + ] + } + }, + "Until_retry_count_gets_0": { + "actions": { + "Get_Alerts_from_Dataminr_Pulse_API": { + "runAfter": { + "Get_DmaToken": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Dmauth @{body('Get_DmaToken')?['value']}" + }, + "method": "GET", + "queries": { + "alertversion": "14", + "query": "@variables('query')" + }, + "uri": "@{concat(variables('BaseUrl'),'api/3/alerts')}" + } + }, + "Get_DmaToken": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('DataMinrPulse-DmaToken')}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "_if_status_code_is_200": { + "actions": { + "Parse_Alerts_Data_into_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Alerts_from_Dataminr_Pulse_API')", + "schema": { + "properties": { + "data": { + "properties": { + "alerts": { + "items": { + "properties": { + "alertId": { + "type": "string" + }, + "alertType": { + "properties": { + "color": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "availableRelatedAlerts": { + "type": "integer" + }, + "caption": { + "type": "string" + }, + "categories": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "idStr": { + "type": "string" + }, + "name": { + "type": "string" + }, + "path": { + "type": "string" + }, + "requested": { + "type": "string" + }, + "retired": { + "type": "boolean" + }, + "topicType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "companies": { + "items": { + "properties": { + "dm_bucket": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + 
"type": "object" + }, + "type": "array" + }, + "dm_sector": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "idStr": { + "type": "string" + }, + "name": { + "type": "string" + }, + "retired": { + "type": "boolean" + }, + "ticker": { + "type": "string" + }, + "topicType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "eventLocation": { + "properties": { + "coordinates": { + "items": { + "type": "number" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "places": { + "items": { + "type": "string" + }, + "type": "array" + }, + "probability": { + "type": "integer" + }, + "radius": { + "type": [ + "number", + "integer" + ] + } + }, + "type": "object" + }, + "eventMapLargeURL": { + "type": "string" + }, + "eventMapSmallURL": { + "type": "string" + }, + "eventTime": { + "type": "integer" + }, + "eventVolume": { + "type": "integer" + }, + "expandAlertURL": { + "type": "string" + }, + "expandMapURL": { + "type": "string" + }, + "headerColor": { + "type": "string" + }, + "headerLabel": { + "type": "string" + }, + "metadata": { + "properties": { + "cyber": { + "properties": { + "URLs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "addresses": { + "items": { + "properties": { + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "version": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "asOrgs": { + "items": { + "properties": { + "asOrg": { + "type": "string" + }, + "asn": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "asns": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hashValues": { + "items": { + "properties": { + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "hashes": { + "items": { + 
"type": "string" + }, + "type": "array" + }, + "malwares": { + "items": { + "type": "string" + }, + "type": "array" + }, + "orgs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "products": { + "items": { + "properties": { + "productName": { + "type": "string" + }, + "productVendor": { + "type": "string" + } + }, + "type": [ + "object", + "string" + ] + }, + "type": "array" + }, + "threats": { + "items": { + "type": "string" + }, + "type": "array" + }, + "vulnerabilities": { + "items": { + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "post": { + "properties": { + "languages": { + "items": { + "properties": { + "lang": { + "type": "string" + }, + "position": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "link": { + "type": "string" + }, + "media": { + "type": "array" + }, + "text": { + "type": "string" + }, + "timestamp": { + "type": "integer" + }, + "translatedText": { + "type": "string" + } + }, + "type": "object" + }, + "publisherCategory": { + "properties": { + "color": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "shortName": { + "type": "string" + } + }, + "type": "object" + }, + "relatedTerms": { + "items": { + "properties": { + "text": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "relatedTermsQueryURL": { + "type": "string" + }, + "sectors": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "idStr": { + "type": "string" + }, + "name": { + "type": "string" + }, + "retired": { + "type": "boolean" + }, + "topicType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "source": { + "properties": { + "channels": { + "items": { + "type": "string" + }, + "type": "array" + }, + "verified": { + "type": "boolean" + } + }, + "type": "object" 
+ }, + "subCaption": { + "properties": { + "bullets": { + "properties": { + "content": { + "type": "string" + }, + "media": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "userRecentImages": { + "type": "array" + }, + "userTopHashtags": { + "type": "array" + }, + "watchlistsMatchedByType": { + "items": { + "properties": { + "externalTopicIds": { + "items": { + "type": "string" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "userProperties": { + "properties": { + "omnilist": { + "type": "string" + }, + "uiListType": { + "type": "string" + }, + "watchlistColor": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "to": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Set_count_variable_to_0": { + "runAfter": { + "Parse_Alerts_Data_into_JSON": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + }, + "runAfter": { + "Get_Alerts_from_Dataminr_Pulse_API": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "_if_status_code_is_401": { + "actions": { + "Generate_auth_token": { + "type": "Http", + "inputs": { + "body": "client_id=@{body('Get_ClientId')?['value']}&client_secret=@{body('Get_ClientSecret')?['value']}&grant_type=api_key", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "@{concat(variables('BaseUrl'),'auth/2/token')}" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "outputs" + ] + } + } + }, + "If_Generate_auth_token_status_code_is_200": { + "actions": { + "If_Update_DmaToken_status_code_is_200": { + "runAfter": { + "Update_DmaToken_in_Keyvault": [ + "Succeeded", + "Failed" + 
] + }, + "else": { + "actions": { + "Set_AuthErrorMessage_for_updating_DmaToken": { + "type": "SetVariable", + "inputs": { + "name": "AuthErrorMessage", + "value": "Error:@{body('Update_DmaToken_in_Keyvault')?['error']?['message']}" + } + }, + "Set_count_equals_to_0": { + "runAfter": { + "Set_AuthErrorMessage_for_updating_DmaToken": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Update_DmaToken_in_Keyvault')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_auth_token')", + "schema": { + "properties": { + "dmaToken": { + "type": "string" + }, + "expire": { + "type": "integer" + }, + "refreshToken": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Update_DmaToken_in_Keyvault": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "[[concat('https://',parameters('azure key vault'),'.net')]", + "type": "ManagedServiceIdentity" + }, + "body": { + "value": "@{body('Parse_JSON')?['dmaToken']}" + }, + "method": "PUT", + "uri": "@{concat('https://',variables('KeyVaultName'),'.',parameters('azure key vault'),'.net/secrets/',body('Get_DmaToken')?['name'],'?api-version=7.2')}" + } + }, + "if_count_value_is_greater_than_0": { + "actions": { + "Decrement_count_by_1": { + "type": "DecrementVariable", + "inputs": { + "name": "count", + "value": 1 + } + } + }, + "runAfter": { + "If_Update_DmaToken_status_code_is_200": [ + "Succeeded", + "Failed", + "Skipped" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('count')", + 0 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Generate_auth_token": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_ErrorMessage": { + "type": "SetVariable", + "inputs": { + "name": "AuthErrorMessage", 
+ "value": "Message:@{body('Generate_auth_token')?['errors'][0]?['message']}" + } + }, + "Set_count_to_0_as_error_in_authentication": { + "runAfter": { + "Set_ErrorMessage": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Generate_auth_token')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Set_Errormessage_ofr_status_code_other_than_200_and_401": { + "type": "SetVariable", + "inputs": { + "name": "ErrorMessage", + "value": "Error:@{body('Get_Alerts_from_Dataminr_Pulse_API')?['errors'][0]?['message']}" + } + }, + "Set_retry_count_to_0": { + "runAfter": { + "Set_Errormessage_ofr_status_code_other_than_200_and_401": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']", + 401 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Get_ClientSecret": [ + "Succeeded" + ] + }, + "expression": "@equals(variables('count'), 0)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "DataminrPulseAlertEnrichment", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('KeyvaultConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + }, + "parameterValues": { + "token:TenantId": "[[parameters('tenantId')]", + "token:grantType": "code", + "vaultName": "[[parameters('keyvaultName')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Dataminr Pulse", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Dataminr", + "email": "[variables('_email')]" + }, + "support": { + "name": "Dataminr Support", + "email": "support@dataminr.com", + "tier": "Partner", + "link": "https://www.dataminr.com/dataminr-support#support" + } + } + } + ], + "metadata": { + "title": "DataminrPulseAlertEnrichment", + "description": "This playbook provides an end-to-end example of how alert enrichment works. This will extract the IP, Domain, HostName, URL or Hashes from the generated incident and call the Get alerts API of Dataminr Pulse to get the data associated with that parameter and enrich the incident by adding Dataminr Pulse alerts data as an incident comment.", + "prerequisites": [ + "1. Users must have a valid pair of Dataminr Pulse API Client ID and secret credentials.", + "2. Store client credentials in Key Vault and obtain keyvault name and tenantId.", + "a. Create a Key Vault with unique name", + "b. Go to KeyVault -> secrets -> Generate/import and create 'DataMinrPulse-clientId'& 'DataMinrPulse-clientSecret' to store client_id and client_secret respectively. Also create a secret named 'DataMinrPulse-DmaToken' to store dmaToken." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Click the Keyvault connection resource", + "2. Click edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. 
Assign Role to add comment in incident**", + "After authorizing each connection, assign role to this playbook.", + "1. Go to Log Analytics Workspace →Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nDataminr Pulse brings the most advanced AI-powered real-time intelligence into Microsoft Sentinel, easily fitting into your workflows and enabling rapid identification and mitigation of emerging threats so you can deliver faster time to detection and response.
\nData Connectors: 1, Parsers: 2, Workbooks: 1, Analytic Rules: 1, Watchlists: 5, Playbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Dataminr Pulse", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Dataminr", + "email": "[variables('_email')]" + }, + "support": { + "name": "Dataminr Support", + "email": "support@dataminr.com", + "tier": "Partner", + "link": "https://www.dataminr.com/dataminr-support#support" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_DataminrPulseAsset')]", + "version": "3.0.0" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_DataminrPulseVulnerableDomain')]", + "version": "3.0.0" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_DataminrPulseVulnerableHash')]", + "version": "3.0.0" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_DataminrPulseVulnerableIp')]", + "version": "3.0.0" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_DataminrPulseVulnerableMalware')]", + "version": "3.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_DataminrPulseAlertEnrichment')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId1')]", + "version": "[variables('parserVersion1')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId2')]", + "version": "[variables('parserVersion2')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + 
"version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-04-12",
+ "lastPublishDate": "2023-04-12",
+ "providers": [
+ "Dataminr"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Others",
+ "Security - Threat Intelligence",
+ "Security - Automation (SOAR)"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Dataminr Pulse/Parsers/DataminrPulseAlerts.yaml b/Solutions/Dataminr Pulse/Parsers/DataminrPulseAlerts.yaml
new file mode 100644
index 00000000000..de837d16391
--- /dev/null
+++ b/Solutions/Dataminr Pulse/Parsers/DataminrPulseAlerts.yaml
@@ -0,0 +1,102 @@
+id: a4fddd3e-9993-4c86-b5e8-8e36d8ce1197
+Function:
+ Title: Parser for DataminrPulseAlerts
+ Version: '1.0.0'
+ LastUpdated: '2023-09-01'
+Category: Microsoft Sentinel Parser
+FunctionName: DataminrPulseAlerts
+FunctionAlias: DataminrPulseAlerts
+FunctionQuery: |
+ let DataminrPulseAlerts_view = view() {
+ DataminrPulse_Alerts_CL
+ | extend category = parse_json(categories_s)
+ | mv-apply category on (summarize CategoryNames = make_list(category.name))
+ | extend company = parse_json(companies_s)
+ | mv-apply company on (summarize CompanyNames = make_list(company.name))
+ | extend watchlist = parse_json(watchlistsMatchedByType_s)
+ | mv-apply watchlist on (summarize WatchlistNames = make_list(watchlist.name))
+ | summarize any(*) by index_s
+ | extend
+ EventVendor="Dataminr",
+ EventProduct="Pulse",
+ AlertId = column_ifexists('index_s', ''),
+ AlertType = column_ifexists('any_alertType_name_s', ''),
+ AvailableRelatedAlerts = column_ifexists('any_availableRelatedAlerts_d', ''),
+ Caption = column_ifexists('any_headline_s', ''),
+ Company = column_ifexists('any_companies_s', ''),
+ CompanyNames = tostring(column_ifexists('any_CompanyNames', '')),
+ Category = column_ifexists('any_categories_s', ''),
+ CategoryNames = tostring(column_ifexists('any_CategoryNames', '')),
+ Latitude = column_ifexists('any_location_latitude_d', ''),
+ Longitude = column_ifexists('any_location_longitude_d', ''),
+ EventLocationName = column_ifexists('any_location_name_s', ''),
+ EventLocationPlace = column_ifexists('any_location_places_s', ''),
+ EventLocationProbability = column_ifexists('any_location_probability_d', ''),
+ EventLocationRadius = column_ifexists('any_location_radius_d', ''),
+ EventSource = column_ifexists('any_headlineData_via_s', ''),
+ EventTime = column_ifexists('any_timestamp_d', ''),
+ EventVolume = column_ifexists('any_volume_d', ''),
+ EmbeddedLabels = column_ifexists('any__embedded_labels_s', ''),
+ PostLanguagae = column_ifexists('any_odsStatus_languages_s', ''),
+ PostLink = column_ifexists('any_odsStatus_link_s', ''),
+ PostMedia = column_ifexists('any_odsStatus_media_s', ''),
+ PostText = column_ifexists('any_odsStatus_text_s', ''),
+ PostTimestamp = column_ifexists('any_odsStatus_timestamp_d', ''),
+ PostTranslatedText = column_ifexists('any_odsStatus_translatedText_s', ''),
+ PublisherCategoryName = column_ifexists('any_publisherCategory_name_s', ''),
+ RelatedTerms = column_ifexists('any_referenceTerms_s', ''),
+ Sectors = column_ifexists('any_sectors_s', ''),
+ SourceChannels = column_ifexists('any_odsStatus_source_channels_s', ''),
+ SourceDisplayName = column_ifexists('any_odsStatus_source_display_name_s', ''),
+ SourceEntityName = column_ifexists('any_odsStatus_source_entity_name_s', ''),
+ SourceLink = column_ifexists('any_odsStatus_source_link_s', ''),
+ SourceVerified = column_ifexists('any_odsStatus_source_verified_s', ''),
+ SubCaptionBulletsContent = column_ifexists('any_dataMap_bullets_content_s', ''),
+ SubCaptionBulletsMedia = column_ifexists('any_dataMap_bullets_media_s', ''),
+ SubCaptionBulletsSource = column_ifexists('any_dataMap_bullets_source_s', ''),
+ WatchlistsMatchedByType = column_ifexists('any_watchlistsMatchedByType_s', ''),
+ WatchlistNames = tostring(column_ifexists('any_WatchlistNames', ''))
+ | project-rename TimeGenerated = any_TimeGenerated
+ | project
+ TimeGenerated,
+ EventVendor,
+ EventProduct,
+ AlertId,
+ AlertType,
+ AvailableRelatedAlerts,
+ Caption,
+ Company,
+ CompanyNames,
+ Category,
+ CategoryNames,
+ Latitude,
+ Longitude,
+ EventLocationName,
+ EventLocationPlace,
+ EventLocationProbability,
+ EventLocationRadius,
+ EventSource,
+ EventTime,
+ EventVolume,
+ EmbeddedLabels,
+ PostLanguagae,
+ PostLink,
+ PostMedia,
+ PostText,
+ PostTimestamp,
+ PostTranslatedText,
+ PublisherCategoryName,
+ RelatedTerms,
+ Sectors,
+ SourceChannels,
+ SourceDisplayName,
+ SourceEntityName,
+ SourceLink,
+ SourceVerified,
+ SubCaptionBulletsContent,
+ SubCaptionBulletsMedia,
+ SubCaptionBulletsSource,
+ WatchlistsMatchedByType,
+ WatchlistNames
+ };
+ DataminrPulseAlerts_view
\ No newline at end of file
diff --git a/Solutions/Dataminr Pulse/Parsers/DataminrPulseCyberAlerts.yaml b/Solutions/Dataminr Pulse/Parsers/DataminrPulseCyberAlerts.yaml
new file mode 100644
index 00000000000..13ccee70174
--- /dev/null
+++ b/Solutions/Dataminr Pulse/Parsers/DataminrPulseCyberAlerts.yaml
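Review bot: The output column `PostLanguagae` is misspelled in both the `extend` and the `project` list of this new parser (and again in DataminrPulseCyberAlerts.yaml below); because this name becomes the public schema that analytic rules and workbooks bind to, fixing it before first publish avoids a breaking rename later: `PostLanguage = column_ifexists('any_odsStatus_languages_s', ''),` and `PostLanguage,` in the project. Separately, `| summarize any(*) by index_s` uses the deprecated `any()` aggregate; `take_any(*)` is the current form, but it drops the `any_` prefix, so every `column_ifexists('any_...')` reference and the `project-rename TimeGenerated = any_TimeGenerated` line would need to follow. The `''` default passed to `column_ifexists` for the numeric `_d` columns (e.g. `any_availableRelatedAlerts_d`, `any_timestamp_d`) yields a string when the column is absent and a real when present, which is likely to trip consumers that compare or sort these fields numerically; a typed default such as `real(null)` would keep the column type stable.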
@@ -0,0 +1,105 @@ +id: 922c64bb-819b-4e3f-811a-0dfbff8eb667 +Function: + Title: Parser for DataminrPulseCyberAlerts + Version: '1.0.0' + LastUpdated: '2023-09-01' +Category: Microsoft Sentinel Parser +FunctionName: DataminrPulseCyberAlerts +FunctionAlias: DataminrPulseCyberAlerts +FunctionQuery: | + let DataminrPulseCyberAlerts_view = view() { + DataminrPulse_Alerts_CL + | mv-expand todynamic(watchlistsMatchedByType_s) + | extend property = watchlistsMatchedByType_s["userProperties"] + | where property["uiListType"] == "CYBER" + | extend category = parse_json(categories_s) + | mv-apply category on (summarize CategoryNames = make_list(category.name)) + | extend company = parse_json(companies_s) + | mv-apply company on (summarize CompanyNames = make_list(company.name)) + | extend watchlist = parse_json(watchlistsMatchedByType_s) + | mv-apply watchlist on (summarize WatchlistNames = make_list(watchlist.name)) + | summarize any(*) by index_s + | extend + EventVendor="Dataminr", + EventProduct="Pulse", + AlertId = column_ifexists('index_s', ''), + AlertType = column_ifexists('any_alertType_name_s', ''), + AvailableRelatedAlerts = column_ifexists('any_availableRelatedAlerts_d', ''), + Caption = column_ifexists('any_headline_s', ''), + Company = column_ifexists('any_companies_s', ''), + CompanyNames = tostring(column_ifexists('any_CompanyNames', '')), + Category = column_ifexists('any_categories_s', ''), + CategoryNames = tostring(column_ifexists('any_CategoryNames', '')), + Latitude = column_ifexists('any_location_latitude_d', ''), + Longitude = column_ifexists('any_location_longitude_d', ''), + EventLocationName = column_ifexists('any_location_name_s', ''), + EventLocationPlace = column_ifexists('any_location_places_s', ''), + EventLocationProbability = column_ifexists('any_location_probability_d', ''), + EventLocationRadius = column_ifexists('any_location_radius_d', ''), + EventSource = column_ifexists('any_headlineData_via_s', ''), + EventTime = 
column_ifexists('any_timestamp_d', ''), + EventVolume = column_ifexists('any_volume_d', ''), + EmbeddedLabels = column_ifexists('any__embedded_labels_s', ''), + PostLanguagae = column_ifexists('any_odsStatus_languages_s', ''), + PostLink = column_ifexists('any_odsStatus_link_s', ''), + PostMedia = column_ifexists('any_odsStatus_media_s', ''), + PostText = column_ifexists('any_odsStatus_text_s', ''), + PostTimestamp = column_ifexists('any_odsStatus_timestamp_d', ''), + PostTranslatedText = column_ifexists('any_odsStatus_translatedText_s', ''), + PublisherCategoryName = column_ifexists('any_publisherCategory_name_s', ''), + RelatedTerms = column_ifexists('any_referenceTerms_s', ''), + Sectors = column_ifexists('any_sectors_s', ''), + SourceChannels = column_ifexists('any_odsStatus_source_channels_s', ''), + SourceDisplayName = column_ifexists('any_odsStatus_source_display_name_s', ''), + SourceEntityName = column_ifexists('any_odsStatus_source_entity_name_s', ''), + SourceLink = column_ifexists('any_odsStatus_source_link_s', ''), + SourceVerified = column_ifexists('any_odsStatus_source_verified_s', ''), + SubCaptionBulletsContent = column_ifexists('any_dataMap_bullets_content_s', ''), + SubCaptionBulletsMedia = column_ifexists('any_dataMap_bullets_media_s', ''), + SubCaptionBulletsSource = column_ifexists('any_dataMap_bullets_source_s', ''), + WatchlistsMatchedByType = column_ifexists('any_watchlistsMatchedByType_s', ''), + WatchlistNames = tostring(column_ifexists('any_WatchlistNames', '')) + | project-rename TimeGenerated = any_TimeGenerated + | project + TimeGenerated, + EventVendor, + EventProduct, + AlertId, + AlertType, + AvailableRelatedAlerts, + Caption, + Company, + CompanyNames, + CategoryNames, + Category, + Latitude, + Longitude, + EventLocationName, + EventLocationPlace, + EventLocationProbability, + EventLocationRadius, + EventSource, + EventTime, + EventVolume, + EmbeddedLabels, + PostLanguagae, + PostLink, + PostMedia, + PostText, + PostTimestamp, + 
PostTranslatedText, + PublisherCategoryName, + RelatedTerms, + Sectors, + SourceChannels, + SourceDisplayName, + SourceEntityName, + SourceLink, + SourceVerified, + SubCaptionBulletsContent, + SubCaptionBulletsMedia, + SubCaptionBulletsSource, + WatchlistsMatchedByType, + WatchlistNames + }; + DataminrPulseCyberAlerts_view \ No newline at end of file diff --git a/Solutions/Dataminr Pulse/Playbooks/DataminrPulseAlertEnrichment/Images/DataminrPulseAlertEnrichment.png b/Solutions/Dataminr Pulse/Playbooks/DataminrPulseAlertEnrichment/Images/DataminrPulseAlertEnrichment.png new file mode 100644 index 00000000000..cf1ab10063e Binary files /dev/null and b/Solutions/Dataminr Pulse/Playbooks/DataminrPulseAlertEnrichment/Images/DataminrPulseAlertEnrichment.png differ diff --git a/Solutions/Dataminr Pulse/Playbooks/DataminrPulseAlertEnrichment/README.md b/Solutions/Dataminr Pulse/Playbooks/DataminrPulseAlertEnrichment/README.md new file mode 100644 index 00000000000..26b9a20e787 --- /dev/null +++ b/Solutions/Dataminr Pulse/Playbooks/DataminrPulseAlertEnrichment/README.md 
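Review bot: `summarize any(*) by index_s` uses the deprecated `any()` aggregate; the supported form is `| summarize take_any(*) by index_s`, which (as far as I recall) keeps the `any_` output-column prefix the later `column_ifexists('any_…')` lookups depend on — confirm the column names still resolve in a workspace before switching. Because the `where property["uiListType"] == "CYBER"` filter runs on the mv-expanded rows before the summarize, `WatchlistNames`/`WatchlistsMatchedByType` can only ever hold the CYBER watchlist(s) of an alert, and `watchlistsMatchedByType_s` is a single object rather than an array at that point, so the `mv-apply watchlist on (...)` may not build the list intended; a comment above the `where` line such as `# keep only alerts matched by a CYBER watchlist; WatchlistNames is limited to those` plus a check against a real row would settle it. The `PostLanguagae` column typo is shared with the DataminrPulseAlerts parser, so renaming it in one parser alone would desync the two schemas — fix both or leave both. The `project` order `CategoryNames, Category` is the reverse of the other parser's `Category, CategoryNames`; harmless, but worth aligning.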
@@ -0,0 +1,95 @@ +# Dataminr Pulse Alert Enrichment + +* [Summary](#Summary) +* [Prerequisites](#Prerequisites) +* [Deployment instructions](#Deployment-instructions) +* [Post-Deployment instructions](#Post-Deployment-instructions) + + +## Summary + +This playbook provides an end-to-end example of how alert enrichment works. This will extract the IP, Domain, HostName, URL or Hashes from the generated incident and call the Get alerts API of Dataminr Pulse to get the data associated with that parameter and enrich the incident by adding Dataminr Pulse alerts data as an incident comment. + +### Prerequisites + +1. Users must have a valid pair of Dataminr Pulse API Client ID and secret credentials. +2. Store client credentials in Key Vault and obtain keyvault name and tenantId. + * Create a Key Vault with unique name + * Go to KeyVault -> secrets -> Generate/import and create 'DataMinrPulse-clientId'& 'DataMinrPulse-clientSecret' to store client_id and client_secret respectively. Also create a secret named 'DataMinrPulse-DmaToken' to store dmaToken. + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + * Playbook Name: Enter the playbook name here + * Key Vault Name: Name of keyvault where secrets are stored. + * Tenant Id: TenantId of azure active directory where keyvault is located. + * BaseURL: Baseurl for your Dataminr account. 
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FDataminr%20Pulse%2FPlaybooks%2FDataminrPulseAlertEnrichment%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FDataminr%20Pulse%2FPlaybooks%2FDataminrPulseAlertEnrichment%2Fazuredeploy.json) + + +### Post-Deployment instructions + +#### a. Authorize connections + +Once deployment is complete, authorize each connection. + +1. Click the Keyvault connection resource +2. Click edit API connection +3. Click Authorize +4. Sign in +5. Click Save +6. Repeat steps for other connections + +#### b. Assign Role to add comment in incident + +After authorizing each connection, assign role to this playbook. + +1. Go to Log Analytics Workspace →alertId: @{items('For_each_alert')?['alertId']}
\neventTime: @{addToTime('1970-01-01T00:00:00Z',div(int(items('For_each_alert')?['eventTime']),1000),'second')}
\nwatchlistsMatchedByType: @{variables('watchlistsMatchedByType')}
\nsource_channels : @{items('For_each_alert')?['source']?['channels']}
\ncaption : @{items('For_each_alert')?['caption']}
\nalertType : @{items('For_each_alert')?['alertType']?['id']}
\nrelated Terms: @{variables('relatedTermsText')}
\nexpandAlertURL: @{items('For_each_alert')?['expandAlertURL']}
\ncategories: @{variables('categories')}
\ncompanies: @{variables('companies')}
\neventLocation related details
\ncoordinates: @{items('For_each_alert')?['eventLocation']?['coordinates']}
\nname: @{items('For_each_alert')?['eventLocation']?['name']}
\n
\nCYBER related metadata
\nvulnerabilities : @{variables('vulnerabilities')}
\nip addresses : @{variables('ip')}
\nport : @{variables('port')}
\nasns : @{variables('asns')}
\norgs : @{items('For_each_alert')?['metadata']?['cyber']?['orgs']}
\nproducts : @{items('For_each_alert')?['metadata']?['cyber']?['products']}
\nURLs : @{items('For_each_alert')?['metadata']?['cyber']?['URLs']}
\nthreats : @{items('For_each_alert')?['metadata']?['cyber']?['threats']}
\nasOrgs : @{variables('asOrg')}
\nhashes : @{variables('hashValues')}
\nMalwares : @{items('For_each_alert')?['metadata']?['cyber']?['malwares']}
No data found from DataminrPulse related to query parameter : @{variables('query')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_Alerts_Data_into_JSON')?['data']?['alerts'])", + false + ] + } + ] + }, + "type": "If" + }, + "If_loop_exit_due_to_authentication_error": { + "actions": { + "Terminate_": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('Generate_auth_token')['statusCode']}", + "message": "@variables('AuthErrorMessage')" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Initialize_hashValues": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('AuthErrorMessage'))", + false + ] + } + ] + }, + "type": "If" + }, + "If_status_code_is_not_200": { + "actions": { + "Terminate": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']}", + "message": "@{body('Get_Alerts_from_Dataminr_Pulse_API')?['errors'][0]?['message']}" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "If_loop_exit_due_to_authentication_error": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']", + 200 + ] + } + } + ] + }, + "type": "If" + }, + "Initialize_AuthErrorMessage": { + "runAfter": { + "Initialize_ErrorMessage": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AuthErrorMessage", + "type": "string" + } + ] + } + }, + "Initialize_BaseUrl": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "BaseUrl", + "type": "string", + "value": "[parameters('BaseURL')]" + } + ] + } + }, + "Initialize_DmaTokenKey": { + "runAfter": { + "Initialize_AuthErrorMessage": [ + "Succeeded" + ] + }, 
+ "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "DmaTokenKey", + "type": "string", + "value": "DataMinrPulse-DmaToken" + } + ] + } + }, + "Initialize_ErrorMessage": { + "runAfter": { + "Initialize_BaseUrl": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ErrorMessage", + "type": "string" + } + ] + } + }, + "Initialize_ExpireTimeKey": { + "runAfter": { + "Initialize_RefreshTokenKey": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ExpireTimeKey", + "type": "string", + "value": "DataMinrPulse-Expire" + } + ] + } + }, + "Initialize_KeyVaultName": { + "runAfter": { + "Initialize_ExpireTimeKey": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "KeyVaultName", + "type": "string", + "value": "[parameters('KeyVaultName')]" + } + ] + } + }, + "Initialize_RefreshTokenKey": { + "runAfter": { + "Initialize_DmaTokenKey": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RefreshTokenKey", + "type": "string", + "value": "DataMinrPulse-RefreshToken" + } + ] + } + }, + "Initialize_asOrg": { + "runAfter": { + "Initialize_asns": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "asOrg", + "type": "array" + } + ] + } + }, + "Initialize_asns": { + "runAfter": { + "Initialize_vulnerabilities": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "asns", + "type": "array" + } + ] + } + }, + "Initialize_categories": { + "runAfter": { + "Initialize_relatedTermsText": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "categories", + "type": "array" + } + ] + } + }, + "Initialize_companies": { + "runAfter": { + "Initialize_watchlistsMatchedByType": [ + "Succeeded" + ] + }, + "type": 
"InitializeVariable", + "inputs": { + "variables": [ + { + "name": "companies", + "type": "array" + } + ] + } + }, + "Initialize_count": { + "runAfter": { + "Initialize_query": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "count", + "type": "integer", + "value": 2 + } + ] + } + }, + "Initialize_hashValues": { + "runAfter": { + "Initialize_asOrg": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "hashValues", + "type": "array" + } + ] + } + }, + "Initialize_ip": { + "runAfter": { + "Initialize_relatedTermsUrl": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip", + "type": "string" + } + ] + } + }, + "Initialize_port": { + "runAfter": { + "Initialize_ip": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "port", + "type": "string" + } + ] + } + }, + "Initialize_query": { + "runAfter": { + "Initialize_KeyVaultName": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "query", + "type": "string" + } + ] + } + }, + "Initialize_relatedTermsText": { + "runAfter": { + "Initialize_count": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "relatedTermsText", + "type": "array" + } + ] + } + }, + "Initialize_relatedTermsUrl": { + "runAfter": { + "Initialize_companies": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "relatedTermsUrl", + "type": "array" + } + ] + } + }, + "Initialize_vulnerabilities": { + "runAfter": { + "Initialize_port": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "vulnerabilities", + "type": "array" + } + ] + } + }, + "Initialize_watchlistsMatchedByType": { + "runAfter": { + "Until_retry_count_gets_0": [ + "Succeeded" + ] + }, + 
"type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "watchlistsMatchedByType", + "type": "array" + } + ] + } + }, + "Until_retry_count_gets_0": { + "actions": { + "Get_Alerts_from_Dataminr_Pulse_API": { + "runAfter": { + "Get_DmaToken": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Dmauth @{body('Get_DmaToken')?['value']}" + }, + "method": "GET", + "queries": { + "alertversion": "14", + "query": "@variables('query')" + }, + "uri": "@{concat(variables('BaseUrl'),'api/3/alerts')}" + } + }, + "Get_DmaToken": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('DataMinrPulse-DmaToken')}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "_if_status_code_is_200": { + "actions": { + "Parse_Alerts_Data_into_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Alerts_from_Dataminr_Pulse_API')", + "schema": { + "properties": { + "data": { + "properties": { + "alerts": { + "items": { + "properties": { + "alertId": { + "type": "string" + }, + "alertType": { + "properties": { + "color": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "availableRelatedAlerts": { + "type": "integer" + }, + "caption": { + "type": "string" + }, + "categories": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "idStr": { + "type": "string" + }, + "name": { + "type": "string" + }, + "path": { + "type": "string" + }, + "requested": { + "type": "string" + }, + "retired": { + "type": "boolean" + }, + "topicType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "companies": { + "items": { + "properties": { + "dm_bucket": { + "items": { 
+ "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "dm_sector": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "idStr": { + "type": "string" + }, + "name": { + "type": "string" + }, + "retired": { + "type": "boolean" + }, + "ticker": { + "type": "string" + }, + "topicType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "eventLocation": { + "properties": { + "coordinates": { + "items": { + "type": "number" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "places": { + "items": { + "type": "string" + }, + "type": "array" + }, + "probability": { + "type": "integer" + }, + "radius": { + "type": [ + "number", + "integer" + ] + } + }, + "type": "object" + }, + "eventMapLargeURL": { + "type": "string" + }, + "eventMapSmallURL": { + "type": "string" + }, + "eventTime": { + "type": "integer" + }, + "eventVolume": { + "type": "integer" + }, + "expandAlertURL": { + "type": "string" + }, + "expandMapURL": { + "type": "string" + }, + "headerColor": { + "type": "string" + }, + "headerLabel": { + "type": "string" + }, + "metadata": { + "properties": { + "cyber": { + "properties": { + "URLs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "addresses": { + "items": { + "properties": { + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "version": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "asOrgs": { + "items": { + "properties": { + "asOrg": { + "type": "string" + }, + "asn": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "asns": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hashValues": { + "items": { + "properties": { + "type": { + "type": "string" + }, + "value": { + "type": 
"string" + } + }, + "type": "object" + }, + "type": "array" + }, + "hashes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "malwares": { + "items": { + "type": "string" + }, + "type": "array" + }, + "orgs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "products": { + "items": { + "properties": { + "productName": { + "type": "string" + }, + "productVendor": { + "type": "string" + } + }, + "type": [ + "object", + "string" + ] + }, + "type": "array" + }, + "threats": { + "items": { + "type": "string" + }, + "type": "array" + }, + "vulnerabilities": { + "items": { + "properties": { + "id": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "post": { + "properties": { + "languages": { + "items": { + "properties": { + "lang": { + "type": "string" + }, + "position": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "link": { + "type": "string" + }, + "media": { + "type": "array" + }, + "text": { + "type": "string" + }, + "timestamp": { + "type": "integer" + }, + "translatedText": { + "type": "string" + } + }, + "type": "object" + }, + "publisherCategory": { + "properties": { + "color": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "shortName": { + "type": "string" + } + }, + "type": "object" + }, + "relatedTerms": { + "items": { + "properties": { + "text": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "relatedTermsQueryURL": { + "type": "string" + }, + "sectors": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "idStr": { + "type": "string" + }, + "name": { + "type": "string" + }, + "retired": { + "type": "boolean" + }, + "topicType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "source": { + "properties": { + "channels": { + "items": { + "type": 
"string" + }, + "type": "array" + }, + "verified": { + "type": "boolean" + } + }, + "type": "object" + }, + "subCaption": { + "properties": { + "bullets": { + "properties": { + "content": { + "type": "string" + }, + "media": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "userRecentImages": { + "type": "array" + }, + "userTopHashtags": { + "type": "array" + }, + "watchlistsMatchedByType": { + "items": { + "properties": { + "externalTopicIds": { + "items": { + "type": "string" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "userProperties": { + "properties": { + "omnilist": { + "type": "string" + }, + "uiListType": { + "type": "string" + }, + "watchlistColor": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "to": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Set_count_variable_to_0": { + "runAfter": { + "Parse_Alerts_Data_into_JSON": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + }, + "runAfter": { + "Get_Alerts_from_Dataminr_Pulse_API": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "_if_status_code_is_401": { + "actions": { + "Generate_auth_token": { + "runAfter": {}, + "type": "Http", + "inputs": { + "body": "client_id=@{body('Get_ClientId')?['value']}&client_secret=@{body('Get_ClientSecret')?['value']}&grant_type=api_key", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "@{concat(variables('BaseUrl'),'auth/2/token')}" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "outputs" + ] + } + } + }, + "If_Generate_auth_token_status_code_is_200": { + "actions": { + 
"If_Update_DmaToken_status_code_is_200": { + "actions": {}, + "runAfter": { + "Update_DmaToken_in_Keyvault": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_AuthErrorMessage_for_updating_DmaToken": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "AuthErrorMessage", + "value": "Error:@{body('Update_DmaToken_in_Keyvault')?['error']?['message']}" + } + }, + "Set_count_equals_to_0": { + "runAfter": { + "Set_AuthErrorMessage_for_updating_DmaToken": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Update_DmaToken_in_Keyvault')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_auth_token')", + "schema": { + "properties": { + "dmaToken": { + "type": "string" + }, + "expire": { + "type": "integer" + }, + "refreshToken": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Update_DmaToken_in_Keyvault": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "[concat('https://',parameters('azure key vault'),'.net')]", + "type": "ManagedServiceIdentity" + }, + "body": { + "value": "@{body('Parse_JSON')?['dmaToken']}" + }, + "method": "PUT", + "uri": "@{concat('https://',variables('KeyVaultName'),'.',parameters('azure key vault'),'.net/secrets/',body('Get_DmaToken')?['name'],'?api-version=7.2')}" + } + }, + "if_count_value_is_greater_than_0": { + "actions": { + "Decrement_count_by_1": { + "runAfter": {}, + "type": "DecrementVariable", + "inputs": { + "name": "count", + "value": 1 + } + } + }, + "runAfter": { + "If_Update_DmaToken_status_code_is_200": [ + "Succeeded", + "Failed", + "Skipped" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('count')", + 0 + ] + } + ] + }, + "type": "If" + } + }, + 
"runAfter": { + "Generate_auth_token": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_ErrorMessage": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "AuthErrorMessage", + "value": "Message:@{body('Generate_auth_token')?['errors'][0]?['message']}" + } + }, + "Set_count_to_0_as_error_in_authentication": { + "runAfter": { + "Set_ErrorMessage": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Generate_auth_token')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Set_Errormessage_ofr_status_code_other_than_200_and_401": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ErrorMessage", + "value": "Error:@{body('Get_Alerts_from_Dataminr_Pulse_API')?['errors'][0]?['message']}" + } + }, + "Set_retry_count_to_0": { + "runAfter": { + "Set_Errormessage_ofr_status_code_other_than_200_and_401": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "count", + "value": 0 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']", + 401 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Get_Alerts_from_Dataminr_Pulse_API')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Get_ClientSecret": [ + "Succeeded" + ] + }, + "expression": "@equals(variables('count'), 0)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "DataminrPulseAlertEnrichment", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" + }, + "parameterValues": { + "token:TenantId": "[parameters('tenantId')]", + "token:grantType": "code", + "vaultName": "[parameters('keyvaultName')]" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Dataminr Pulse/ReleaseNotes.md b/Solutions/Dataminr Pulse/ReleaseNotes.md new file mode 100644 index 00000000000..6875632b16f --- /dev/null +++ b/Solutions/Dataminr Pulse/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 14-07-2023 | Initial Version Release | \ No newline at end of file diff --git a/Solutions/Dataminr Pulse/SolutionMetadata.json b/Solutions/Dataminr Pulse/SolutionMetadata.json new file mode 100644 index 00000000000..859907c861d --- /dev/null +++ b/Solutions/Dataminr Pulse/SolutionMetadata.json @@ -0,0 +1,22 @@ +{ + "publisherId": "dataminr_pulse", + "offerId": "dataminr_sentinel", + "firstPublishDate": "2023-04-12", + "lastPublishDate": "2023-04-12", + "providers": [ + "Dataminr" + ], + "categories": { + "domains": [ + "Security - Others", + "Security - Threat Intelligence", + "Security - Automation (SOAR)" + ] + }, + "support": { + "name": "Dataminr Support", + "email": "support@dataminr.com", + "tier": "Partner", + "link": "https://www.dataminr.com/dataminr-support#support" + } +} \ No newline at end of file diff --git a/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-Asset/DataminrPulseAsset.json b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-Asset/DataminrPulseAsset.json new file mode 100644 index 00000000000..a8bdaffd1f6 --- /dev/null +++ b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-Asset/DataminrPulseAsset.json 
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Sentinel is setup."
+ }
+ }
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ReferenceTemplate')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
+ "properties": {
+ "displayName": "DataminrPulseAsset",
+ "watchlistAlias": "DataminrPulseAsset",
+ "source": "dataminr_asset_close_proximity_alerting.csv",
+ "description": "Watchlist contains data of assets to use in Close Proximity Overview dashboard.",
+ "provider": "Custom",
+ "isDeleted": false,
+ "defaultDuration": "P1000Y",
+ "contentType": "Text/Csv",
+ "numberOfLinesToSkip": 0,
+ "itemsSearchKey": "asset_name",
+ "rawContent": "asset_name, asset_type, asset_description, asset_lat, asset_long, alerting_distance_miles\r\nDataminr_Newyork,Office,Dataminr Inc.,135 Madison Ave Floor 10, New York, NY 10016,United States,40.745900,-73.983940,5\r\nDataminr_Bozeman,Office,Dataminr Inc.,131 W Main St, Unit D, Bozeman, MT 59715,45.6794878,-111.0398014,5\r\nDataminr_Virginia,Office,Dataminr Inc.,2101 Wilson Blvd #1002,Arlington, VA 22201,United States,38.8940199,-77.0683043,5\r\nDataminr_Dublin,Office,Dataminr Inc.,2 Windmill Lane,D02 K156, Dublin, Ireland,53.3458505,-6.245248,5\r\nDataminr_London,Office,Dataminr Inc.,10 York Rd, London SE1 7ND, UK,51.5037543,-0.1181606,5\r\nDataminr_Melbourne,Office,Dataminr Inc.,120 Spencer St, Melbourne VIC 3000, Australia,-37.8182119,144.9521438,5\r\nDataminr_Seattle,Office,Dataminr Inc.,925 4th Ave #11th, Seattle, WA 98104,47.6054854,-122.3354275,5"
+ },
+ "apiVersion": "2022-08-01"
+ }
+ ]
+ }
+ 
\ No newline at end of file
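Review bot: The `rawContent` CSV declares six columns but every data row has nine or ten fields, because `asset_description` holds a postal address with unquoted commas (e.g. `Dataminr Inc.,135 Madison Ave Floor 10, New York, NY 10016,United States`), so `asset_lat`, `asset_long` and `alerting_distance_miles` land on street text rather than the coordinates the Close Proximity dashboard needs. The header also has a space after each comma, which leaves column names such as ` asset_type` with a leading blank unless the importer trims them. Wrap any field that contains a comma in double quotes (written as `\"` inside the JSON string) and drop the spaces from the header, e.g. `Dataminr_Newyork,Office,\"Dataminr Inc.,135 Madison Ave Floor 10, New York, NY 10016,United States\",40.745900,-73.983940,5`. The same unquoted-comma problem affects the `company` column of the DataminrPulseVulnerableDomain and DataminrPulseVulnerableIp watchlists later in this commit (`Meta Platforms, Inc.`, `Amazon Web Services, Inc.`), where it shifts or appends an extra field on those rows.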
diff --git a/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableDomain/DataminrPulseVulnerableDomain.json b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableDomain/DataminrPulseVulnerableDomain.json
new file mode 100644
index 00000000000..a396dce2c98
--- /dev/null
+++ b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableDomain/DataminrPulseVulnerableDomain.json
@@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + } + }, + "resources": [ + { + "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ReferenceTemplate')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "DataminrPulseVulnerableDomain", + "watchlistAlias": "DataminrPulseVulnerableDomain", + "source": "dataminr_vulnerable_domains_30d.csv", + "description": "Watchlist contains data of vulnerable domains of Dataminr to use in IOC Overview dashboard.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "url", + "rawContent": "_time,domain,url,caption,company,source\r\n1678819858,000webhostapp.com,https://centers4f3ty67v3rific4ti0nc0mf1rm4t10n.0source00webhostapp.com/verifications-security-pages.php,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, Inc.,urlscan\r\n1678819910,amazonaws.com,ec2-175-41-177-135.ap-southeast-1.compute.amazonaws.com,Amazon Web Services IP 175.41.177.135 has open RDP port 3389: Local Source via Shodan.,Amazon Web Services, Inc.,Shodan\r\n1678819861,anaturaledit.co.uk,https://anaturaledit.co.uk/login.html?dozpufx=FHOwMm3Oe5wz6vzgjhEbSKgoX9TeV&oxvprhsis=UUhdLARKkboE1nwm9et&nohjyzal=Aq5U1zYzvKYhERjGv8D1JxSYh,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819858,co.nz,bestandlesstravel.co.nz,Rackspace IP 119.9.51.147 hosts server configuration with CVE(s): Local Source via Shodan.,Rackspace Hosting, Inc.,Shodan\r\n1678819901,columbia.edu,ds1.cs.columbia.edu,Columbia Sportswear IP 128.59.22.27 has exposed MongoDB 
database: Local Source via Shodan.,Columbia Sportswear Company,Shodan\r\n1678819879,com.au,ec2-3-104-52-84.ap-southeast-2.compute.amazonaws.com,Amazon IP 3.104.52.84 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon.com, Inc.,Shodan\r\n1678810260,connectlon.org,https://connectlon.org/login,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819887,easynet.nl,213.201.230.reverse.easynet.nl,GTT Communications IP 213.201.230.96 hosts server configuration with CVE(s): Local Source via Shodan.,GTT Communications, Inc.,Shodan\r\n1678819860,filedn.com,https://filedn.com/lmtf06DxeexRuabg6razTLL/testoff%20(1).html,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819879,firebaseapp.com,https://business-page-appeal-19f1a.firebaseapp.com/,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, Inc.,urlscan\r\n1678819860,fleek.co,https://twilight-bonus-4110.on.fleek.co/support-closing.html,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819879,fleek.one,https://storageapi-stg.fleek.one/8837a275-8aca-4d7b-9c7f-25709249184e-bucket/way/wordindx.html,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819910,gassafetycerts.com,ec2-79-125-76-130.eu-west-1.compute.amazonaws.com,Amazon Web Services IP 79.125.76.130 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.,Shodan\r\n1678819888,googlefiber.net,136-36-82-15.googlefiber.net,Google IP 136.36.82.15 hosts server configuration with CVE(s): Local Source via Shodan.,Google LLC,Shodan\r\n1678819908,googleusercontent.com,15.56.64.34.bc.googleusercontent.com,Google IP 34.64.56.15 has exposed MySQL database: Local Source via Shodan.,Google 
LLC,Shodan\r\n1678819864,guesteasy.uk,http://guesteasy.uk/0000/quad/,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819875,inet.fi,mobile-user-c2fb13-242.dhcp.inet.fi,Telia Company IP 194.251.19.242 has exposed MS-SQL Server 2017 RTM database: Local Source via Shodan.,Telia Company AB (publ),Shodan\r\n1678819849,jblapps.com,oa.jblapps.com,Verizon IP 202.94.114.21 hosts server configuration with CVE(s): Local Source via Shodan.,Jabil Inc.,Shodan\r\n1678819859,jhadlkacoiwuz.co.vu,http://jhadlkacoiwuz.co.vu/Policies.html,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, Inc.,urlscan\r\n1678819905,kyivstar.net,94-153-188-61.mobile.kyivstar.net,Kyivstar IP 94.153.188.61 has exposed MySQL database: Local Source via Shodan.,VEON Ltd.,Shodan\r\n1678819842,leadcom.biz,https://leadcom.biz/godaddy/godaddy.php?user=,Phishing URL detected impersonating Godaddy: Local Source via urlscan.,GoDaddy Inc.,urlscan\r\n1678819844,llnw.net,lvp-029.phx7.llnw.net,Limelight Networks IP 68.142.64.87 hosts server configuration with CVE(s): Local Source via Shodan.,Limelight Networks, Inc.,Shodan\r\n1678819887,mirai.ne.jp,p211246.bsn.mirai.ne.jp,Mirai IP 210.172.211.246 has exposed PostgreSQL database: Local Source via Shodan.,Toyota Motor Corporation,Shodan\r\n1678819906,mitre.org,mrt-js.mitre.org,The MITRE Corporation IP 66.170.227.78 hosts server configuration with CVE(s): Local Source via Shodan.,The MITRE Corporation,Shodan\r\n1678819863,mystudywriters.com,https://mystudywriters.com/static/css/godaddy/godaddy.php?user=*@*,Phishing URL detected impersonating Godaddy: Local Source via urlscan.,GoDaddy Inc.,urlscan\r\n1678819845,negozialia.com,ec2-46-137-73-18.eu-west-1.compute.amazonaws.com,Amazon Web Services IP 46.137.73.18 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, 
Inc.,NULL\r\n1678819879,network-support.us,http://network-support.us/landing/form/4fc67c03-4ed5-4240-9ce9-14d9d4d33c02,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819885,oxford-union.org,speakers.oxford-union.org,Amazon Web Services IP 46.137.87.82 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.,Shodan\r\n1678819904,r2ceurope.com,153.vps.r2ceurope.com,VMware IP 185.69.233.145 hosts server configuration with CVE(s): Local Source via Shodan.,VMware, Inc.,Shodan\r\n1678819905,route-server.jp,b4kebweac120.route-server.jp,KDDI IP 180.235.234.120 has exposed MySQL database: Local Source via Shodan.,NULL,Shodan\r\n1678819842,sharestion.com,https://www.sharestion.com/gbr/73a29c01-4e78-437f-a0d4-c8553e1960c1/14ebb15a-e337-46a2-8cfc-e84e6ad3b319/4a07b645-7049-4161-ac15-d994427c31b9/login?id=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,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation,urlscan\r\n1678819889,sprintdatacenter.net,n8236h209.sprintdatacenter.net,Sprint data center IP 188.68.236.209 has exposed MS-SQL Server 2014 SP2 database: Local Source via Shodan.,Sprintex Limited,Shodan\r\n1678819890,steadfastdns.net,ip24.23-29-134.static.steadfastdns.net,Fortinet IP 23.29.134.24 hosts server configuration with CVE(s): Local Source via Shodan.,Fortinet, Inc.,Shodan\r\n1678819850,taica.family,ec2-176-32-71-215.ap-northeast-1.compute.amazonaws.com,Amazon Web Services IP 176.32.71.215 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.,Shodan\r\n1678819858,tiptoealaska.com,http://tiptoealaska.com/,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, Inc.,urlscan\r\n1678811471,trucktrax.biz,http://trucktrax.biz/,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, 
Inc.,urlscan\r\n1678819902,tylertech.com,tylertech.com,Tyler Technologies IP 207.182.213.172 hosts server configuration with CVE(s): Local Source via Shodan.,Tyler Technologies, Inc.,Shodan\r\n1678819875,verizonwireless.com,scspersonas-qe3-tdc.verizonwireless.com,Verizon IP 8.15.65.94 has SSL certificate expiring within 24 hours: Local Source via Shodan.,Verizon Communications Inc.,Shodan\r\n1678819848,wavenetuk.net,195-26-42-122.dsl.wavenetuk.net,Wavenet IP 195.26.42.122 has open Telnet port 23: Local Source via Shodan.,DEEPMIND TECHNOLOGIES LIMITED,Shodan\r\n1678819880,web.app,https://business-page-appeal-12e2c.web.app/,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, Inc.,urlscan\r\n1678819892,ziggo.nl,84-25-193-69.cable.dynamic.v4.ziggo.nl,Ziggo IP 84.25.193.69 has exposed PostgreSQL database: Local Source via Shodan.,VodafoneZiggo Group B.V.,Shodan\r\n" + }, + "apiVersion": "2022-08-01" + } + ] +} diff --git a/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableHash/DataminrPulseVulnerableHash.json b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableHash/DataminrPulseVulnerableHash.json new file mode 100644 index 00000000000..c7d42568bbe --- /dev/null +++ b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableHash/DataminrPulseVulnerableHash.json 
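Review bot: The `company` and `source` columns use the literal string `NULL` for a missing value on some rows (`NULL` as company on the `route-server.jp` row, `NULL` as source on the `negozialia.com` row) while other rows in this commit's watchlists simply leave the field empty; a string `NULL` is not an empty cell, so emptiness checks in the consuming KQL will treat it as data. Pick one convention, preferably an empty field, here and in the DataminrPulseVulnerableIp watchlist, which has the same `NULL` company on its 180.235.234.120 row. Separately, this template ships real third-party hostnames, addresses and phishing URLs, with captions asserting exposed databases and open ports on named organizations, into every workspace that installs the solution; if these rows exist only to seed the IOC Overview dashboard, consider replacing them with clearly synthetic values (RFC 2606 names, RFC 5737 address ranges) so the package does not redistribute dated, un-anonymized findings about named organizations.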
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
+ }
+ }
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ReferenceTemplate')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
+ "properties": {
+ "displayName": "DataminrPulseVulnerableHash",
+ "watchlistAlias": "DataminrPulseVulnerableHash",
+ "source": "dataminr_vulnerable_hashes_30d.csv",
+ "description": "Watchlist contains data of vulnerable hashes of Dataminr to use in IOC Overview dashboard.",
+ "provider": "Custom",
+ "isDeleted": false,
+ "defaultDuration": "P1000Y",
+ "contentType": "Text/Csv",
+ "numberOfLinesToSkip": 0,
+ "itemsSearchKey": "hash",
+ "rawContent": "hash,caption,_time,source\r\n3f7eae6cc61fdc2553a2acdede69be84945a7a724b632dea3ff8466f74b56249,Sample of android malware GodFather impersonating MYT Music app to target Turkish users detected and analyzed: Blog via VirusTotal.,1671560525,VirusTotal\r\n"
+ },
+ "apiVersion": "2022-08-01"
+ }
+ ]
+ }
+ 
\ No newline at end of file
diff --git a/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableIp/DataminrPulseVulnerableIp.json b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableIp/DataminrPulseVulnerableIp.json
new file mode 100644
index 00000000000..f86995ca0bf
--- /dev/null
+++ b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableIp/DataminrPulseVulnerableIp.json
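Review bot: The `hash` column does not say which digest it holds; the one sample value is 64 hex characters, which is consistent with SHA-256, but nothing in the template states that, so a consumer cannot tell whether MD5 or SHA-1 values may appear in later rows. Name the algorithm either in the column (`sha256`) or in the description, e.g. `"description": "Watchlist of malware sample hashes (SHA-256) reported by Dataminr for the IOC Overview dashboard."`, which also fixes the misnomer "vulnerable hashes" for what the caption describes as a malware sample. The template ends with a whitespace-only line and no trailing newline, unlike the DataminrPulseVulnerableDomain and DataminrPulseVulnerableIp templates in this commit, which close with `}` and a newline.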
@@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + } + }, + "resources": [ + { + "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ReferenceTemplate')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "DataminrPulseVulnerableIp", + "watchlistAlias": "DataminrPulseVulnerableIp", + "source": "dataminr_vulnerable_ips_30d.csv", + "description": "Watchlist contains data of vulnerable ips of Dataminr to use in IOC Overview dashboard.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "ip", + "rawContent": "ip,_time,caption,company\r\n119.9.46.78,1678819861,Rackspace IP 119.9.46.78 hosts server configuratiServiceson with CVE(s): Local Source via Shodan.,Rackspace Hosting, Inc.\r\n119.9.51.147,1678819858,Rackspace IP 119.9.51.147 hosts server configuration with CVE(s): Local Source via Shodan.,Rackspace Hosting, Inc.\r\n122.248.205.188,1678819876,Amazon Web Services IP 122.248.205.188 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n128.59.22.27,1678819901,Columbia Sportswear IP 128.59.22.27 has exposed MongoDB database: Local Source via Shodan.,Columbia Sportswear Company\r\n13.124.104.139,1678819887,Amazon Web Services IP 13.124.104.139 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n13.124.15.202,1678819887,Amazon Web Services IP 13.124.15.202 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n13.125.134.248,1678819904,Amazon Web Services IP 13.125.134.248 has exposed MySQL database: Local Source via Shodan.,Amazon Web 
Services, Inc.\r\n13.125.61.135,1678819886,Amazon Web Services IP 13.125.61.135 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n13.209.157.214,1678819907,Amazon Web Services IP 13.209.157.214 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n13.209.212.118,1678819910,Amazon Web Services IP 13.209.212.118 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n13.209.58.95,1678819886,Amazon Web Services IP 13.209.58.95 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n13.236.26.207,1678819863,Amazon IP 13.236.26.207 has exposed MS-SQL Server 2017 CU19 database: Local Source via Shodan.,Amazon.com, Inc.\r\n13.238.230.228,1678819876,Amazon IP 13.238.230.228 has exposed MySQL database: Local Source via Shodan.,Amazon.com, Inc.\r\n13.54.80.13,1678819889,Amazon IP 13.54.80.13 has exposed MySQL database: Local Source via Shodan.,Amazon.com, Inc.\r\n136.36.82.15,1678819888,Google IP 136.36.82.15 hosts server configuration with CVE(s): Local Source via Shodan.,Google LLC\r\n147.161.131.98,1678819910,Zscaler IP 147.161.131.98 has open Memcached port 11211: Local Source via Shodan.,Zscaler, Inc.\r\n149.18.115.9,1678819849,AT&T IP 149.18.115.9 has exposed MS-SQL Server 2022 CTP1.0+ database: Local Source via Shodan.,AT&T Inc.\r\n149.18.118.63,1678819850,AT&T IP 149.18.118.63 has exposed MS-SQL Server 2022 CTP1.0+ database: Local Source via Shodan.,AT&T Inc.\r\n149.18.119.207,1678819901,AT&T IP 149.18.119.207 has exposed MS-SQL Server 2022 CTP1.0+ database: Local Source via Shodan.,AT&T Inc.\r\n149.18.119.238,1678819903,AT&T IP 149.18.119.238 has exposed MS-SQL Server 2022 CTP1.0+ database: Local Source via Shodan.,AT&T Inc.\r\n149.18.124.59,1678819875,AT&T IP 149.18.124.59 has exposed MS-SQL Server 2022 CTP1.0+ database: Local Source via Shodan.,AT&T Inc.\r\n149.18.125.143,1678819864,AT&T IP 149.18.125.143 has exposed MS-SQL Server 2022 CTP1.0+ 
database: Local Source via Shodan.,AT&T Inc.\r\n149.18.127.170,1678819909,AT&T IP 149.18.127.170 has exposed MS-SQL Server 2022 CTP1.0+ database: Local Source via Shodan.,AT&T Inc.\r\n15.164.118.15,1678819847,Amazon Web Services IP 15.164.118.15 has exposed MS-SQL Server 2019 CU8 database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n15.164.129.2,1678819893,Amazon Web Services IP 15.164.129.2 has exposed MongoDB database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n15.164.15.11,1678819841,Amazon Web Services IP 15.164.15.11 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n15.164.199.202,1678819859,Amazon Web Services IP 15.164.199.202 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n15.165.176.124,1678819890,Amazon Web Services IP 15.165.176.124 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n15.165.242.79,1678819906,Amazon Web Services IP 15.165.242.79 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n175.41.138.27,1678819906,Amazon Web Services IP 175.41.138.27 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n175.41.147.118,1678819903,Amazon Web Services IP 175.41.147.118 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n175.41.177.135,1678819910,Amazon Web Services IP 175.41.177.135 has open RDP port 3389: Local Source via Shodan.,Amazon Web Services, Inc.\r\n175.41.246.120,1678819893,Amazon Web Services IP 175.41.246.120 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n176.32.71.215,1678819850,Amazon Web Services IP 176.32.71.215 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n180.235.234.120,1678819905,KDDI IP 180.235.234.120 has exposed MySQL database: Local Source via Shodan.,NULL\r\n185.180.12.68,1678819858,Phishing URL detected impersonating 
Microsoft: Local Source via urlscan.,Microsoft Corporation\r\n185.59.220.194,1678819879,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation\r\n185.69.233.145,1678819904,VMware IP 185.69.233.145 hosts server configuration with CVE(s): Local Source via Shodan.,VMware, Inc.\r\n188.68.236.209,1678819889,Sprint data center IP 188.68.236.209 has exposed MS-SQL Server 2014 SP2 database: Local Source via Shodan.,Sprintex Limited\r\n194.251.19.242,1678819875,Telia Company IP 194.251.19.242 has exposed MS-SQL Server 2017 RTM database: Local Source via Shodan.,Telia Company AB (publ)\r\n195.26.42.122,1678819848,Wavenet IP 195.26.42.122 has open Telnet port 23: Local Source via Shodan.,DEEPMIND TECHNOLOGIES LIMITED\r\n202.159.8.148,1678819850,Microsoft IP 202.159.8.148 hosts server configuration with CVE(s): Local Source via Shodan.,Microsoft Corporation\r\n202.94.114.21,1678819849,Verizon IP 202.94.114.21 hosts server configuration with CVE(s): Local Source via Shodan.,Jabil Inc.\r\n206.62.165.185,1678819846,Matrix IP 206.62.165.185 has exposed MySQL database: Local Source via Shodan.,Toyota Motor Corporation\r\n207.182.213.172,1678819902,Tyler Technologies IP 207.182.213.172 hosts server configuration with CVE(s): Local Source via Shodan.,Tyler Technologies, Inc.\r\n210.172.211.246,1678819887,Mirai IP 210.172.211.246 has exposed PostgreSQL database: Local Source via Shodan.,Toyota Motor Corporation\r\n213.201.230.96,1678819887,GTT Communications IP 213.201.230.96 hosts server configuration with CVE(s): Local Source via Shodan.,GTT Communications, Inc.\r\n213.71.13.147,1678819864,Verizon IP 213.71.13.147 hosts server configuration with CVE(s): Local Source via Shodan.,Verizon Communications Inc.\r\n23.109.93.100,1678819860,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation\r\n23.228.187.201,1678819877,Google IP 23.228.187.201 hosts server configuration with CVE(s): Local Source via 
Shodan.,Google LLC\r\n23.29.134.24,1678819890,Fortinet IP 23.29.134.24 hosts server configuration with CVE(s): Local Source via Shodan.,Fortinet, Inc.\r\n3.104.237.239,1678819888,Amazon IP 3.104.237.239 has exposed PostgreSQL database: Local Source via Shodan.,Amazon.com, Inc.\r\n3.104.52.84,1678819879,Amazon IP 3.104.52.84 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon.com, Inc.\r\n3.106.51.243,1678819893,Amazon IP 3.106.51.243 has exposed MySQL database: Local Source via Shodan.,Amazon.com, Inc.\r\n3.217.14.223,1678819879,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation\r\n3.24.249.113,1678819849,Amazon IP 3.24.249.113 has exposed MySQL database: Local Source via Shodan.,Amazon.com, Inc.\r\n3.34.0.4,1678819906,Amazon Web Services IP 3.34.0.4 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.34.15.214,1678819900,Amazon Web Services IP 3.34.15.214 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.34.231.79,1678819903,Amazon Web Services IP 3.34.231.79 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.34.70.32,1678819892,Amazon Web Services IP 3.34.70.32 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.34.86.214,1678819909,Amazon Web Services IP 3.34.86.214 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.34.98.152,1678819848,Amazon Web Services IP 3.34.98.152 has exposed MongoDB database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.35.191.42,1678819849,Amazon Web Services IP 3.35.191.42 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.35.247.137,1678810284,Amazon Web Services IP 3.35.247.137 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.35.54.62,1678819858,Amazon Web Services IP 3.35.54.62 has exposed MySQL database: Local Source via 
Shodan.,Amazon Web Services, Inc.\r\n3.37.202.208,1678819905,Amazon Web Services IP 3.37.202.208 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.38.55.14,1678819843,Amazon Web Services IP 3.38.55.14 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.39.26.110,1678819879,Amazon Web Services IP 3.39.26.110 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.39.70.101,1678819848,Amazon Web Services IP 3.39.70.101 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.39.83.10,1678819901,Amazon Web Services IP 3.39.83.10 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n3.39.88.211,1678819901,Amazon Web Services IP 3.39.88.211 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n34.101.186.137,1678819889,Google IP 34.101.186.137 hosts server configuration with CVE(s): Local Source via Shodan.,Google LLC\r\n34.101.219.45,1678819859,Google IP 34.101.219.45 has exposed PostgreSQL database: Local Source via Shodan.,Google LLC\r\n34.101.225.45,1678810262,Google IP 34.101.225.45 hosts server configuration with CVE(s): Local Source via Shodan.,Google LLC\r\n34.101.82.9,1678819902,Google IP 34.101.82.9 has exposed MySQL database: Local Source via Shodan.,Google LLC\r\n34.223.244.1,1678819858,Expedia IP 34.223.244.1 has exposed Elastic database: Local Source via Shodan.,Expedia Group, Inc.\r\n34.64.165.63,1678819867,Google IP 34.64.165.63 hosts server configuration with CVE(s): Local Source via Shodan.,Google LLC\r\n34.64.171.179,1678819887,Google IP 34.64.171.179 has SSL certificate expiring within 24 hours: Local Source via Shodan.,Google LLC\r\n34.64.233.209,1678819901,Google IP 34.64.233.209 has open RDP port 3389: Local Source via Shodan.,Google LLC\r\n34.64.56.15,1678819908,Google IP 34.64.56.15 has exposed MySQL database: Local Source via Shodan.,Google 
LLC\r\n35.219.4.100,1678819892,Google IP 35.219.4.100 has exposed MongoDB database: Local Source via Shodan.,Google LLC\r\n46.137.73.18,1678819846,Amazon Web Services IP 46.137.73.18 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n46.137.87.82,1678819885,Amazon Web Services IP 46.137.87.82 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n46.51.135.214,1678819847,Amazon Web Services IP 46.51.135.214 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n47.254.71.1,1678819859,Phishing URL detected impersonating Facebook: Local Source via urlscan.,Meta Platforms, Inc.\r\n52.78.153.43,1678819902,Amazon Web Services IP 52.78.153.43 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n52.78.58.206,1678810284,Amazon Web Services IP 52.78.58.206 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n52.79.161.41,1678819874,Amazon Web Services IP 52.79.161.41 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n52.79.75.171,1678819909,Amazon Web Services IP 52.79.75.171 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n54.180.56.82,1678819892,Amazon Web Services IP 54.180.56.82 has exposed PostgreSQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n54.180.96.177,1678819859,Amazon Web Services IP 54.180.96.177 has exposed MySQL database: Local Source via Shodan.,Amazon Web Services, Inc.\r\n65.154.226.14,1678819879,Palo Alto Networks IP 65.154.226.14 has open SMB port 445: Local Source via Shodan.,Palo Alto Networks, Inc.\r\n66.170.109.0,1678819906,VMware IP 66.170.109.0 has open RDP port 3389: Local Source via Shodan.,VMware, Inc.\r\n66.170.227.78,1678819906,The MITRE Corporation IP 66.170.227.78 hosts server configuration with CVE(s): Local Source via Shodan.,The MITRE 
Corporation\r\n66.29.128.152,1678819863,Phishing URL detected impersonating Godaddy: Local Source via urlscan.,GoDaddy Inc.\r\n68.142.64.87,1678819844,Limelight Networks IP 68.142.64.87 hosts server configuration with CVE(s): Local Source via Shodan.,Limelight Networks, Inc.\r\n69.49.244.24,1678819864,Phishing URL detected impersonating Microsoft: Local Source via urlscan.,Microsoft Corporation\r\n79.125.76.130,1678819910,Amazon Web Services IP 79.125.76.130 hosts server configuration with CVE(s): Local Source via Shodan.,Amazon Web Services, Inc.\r\n8.15.65.94,1678819875,Verizon IP 8.15.65.94 has SSL certificate expiring within 24 hours: Local Source via Shodan.,Verizon Communications Inc.\r\n83.246.46.51,1678819879,VMware IP 83.246.46.51 hosts server configuration with CVE(s): Local Source via Shodan.,VMware, Inc.\r\n84.25.193.69,1678819892,Ziggo IP 84.25.193.69 has exposed PostgreSQL database: Local Source via Shodan.,VodafoneZiggo Group B.V.\r\n94.153.188.61,1678819905,Kyivstar IP 94.153.188.61 has exposed MySQL database: Local Source via Shodan.,VEON Ltd.\r\n" + }, + "apiVersion": "2022-08-01" + } + ] +} diff --git a/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableMalware/DataminrPulseVulnerableMalware.json b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableMalware/DataminrPulseVulnerableMalware.json new file mode 100644 index 00000000000..31a57022bb5 --- /dev/null +++ b/Solutions/Dataminr Pulse/Watchlists/DataminrPulse-VulnerableMalware/DataminrPulseVulnerableMalware.json 
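Review bot: The first data row's caption reads `hosts server configuratiServiceson with CVE(s)`, a paste error for `configuration` (compare the otherwise identical caption on the next row for 119.9.51.147); this text is presumably rendered in the IOC Overview dashboard, so correct it to `Rackspace IP 119.9.46.78 hosts server configuration with CVE(s): Local Source via Shodan.`. The same kind of stray-paste corruption appears in the DataminrPulseVulnerableMalware watchlist that follows.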
@@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + } + }, + "resources": [ + { + "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ReferenceTemplate')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "DataminrPulseVulnerableMalware", + "watchlistAlias": "DataminrPulseVulnerableMalware", + "source": "dataminr_vulnerable_malwares_30d.csv", + "description": "Watchlist contains data of vulnerable malwares of Dataminr to use in IOC Overview dashboard.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "malware", + "rawContent": "malware,caption,_time,hash,ip,source\r\nGodFather,Sample of android malware GodFather impersonating MYT Music app to tadeployingrget Turkish users detected and analyzed: Blog via VirusTotal.,1671560525,3f7eae6cc61fdc2553a2acdede69be84945a7a724b632dea3ff8466f74b56249,,VirusTotal\r\nGodFather,Sample of android malware GodFather impersonating as MYT Music app to target Turkish users detected and analyzed: Blog via VirusTotal.,1671553995,e67b8b78550396f542ded77d2118487ac1afb0d4ac6b70774889bbb4e6d88265,,VirusTotal\r\nOWASSRF,CrowdStrike shares tool to check logs for evidence of OWASSRF exploitation: Local Source via GitHub.,1671564801,,,GitHub\r\nPupy RAT,C2 server associated with threat actors deploying Pupy RAT malware by exploiting Windows Problem Reporting detected: Blog via VirusTotal.,1673020170,,103.79.76[.]40,VirusTotal\r\nW4SP Stealer,Hackers targeting PyPI Python package repository using W4SP Stealer malware hidden inside malicious packages to steal software developers' data: Blog via Bleeping 
Computer.,1671562554,,,Bleeping Computer\r\n"
+ },
+ "apiVersion": "2022-08-01"
+ }
+ ]
+}
diff --git a/Solutions/Dataminr Pulse/Workbooks/DataminrPulseAlerts.json b/Solutions/Dataminr Pulse/Workbooks/DataminrPulseAlerts.json
new file mode 100644
index 00000000000..d84eda1bccd
--- /dev/null
+++ b/Solutions/Dataminr Pulse/Workbooks/DataminrPulseAlerts.json
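Review bot: The first GodFather row's caption contains `to tadeployingrget Turkish users`, apparently the word `deploying` pasted into the middle of `target`; the second GodFather row differs from the first only by the ungrammatical `impersonating as MYT Music app`, so both captions should read `... impersonating MYT Music app to target Turkish users ...`. The `ip` column stores the Pupy RAT C2 address defanged as `103.79.76[.]40`, whereas the DataminrPulseVulnerableIp watchlist stores plain dotted quads in its `ip` column, so any lookup that correlates the two watchlists on `ip` will not match that row; store the same form in both and leave defanging to the presentation layer, or document in `description` that this column is defanged.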
@@ -0,0 +1,3549 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "da8b6813-e862-406d-be73-aed634a083a2", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Alert Overview", + "subTarget": "Alert Overview", + "style": "link", + "linkIsContextBlade": true + }, + { + "id": "75b5e827-ff38-4252-bbd1-6beedbfe4534", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Cyber Threat Overview", + "subTarget": "Cyber Threat Overview", + "style": "link" + }, + { + "id": "e4bdb76d-c81a-498f-b0ba-5130dba5d9ab", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "IOC Overview", + "subTarget": "IOC Overview", + "style": "link" + }, + { + "id": "d76fe7f8-78c7-4537-8de6-7d8a1d050478", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Close Proximity Overview", + "subTarget": "Close Proximity Overview", + "style": "link" + }, + { + "id": "6de2158e-490d-4bed-85c4-f6e87706afc5", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Alerts Drilldown", + "subTarget": "Alerts Drilldown", + "style": "link" + } + ] + }, + "name": "links - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Dataminr Alert Overview\r\n### Watchlists created in Dataminr" + }, + "name": "text - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "9c52736d-df9f-4db2-a196-6395ba392fe2", + "version": "KqlParameterItem/1.0", + "name": "select_time_range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + 
"durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + }, + { + "id": "21aeafb7-3429-4c8c-b74b-d296f0ce22b2", + "version": "KqlParameterItem/1.0", + "name": "watchlist", + "label": "Watchlist", + "type": 2, + "isRequired": true, + "quote": "'", + "delimiter": ",", + "query": "DataminrPulseCyberAlerts\r\n| mv-expand todynamic(WatchlistsMatchedByType)\r\n| where isnotempty(WatchlistsMatchedByType[\"name\"])\r\n| distinct tostring(WatchlistsMatchedByType[\"name\"])", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "select_time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "value::all" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Help", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "This dashboards shows high level analytics about the Dataminr alerts from the selected Watchlist." 
+ }, + "name": "text - 0" + } + ] + }, + "name": "Help" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}')) and isnotempty(AlertType)\r\n| summarize distinct_count=dcount(AlertId) by AlertType\r\n| sort by distinct_count desc", + "size": 0, + "showAnalytics": true, + "title": "Alerts by Type", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "exportFieldName": "x", + "exportParameterName": "alert_type", + "exportDefaultValue": "None", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "chartSettings": { + "xAxis": "AlertType", + "seriesLabelSettings": [ + { + "seriesName": "Urgent", + "color": "orange" + }, + { + "seriesName": "Alert", + "color": "yellow" + }, + { + "seriesName": "Flash", + "color": "redBright" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "50", + "name": "Alerts by Type", + "styleSettings": { + "padding": "24px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}'))\r\n| mv-expand todynamic(Company)\r\n| extend companyName = tostring(Company[\"name\"])\r\n| where isnotempty(Company)\r\n| summarize Count=dcount(AlertId) by companyName\r\n| sort by Count desc", + "size": 3, + "showAnalytics": true, + "title": "Alerts by Company", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": 
"piechart", + "chartSettings": { + "yAxis": [ + "Count" + ], + "group": "companyName", + "createOtherGroup": 10, + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "50", + "name": "Alerts by Company", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 _Click on a bars in the above 'Alert by Type' chart to view more details_" + }, + "name": "text - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}'))\r\n and isnotempty(AlertType) and AlertType == '{alert_type}'\r\n| summarize count=dcount(AlertId) by AlertType", + "size": 4, + "showAnalytics": true, + "title": "Selected Alerts Type Data", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "alert_type", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "query - 8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "89d85ee2-81ec-42ed-bd7e-d8e7bcee1ab1", + "version": "KqlParameterItem/1.0", + "name": "Category_name", + "label": "Category Name", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "DataminrPulseCyberAlerts \r\n| mv-expand todynamic(Category)\r\n| extend categories = tostring(Category[\"name\"])\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}')) and isnotempty(categories)\r\n| distinct 
categories\r\n", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "select_time_range", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts \r\n| mv-expand todynamic(Category)\r\n| extend Date = format_datetime(todatetime(TimeGenerated), 'yyyy-MM-dd'), CategoryName = tostring(Category[\"name\"])\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}')) and ('*' in ({Category_name}) or CategoryName in ({Category_name})) and isnotempty(CategoryName)\r\n| summarize Dcount=dcount(AlertId) by Date, CategoryName\r\n| project Date, Dcount, CategoryName\r\n| order by Date asc", + "size": 0, + "aggregation": 5, + "showAnalytics": true, + "title": "Alerts Trend", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "x", + "parameterName": "date_Occurrence_Trend", + "parameterType": 1, + "defaultValue": "None" + }, + { + "fieldName": "series", + "parameterName": "CategoryName_Occurrence_Trend", + "parameterType": 1, + "defaultValue": "None" + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "xAxis": "Date", + "group": "CategoryName", + "createOtherGroup": 99, + "showDataPoints": true + } + }, + "customWidth": "50", + "name": "Alerts Trend", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}')) and isnotempty(EventLocationName) and isnotempty(WatchlistsMatchedByType)\r\n| summarize dcount=dcount(AlertId) by Latitude, Longitude, EventLocationName\r\n| extend latlng = strcat(\"Latitude : \",Latitude,\"\\nLongitude : \",Longitude,\"\\nName : \",EventLocationName,\"\\nCount : \",dcount)\r\n| order by dcount desc", + "size": 0, + "showAnalytics": true, + "title": "Alerts by Location", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "lat", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "countID", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "mapSettings": { + "locInfo": "LatLong", + "latitude": "Latitude", + "longitude": "Longitude", + "sizeSettings": "dcount", + "sizeAggregation": "Sum", + "labelSettings": "latlng", + "legendMetric": "dcount", + "numberOfMetrics": 99, + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "dcount", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "Alerts by Location", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 _Click on a data points in the above 'Alerts Trend' chart to view more details_" + }, + "customWidth": "45", + "name": "text - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts \r\n| extend TimeGenerated = tostring(TimeGenerated), Channel = substring(SourceChannels,1,strlen(SourceChannels)-2), 
category = parse_json(Category), embededLabels = parse_json(EmbeddedLabels)\r\n| mv-apply category on (summarize Topics = make_list(category.name))\r\n| mv-apply embededLabels on (summarize addresses = make_list(embededLabels.addresses))\r\n| extend CategoryName = array_index_of(Topics,'{CategoryName_Occurrence_Trend}'), Date = format_datetime(todatetime(TimeGenerated), 'yyyy-MM-dd')\r\n| where TimeGenerated contains '{date_Occurrence_Trend}' and CategoryName >= 0 and ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}'))\r\n| summarize any(*) by AlertId, Date\r\n| project-rename [\"Alert ID\"] = AlertId, [\"Alert Type\"] = any_AlertType, [\"Category Names\"] = any_Topics, Companies = any_Company, [\"Cyber Addresses\"] = any_addresses, [\"Location Name\"] = any_EventLocationName, [\"Matched Watchlist\"] = any_WatchlistNames, Source = any_EventSource, [\"Source Channels\"]= any_Channel, [\"Publisher Name\"] = any_PublisherCategoryName, [\"Time Generated\"] = any_TimeGenerated, Caption = any_Caption\r\n| project [\"Alert ID\"], [\"Alert Type\"], Caption, [\"Category Names\"], Companies, [\"Cyber Addresses\"], [\"Location Name\"], format_datetime(todatetime([\"Time Generated\"]), 'yy-MM-dd HH:mm:ss'), [\"Matched Watchlist\"], Source, parse_json([\"Source Channels\"]), [\"Publisher Name\"]\r\n| sort by [\"Time Generated\"] asc", + "size": 0, + "showAnalytics": true, + "title": "Selected Alerts Trend Data", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "conditionalVisibilities": [ + { + "parameterName": "date_Occurrence_Trend", + "comparison": "isNotEqualTo", + "value": "None" + }, + { + "parameterName": 
"CategoryName_Occurrence_Trend", + "comparison": "isNotEqualTo", + "value": "None" + }, + { + "parameterName": "CategoryName_Occurrence_Trend", + "comparison": "isNotEqualTo", + "value": "Other" + } + ], + "name": "query - 7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| where ('*' == ('{watchlist}') or set_has_element(todynamic(WatchlistNames),'{watchlist}'))\r\n| extend EventTime = unixtime_milliseconds_todatetime(toint(EventTime)), Channel = substring(SourceChannels,1,strlen(SourceChannels)-2)\r\n| summarize any(*) by AlertId\r\n| project-rename ['Alert ID'] = AlertId, Time = any_TimeGenerated, [\"Alert Type\"] = any_AlertType, Source = any_EventSource, [\"Source Channels\"]= any_Channel, Publisher = any_PublisherCategoryName, Caption = any_Caption, Company = any_CompanyNames, Topics = any_CategoryNames\r\n| project ['Alert ID'], format_datetime(todatetime(Time), 'yy-MM-dd HH:mm:ss'), [\"Alert Type\"], Caption, Company, Source, parse_json([\"Source Channels\"]), Publisher, Topics\r\n| order by Time desc\r\n| limit 10", + "size": 3, + "showAnalytics": true, + "title": "Recent 10 Alerts", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "select_time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Alert ID", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "name": "Recent 10 Alerts", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 13" + } + ] + }, + "conditionalVisibility": { + 
"parameterName": "setTab", + "comparison": "isEqualTo", + "value": "Alert Overview" + }, + "name": "group - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Dataminr Close Proximity Overview\r\n### Show Dataminr alerts in close proximity of important Customer locations" + }, + "name": "text - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "7b8368ba-ff5f-4cc6-a7b3-4bc4a7c00789", + "version": "KqlParameterItem/1.0", + "name": "Select_Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Help", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "This dashboards shows Dataminr alerts within threshold miles from important customer locations.\r\n\r\nThe important customer locations are configured as part of Sentinel Watchlist. The Watchlist file is included as part of this app.\r\n\r\nPlease update the Watchlist file manually." 
+ }, + "name": "text - 0" + } + ] + }, + "name": "group - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_GetWatchlist('DataminrPulseAsset')\r\n| extend crossjoin = 1\r\n| join kind=inner (DataminrPulseAlerts | extend crossjoin = 1) on crossjoin\r\n| extend asset_distance_miles = abs(3956 * (2 * asin(sqrt(pow(sin(((Latitude*pi()/180)-(todouble(asset_lat)*pi()/180)) / 2),2) + cos((Latitude*pi()/180)) * cos((todouble(asset_lat)*pi()/180)) * pow(sin(((Longitude*pi()/180)-(todouble(asset_long)*pi()/180)) / 2),2)))))\r\n| where asset_distance_miles <= toreal(alerting_distance_miles)\r\n| summarize any(asset_name), dcount=dcount(AlertId) by AlertId, tostring(asset_lat), tostring(asset_long)\r\n| extend latlng = strcat(\"Name : \",any_asset_name,\"\\nLatitude : \",asset_lat,\"\\nLongitude: \",asset_long)\r\n| order by asset_lat desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Alerts in Close Proximity Map", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "Select_Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AlertId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "dcount", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "mapSettings": { + "locInfo": "LatLong", + "latitude": "asset_lat", + "longitude": "asset_long", + "sizeSettings": "dcount", + "sizeAggregation": "Sum", + "labelSettings": "latlng", + "legendMetric": "dcount", + "numberOfMetrics": 0, + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "dcount", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "showPin": false, + "name": "Alerts in Close Proximity 
Map", + "styleSettings": { + "padding": "20px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_GetWatchlist('DataminrPulseAsset')\r\n| extend crossjoin = 1\r\n| join kind=inner (DataminrPulseAlerts | extend crossjoin = 1) on crossjoin\r\n| extend asset_distance_miles = abs(3956 * (2 * asin(sqrt(pow(sin(((Latitude*pi()/180)-(todouble(asset_lat)*pi()/180)) / 2),2) + cos((Latitude*pi()/180)) * cos((todouble(asset_lat)*pi()/180)) * pow(sin(((Longitude*pi()/180)-(todouble(asset_long)*pi()/180)) / 2),2)))))\r\n| where asset_distance_miles <= toreal(alerting_distance_miles)\r\n| project-rename [\"Asset Name\"] = asset_name, [\"Asset Type\"] = asset_type, [\"Alert ID\"] = AlertId, [\"Asset Distance Miles\"] = asset_distance_miles\r\n| project [\"Asset Name\"], [\"Asset Type\"], Caption, [\"Alert ID\"], [\"Asset Distance Miles\"]\r\n", + "size": 0, + "showAnalytics": true, + "title": " Alerts in Close Proximity", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "Select_Time_Range", + "showRefreshButton": true, + "exportFieldName": "Alert ID", + "exportParameterName": "alertid", + "exportDefaultValue": "None", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "showExpandCollapseGrid": true, + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "Alerts in Close Proximity", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "50", + "name": "text - 7" + }, + { + "type": 1, + "content": { + "json": "💡 _Click on a row in the above 'Alerts in Close Proximity' grid to view more details_" + }, + "customWidth": "50", + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseAlerts\r\n| where AlertId == '{alertid}'", + 
"size": 4, + "showAnalytics": true, + "title": "Selected Close Proximity Alert Data", + "timeContextFromParameter": "Select_Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "conditionalVisibility": { + "parameterName": "alertid", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "query - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_GetWatchlist('DataminrPulseAsset')\r\n| project-rename [\"Asset Name\"] = asset_name, [\"Asset Type\"] = asset_type, [\"Asset Description\"] = asset_description, [\"Alerting Distance Miles\"] = alerting_distance_miles, [\"Asset Latitude\"] = asset_lat, [\"Asset Longitude\"] = asset_long\r\n| project [\"Asset Name\"], [\"Asset Type\"], [\"Asset Description\"], [\"Alerting Distance Miles\"], [\"Asset Latitude\"], [\"Asset Longitude\"]\r\n", + "size": 0, + "showAnalytics": true, + "title": "Configured Important Locations", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "Select_Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "Asset Latitude", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Asset Latitude", + "sortOrder": 1 + } + ] + }, + "name": "Configured Important Locations", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 9" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "Close Proximity Overview" + }, + "name": "Close Proximity 
Overview" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Dataminr IOC Overview\r\n### IOCs (IP, URL, domain, hashes, filenames) extracted from alerts created by Dataminr" + }, + "showPin": false, + "name": "text - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "4889f111-32cd-4a9f-8ad3-3d5a1a43d812", + "version": "KqlParameterItem/1.0", + "name": "time", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Help", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "This dashboards shows Indicator of Compromise in the current Sentinel environment.\r\n\r\nEach row in the panels showing vulnerable IOCs are clickable. 
Click the row to view more details about the vulnerable IOC.\r\n\r\n" + }, + "name": "text - 0" + } + ] + }, + "name": "group - 14" + }, + { + "type": 1, + "content": { + "json": "#### 📝 Note: To view the Affected IOCs related panles in this dashboard, ASim parsers must be deployed in the workspace and lookup csv data must be available in watchlist. " + }, + "name": "text - 21" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n(ASimNetworkSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize src_ip = make_set(SrcIpAddr), dst_ip = make_set(DstIpAddr)\r\n | summarize ip = make_set(set_union(src_ip, dst_ip))),\r\n(ASimDns\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize src_ip = make_set(SrcIpAddr), dst_ip = make_set(DstIpAddr)\r\n | summarize ip = make_set(set_union(src_ip, dst_ip))),\r\n(ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize src_ip = make_set(SrcIpAddr), dst_ip = make_set(DstIpAddr)\r\n | summarize ip = make_set(set_union(src_ip, dst_ip))),\r\n(ASimAuditEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize src_ip = make_set(SrcIpAddr), dst_ip = make_set(TargetIpAddr)\r\n | summarize ip = make_set(set_union(src_ip, dst_ip)))\r\n| mv-expand ip\r\n| where isnotempty(ip)\r\n| extend ip = tostring(ip)\r\n| join kind=inner (_GetWatchlist(\"DataminrPulseVulnerableIp\")\r\n | project ip, caption) on ip\r\n| project-rename [\"ASIM Ip\"] = ip, [\"Lookup Ip\"] = ip1\r\n| summarize ip_count=dcount([\"ASIM Ip\"])\r\n| project ip_count", + "size": 4, + "showAnalytics": true, + "title": "Affected IP Address", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 12, + "formatOptions": { + "palette": 
"none" + } + }, + "rightContent": { + "columnMatch": "ip_count", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "0" + } + }, + "showBorder": false, + "size": "auto" + }, + "graphSettings": { + "type": 0, + "topContent": {}, + "centerContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "none" + } + }, + "nodeIdField": "Count", + "sourceIdField": "Count", + "targetIdField": "Count", + "graphOrientation": 3, + "showOrientationToggles": false, + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": null, + "hivesMargin": 5 + }, + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "25", + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n(imFileEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize src_md5=make_set(SrcFileMD5), src_sha1=make_set(SrcFileSHA1), src_sha256=make_set(SrcFileSHA256), src_sha512=make_set(SrcFileSHA512), dst_md5=make_set(TargetFileMD5), dst_sha1=make_set(TargetFileSHA1), dst_sha256=make_set(TargetFileSHA256), dst_sha512=make_set(TargetFileSHA512)\r\n | summarize Hashes = make_set(set_union(src_md5, src_sha1, src_sha256, src_sha512, dst_md5, dst_sha1, dst_sha256, dst_sha512))\r\n | project Hashes),\r\n(ASimProcessEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize src_md5=make_set(ParentProcessMD5), src_sha1=make_set(ParentProcessSHA1), src_sha256=make_set(ParentProcessSHA256), src_sha512=make_set(ParentProcessSHA512), dst_md5=make_set(TargetProcessMD5), dst_sha1=make_set(TargetProcessSHA1), dst_sha256=make_set(TargetProcessSHA256), dst_sha512=make_set(TargetProcessSHA512), act_md5 = make_set(ActingProcessMD5), act_sha1=make_set(ActingProcessSHA1), act_sha256=make_set(ActingProcessSHA256), 
act_sha512=make_set(ActingProcessSHA512)\r\n | summarize Hashes = make_set(set_union(src_md5, src_sha1, src_sha256, src_sha512, dst_md5, dst_sha1, dst_sha256, dst_sha512, act_md5, act_sha1, act_sha256, act_sha512))\r\n | project Hashes),\r\n(ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | summarize file_md5=make_set(FileMD5), file_sha1=make_set(FileSHA1), file_sha256=make_set(FileSHA256), file_sha512=make_set(FileSHA512)\r\n | summarize Hashes = make_set(set_union(file_md5, file_sha1, file_sha256, file_sha512))\r\n | project Hashes)\r\n| mv-expand Hashes\r\n| where isnotempty(Hashes)\r\n| extend Hashes = tostring(Hashes)\r\n| join kind=inner (_GetWatchlist('DataminrPulseVulnerableHash')\r\n | project Hashes=SearchKey, caption) on Hashes\r\n| project-rename [\"ASIM Hashes\"] = Hashes, [\"Lookup Hashes\"] = Hashes1\r\n| summarize hash_count = dcount([\"ASIM Hashes\"])\r\n| project hash_count", + "size": 4, + "showAnalytics": true, + "title": "Affected Hashes", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 12, + "formatOptions": { + "palette": "none" + } + }, + "rightContent": { + "columnMatch": "hash_count", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "0" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "query - 2 - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n(ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | project url=Url),\r\n(imFileEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | project url = 
TargetUrl),\r\n(ASimAuditEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | project url = TargetUrl)\r\n| join kind=inner (_GetWatchlist('DataminrPulseVulnerableDomain')\r\n | project url, caption) on url\r\n| project-rename [\"ASIM URLs\"] = url, [\"Lookup URLs\"] = url1\r\n| summarize domain_count=dcount([\"ASIM URLs\"])\r\n| project domain_count", + "size": 4, + "showAnalytics": true, + "title": "Affected Domains", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 12, + "formatOptions": { + "palette": "none" + } + }, + "rightContent": { + "columnMatch": "domain_count", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "0" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "query - 2 - Copy - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n(ASimAuditEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware),\r\n(ASimNetworkSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware),\r\n(ASimDns\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware),\r\n(ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware)\r\n| join kind=inner (_GetWatchlist('DataminrPulseVulnerableMalware')\r\n | project malware, caption) on malware\r\n| project-rename [\"ASIM Malwares\"] = malware, [\"Lookup Hashes\"] = malware1\r\n| summarize malware_count= 
dcount([\"ASIM Malwares\"])\r\n| project malware_count", + "size": 4, + "showAnalytics": true, + "title": "Affected Malwares", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 12, + "formatOptions": { + "palette": "none" + } + }, + "rightContent": { + "columnMatch": "malware_count", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "0" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "query - 2 - Copy - Copy - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n(ASimNetworkSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend ip = pack_array(SrcIpAddr, DstIpAddr)\r\n | project ip, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n(ASimDns\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend ip = pack_array(SrcIpAddr, DstIpAddr)\r\n | project ip, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n(ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend ip = pack_array(SrcIpAddr, DstIpAddr)\r\n | project ip, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n(ASimAuditEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend ip = pack_array(SrcIpAddr, TargetIpAddr)\r\n | project ip, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType)\r\n| mv-expand ip\r\n| where isnotempty(ip)\r\n| extend ip = tostring(ip)\r\n| join kind=inner (_GetWatchlist(\"DataminrPulseVulnerableIp\")\r\n | project 
ip, caption) on ip\r\n| project [\"Ip Addresses\"]=ip, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType, caption", + "size": 0, + "showAnalytics": true, + "title": "Affected IP Address Details", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "query - 17", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n (imFileEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend Hashes = pack_array(SrcFileMD5, SrcFileSHA1, SrcFileSHA256, SrcFileSHA512, TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512)\r\n | project Hashes, EventSchema, EventVendor, EventProduct, EventSeverity, EventType),\r\n (ASimProcessEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend Hashes= pack_array(ParentProcessMD5, ParentProcessSHA1, ParentProcessSHA256, ParentProcessSHA512, ActingProcessMD5, ActingProcessSHA1, ActingProcessSHA256, ActingProcessSHA512, TargetProcessMD5, TargetProcessSHA1, TargetProcessSHA256, TargetProcessSHA512)\r\n | project Hashes, EventSchema, EventVendor, EventProduct, EventSeverity, EventType ),\r\n (ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend Hashes = pack_array(FileMD5, FileSHA1, FileSHA256, FileSHA512)\r\n | project Hashes, EventSchema, EventVendor, EventProduct, EventSeverity, EventType)\r\n| mv-expand todynamic(Hashes)\r\n| where isnotempty(Hashes)\r\n| extend Hashes = tostring(Hashes)\r\n| join kind=inner (_GetWatchlist('DataminrPulseVulnerableHash')\r\n | project Hashes=SearchKey, caption) on Hashes\r\n| project Hashes, EventSchema, EventVendor, 
EventProduct, EventSeverity, EventType, caption", + "size": 0, + "showAnalytics": true, + "title": "Affected Hashes Details", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "query - 17 - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\n (ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend url=Url\r\n | project url, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n (imFileEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend url = TargetUrl\r\n | project url, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n (ASimAuditEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend url = TargetUrl\r\n | project url, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType)\r\n| where isnotempty(url)\r\n| join kind=inner (_GetWatchlist('DataminrPulseVulnerableDomain')\r\n | project url, caption) on url\r\n| project URL=url, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType", + "size": 0, + "showAnalytics": true, + "title": "Affected Domains Details", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "query - 17 - Copy - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "union isfuzzy=true\r\n (ASimAuditEvent\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n (ASimNetworkSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n (ASimDns\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType),\r\n (ASimWebSession\r\n | where EventVendor !contains_cs(\"Dataminr\")\r\n | extend malware = ThreatName\r\n | project malware, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType)\r\n| where isnotempty(malware) \r\n| join kind=inner (_GetWatchlist('DataminrPulseVulnerableMalware')\r\n | project malware, caption) on malware\r\n| project malware, EventSchema, EventVendor, EventProduct, TimeGenerated, EventSeverity, EventType", + "size": 0, + "showAnalytics": true, + "title": "Affected Malwares Details", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "query - 17 - Copy - Copy - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| extend embededLabels = parse_json(EmbeddedLabels)\r\n| mv-apply embededLabels on (summarize addresses = make_list(embededLabels.data.addresses))\r\n| mv-apply addresses on (summarize ip = make_list(addresses.ip))\r\n| where isnotempty(ip)\r\n| mv-expand ip\r\n| 
summarize Count=count_distinct(AlertId) by tostring(ip)\r\n| project-rename [\"IP Addresses\"] = ip\r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Dataminr: Vulnerable IP Addresses", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "exportFieldName": "IP Addresses", + "exportParameterName": "SelectedIP", + "exportDefaultValue": "none", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "IP Addresses", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "85%" + } + }, + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "greenRed", + "customColumnWidthSetting": "15%" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "query - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| extend embededLabels = parse_json(EmbeddedLabels)\r\n| mv-apply embededLabels on (summarize hashValues = make_list(embededLabels.data.hashValues))\r\n| mv-apply hashValues on (summarize Hash=make_list(hashValues.value))\r\n| where isnotempty(Hash)\r\n| mv-expand Hash\r\n| summarize Count=count_distinct(AlertId) by tostring(Hash)\r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Dataminr: Vulnerable Hashes", + "noDataMessage": "No data found in selected timerange.", + "timeContextFromParameter": "time", + "showRefreshButton": true, + "exportFieldName": "Hash", + "exportParameterName": "SelectedHash", + "exportDefaultValue": "none", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": 
"Hash", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "85%" + } + }, + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "greenRed", + "customColumnWidthSetting": "15%" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "query - 6 - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DataminrPulseCyberAlerts\r\n| extend embededLabels = parse_json(EmbeddedLabels)\r\n| mv-apply embededLabels on (summarize urls = make_list(embededLabels.data.URLs))\r\n| where isnotempty(urls)\r\n| extend Domain = extract_all(@'\\\"?(?:[^\"]*https*:\\/\\/)*((w*\\.))*((?P