From 21e83757bfa3b15cfa1759a5309de558e3236162 Mon Sep 17 00:00:00 2001
From: Ido Shabi
Date: Thu, 5 Dec 2024 13:59:32 +0200
Subject: [PATCH 1/4] adding solution for packing new connector
---
.../Auth0/Data Connectors/Auth0_CCP/DCR.json | 121 +++
.../Auth0_CCP/DataConnectorDefinition.json | 116 +++
.../Auth0_CCP/PollingConfig.json | 49 ++
.../Data Connectors/Auth0_CCP/table.json | 102 +++
Solutions/Auth0/Data/Solution_Auth0.json | 11 +-
Solutions/Auth0/Package/3.1.0.zip | Bin 0 -> 14875 bytes
.../Auth0/Package/createUiDefinition.json | 6 +-
Solutions/Auth0/Package/mainTemplate.json | 785 +++++++++++++++++-
Solutions/Auth0/Package/testParameters.json | 14 +
Solutions/Auth0/Parsers/Auth0AM.yaml | 334 +++-----
10 files changed, 1255 insertions(+), 283 deletions(-)
create mode 100644 Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json
create mode 100644 Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json
create mode 100644 Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json
create mode 100644 Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
create mode 100644 Solutions/Auth0/Package/3.1.0.zip
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json
new file mode 100644
index 00000000000..25fd7a05dca
--- /dev/null
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json
@@ -0,0 +1,121 @@
+{
+ "name": "Auth0LogsDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "streamDeclarations": {
+ "Custom-Auth0Logs": {
+ "columns": [
+ {
+ "name": "date",
+ "type": "datetime"
+ },
+ {
+ "name": "type",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "connection",
+ "type": "string"
+ },
+ {
+ "name": "connection_id",
+ "type": "string"
+ },
+ {
+ "name": "client_id",
+ "type": "string"
+ },
+ {
+ "name": "client_name",
+ "type": "string"
+ },
+ {
+ "name": "ip",
+ "type": "string"
+ },
+ {
+ "name": "user_agent",
+ "type": "string"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "user_id",
+ "type": "string"
+ },
+ {
+ "name": "user_name",
+ "type": "string"
+ },
+ {
+ "name": "audience",
+ "type": "string"
+ },
+ {
+ "name": "scope",
+ "type": "string"
+ },
+ {
+ "name": "strategy",
+ "type": "string"
+ },
+ {
+ "name": "strategy_type",
+ "type": "string"
+ },
+ {
+ "name": "location_info",
+ "type": "dynamic"
+ },
+ {
+ "name": "details",
+ "type": "dynamic"
+ },
+ {
+ "name": "log_id",
+ "type": "string"
+ },
+ {
+ "name": "tenant_name",
+ "type": "string"
+ },
+ {
+ "name": "isMobile",
+ "type": "boolean"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-Auth0Logs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source| extend TimeGenerated = ['date'] , EventType = type | project-rename Description = description, Connection = connection, ConnectionId = connection_id, ClientId = client_id, ClientName = client_name, SrcIpAddr = ip, HttpUserAgent = user_agent, SrcHostname = hostname, ActorUserId = user_id, ActorUsername = user_name, Audience = audience, Scope = scope, Strategy = strategy, StrategyType = strategy_type, LocationInfo = location_info, Details = details, LogId = log_id, TenantName = tenant_name, IsMobile = isMobile | project-away ['date'], type",
+ "outputStream": "Custom-Auth0Logs_CL"
+ }
+
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json
new file mode 100644
index 00000000000..fad39ad8f22
--- /dev/null
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json
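Review bot: In DCR.json's `transformKql` the source `date` value is copied into `TimeGenerated` and then removed by `project-away ['date'], type`, while table.json in this same patch declares an `event_date` column that nothing in the transform writes. As written that column stays empty and the vendor timestamp survives only in `TimeGenerated`, which Azure Monitor may replace with the ingestion time when the value falls outside its accepted window (worth confirming against current platform behaviour), so a delayed or backfilled event would lose its original time for timeline reconstruction. Consider populating the column in the same step, `extend TimeGenerated = ['date'], event_date = ['date'], EventType = type`, or drop `event_date` from table.json if it is not meant to be used.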
@@ -0,0 +1,116 @@
+{
+ "name": "Auth0ConnectorCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "Auth0ConnectorCCPDefinition",
+ "title": "Auth0 Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The [Auth0](https://auth0.com/docs/api/management/v2/logs/get-logs) data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses Auth0 API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.",
+ "graphQueries": [
+ {
+ "metricName": "Total logs received",
+ "legend": "Auth0 Logs",
+ "baseQuery": "Auth0Logs_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of Auth0 logs",
+ "query": "Auth0Logs_CL | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Auth0Logs_CL",
+ "lastDataReceivedQuery": "Auth0Logs_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "tenant": null,
+ "licenses": null,
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### STEP 1 - Configuration steps for the Auth0 Management API"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "Follow the instructions to obtain the credentials. \n 1. In Auth0 Dashboard, go to [**Applications > Applications**]\n 2. Select your Application. This should be a [**Machine-to-Machine**] Application configured with at least [**read:logs**] and [**read:logs_users**] permissions. \n 3. Copy [**Domain, ClientID, Client Secret**]"
+ }
+ },
+ {
+ "parameters": {
+ "label": "Base API URL",
+ "placeholder": "https://example.auth0.com",
+ "type": "text",
+ "name": "Domain"
+ },
+ "type": "Textbox"
+ },
+ {
+ "parameters": {
+ "label": "Client ID",
+ "placeholder": "Client ID",
+ "type": "text",
+ "name": "ClientId"
+ },
+ "type": "Textbox"
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Client Secret",
+ "placeholder": "API Token",
+ "type": "password",
+ "name": "ClientSecret"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "innerSteps": null
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json
new file mode 100644
index 00000000000..037a3a82ea8
--- /dev/null
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json
@@ -0,0 +1,49 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2021-10-01-preview",
+ "name": "Auth0Logs",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "Auth0ConnectorCCPDefinition",
+ "dataType": "Auth0Logs_CL",
+ "auth": {
+ "type": "OAuth2",
+ "ClientId": "[[parameters('ClientId')]",
+ "ClientSecret": "[[parameters('ClientSecret')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat(parameters('Domain'),'/oauth/token')]",
+ "TokenEndpointQueryParameters": {
+ "audience": "[[concat(parameters('Domain'),'/api/v2/')]"
+ }
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('Domain'),'/api/v2/logs')]",
+ "headers": {
+ "Accept": "application/json"
+ },
+ "httpMethod": "Get",
+ "QueryParameters": {
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$"
+ ],
+ "format": "json"
+ },
+ "dcrConfig": {
+ "streamName": "Custom-Auth0Logs",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "Paging": {
+ "pagingType" : "PersistentToken",
+ "nextPageParaName" : "from",
+ "nextPageTokenJsonPath" : "$.[-1:].log_id",
+ "PageSizeParameterName": "take",
+ "PageSize": 100
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
new file mode 100644
index 00000000000..e102871e429
--- /dev/null
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
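Review bot: In PollingConfig.json, `TokenEndpoint`, the `audience` value and `apiEndpoint` are all built by concatenating the operator-supplied `Domain` with a path, and nothing in this patch constrains that value, so the client secret is posted to whatever scheme and host was typed into the "Base API URL" box. A value without `https://` would not protect the secret in transit, and a trailing slash or a bare hostname (step 3 of the instructions says to copy "Domain") produces a malformed token URL and audience that fail only at connect time. I would state the required form in the textbox label in DataConnectorDefinition.json, for example `"label": "Base API URL (must start with https://, no trailing slash)"`, and add whatever input validation the connector UI schema supports. Separately, the `request` block sets no `rateLimitQPS`, `retryCount` or `timeoutInSeconds`; setting them explicitly against the Auth0 Management API limits would help keep throttled polls from turning into unnoticed gaps in the collected log.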
@@ -0,0 +1,102 @@
+{
+ "name": "Auth0Logs_CL",
+ "apiVersion": "2021-03-01-privatepreview",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "Auth0Logs_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "event_date",
+ "type": "datetime"
+ },
+ {
+ "name": "EventType",
+ "type": "string"
+ },
+ {
+ "name": "Description",
+ "type": "string"
+ },
+ {
+ "name": "Connection",
+ "type": "string"
+ },
+ {
+ "name": "ConnectionId",
+ "type": "string"
+ },
+ {
+ "name": "ClientId",
+ "type": "string"
+ },
+ {
+ "name": "ClientName",
+ "type": "string"
+ },
+ {
+ "name": "SrcIpAddr",
+ "type": "string"
+ },
+ {
+ "name": "HttpUserAgent",
+ "type": "string"
+ },
+ {
+ "name": "SrcHostname",
+ "type": "string"
+ },
+ {
+ "name": "ActorUserId",
+ "type": "string"
+ },
+ {
+ "name": "ActorUsername",
+ "type": "string"
+ },
+ {
+ "name": "Audience",
+ "type": "string"
+ },
+ {
+ "name": "Scope",
+ "type": "string"
+ },
+ {
+ "name": "Strategy",
+ "type": "string"
+ },
+ {
+ "name": "StrategyType",
+ "type": "string"
+ },
+ {
+ "name": "LocationInfo",
+ "type": "dynamic"
+ },
+ {
+ "name": "Details",
+ "type": "dynamic"
+ },
+ {
+ "name": "LogId",
+ "type": "string"
+ },
+ {
+ "name": "TenantName",
+ "type": "string"
+ },
+ {
+ "name": "IsMobile",
+ "type": "boolean"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Auth0/Data/Solution_Auth0.json b/Solutions/Auth0/Data/Solution_Auth0.json
index 36a16f4e62e..699023aeeb4 100644
--- a/Solutions/Auth0/Data/Solution_Auth0.json
+++ b/Solutions/Auth0/Data/Solution_Auth0.json
@@ -4,15 +4,16 @@
 "Logo": "",
 "Description": "The [Auth0 Access Management](https://auth0.com/access-management) solution for Microsoft Sentinel provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into your Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n",
 "Data Connectors": [
- "Data Connectors/Auth0_FunctionApp.json"
+ "Data Connectors/Auth0_FunctionApp.json",
+ "Data Connectors/Auth0_CCP/DataConnectorDefinition.json"
 ],
 "Parsers": [
- "Parsers/Auth0.yaml",
- "Parsers/Auth0AM.yaml"
+ "Parsers/Auth0AM.yaml",
+ "Parsers/Auth0.yaml"
 ],
 "Metadata": "SolutionMetadata.json",
- "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Auth0",
- "Version": "3.0.0",
+ "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Auth0",
+ "Version": "3.1.0",
 "TemplateSpec": true,
 "Is1PConnector": false,
 "createPackage": false
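Review bot: The `Description` context line in Solution_Auth0.json still lists only the Azure Monitor HTTP Data Collector API and Azure Functions as underlying technologies, while this patch adds a connector that the new DataConnectorDefinition.json describes as built on the Codeless Connector Platform with DCR-based ingestion. The dependency list should name those as well, so an operator reading the install page knows which data path and which workspace permissions the solution now brings in. `BasePath` also changes from one developer-local path to another (`C:\\Github\\...`), which looks like an incidental machine difference and could be left out of the commit.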
diff --git a/Solutions/Auth0/Package/3.1.0.zip b/Solutions/Auth0/Package/3.1.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..2b3484b5942bfd11b89581fc15e37d4b53c19d70 GIT binary patch literal 14875 zcmbWeQ~5whG>wG?^iYffPfhOlhFTDjT}u3oJ~|LgiTB>Y%QEE>}=^Qo$PE+ z)NP`$*${tp&;8_c0&k3Zyf`Rm#gY!mERfr+;-Zq|uZzaJjI?-anp2uxvsvc%7V}p1 z7BO$S^yn<|@g)h6*?Il(T~=)x4o7DbOF= zIszD0E#7BE%MQNpt&=g;Vb+D?VC^C3^Y}tTpB$r?s!N*=_^8a zr$8BpObU?|Mfa?*VVT{zWNE%SsUBk`a-d%R{HL~o?X4Z4UaS56WnXG~d3-E(v;TD* ztRu0HmL33(amwOEtq((6vJ2T_?4)iEDot_Kp6o1mSCh&y;xH?|rswxHQR@T3MZfWk z1-)ZDxeHs#5QP{wb^^rz%0{x6Pkc)_X5!&~+pm=S7%Qs3en=~HyQt=^m!2+VRwuD}P9Ne7;ycC@z z47}2an??~$<51#|BYLV)5QSjULKv4`Z+Mf_>ozF>>X;BMq1zx0>m9))PlinG zn$azrXYh@%wCQ2xY1E_gEcT8!_s}gF&6B9oA~`=-LHh!e5IVHv#KYz-OnanPjyE2k z!72bF7A?iwS&n!`F;lVx{3*GY`ou<)>RZEKyyFnyf-*~TN!wO~*EN3PWCCT%TB$Wp#4UA&G}drl>jdRyaaEpf<>Qsc&=?rra}2UI_p%wt zHZ%0;I$0e1KHz+ie*!kRgU+%f5=bl6^q3)DK1EFmyagnrX*k#rvQR+|ddMzau+53n z1BdO>ZPg|0!N?3mO^09+l{&bL#(2!Vsmz?i%mxeAKHLk8P1h_q}QYKwe&~0pyUthZ2gg!^(!S z;i3Y3hcK_<1B^>7<}P`Bm@bI^wEb;+L|fn;G@7@SWg$t--@6Qrv&p}UhY~xV4wXKfkd%r}2-bc3 z*q`P$^n?J1(v&tg*o36aDDJc()rvPK9Q+XyS2wfIa(uBr;(v^kqUoU5pKKBU9v4`^ z3-WCP{ur{CIRvIY3B4W=%1&eVa(KsL_X)s~d55RwgH?BNMf4Lw!GMIQSPQc13lWGY z{OQt2c+$A@UcG`4{~Q0I1$;HL*37&ruc%cHwkb1$ z*N$a|Pl8~$(w^HGw$RKR$tCDC@h2VftfxZ>SxU~y%5L!n`NLrD_Gt5Y^kycj=$ldC z;?4nO`&MV6_u@5QwVW6mb)UMj+V#aSh^$ThCQYw1s*dWVY1W}n)%O$y+a+5oEGR5A zwl7rX;b0^^1|4$R2ww@9x|h-7q!11bMT`VRkASO|P=~GSjtLz~Z9V*4s6m*ei}^;^ zzznQa-3r|sU#q_9*Kpv+O$Dpqs?F@zHD!Ff0No~WL#tnkoRXH;1pMz^O}4I-t?(yb ze5~)5vX+-J75+PYmgH0I;j0^Imq$B?Xg`KXs#};Q^Ql;kNgJCEq|wg)A2V#CXtKq! 
z*)||Ec-z($IKF(UrQ z%otMgt_XV98X}Gey40GaV`IIES}3#d1^W>~%tT@hSw)w;6QAZ+30*edcmk;S{bW7Oa?CQMaSl-!B9~Pd^zlW==QHIdQwxQiVrr_T#?m>74$KVkfL(uGujW zX*aS1ZEvYiFFDsfOzwBbdt3?h8>O^vEHP`96wTndy%?1KzgtM^qz02!(j+; zY*W`0*sq*--qNx|4hrKNuAhHiwg@MTk+tWw%pn6*86{@CF_MTu_Ky*rpHMJ6BI`7c zf_VL!#yPzrMszUAE?fN%JKXmfirp{QHUKn0RepEPMb z3QV?V%|H?j%H`9zTU>&_LP{qwl*BPHnEk;!zEq9jj)b(Y7dZ%a*7RV|4PxHq9vAoP zeE60m*tYK$@ezhpH@RM7tX1bv9joAMM@X(x`Fv6cFq_!1+{-p$Qj3;Z0j$upk{0Y~IbIlN6c} z>Ic)(V-CrVG|^rVAF4Tn0K&`FXncdjmPTcK_!%9ekjSwPSHoGfPo*Sx{8{dtSmmGk zqUs$HfQeJkcYA_d6Y3AcMED7oOOAS=7$12&fjGNXtuJlruKMB_#O zLfn8r`T41yayI&|0ETqW6tSCHki$h4wCsEF;E+fN0&sXV1MmJ>9-ga=lnag!^HDl7 z*f$Vu!gQHo6;4N%<66HS8x!58#~%emuldD?xcspb8kx|HeM#02VN|aT2z~SYE1XHp z92!IVo*90WdO?QCV(BC`H;D*Anc|9~2xZw>B2IzbZIw8Pq3aLqq09-J=PXZz?Fs#& zKFIDpwB)Eb87`1=5{hQzEmO9oBG_bP%{2*}&M1jdMUcJajzVzZWt)ZHODMzMg*|(6 z>}&d9x&3H4{(c5mGaUpKZFZEZh^GhXDQa>(B6-or>?xQsSjUg<)Fr=$1Lvh5UUtf> zR+&$(&y#rBo_-ys};*Y)DER%?Gc!Tu6aj|({c(|urpw|?PHnvq>%5Q`^wg1Au~sC+pfmi z8poi+D)%~Te|E58MY$F@mlujH6tD;xvc%2fQ7N;Iwwug4B1#NbSTyyh0PV~}hS&Yb zX+UKs34NxDYzRzozkGL?9~vLp_4Oj#%xvN>>bZjP^UAS>RFjlIej}wDgj}vAo5`vP z_=S8k`rrDropwxrYI=R54+t!Oa;L`^@uksbRAs;+MK3BmkPnyng^D&}C7(bPQCUIS zN5^OIwVb~!6vyn#z$sAxbKv!nEx{f=NNJKS(#_mNszJOt<4X_NmjvpZa76(TNNmpA zB%IwkNOsWY>!APsr%Xp!hEwQ`de~pA<1UXX8Zj_(lIbRH2O_iU0Ja;nomK|=XUnJu z?|bt_E9bW>fa8z^6WA>7sSsS=QVS*)L= zpO!l#=vNNt_*fv$zF-(AH((Z6kDK(X*?&cr017v&Ulyq z7w{Fh67jLEF+|lf>b!RJKzbI<33}P1lhKCDzRN@(pUGh1yb6Lyvv>OgE4-`hcJQ+=N^Z zyF!bHxX%7Y;H6D9U^-h__;)_&iuCLSry9-|6!6+A3zQ}}zAJ1IJ_eJEvw?Wc9r@mH zf;F442sW($s6L)u+>(<7buRldLn=znDn;^9KOtDfqC1bZ4%>O8`Pcctmo3P`w&KM5 zrNB=wn@QTVKJixW*_E_ZK?9rx5k6TPSlQJ;dx-P+F#3@nc)k&>9Qc9S(f=?ApOWAS zF_Y^Eaqy2LA|%J!vOM1wr8YBshR)b8&a{v{P}l<^EqgzJH!v~*-j?45!7h=0&;i=? zm|*RV#|c4Q-FxErF>H673n0&&TAKEi|-TkbJy6+7g)n&K%u+uAq(zz`4v zm087f!^xELT%**)0J=++!Sc2Q#*T@_+40kjFX9f@i&B>gs5f1$xMl=9?b3QDi17Y+ zyw1MP!$|;5N6DnH|A9*@etcmCksPANvbLj_qk$SS_aQwG&KFvxNJ!0lLtod6L}CXL zvXM7u@RvdO0Y8-&X=+_dz0f)bV0@!IIm{|z?SvfM8+v{I%X&(i^Y1-l&bPPS6%1D? 
zJTcw{`Hg%&BeS)YBJR-WG6!ajNF$r3W5lfE@?Pf1#lhGHBcz&7J|3lJyJ_c%f#HTq zV%Z>sVCD>%XEa?(laKD_6z&rQgQTRM)pi)kA=C^chc{-iuW002A0YB&yFppvwGjH8 zVM|CSr#nZh25|~kz&GsGM}mgH7RNR=!LvX2Ifg|z8z*}M++zs44)=k6v&-z46Yv== z&&j@rZMz-tVnKjk<|Ryz5Dkew zkC9vT#Q6n95r;-{!lBkBF8SKpfctmh>rnt;iCXm-%Xfx%q%`}9(GT{XYh12m%&Ww`4uh`f$dd+H5fYZKd@I17{do z1R>|P*NK3;f~Z&dAGlZ0`~8=f%rqB-G#9kcek(iOzG-67GV2-n++sE+oFrN+43jAG zK$eX|lfyqy{(b!AR_qVyawX%{*_8YM9NfHa4xT+fpIE^+F6d}saB)`aQ6wpg5sh7o5uvSDGZu96|EV3+_PFWEZxgyP#YE`>(ZQ13& zA)`ujuYSP2RrvBOv!-xtIsam0D$M}UUm*LIw8GVRxT_$4s}#Wb;2!xrxAYo-Et4;P zj*9B`N%c#(i0cM(UnO^1ZA(-}X0_1zV=ECtj&NS^BBR08IR-y7r!p*HkbulcCtnLK8;>!gsKs>08QyEnGAEVJNpdWG1QFgBpuOI1p-ljs#-RZEXuvSpFT?T0} zK668_?avrmsbU%_)Ne(No5sl*^?f+hX#L90Fl>bK?n`0xwX4Ze zQ-POg>f`s64^73noe$X9d@P%N!QOWb?xHbD-QB?&Z(^~mijni=} zzI+iFO1y;_LC=)x^}DjlP?7H6n4|#QN!sj`jht}A3;=!pZOnOptK?+jaA-0hv6kN{ zYxY)h3>EHuUyl3UcF3SDvw6#dwCgBD?K#I<;S7YSRS1a`0p++hYZv}Q(=wcWdlr*M zypO_qH*Xe|{___)P=1t=D`OpuK@LDs{maG$^}_~#Q&%Jm+Y6#M(6aHOX;_4^!>>}J zsIGsmxosWCBSy%GT$0(Bwwo&=Os~Cng}qb6UkB)_F?Y&WL7=rbBldoby#MZhu*CZD z$P7}0T2&-w*ateCssLp<2NQMI!pe7{?Pqi#GRz_yJN)A^lZ7m*FJK_2CqzTb#X+pj zHTZTEg46(ky+i$hr1qYfIJGeCkArjx9lXu-vSP+dswBf*rg??}1gjx)piZ1OF>Y;! 
zx9^(^>U;hYW|l^95@WVysixHH@L-Ku!bjv%JSqMQQ6hzLZw^ehn|PT{Cn!8zU&2qh zFFPs32rA`J_i*s=L=F{k??DpG(9WAkyrt-B*j3IdLzVO$*V~>GhEG~pmAh70o9}u>uU1d&c z28d+6ynH4mk!Nb0$e8y1Gd!PD<=Fx;Zc!vH0VDZl#E`zbc>ML$<0vN(LKFfk(khg6 z#Sf|WDH9(v3UTL))I%6~9`O$Himw`aQZI0qZbwBCzH4q5ro|o-eKc)_^qnwE2I#(J zOf#c?K0Qz~j+IncEFALBS}6+m+~R{IslPJh$^|-z!*oljA4JVgqCFTH=z|sllAzR$ z7$yfj!ewHEkB|EVVRc$_^Q#hjC1G~4uW`ChefZs+p6?&t&d%y@XB$&NOKE3cW!eS2 zG~Ym$EWhAix*B*_TkFJG+K=qK+3t9ez(Qsa_$is4H40X9`z#Wo`l@LU!vPW6KZ?d zVeQfTKY$r~{(C`I%XWMJxMx1Yd{?o3u|rtz!4>`PTZh^)hS-)qOjHjZrAyT7;Jgo& z__IE?DPrnd!x$ojW)F-6%$xzKbqLD~e6=kA7Rx)N@`vF4xT^2_`%dnB51_ZyV+YXV z{dRP_|F^63w)J+gwiNL>^ITOniqV`4$+jx|58IFrMxk_cRa<`T-HpkgiMOtVViE?I z1;W|{x%&o#sH)8s5z>VgK)9UFsS<1nGTyyki8wpsK#8krgCX-|bW*m6U^4mTn+80E z8KxyHi@k(-%ekqw%1vQxUHabpK5J1K2&j9 z-m~^ERX}^Q_HALlEnmgr0ZMX*c^&9YHcnx!pOpgc18;Pp(5<$C!oc zPZb3c;G{snqFf1WlNu@{Nu&;ig%b2dlHY(~s9^83-p*y54fnPN;U6D%$-YoYdaF3C zj+o@dV`Bwb$TCeEmXhdN=Ho{C<$Fe%JFBt0st!QPSX$FmQqxo%E#-buGm{x?2J^Iq zou^Q`zcWJ1^ecmhe+JXnCBr9~_Y2M&ADysEiLHcN*`rxpJ0Lt4lw)WFBopu$zi zhO9sZP_Sy?Dux;KnnKyG9GY)}tdezHaVp(E3fo^g-B(Fp+*gZgGk$%=^r1R_tOfD( z*ZBIc$HJtVsSBnDCz=)^=$+Gechgo`mGSzwmg#CrM)N6+^=!7)GHR!E$7+V-Ok0MI z==QhSaEopV-O~-DNiS`ew@zr5O=y;gX_oF(<3w}gWPRhfHZz)3{hTthamLoE>_ul? 
z7F`Uc*^IHpB!gB8mCS8)>sH$o$`#W{r*y-nbOYBEqL!nRuVIG1TMBS%FxjGsr%Q&e zPN`bj#mfJj=BbpfA)A?`Ev%S0yI|^|wO!C&t@4E~p4%Ai;?04QRe|qd=1E$4V#4M< zGx9Q|_n50fuV3lPP~N3%y7#FH^n8eT?%_Pd9oSBhB6>T_w2-hlAX zv>qb@_+X{XBMR&Hos3XTH+Ew0D+RO#Wd<}f0gza~?gs;;RM|UNSzzDh{l8FX>WDnD z!Yy~Wj>Ea^a>)q|=dd#5%&}-#Sh`gB!E)mV0~h{Q@aP^YTGdOy1st;R#vxjpY6ND& zM*$qswxHD{{#lk$T3OOI2L;ni_i5;UBjKhBrs(z%gA5qzZ3ALCA+M<)@l()MJeNgmE7?VaCB zjE0topOJE4i96(RmpT{{Z<#GMF%anAO%$e>8#>W}r< zPv;fx)oH?-RBo7z5BOyr)6H(48inR##JAk9Xq9+nT&6;*4O!FAzaWX**@qlU%j%cG z+2?KwoH%i94sQjo?x_Ox2*OV-+Mu7YQVZG)?Vsxvx_Cu>y?+n2x^FlS(7497A+B5^ zvq^x#XKgxEL3-qbzlsk|N@g=m(+kagA*Ly&@eps%U{Bqu-R~9WAk$~a5bkn{MP1lh zlgO3qq9#Vh;N44R1w~1Nh&nudI$hGDG&XTl*ppltyL` zZ7pR&ZY*uRuO+uMQZpCs-t$c?8agl8u{!dzWYr#S1*mo}mbg5E2Zt&6?Wt?_5xbM% z>NitG-y78sG#ndIqD0P2sDCdx=SHU=VABLr!xs1U$E)JTLZ%>XFYxhjO`mzll-K$2aWLsU-EroV z*bVJM`MBwt7$oq=CK)QZ0lp^T-0+#~Fz7F{$4L5vcUyRPaN+3^7bT_l8$t$5o;YWX z%j=?Vh{-vfjxatw6Pfo&CjxlDWcD6U6vNO6nC>KjBT}(Kkj?c&#yFw&Vy3Qvt(_LF zt+tG_bpsgkd5apOgEO$X+hwY)RxC1?Hw)TV9lKo;u4;ezTbhBH@4TYJSY|eGID%YN zYeba)*26|wMVeC5W_#p&f?yt)5hn3{k4B+2sl0>c;efe`Q-)q~bnyFu@3_l-9FwA1 znb@`SoW(Vogiu55n~j9k!8;uRHYrNsw~tIOdAuiFeEtm~#i}uYHb&{ch*%y!s=chL zzHkxElbbypQ*65JVDP#ty?ZG?>`KO>8(#7{Gy!U{t*3S{!)}{vj6!+RG646CT36Ew>k*F z1Z~)W8i1Vn3B{$uoYgjdo#6PB5hxq^b)7^^*cUJTSoiM8$u?`#`iNMd=_L3%D1t@1 z$lS`j4lW<@D}$7qiCcZNp}Ro-q{w|j3KrA-h*4QbaHtc0nX1s&poMbrVunDFriISy zNY3CqK~I9UBZ@r2r2nrpA8WL}(@0uxL+uD-%g68v!>YZ+U}5&^Io_h^hi2P=siowH zFzr-*-4tEjY1l>}e>K}HRk!|S4o^~8y~f5FeJO01h)b9zzIVgaj`gEk?GvrAfHw$@*r9 zjdSJ}CMb-DUBzoyG_2f3s>acmt$lPg7PzSi&lcCQ>Gr@r9#9Mp_;*{!1w;DQtVg@d zJ4!ySHBGq90?zhtLQSq;FoeAi&JDy*zkiSD-dAg$x%Dv%B)oy|N)z&9Up_Sk`-nmv zHE+Fhtqgl>?1($JttIp5S92Lk-Ok5<1%G#O4OIQ)rY6`sqRI^q}r6NN? 
z;}-stlTp=i9be|!2-Y6Fm9K9#2YwGDLeB$k1($E3*+v-FHFC+#F0Hy%^X|d-_l|M>pN$-%^#f*&$o8s?F{zul!UM-hYlP zHFJ5kIczpL^fr0qK5<*kyuTY{cO4Hh*i+nRmq)BB|5^$2I$GoHuDVaWycm6Z-p6Sl zy>}~1oFU%3-16GC z==9dyDOcSA-m$35;458|7vh{AgcEhglVzb)Xm@3fowiamYK%MePP|Er7o_Az#hzp^ zmY3a+O5SX*W(UzVeQXpX_{!MRJ^QF|bQ@PGU8D^vt|6w_yU_ICB}KZ~tDzFg_x9us z9fR(e2sw7D_*Aiw;UAlieXsx+iT$);hFRsjZ#&>F<(iZ%&7f$ zrh2_TiO*_E2?uP8zY^bp{q1lsX>*|Z@Yyo6Z}d+;Wk+u?h+(@+e6~ZJ&JD0Y{jPCS zASnDYq?=PyY-;{~S7VOGHw@p7e?pZQl?<>IqIWGTy!?mGxq61haP)~t`B%Cj3o{Kw z8I8r+&R1c+d7dv&OzSRYS0SMH6wf&hv8v7EmnqhrPItLTXarqC(9&FsY z|8<69?^CF`Q(MQUz=MbM0OM6;J_{&sCU_&c9&!M$0R#TRT;zMwgdgZBxh!YZg!IjK z%Uawf`}Y#?C`Z+x}IzZRl z?%nc=kHFUj<}jwIHl5fo`&1~ec?7RVV{og1qp2S+Cf)-yC7$P>Vw2i1=LA1d4!pQC zGT{tFKe<=9r|FwO<-^}p&>WFu@Sr=_x-L35F@;DzGlwihgh}n?6 zLF%nL$YQ?GYEYiG$T2Epp5bNcR`)m$_>cTIR~8utO4J~JIpKxMx2aIo9VRk$yD?S-+En7o=}n_XZbip5Zb zl%o}X5zj&W%$=gW@0!>`TJWnh@t*Z5l zN#vcm6n+TPBB)RV%#%xcP?S&s-wi_3QksCg)sfrd$#suEB-~EA?IIjQ3{sI9KaW_i zYaWZFFBd9OM$^E1R*Nw|mOg`01oulX4q_MJKkMA-*jZiS4$nC*mxFt_9s!HB1ZL=?Gs|n7Pr?(>MPR1JW54VVL&*o0FViy* zO;BZBaEYnr5Zj!ICZb)aHX${VbMxo3I^;PGS2iP8)9;LXFVH`it4BA?dX*dn3KIT9M7m7>CEO3|s zM4v{XU8$Pc;g5_EoAik_3d9Y0AOSBGn%w+zhx2ZRD zrX1?y{MuZ%`HyT~0S^Yw6)itL$G9IM7c2Q@1$tfx`2Ks|I}=mIi0n#7x~#ZdSvl9M zP($|k2vFalor1!EFv{rq`$q}-s5M(rl}-%?dk*9?s1hh07lyNkA6TdUITc5+$b~xC z!XaHnU@A!l=3AYlr61>1);r3jN1bvXZEAX!yIp!HXF?wsf?1#V+48N~cb}O|zOg_J zCnKuN+Zwc~W%)165vGeQa2HPzri&b^AEdP*Chw`B2(5a7@ ztmb2w_`XeXGPF8K4#X%90>!Wqbp2f~@qZ{y-O9^Ci|^7A9*jf`4fa*1%K|gfHmY@8Xd0 z8KQR)S+AKAaFi?IuvN{223D|3$P@lYsN@AEu9_t=@*es1+QSo-2kCBL*& zMfr=p#+e4QiAcxT?>p$vtKqAUK{m7MA(a!~#)D6y3l-xRX1iQw9Vkh6a9b^&OStl) zr4*59#Cl}46jX!XkGti-6uzlLgh|RL&y)A@5JQPZd0WKkEGkqLceml78t=HGpepaJ zAzrkYbxH+oZULj45x~6Q=?8E8}>Q53sf`&JY3KCvDKR+iLj05R>9SGASM)Mlsa}oFR{&9G={2BDmxTRj= zw32!V~9Lce1IJ| zxUhV7CIe6eT3HM3)fnr)*M#aj&$p@j6m;!|HyD|&?u-I(VJHJ1vDNE%!SD=qv0j#y z7bTZSX=STT>1EL)Esr(q(azRpeil)SL1_q`qk7o)nTw3poFdj?f)wNaoyK8GhU!|U z;sJ50lFb+9mLVw5ZKdHx 
z@g$wGFf;y4?jlRQ^$744a`ZCIt`$o9sX~wr!7*`Z`)hxFcrQQd2Pt;NX8TO3+MNf( zhN0p?QCOf+&}L$g?m`=2lJyboeM46nIxH$(8KM#?^-cCxOIm4zhFeWAVsDTjm&SV? zvPx@!#%RUSm^m!hSXuyA6*t}cSXQ})>0-r4+~P62;5D#P!RaoBhWZY9Yv<$y*5f1!Z$yIF zpM938nh-;(oql2{_9_|p+oR{}_n~Po{g6YR7)bJ+c9FrtoB(z~cnItAgovN2C94&0 zHL;o+d^{jy>R`SMF6$07TZ7g>gVPdV`tu*)ndkfF{dLj@u;#cae-PQSiyD2i6P`DX z3c^qkT0@wTqZ+{En8O7J1RF&87iPG~TEc}(0vN?fl19W)0rk2RQtA`gQWDp$uHLKs zAm%#^Ed2~_eefNdvtdTRAWgHcS!y{gw6HpX@ijG*XZ{*fN3)G`E3;Aj0`E0%5Dp#CP-lFeh0nN{ z(@1t4lUg7sFC&0aI9%cq&~Eg92NblMeSPzclZ*b*NB4k#N@)Aa2;vDfQv97Du|0)t zMcj-f{UV3;Ur_A$F<&$ugV6G`Eg3f30OU>x$}YZMl%&B~z6GsQOE8&jFZ zKH~m1U{UgT9$*dW&=53D45!+;@h#Ez1f*F3r7+_IbkFN7_5ilNjP;gWxscp2u4Cop z!8Mky>>*x28bWIS*$vDt4!a0WTkK=OnXIUhnIkFvjZf*RP#aXa!e_6aqIsh$IeOK`Mz?Njb>`pnQ5JmNAZWOWPA5OWoz2IqP>MQZmrYVr%~ROCZD-QC352XuBmtNw8OM?)aqZq;UmXk~{g>{~0n+(x5L8DC& zKFP#4L1WlPap+qNYfK3FaA}2o$U4i6520!eb6$wdm8wnMrUA&!)`4S6hrD%Wn^pEE z+lyr4Rv)S^N_-$Z^HGSC$QpVMJaG@$j4Qe(9^g)xXqzb#cIm?e`9fgw)}S_pq)g0C%~V~3QnZVY{QujdRKE!wsF3i z>2*e2Ev8gSA$fz{0{Nhr@s)9Eb7Z{_xiMyf#n-VZo_-$lzwh#WWv?B3myL)8A6a;G zcYHHWXgjngK`U12TB8O#d!^SizXL06%grk?ZSYmo6|~98|HA&`Hy6BRvn37I(G|Y2 z(xa+Rhcb55<87UutuDd4b=oG^vR9vG@;CSx>S_lPxh63stPHCX+th4lL--wC41z5$ zq6Pe(k7V;s0WzaJ(ekt|Prea2FM~-?Q`~X#(?e`)$;qV0FL7*}sea39V&har=Trz3 zsN0rICv|uESVA{VfR8gMxDyX5xj*Mw8okN-8W0s#S8o(ooW7eWsjFIs=eEbf9TYw) z(liHTVzf}wtR%AUp{+=OjpBFciu^)5v; zlx!k;q6JR)&5&~R=dX8jk~0{fabFUVWe-@=;HMy=o6Pw)Q>t7W zWx0`#Nr^)2(ZU@tjz=ZTiO`OJ2t~%1a&{DDaP)8ZYb8yRzWy4BxIkY|`ff}}@!zrI zqce(>qV6UBmp|CCV{d{ru=u)1+nNw?{YeQPKrfLYJU1?9Ej}Y%P&XlzWmds`?@{ln zOcPk~PRcH*Xi%foHXC}92zpAd3{CFDa&FeL*o2b@ zN*CVY*CI%m0=_Xb#1Z;1DEKnJWuF7VUkUgeg(H*wTrX>PRb@Vvz5rp}w+liDRiG-5 zsm7}64V6{xQC)@L`-HBx*vZThB;JL|OzM@D?J7++udC{+jdCDJc^w@YE~|>x@v;F= z&Cy8B$;?Sk7ni?$|2i{c91DGPW+HiC->A(m%kL*t=B@c6NKZb?VmuyI2^6nGSqhTYdDmrCySTU;qQcuR5XQNl`iqQAS zEN}p6^txe`J})=&Us2ih=dj_6>4X2Iuo9g`Cs>}p?*T(Jqs~~P$?m|})4bcjx{Y^= z-vEY%C^ulBU%%f^zlQ@V^=d)T#~LA1ppW;iYqC>hTX!@g*N4V9HHNRbfb2bn7)snh 
z7g(Ar`9vN}rbIY74+^MRf{hFz;R%=r7~Tx2B)hQLC=k&zeg(ox^KFDA4SpN99{f`JF(2EmNVIpY39?4mclt?bjO#ec7=4`qm zBtH>{cs*@k(ZXtOzc8w}0E2Op~&bySEX&Pz+mUurnUs+zey(K|V;4nK-3c82xlDb`FgC{}F^K>*3nBc0C1`nV+nc{u!hsUFWgdF~%#J`7 zT-iE28tYY5k>b9Iy6J#E;zMx(ZkH*|TjcT1JEET8vw&cu4|BhskEr4pKF}+u83?Z2 zn_6${wS$KG8pkDCzfrl&QGM){r}iCURCrT}t3hpiyhM6&#CCnb9Gw@C9K@(UzV{vY zVpkw9oja5lEAh{nJ{|yXdkofLA*?(Ho{V2&{?DL$Ki--5fGZov>CJfD*%|p)?<;@n zkQi4=3>TQR<^4ip(&$^e15+}q9@7^{9*J0|35GX)pUN0ksBgj!SfD^ZqBM#@#~OJf z(pnxgzEkht2&~ZFWH$dT>UjVtli0z2^aJ?DWv@Qghq7OwB;{z(ClF|X~gL{J@bq>?FlN3Zu< zkT@7y4)AuLAF7YP-z>##$Mqilwek}dpUFUO{nes~u+Jirf(R-tpD2~mp<&iY=D!y` z{L~=X{^rttI@SX`ML&^%-1cVqbxQ z_O`ESczD@lw~^GGtc%PC**qBSe>UZxImstFH&ljM0p$Fs}%upf%?T?+MjiQ53tv9vXqyv$+D_Q&mZ-zpZ-IOvJv zg&#cvjWW*kbMDvw_xD#`3K#?h=zou3{zs?$KidBW$oyZ6{I7h=|6SqyKf3e(L%YaJ Vf&V810fGG2gZ~=?IR3}#{{rhwe0u-@ literal 0 HcmV?d00001 diff --git a/Solutions/Auth0/Package/createUiDefinition.json b/Solutions/Auth0/Package/createUiDefinition.json index 0f9a38e6d70..1e1f10c5d84 100644 --- a/Solutions/Auth0/Package/createUiDefinition.json +++ b/Solutions/Auth0/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Auth0/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Auth0 Access Management](https://auth0.com/access-management) solution for Microsoft Sentinel provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into your Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Auth0/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Auth0 Access Management](https://auth0.com/access-management) solution for Microsoft Sentinel provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into your Microsoft Sentinel workspace.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\n\n\n**Data Connectors:** 2, **Parsers:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -64,10 +64,10 @@ } }, { - "name": "dataconnectors-parser-text", + "name": "dataconnectors2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + "text": "This Solution installs the data connector for Auth0. You can get Auth0 data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/Auth0/Package/mainTemplate.json b/Solutions/Auth0/Package/mainTemplate.json index cce343752b2..e2f3eec4538 100644 --- a/Solutions/Auth0/Package/mainTemplate.json +++ b/Solutions/Auth0/Package/mainTemplate.json @@ -27,13 +27,27 @@ "metadata": { "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } } }, "variables": { "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Auth0", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.1.0", "solutionId": "azuresentinel.azure-sentinel-solution-auth0", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "Auth0", 
@@ -45,19 +59,26 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition2": "Auth0ConnectorCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", + "_dataConnectorContentIdConnections2": "Auth0ConnectorCCPDefinitionConnections", + "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", + "blanks": "[replace('b', 'b', '')]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','Auth0')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0-Parser')))]", + "_parserName1": "[concat(parameters('workspace'),'/','Auth0AM')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0AM-Parser')))]", "parserVersion1": "1.0.0", - "parserContentId1": "Auth0-Parser" + "parserContentId1": "Auth0AM-Parser" 
}, "parserObject2": { - "_parserName2": "[concat(parameters('workspace'),'/','Auth0AM')]", - "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]", - "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0AM-Parser')))]", + "_parserName2": "[concat(parameters('workspace'),'/','Auth0')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Auth0-Parser')))]", "parserVersion2": "1.0.0", - "parserContentId2": "Auth0AM-Parser" + "parserContentId2": "Auth0-Parser" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, @@ -71,7 +92,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Auth0 data connector with template version 3.0.0", + "description": "Auth0 data connector with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -87,7 +108,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Auth0 Access Management(using Azure Function)", + "title": "Auth0 Access Management(using Azure Function) (using Azure Functions)", "publisher": "Auth0", "descriptionMarkdown": "The [Auth0 Access Management](https://auth0.com/access-management) data connector provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into Microsoft Sentinel", "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", @@ -258,7 +279,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Auth0 Access Management(using Azure Function)", + "displayName": "Auth0 Access Management(using Azure Function) (using Azure Functions)", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" @@ -302,7 +323,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Auth0 Access Management(using Azure Function)", + "title": "Auth0 Access Management(using Azure Function) (using Azure Functions)", "publisher": "Auth0", "descriptionMarkdown": "The [Auth0 Access Management](https://auth0.com/access-management) data connector provides the capability to ingest [Auth0 log events](https://auth0.com/docs/api/management/v2/#!/Logs/get_logs) into Microsoft Sentinel", "graphQueries": [ 
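Review bot: The new connector title carries the hosting suffix twice, `Auth0 Access Management(using Azure Function) (using Azure Functions)`, in `connectorUiConfig.title` here and again in the `displayName` hunk at -258 and the `title` hunk at -302. It looks as if a suffix was appended to a title that already had one, so the fix probably belongs in the connector source this template is packaged from rather than in this file. I would ship a single suffix, `"title": "Auth0 Access Management (using Azure Functions)",`, so that analysts can tell this entry apart from the new `Auth0 Logs` connector added later in the diff.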
@@ -423,6 +444,695 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "Auth0 Logs", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Auth0ConnectorCCPDefinition", + "title": "Auth0 Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Auth0](https://auth0.com/docs/api/management/v2/logs/get-logs) data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. 
It uses Auth0 API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total logs received", + "legend": "Auth0 Logs", + "baseQuery": "Auth0Logs_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Auth0 logs", + "query": "Auth0Logs_CL | take 10" + } + ], + "dataTypes": [ + { + "name": "Auth0Logs_CL", + "lastDataReceivedQuery": "Auth0Logs_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "tenant": null, + "licenses": null, + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### STEP 1 - Configuration steps for the Auth0 Management API" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Follow the instructions to obtain the credentials. \n 1. In Auth0 Dashboard, go to [**Applications > Applications**]\n 2. Select your Application. This should be a [**Machine-to-Machine**] Application configured with at least [**read:logs**] and [**read:logs_users**] permissions. \n 3. 
Copy [**Domain, ClientID, Client Secret**]" + } + }, + { + "parameters": { + "label": "Base API URL", + "placeholder": "https://example.auth0.com", + "type": "text", + "name": "Domain" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "Client ID", + "placeholder": "Client ID", + "type": "text", + "name": "ClientId" + }, + "type": "Textbox" + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "API Token", + "type": "password", + "name": "ClientSecret" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "innerSteps": null + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": 
"Auth0LogsDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-Auth0Logs": { + "columns": [ + { + "name": "date", + "type": "datetime" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "connection", + "type": "string" + }, + { + "name": "connection_id", + "type": "string" + }, + { + "name": "client_id", + "type": "string" + }, + { + "name": "client_name", + "type": "string" + }, + { + "name": "ip", + "type": "string" + }, + { + "name": "user_agent", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "user_name", + "type": "string" + }, + { + "name": "audience", + "type": "string" + }, + { + "name": "scope", + "type": "string" + }, + { + "name": "strategy", + "type": "string" + }, + { + "name": "strategy_type", + "type": "string" + }, + { + "name": "location_info", + "type": "dynamic" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "log_id", + "type": "string" + }, + { + "name": "tenant_name", + "type": "string" + }, + { + "name": "isMobile", + "type": "boolean" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-Auth0Logs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source| extend TimeGenerated = ['date'] , EventType = type | project-rename Description = description, Connection = connection, ConnectionId = connection_id, ClientId = client_id, ClientName = client_name, SrcIpAddr = ip, HttpUserAgent = user_agent, SrcHostname = hostname, ActorUserId = user_id, ActorUsername = user_name, Audience = audience, Scope = scope, Strategy = strategy, StrategyType = 
strategy_type, LocationInfo = location_info, Details = details, LogId = log_id, TenantName = tenant_name, IsMobile = isMobile | project-away ['date'], type", + "outputStream": "Custom-Auth0Logs_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } + }, + { + "name": "Auth0Logs_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "Auth0Logs_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "event_date", + "type": "datetime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "Description", + "type": "string" + }, + { + "name": "Connection", + "type": "string" + }, + { + "name": "ConnectionId", + "type": "string" + }, + { + "name": "ClientId", + "type": "string" + }, + { + "name": "ClientName", + "type": "string" + }, + { + "name": "SrcIpAddr", + "type": "string" + }, + { + "name": "HttpUserAgent", + "type": "string" + }, + { + "name": "SrcHostname", + "type": "string" + }, + { + "name": "ActorUserId", + "type": "string" + }, + { + "name": "ActorUsername", + "type": "string" + }, + { + "name": "Audience", + "type": "string" + }, + { + "name": "Scope", + "type": "string" + }, + { + "name": "Strategy", + "type": "string" + }, + { + "name": "StrategyType", + "type": "string" + }, + { + "name": "LocationInfo", + "type": "dynamic" + }, + { + "name": "Details", + "type": "dynamic" + }, + { + "name": "LogId", + "type": "string" + }, + { + "name": "TenantName", + "type": "string" + }, + { + "name": "IsMobile", + "type": "boolean" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", 
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Auth0ConnectorCCPDefinition", + "title": "Auth0 Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Auth0](https://auth0.com/docs/api/management/v2/logs/get-logs) data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. 
It uses Auth0 API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.", + "graphQueries": [ + { + "metricName": "Total logs received", + "legend": "Auth0 Logs", + "baseQuery": "Auth0Logs_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Auth0 logs", + "query": "Auth0Logs_CL | take 10" + } + ], + "dataTypes": [ + { + "name": "Auth0Logs_CL", + "lastDataReceivedQuery": "Auth0Logs_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "tenant": null, + "licenses": null, + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### STEP 1 - Configuration steps for the Auth0 Management API" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "Follow the instructions to obtain the credentials. \n 1. In Auth0 Dashboard, go to [**Applications > Applications**]\n 2. Select your Application. This should be a [**Machine-to-Machine**] Application configured with at least [**read:logs**] and [**read:logs_users**] permissions. \n 3. 
Copy [**Domain, ClientID, Client Secret**]" + } + }, + { + "parameters": { + "label": "Base API URL", + "placeholder": "https://example.auth0.com", + "type": "text", + "name": "Domain" + }, + "type": "Textbox" + }, + { + "parameters": { + "label": "Client ID", + "placeholder": "Client ID", + "type": "text", + "name": "ClientId" + }, + "type": "Textbox" + }, + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "API Token", + "type": "password", + "name": "ClientSecret" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "innerSteps": null + } + ], + "isConnectivityCriteriasMatchSome": false + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "displayName": "Auth0 Logs", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "Auth0 Logs", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "Domain": { + "defaultValue": "Domain", + "type": "string", + "minLength": 1 + }, + "ClientId": { + "defaultValue": "ClientId", + "type": "string", + "minLength": 1 + }, + "ClientSecret": { + "defaultValue": "ClientSecret", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'Auth0Logs')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "Auth0ConnectorCCPDefinition", + "dataType": "Auth0Logs_CL", + "auth": { + "type": "OAuth2", + "ClientId": "[[parameters('ClientId')]", + "ClientSecret": "[[parameters('ClientSecret')]", + "GrantType": "client_credentials", + "TokenEndpoint": "[[concat(parameters('Domain'),'/oauth/token')]", + "TokenEndpointQueryParameters": { + "audience": "[[concat(parameters('Domain'),'/api/v2/')]" + } + }, + "request": { + "apiEndpoint": "[[concat(parameters('Domain'),'/api/v2/logs')]", + "headers": { + "Accept": "application/json" + }, + "httpMethod": "Get", + "QueryParameters": {} + }, + "response": { + "eventsJsonPaths": [ + "$" + ], + "format": "json" + }, + "dcrConfig": { + "streamName": "Custom-Auth0Logs", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "Paging": { + "pagingType": 
"PersistentToken", + "nextPageParaName": "from", + "nextPageTokenJsonPath": "$.[-1:].log_id", + "PageSizeParameterName": "take", + "PageSize": 100 + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -432,7 +1142,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Auth0 Data Parser with template version 3.0.0", + "description": "Auth0AM Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -446,10 +1156,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Auth0", + "displayName": "Parser for Auth0 Auth0AM_CL", "category": "Microsoft Sentinel Parser", - "functionAlias": "Auth0", - "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n", + "functionAlias": "Auth0AM", + "query": "let AutoLogsview = view() {union isfuzzy=true (Auth0Logs_CL| project-rename EventCode = EventType, IPAddress = SrcIpAddr, UserAgent = HttpUserAgent, Hostname = SrcHostname, UserId = ActorUserId, UserPrincipalName= ActorUsername, Date = TimeGenerated), (Auth0AM_CL | project Audience = tostring(column_ifexists('audience_s', \"\"))\n, Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n, Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n, Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n, Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n, Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n, ClientId = tostring(column_ifexists('client_id_s', \"\"))\n, ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n, ClientName = tostring(column_ifexists('client_name_s', \"\"))\n, ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n, Connection = tostring(column_ifexists('connection_s', \"\"))\n, Date = todatetime(column_ifexists('date_t', \"\"))\n, Description = tostring(column_ifexists('description_s', \"\"))\n, DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n, DetailsActionsExecutions = 
todynamic(column_ifexists('details_actions_executions_s', \"\"))\n, DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n, DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n, DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n, DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n, DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n, DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', \"\"))\n, DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n, DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n, DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n, DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n, DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n, DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n, DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n, DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n, DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n, DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n, DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n, DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n, DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n, DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n, DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n, DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n, DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n, 
DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n, RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n, RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n, RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n, RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n, RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n, RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n, RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n, RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n, RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n, RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n, RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n, RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n, RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n, RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n, RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n, RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n, RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n, ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n, ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n, ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', 
\"\"))\n, ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n, ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n, ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n, ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n, ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n, ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n, ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n, ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n, ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n, ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n, ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n, ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n, ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n, ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n, ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n, ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n, ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n, ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n, ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n, SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n, StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n, XHR = tobool(column_ifexists('details_xhr_b', 
\"\"))\n, Hostname = tostring(column_ifexists('hostname_s', \"\"))\n, IPAddress = tostring(column_ifexists('ip_s', \"\"))\n, IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n, LogId = tostring(column_ifexists('log_id_s', \"\"))\n, Scope = tostring(column_ifexists('scope_s', \"\"))\n, Strategy = tostring(column_ifexists('strategy_s', \"\"))\n, StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n, Type = tostring(column_ifexists('Type', \"\"))\n, EventCode = tostring(column_ifexists('type_s', \"\"))\n, UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n, UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n, UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))) | extend EventDescritpion = case(EventCode == \"api_limit\",\"Rate Limit on the Authentication or Management APIs\",EventCode == \"appi\",\"Notice for API Peak Performance initiated\",EventCode == \"ciba_exchange_failed\",\"Failed CIBA Exchange\",EventCode == \"ciba_exchange_succeeded\",\"Successful CIBA Exchange\",EventCode == \"ciba_start_failed\",\"Failed CIBA Start\",EventCode == \"ciba_start_succeeded\",\"Successful CIBA Start\",EventCode == \"cls\",\"Code/Link Sent\",EventCode == \"cs\",\"Code Sent\",EventCode == \"depnote\",\"Deprecation Notice\",EventCode == \"f\",\"Failed Login\",EventCode == \"fc\",\"Failed by Connector\",EventCode == \"fce\",\"Failed Change Email\",EventCode == \"fco\",\"Failed by CORS\",EventCode == \"fcoa\",\"Failed cross-origin authentication\",EventCode == \"fcp\",\"Failed Change Password\",EventCode == \"fcph\",\"Failed Post Change Password Hook\",EventCode == \"fcpn\",\"Failed Change Phone Number\",EventCode == \"fcpr\",\"Failed Change Password Request\",EventCode == \"fcpro\",\"Failed Connector Provisioning\",EventCode == \"fcu\",\"Failed Change Username\",EventCode == \"fd\",\"Failed Delegation\",EventCode == \"fdeac\",\"Failed Device Activation\",EventCode == \"fdeaz\",\"Failed Device Authorization 
Request\",EventCode == \"fdecc\",\"User Canceled Device Confirmation\",EventCode == \"fdu\",\"Failed User Deletion\",EventCode == \"feacft\",\"Failed Exchange\",EventCode == \"feccft\",\"Failed Exchange\",EventCode == \"fede\",\"Failed Exchange\",EventCode == \"fens\",\"Failed Exchange\",EventCode == \"feoobft\",\"Failed Exchange\",EventCode == \"feotpft\",\"Failed Exchange\",EventCode == \"fepft\",\"Failed Exchange\",EventCode == \"fepotpft\",\"Failed Exchange\",EventCode == \"fercft\",\"Failed Exchange\",EventCode == \"ferrt\",\"Failed Exchange\",EventCode == \"fertft\",\"Failed Exchange\",EventCode == \"fi\",\"Failed invite accept\",EventCode == \"flo\",\"Failed Logout\",EventCode == \"fn\",\"Failed Sending Notification\",EventCode == \"fp\",\"Failed Login (Incorrect Password)\",EventCode == \"fpar\",\"Failed Pushed Authorization Request\",EventCode == \"fs\",\"Failed Signup\",EventCode == \"fsa\",\"Failed Silent Auth\",EventCode == \"fu\",\"Failed Login (Invalid Email/Username)\",EventCode == \"fui\",\"Failed users import\",EventCode == \"fv\",\"Failed Verification Email\",EventCode == \"fvr\",\"Failed Verification Email Request\",EventCode == \"gd_auth_email_verification\",\"Email Verification Confirmed\",EventCode == \"gd_auth_fail_email_verification\",\"Email Verification Failed\",EventCode == \"gd_auth_failed\",\"MFA Auth failed\",EventCode == \"gd_auth_rejected\",\"MFA Auth rejected\",EventCode == \"gd_auth_succeed\",\"MFA Auth success\",EventCode == \"gd_enrollment_complete\",\"MFA enrollment complete\",EventCode == \"gd_otp_rate_limit_exceed\",\"Too many MFA failures\",EventCode == \"gd_recovery_failed\",\"Recovery failed\",EventCode == \"gd_recovery_rate_limit_exceed\",\"Multi-factor recovery code has failed too many times\",EventCode == \"gd_recovery_succeed\",\"MFA recovery success\",EventCode == \"gd_send_email\",\"MFA Email Sent\",EventCode == \"gd_send_email_verification\",\"Email Verification Sent\",EventCode == 
\"gd_send_email_verification_failure\",\"Email Verification Failed\",EventCode == \"gd_send_pn\",\"Push notification sent\",EventCode == \"gd_send_pn_failure\",\"Error Sending MFA Push Notification\",EventCode == \"gd_send_sms\",\"MFA SMS Sent\",EventCode == \"gd_send_sms_failure\",\"Error Sending MFA SMS\",EventCode == \"gd_send_voice\",\"MFA voice call success\",EventCode == \"gd_send_voice_failure\",\"MFA voice call failed\",EventCode == \"gd_start_auth\",\"Second factor started\",EventCode == \"gd_start_enroll\",\"MFA Enroll started\",EventCode == \"gd_start_enroll_failed\",\"MFA Enrollment Failed\",EventCode == \"gd_tenant_update\",\"Guardian tenant update\",EventCode == \"gd_unenroll\",\"Unenroll device account\",EventCode == \"gd_update_device_account\",\"Update device account\",EventCode == \"gd_webauthn_challenge_failed\",\"WebAuthn browser error\",EventCode == \"gd_webauthn_enrollment_failed\",\"WebAuthn browser error\",EventCode == \"kms_key_management_failure\",\"Failed KMS API Operation\",EventCode == \"kms_key_management_success\",\"Success KMS API Operation\",EventCode == \"kms_key_state_changed\",\"KMS Key State Change\",EventCode == \"limit_delegation\",\"Too Many Calls to /delegation\",EventCode == \"limit_mu\",\"Blocked IP Address\",EventCode == \"limit_sul\",\"Blocked Account\",EventCode == \"limit_wc\",\"Blocked Account\",EventCode == \"mfar\",\"MFA Required\",EventCode == \"mgmt_api_read\",\"Management API read Operation\",EventCode == \"oidc_backchannel_logout_failed\",\"Failed OIDC Back-Channel Logout request\",EventCode == \"oidc_backchannel_logout_succeeded\",\"Successful OIDC Back-Channel Logout request\",EventCode == \"organization_member_added\",\"Organization Member Added\",EventCode == \"pla\",\"Pre-login assessment\",EventCode == \"pwd_leak\",\"Breached password\",EventCode == \"resource_cleanup\",\"Success Resource Cleanup\",EventCode == \"rich_consents_access_error\",\"Rich Consents Access Error\",EventCode == \"s\",\"Success 
Login\",EventCode == \"sapi\",\"Success API Operation\",EventCode == \"sce\",\"Success Change Email\",EventCode == \"scoa\",\"Success cross-origin authentication\",EventCode == \"scp\",\"Success Change Password\",EventCode == \"scpn\",\"Success Change Phone Number\",EventCode == \"scpr\",\"Success Change Password Request\",EventCode == \"scu\",\"Success Change Username\",EventCode == \"scv\",\"Success Credential Validation\",EventCode == \"sd\",\"Success Delegation\",EventCode == \"sdu\",\"Success User Deletion\",EventCode == \"seacft\",\"Success Exchange\",EventCode == \"seccft\",\"Success Exchange\",EventCode == \"sede\",\"Success Exchange\",EventCode == \"sens\",\"Success Exchange\",EventCode == \"seoobft\",\"Success Exchange\",EventCode == \"seotpft\",\"Success Exchange\",EventCode == \"sepft\",\"Success Exchange\",EventCode == \"sepkoobft\",\"Success Exchange\",EventCode == \"sepkotpft\",\"Success Exchange\",EventCode == \"sepkrcft\",\"Success Exchange\",EventCode == \"sercft\",\"Success Exchange\",EventCode == \"sertft\",\"Success Exchange\",EventCode == \"si\",\"Successfully accepted a user invite\",EventCode == \"signup_pwd_leak\",\"Breached Password on Signup\",EventCode == \"slo\",\"Success Logout\",EventCode == \"srrt\",\"Success Revocation\",EventCode == \"ss\",\"Success Signup\",EventCode == \"ss_sso_failure\",\"Failed SS-SSO Operation\",EventCode == \"ss_sso_info\",\"Information from an SS-SSO Operation\",EventCode == \"ss_sso_success\",\"Success SS-SSO Operation\",EventCode == \"ssa\",\"Success Silent Auth\",EventCode == \"sui\",\"Successfully imported users\",EventCode == \"sv\",\"Success Verification Email\",EventCode == \"svr\",\"Success Verification Email Request\",EventCode == \"ublkdu\",\"User login block released\",EventCode == \"w\",\"Warning During Login\",EventCode == \"wum\",\"Warning User Management\",\"\")};\n AutoLogsview()\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -468,7 +1178,7 @@
 "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
 "version": "[variables('parserObject1').parserVersion1]",
@@ -498,7 +1208,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
- "displayName": "Auth0",
+ "displayName": "Parser for Auth0 Auth0AM_CL",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
 "version": "[variables('parserObject1').parserVersion1]"
@@ -511,10 +1221,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Auth0", + "displayName": "Parser for Auth0 Auth0AM_CL", "category": "Microsoft Sentinel Parser", - "functionAlias": "Auth0", - "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n", + "functionAlias": "Auth0AM", + "query": "let AutoLogsview = view() {union isfuzzy=true (Auth0Logs_CL| project-rename EventCode = EventType, IPAddress = SrcIpAddr, UserAgent = HttpUserAgent, Hostname = SrcHostname, UserId = ActorUserId, UserPrincipalName= ActorUsername, Date = TimeGenerated), (Auth0AM_CL | project Audience = tostring(column_ifexists('audience_s', \"\"))\n, Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n, Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n, Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n, Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n, Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n, ClientId = tostring(column_ifexists('client_id_s', \"\"))\n, ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n, ClientName = tostring(column_ifexists('client_name_s', \"\"))\n, ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n, Connection = tostring(column_ifexists('connection_s', \"\"))\n, Date = todatetime(column_ifexists('date_t', \"\"))\n, Description = tostring(column_ifexists('description_s', \"\"))\n, DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n, DetailsActionsExecutions = 
todynamic(column_ifexists('details_actions_executions_s', \"\"))\n, DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n, DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n, DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n, DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n, DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n, DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', \"\"))\n, DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n, DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n, DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n, DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n, DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n, DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n, DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n, DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n, DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n, DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n, DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n, DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n, DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n, DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n, DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n, DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n, DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n, 
DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n, RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n, RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n, RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n, RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n, RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n, RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n, RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n, RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n, RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n, RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n, RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n, RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n, RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n, RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n, RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n, RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n, RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n, ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n, ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n, ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', 
\"\"))\n, ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n, ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n, ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n, ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n, ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n, ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n, ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n, ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n, ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n, ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n, ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n, ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n, ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n, ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n, ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n, ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n, ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n, ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n, ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n, SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n, StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n, XHR = tobool(column_ifexists('details_xhr_b', 
\"\"))\n, Hostname = tostring(column_ifexists('hostname_s', \"\"))\n, IPAddress = tostring(column_ifexists('ip_s', \"\"))\n, IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n, LogId = tostring(column_ifexists('log_id_s', \"\"))\n, Scope = tostring(column_ifexists('scope_s', \"\"))\n, Strategy = tostring(column_ifexists('strategy_s', \"\"))\n, StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n, Type = tostring(column_ifexists('Type', \"\"))\n, EventCode = tostring(column_ifexists('type_s', \"\"))\n, UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n, UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n, UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))) | extend EventDescritpion = case(EventCode == \"api_limit\",\"Rate Limit on the Authentication or Management APIs\",EventCode == \"appi\",\"Notice for API Peak Performance initiated\",EventCode == \"ciba_exchange_failed\",\"Failed CIBA Exchange\",EventCode == \"ciba_exchange_succeeded\",\"Successful CIBA Exchange\",EventCode == \"ciba_start_failed\",\"Failed CIBA Start\",EventCode == \"ciba_start_succeeded\",\"Successful CIBA Start\",EventCode == \"cls\",\"Code/Link Sent\",EventCode == \"cs\",\"Code Sent\",EventCode == \"depnote\",\"Deprecation Notice\",EventCode == \"f\",\"Failed Login\",EventCode == \"fc\",\"Failed by Connector\",EventCode == \"fce\",\"Failed Change Email\",EventCode == \"fco\",\"Failed by CORS\",EventCode == \"fcoa\",\"Failed cross-origin authentication\",EventCode == \"fcp\",\"Failed Change Password\",EventCode == \"fcph\",\"Failed Post Change Password Hook\",EventCode == \"fcpn\",\"Failed Change Phone Number\",EventCode == \"fcpr\",\"Failed Change Password Request\",EventCode == \"fcpro\",\"Failed Connector Provisioning\",EventCode == \"fcu\",\"Failed Change Username\",EventCode == \"fd\",\"Failed Delegation\",EventCode == \"fdeac\",\"Failed Device Activation\",EventCode == \"fdeaz\",\"Failed Device Authorization 
Request\",EventCode == \"fdecc\",\"User Canceled Device Confirmation\",EventCode == \"fdu\",\"Failed User Deletion\",EventCode == \"feacft\",\"Failed Exchange\",EventCode == \"feccft\",\"Failed Exchange\",EventCode == \"fede\",\"Failed Exchange\",EventCode == \"fens\",\"Failed Exchange\",EventCode == \"feoobft\",\"Failed Exchange\",EventCode == \"feotpft\",\"Failed Exchange\",EventCode == \"fepft\",\"Failed Exchange\",EventCode == \"fepotpft\",\"Failed Exchange\",EventCode == \"fercft\",\"Failed Exchange\",EventCode == \"ferrt\",\"Failed Exchange\",EventCode == \"fertft\",\"Failed Exchange\",EventCode == \"fi\",\"Failed invite accept\",EventCode == \"flo\",\"Failed Logout\",EventCode == \"fn\",\"Failed Sending Notification\",EventCode == \"fp\",\"Failed Login (Incorrect Password)\",EventCode == \"fpar\",\"Failed Pushed Authorization Request\",EventCode == \"fs\",\"Failed Signup\",EventCode == \"fsa\",\"Failed Silent Auth\",EventCode == \"fu\",\"Failed Login (Invalid Email/Username)\",EventCode == \"fui\",\"Failed users import\",EventCode == \"fv\",\"Failed Verification Email\",EventCode == \"fvr\",\"Failed Verification Email Request\",EventCode == \"gd_auth_email_verification\",\"Email Verification Confirmed\",EventCode == \"gd_auth_fail_email_verification\",\"Email Verification Failed\",EventCode == \"gd_auth_failed\",\"MFA Auth failed\",EventCode == \"gd_auth_rejected\",\"MFA Auth rejected\",EventCode == \"gd_auth_succeed\",\"MFA Auth success\",EventCode == \"gd_enrollment_complete\",\"MFA enrollment complete\",EventCode == \"gd_otp_rate_limit_exceed\",\"Too many MFA failures\",EventCode == \"gd_recovery_failed\",\"Recovery failed\",EventCode == \"gd_recovery_rate_limit_exceed\",\"Multi-factor recovery code has failed too many times\",EventCode == \"gd_recovery_succeed\",\"MFA recovery success\",EventCode == \"gd_send_email\",\"MFA Email Sent\",EventCode == \"gd_send_email_verification\",\"Email Verification Sent\",EventCode == 
\"gd_send_email_verification_failure\",\"Email Verification Failed\",EventCode == \"gd_send_pn\",\"Push notification sent\",EventCode == \"gd_send_pn_failure\",\"Error Sending MFA Push Notification\",EventCode == \"gd_send_sms\",\"MFA SMS Sent\",EventCode == \"gd_send_sms_failure\",\"Error Sending MFA SMS\",EventCode == \"gd_send_voice\",\"MFA voice call success\",EventCode == \"gd_send_voice_failure\",\"MFA voice call failed\",EventCode == \"gd_start_auth\",\"Second factor started\",EventCode == \"gd_start_enroll\",\"MFA Enroll started\",EventCode == \"gd_start_enroll_failed\",\"MFA Enrollment Failed\",EventCode == \"gd_tenant_update\",\"Guardian tenant update\",EventCode == \"gd_unenroll\",\"Unenroll device account\",EventCode == \"gd_update_device_account\",\"Update device account\",EventCode == \"gd_webauthn_challenge_failed\",\"WebAuthn browser error\",EventCode == \"gd_webauthn_enrollment_failed\",\"WebAuthn browser error\",EventCode == \"kms_key_management_failure\",\"Failed KMS API Operation\",EventCode == \"kms_key_management_success\",\"Success KMS API Operation\",EventCode == \"kms_key_state_changed\",\"KMS Key State Change\",EventCode == \"limit_delegation\",\"Too Many Calls to /delegation\",EventCode == \"limit_mu\",\"Blocked IP Address\",EventCode == \"limit_sul\",\"Blocked Account\",EventCode == \"limit_wc\",\"Blocked Account\",EventCode == \"mfar\",\"MFA Required\",EventCode == \"mgmt_api_read\",\"Management API read Operation\",EventCode == \"oidc_backchannel_logout_failed\",\"Failed OIDC Back-Channel Logout request\",EventCode == \"oidc_backchannel_logout_succeeded\",\"Successful OIDC Back-Channel Logout request\",EventCode == \"organization_member_added\",\"Organization Member Added\",EventCode == \"pla\",\"Pre-login assessment\",EventCode == \"pwd_leak\",\"Breached password\",EventCode == \"resource_cleanup\",\"Success Resource Cleanup\",EventCode == \"rich_consents_access_error\",\"Rich Consents Access Error\",EventCode == \"s\",\"Success 
Login\",EventCode == \"sapi\",\"Success API Operation\",EventCode == \"sce\",\"Success Change Email\",EventCode == \"scoa\",\"Success cross-origin authentication\",EventCode == \"scp\",\"Success Change Password\",EventCode == \"scpn\",\"Success Change Phone Number\",EventCode == \"scpr\",\"Success Change Password Request\",EventCode == \"scu\",\"Success Change Username\",EventCode == \"scv\",\"Success Credential Validation\",EventCode == \"sd\",\"Success Delegation\",EventCode == \"sdu\",\"Success User Deletion\",EventCode == \"seacft\",\"Success Exchange\",EventCode == \"seccft\",\"Success Exchange\",EventCode == \"sede\",\"Success Exchange\",EventCode == \"sens\",\"Success Exchange\",EventCode == \"seoobft\",\"Success Exchange\",EventCode == \"seotpft\",\"Success Exchange\",EventCode == \"sepft\",\"Success Exchange\",EventCode == \"sepkoobft\",\"Success Exchange\",EventCode == \"sepkotpft\",\"Success Exchange\",EventCode == \"sepkrcft\",\"Success Exchange\",EventCode == \"sercft\",\"Success Exchange\",EventCode == \"sertft\",\"Success Exchange\",EventCode == \"si\",\"Successfully accepted a user invite\",EventCode == \"signup_pwd_leak\",\"Breached Password on Signup\",EventCode == \"slo\",\"Success Logout\",EventCode == \"srrt\",\"Success Revocation\",EventCode == \"ss\",\"Success Signup\",EventCode == \"ss_sso_failure\",\"Failed SS-SSO Operation\",EventCode == \"ss_sso_info\",\"Information from an SS-SSO Operation\",EventCode == \"ss_sso_success\",\"Success SS-SSO Operation\",EventCode == \"ssa\",\"Success Silent Auth\",EventCode == \"sui\",\"Successfully imported users\",EventCode == \"sv\",\"Success Verification Email\",EventCode == \"svr\",\"Success Verification Email Request\",EventCode == \"ublkdu\",\"User login block released\",EventCode == \"w\",\"Warning During Login\",EventCode == \"wum\",\"Warning User Management\",\"\")};\n AutoLogsview()\n", "functionParameters": "", "version": 2, "tags": [ 
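Review bot: The new `Auth0AM` query in this hunk no longer returns a `TimeGenerated` column: the `Auth0Logs_CL` leg renames it away with `Date = TimeGenerated`, and the `Auth0AM_CL` leg's `project` list starts at `Audience` and never adds it, whereas the query this alias carried before (the removed side of the `-578` hunk) ended its projection with `| extend TimeGenerated = Date`. Analytics rules or hunting queries that filter or bin `Auth0AM` on `TimeGenerated` would fail to resolve the column, so appending `| extend TimeGenerated = Date` after the union's closing parenthesis would keep both names available. The projection also still surfaces `RequestBodyPassword` from `details_request_body_password_s`; if the source can ever deliver that field unredacted, dropping the column here keeps it out of everything built on the parser. The same query text closes the previous hunk, which starts outside this view, and if mainTemplate.json is generated from Parsers/Auth0AM.yaml the change belongs in the YAML.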
@@ -534,7 +1244,7 @@
 "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
 "version": "[variables('parserObject1').parserVersion1]",
@@ -564,7 +1274,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Auth0AM Data Parser with template version 3.0.0",
+ "description": "Auth0 Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -578,10 +1288,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for Auth0 Auth0AM_CL", + "displayName": "Auth0", "category": "Microsoft Sentinel Parser", - "functionAlias": "Auth0AM", - "query": "let logData = () \n {\n // Parse Auth0 Log data from custom table\n Auth0AM_CL\n | where isnotempty(type_s)\n | project TimeGenerated\n , Audience = tostring(column_ifexists('audience_s', \"\"))\n , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n , ClientId = tostring(column_ifexists('client_id_s', \"\"))\n , ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n , ClientName = tostring(column_ifexists('client_name_s', \"\"))\n , ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n , Connection = tostring(column_ifexists('connection_s', \"\"))\n , Date = todatetime(column_ifexists('date_t', \"\"))\n , Description = tostring(column_ifexists('description_s', \"\"))\n , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', \"\"))\n , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n , DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n , DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', 
\"\"))\n , DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n , DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n , DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n , DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n , DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n , DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n , DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n , RequestUserPrincipalName = 
tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n , RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n , RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n , RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n , RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n , RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n , RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', \"\"))\n , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n , 
ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n , ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n , ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n , ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n , SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n , XHR = tobool(column_ifexists('details_xhr_b', \"\"))\n , Hostname = tostring(column_ifexists('hostname_s', \"\"))\n , IPAddress = tostring(column_ifexists('ip_s', \"\"))\n , IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n , LogId = tostring(column_ifexists('log_id_s', \"\"))\n , Scope = tostring(column_ifexists('scope_s', \"\"))\n , Strategy = tostring(column_ifexists('strategy_s', \"\"))\n , StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n , Type = 
tostring(column_ifexists('Type', \"\"))\n , EventCode = tostring(column_ifexists('type_s', \"\"))\n , UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n , UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))\n | extend TimeGenerated = Date\n | extend IPGeoLocation = geo_info_from_ip_address\n ;\n };\n let FailedByCORS = ()\n // fco =Origin is not in the Allowed Origins list for the specified application\n {\n logData\n | where EventCode == \"fco\"\n | extend LogType = \"Failed By CORS\"\n | project TimeGenerated, ClientId, Description, DetailsAllowedOrigins, DetailsHeadersOrigin\n , DetailsXforwardedProtocol, DetailsHost, DetailsMethod, DetailsOrigin, DetailsOriginalUrl\n , XHR, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let FailedExchange = ()\n // feccft = Failed exchange of Access Token for a Client Credentials Grant\n // fepft = Failed exchange of Password for Access Token\n {\n logData\n | where EventCode == \"feccft\"\n or EventCode == \"fepft\"\n | extend EventDescritpion = iff(EventCode == \"feccft\", \"Failed exchange of Access Token for a Client Credentials Grant\", \"Failed exchange of Password for Access Token\")\n | extend LogType = \"Failed Exchange\"\n | project TimeGenerated, Audience, ClientId, ClientIp,ClientName, ConnectionId\n ,Connection, Description, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Scope\n , UserAgent, UserPrincipalName, EventDescritpion, LogType\n };\n let FailedLogin = () \n // fp =\tFailed Login (Incorrect Password)\t\n {\n logData\n | where EventCode == \"fp\"\n | extend LogType = \"Failed Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description\n , DetailsErrorMessage, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent\n , UserId, UserPrincipalName, LogType\n };\n let BlockedIpAddress = ()\n // limit_mu = An IP 
address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. For more information, \n // see Attack Protection - https://auth0.com/docs/configure/attack-protection\n {\n logData\n | where EventCode == \"limit_mu\"\n | extend LogType = \"Blocked IP Address\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, IsMobile\n , LogId, UserAgent\n , UserPrincipalName, LogType\n };\n let ManagementAPIReadOperation = ()\n // mgmt_api_read = API GET operation returning secrets completed successfully\n {\n logData\n | where EventCode == \"mgmt_api_read\"\n | extend LogType = \"Management API Read Operation\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, RequestAuthStrategy\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseStatusCode\n , IPAddress, IsMobile, LogId, UserAgent, UserId, LogType\n };\n let BreachedPassword = () \n // pwd_leak = Someone behind the IP address ip attempted to login with a leaked password.\n {\n logData\n | where EventCode == \"pwd_leak\"\n | extend LogType = \"Breached Password\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, Hostname, IPAddress\n , IPGeoLocation, IsMobile, LogId, UserAgent, UserPrincipalName, LogType\n };\n let SuccessLogin = ()\n // s = Successful login event.\n {\n logData\n | where EventCode == \"s\"\n | extend LogType = \"Success Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, DetailsActionsExecutions\n , DetailsCompletedAt, DetailsElapsedTime, DetailsInitiatedAt, DetailsPrompts, SessionId, StatsLoginsCount\n , Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessAPIOperation = ()\n // sapi = Successful management API write event.\n {\n logData\n | where EventCode == \"sapi\"\n | 
extend LogType = \"Success API Operation\"\n | project TimeGenerated, ClientId, Description, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified\n , RequestBodyPassword, RequestChannel, RequestIP, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale\n , ResponseAppMetadataSecondaryLocale, ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified\n , ResponseGivenName, ResponseFamilyName, ResponseIdentities, ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset\n , ResponseLoginsCount, ResponseName, ResponsePhoneVerified, ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator\n , ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let SuccessChangeEmail = ()\n // sce = Success Change Email\n {\n logData\n | where EventCode == \"sce\"\n | extend LogType = \"Success Change Email\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsEmailVerified, DetailsTenant, DetailsUserId, DetailsVerify, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified, RequestBodyPassword\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale, ResponseAppMetadataSecondaryLocale\n , ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified, ResponseGivenName, ResponseFamilyName, ResponseIdentities\n , ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset, ResponseLoginsCount, ResponseName, ResponseNickname, ResponsePhoneVerified\n , ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator, ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy\n , StrategyType, 
UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessChangePassword = () \n // scp = Success Change Password\n {\n logData\n | where EventCode == \"scp\"\n | extend LogType = \"Success Change Password\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsIdentifierType, DetailsIdentifierValue, DetailsTenant, DetailsUserId, DetailsVerify, IPAddress\n , IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessExchange = ()\n // seacft = Successful exchange of authorization code for Access Token\n // seccft = Successful exchange of Access Token for a Client Credentials Grant\n // sepft = Successful exchange of Password for Access Token\n // sertft = Successful exchange of Refresh Token for Access Token\n {\n logData\n | where EventCode == \"seacft\"\n or EventCode == \"seccft\"\n or EventCode == \"sepft\"\n or EventCode == \"sertft\"\n | extend EventDescritpion = case (\n EventCode == \"seacft\", \"Successful exchange of authorization code for Access Token\"\n , EventCode == \"seccft\", \"Successful exchange of Access Token for a Client Credentials Grant\"\n , EventCode == \"sepft\", \"Successful exchange of Password for Access Token\"\n , EventCode == \"sertft\", \"Successful exchange of Refresh Token for Access Token\"\n , \"\"\n )\n | extend LogType = \"Success Exchange\"\n | project TimeGenerated, Audience, Auth0ClientEnvNode, Auth0ClientEnvSwift, Auth0ClientName, Auth0ClientVersion, ClientId\n , ClientIp, ClientName, ConnectionId, Connection, Description, DetailsActionsExecutions, DetailsCode, Hostname\n , IPAddress, IPGeoLocation, IsMobile, LogId, Scope, UserAgent, UserId, UserPrincipalName, EventDescritpion, LogType\n };\nunion FailedByCORS, FailedExchange, FailedLogin, BlockedIpAddress, ManagementAPIReadOperation, BreachedPassword\n , SuccessLogin, SuccessAPIOperation, SuccessChangeEmail, 
SuccessChangePassword, SuccessExchange\n",
+ "functionAlias": "Auth0",
+ "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -600,7 +1310,7 @@
 "[variables('parserObject2')._parserId2]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
 "contentId": "[variables('parserObject2').parserContentId2]",
 "kind": "Parser",
 "version": "[variables('parserObject2').parserVersion2]",
@@ -630,7 +1340,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject2').parserContentId2]",
 "contentKind": "Parser",
- "displayName": "Parser for Auth0 Auth0AM_CL",
+ "displayName": "Auth0",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
 "version": "[variables('parserObject2').parserVersion2]"
@@ -643,10 +1353,10 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Parser for Auth0 Auth0AM_CL",
+ "displayName": "Auth0",
 "category": "Microsoft Sentinel Parser",
- "functionAlias": "Auth0AM",
- "query": "let logData = () \n {\n // Parse Auth0 Log data from custom table\n Auth0AM_CL\n | where isnotempty(type_s)\n | project TimeGenerated\n , Audience = tostring(column_ifexists('audience_s', \"\"))\n , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', \"\"))\n , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', \"\"))\n , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', \"\"))\n , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', \"\"))\n , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', \"\"))\n , ClientId = tostring(column_ifexists('client_id_s', \"\"))\n , ClientIp = tostring(column_ifexists('client_ip_s', \"\"))\n , ClientName = tostring(column_ifexists('client_name_s', \"\"))\n , ConnectionId = tostring(column_ifexists('connection_id_s', \"\"))\n , Connection = tostring(column_ifexists('connection_s', \"\"))\n , Date = todatetime(column_ifexists('date_t', \"\"))\n , Description = tostring(column_ifexists('description_s', \"\"))\n , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', \"\"))\n , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', \"\"))\n , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', \"\"))\n , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', \"\"))\n , DetailsConnection = tostring(column_ifexists('details_body_connection_s', \"\"))\n , DetailsEmail = tostring(column_ifexists('details_body_email_s', \"\"))\n , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', \"\"))\n , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', 
\"\"))\n , DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', \"\"))\n , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', \"\"))\n , DetailsTenant = tostring(column_ifexists('details_body_tenant_s', \"\"))\n , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', \"\"))\n , DetailsVerify = tobool(column_ifexists('details_body_verify_b', \"\"))\n , DetailsCode = tostring(column_ifexists('details_code_s', \"\"))\n , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', \"\")))\n , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', \"\"))\n , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', \"\"))\n , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', \"\"))\n , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', \"\"))\n , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', \"\"))\n , DetailsHost = tostring(column_ifexists('details_host_s', \"\"))\n , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', \"\"))))\n , DetailsMethod = tostring(column_ifexists('details_method_s', \"\"))\n , DetailsOrigin = tostring(column_ifexists('details_origin_s', \"\"))\n , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', \"\"))\n , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', \"\"))\n , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', \"\"))\n , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', \"\"))\n , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', \"\"))\n , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', \"\"))\n , RequestUserPrincipalName = 
tostring(column_ifexists('details_request_auth_user_name_s', \"\"))\n , RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', \"\"))\n , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', \"\"))\n , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', \"\"))\n , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', \"\"))\n , RequestEmail = tostring(column_ifexists('details_request_body_email_s', \"\"))\n , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', \"\"))\n , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', \"\"))\n , RequestChannel = tostring(column_ifexists('details_request_channel_s', \"\"))\n , RequestIP = tostring(column_ifexists('details_request_ip_s', \"\"))\n , RequestMethod = tostring(column_ifexists('details_request_method_s', \"\"))\n , RequestPath = tostring(column_ifexists('details_request_path_s', \"\"))\n , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', \"\"))\n , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', \"\"))\n , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', \"\"))\n , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', \"\"))\n , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', \"\"))\n , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', \"\"))\n , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', \"\"))\n , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', \"\"))\n , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', \"\"))\n , 
ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', \"\"))\n , ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', \"\"))\n , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', \"\"))\n , ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', \"\"))\n , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', \"\"))\n , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', \"\"))\n , ResponseName = tostring(column_ifexists('details_response_body_name_s', \"\"))\n , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', \"\"))\n , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', \"\"))\n , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', \"\"))\n , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', \"\"))\n , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', \"\"))\n , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', \"\"), \"|\")[1])\n , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', \"\"))\n , SessionId = tostring(column_ifexists('details_session_id_s', \"\"))\n , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', \"\"))\n , XHR = tobool(column_ifexists('details_xhr_b', \"\"))\n , Hostname = tostring(column_ifexists('hostname_s', \"\"))\n , IPAddress = tostring(column_ifexists('ip_s', \"\"))\n , IsMobile = tobool(column_ifexists('isMobile_b', \"\"))\n , LogId = tostring(column_ifexists('log_id_s', \"\"))\n , Scope = tostring(column_ifexists('scope_s', \"\"))\n , Strategy = tostring(column_ifexists('strategy_s', \"\"))\n , StrategyType = tostring(column_ifexists('strategy_type_s', \"\"))\n , Type = 
tostring(column_ifexists('Type', \"\"))\n , EventCode = tostring(column_ifexists('type_s', \"\"))\n , UserAgent = tostring(column_ifexists('user_agent_s', \"\"))\n , UserId = tostring(split(column_ifexists('user_id_s', \"\"), '|')[1])\n , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', \"\")))\n | extend TimeGenerated = Date\n | extend IPGeoLocation = geo_info_from_ip_address\n ;\n };\n let FailedByCORS = ()\n // fco =Origin is not in the Allowed Origins list for the specified application\n {\n logData\n | where EventCode == \"fco\"\n | extend LogType = \"Failed By CORS\"\n | project TimeGenerated, ClientId, Description, DetailsAllowedOrigins, DetailsHeadersOrigin\n , DetailsXforwardedProtocol, DetailsHost, DetailsMethod, DetailsOrigin, DetailsOriginalUrl\n , XHR, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let FailedExchange = ()\n // feccft = Failed exchange of Access Token for a Client Credentials Grant\n // fepft = Failed exchange of Password for Access Token\n {\n logData\n | where EventCode == \"feccft\"\n or EventCode == \"fepft\"\n | extend EventDescritpion = iff(EventCode == \"feccft\", \"Failed exchange of Access Token for a Client Credentials Grant\", \"Failed exchange of Password for Access Token\")\n | extend LogType = \"Failed Exchange\"\n | project TimeGenerated, Audience, ClientId, ClientIp,ClientName, ConnectionId\n ,Connection, Description, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Scope\n , UserAgent, UserPrincipalName, EventDescritpion, LogType\n };\n let FailedLogin = () \n // fp =\tFailed Login (Incorrect Password)\t\n {\n logData\n | where EventCode == \"fp\"\n | extend LogType = \"Failed Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description\n , DetailsErrorMessage, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent\n , UserId, UserPrincipalName, LogType\n };\n let BlockedIpAddress = ()\n // limit_mu = An IP 
address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. For more information, \n // see Attack Protection - https://auth0.com/docs/configure/attack-protection\n {\n logData\n | where EventCode == \"limit_mu\"\n | extend LogType = \"Blocked IP Address\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, IsMobile\n , LogId, UserAgent\n , UserPrincipalName, LogType\n };\n let ManagementAPIReadOperation = ()\n // mgmt_api_read = API GET operation returning secrets completed successfully\n {\n logData\n | where EventCode == \"mgmt_api_read\"\n | extend LogType = \"Management API Read Operation\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, RequestAuthStrategy\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseStatusCode\n , IPAddress, IsMobile, LogId, UserAgent, UserId, LogType\n };\n let BreachedPassword = () \n // pwd_leak = Someone behind the IP address ip attempted to login with a leaked password.\n {\n logData\n | where EventCode == \"pwd_leak\"\n | extend LogType = \"Breached Password\"\n | project TimeGenerated, ClientId, ConnectionId, Connection, Description, Hostname, IPAddress\n , IPGeoLocation, IsMobile, LogId, UserAgent, UserPrincipalName, LogType\n };\n let SuccessLogin = ()\n // s = Successful login event.\n {\n logData\n | where EventCode == \"s\"\n | extend LogType = \"Success Login\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, DetailsActionsExecutions\n , DetailsCompletedAt, DetailsElapsedTime, DetailsInitiatedAt, DetailsPrompts, SessionId, StatsLoginsCount\n , Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessAPIOperation = ()\n // sapi = Successful management API write event.\n {\n logData\n | where EventCode == \"sapi\"\n | 
extend LogType = \"Success API Operation\"\n | project TimeGenerated, ClientId, Description, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified\n , RequestBodyPassword, RequestChannel, RequestIP, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale\n , ResponseAppMetadataSecondaryLocale, ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified\n , ResponseGivenName, ResponseFamilyName, ResponseIdentities, ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset\n , ResponseLoginsCount, ResponseName, ResponsePhoneVerified, ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator\n , ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType\n };\n let SuccessChangeEmail = ()\n // sce = Success Change Email\n {\n logData\n | where EventCode == \"sce\"\n | extend LogType = \"Success Change Email\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsEmailVerified, DetailsTenant, DetailsUserId, DetailsVerify, RequestAuthCredentialsScopes, RequestAuthStrategy\n , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified, RequestBodyPassword\n , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale, ResponseAppMetadataSecondaryLocale\n , ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified, ResponseGivenName, ResponseFamilyName, ResponseIdentities\n , ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset, ResponseLoginsCount, ResponseName, ResponseNickname, ResponsePhoneVerified\n , ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator, ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy\n , StrategyType, 
UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessChangePassword = () \n // scp = Success Change Password\n {\n logData\n | where EventCode == \"scp\"\n | extend LogType = \"Success Change Password\"\n | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection\n , DetailsEmail, DetailsIdentifierType, DetailsIdentifierValue, DetailsTenant, DetailsUserId, DetailsVerify, IPAddress\n , IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent, UserId, UserPrincipalName, LogType\n };\n let SuccessExchange = ()\n // seacft = Successful exchange of authorization code for Access Token\n // seccft = Successful exchange of Access Token for a Client Credentials Grant\n // sepft = Successful exchange of Password for Access Token\n // sertft = Successful exchange of Refresh Token for Access Token\n {\n logData\n | where EventCode == \"seacft\"\n or EventCode == \"seccft\"\n or EventCode == \"sepft\"\n or EventCode == \"sertft\"\n | extend EventDescritpion = case (\n EventCode == \"seacft\", \"Successful exchange of authorization code for Access Token\"\n , EventCode == \"seccft\", \"Successful exchange of Access Token for a Client Credentials Grant\"\n , EventCode == \"sepft\", \"Successful exchange of Password for Access Token\"\n , EventCode == \"sertft\", \"Successful exchange of Refresh Token for Access Token\"\n , \"\"\n )\n | extend LogType = \"Success Exchange\"\n | project TimeGenerated, Audience, Auth0ClientEnvNode, Auth0ClientEnvSwift, Auth0ClientName, Auth0ClientVersion, ClientId\n , ClientIp, ClientName, ConnectionId, Connection, Description, DetailsActionsExecutions, DetailsCode, Hostname\n , IPAddress, IPGeoLocation, IsMobile, LogId, Scope, UserAgent, UserId, UserPrincipalName, EventDescritpion, LogType\n };\nunion FailedByCORS, FailedExchange, FailedLogin, BlockedIpAddress, ManagementAPIReadOperation, BreachedPassword\n , SuccessLogin, SuccessAPIOperation, SuccessChangeEmail, 
SuccessChangePassword, SuccessExchange\n",
+ "functionAlias": "Auth0",
+ "query": "union isfuzzy=true Auth0AM_CL, Auth0_CL\n| project-rename EventType = type_s,\n HttpRequestMethod = details_request_method_s,\n ActorSessionId = _id_s,\n HttpUserAgent = user_agent_s,\n TargetUsername = user_name_s,\n ActorUserId = client_id_s,\n IpAddr=ip_s,\n Dst = details_request_body_audience_s,\n EventEndTime = date_t,\n EventResultDetails = details_response_statusCode_d\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -666,7 +1376,7 @@
 "[variables('parserObject2')._parserId2]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0AM')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Auth0')]",
 "contentId": "[variables('parserObject2').parserContentId2]",
 "kind": "Parser",
 "version": "[variables('parserObject2').parserVersion2]",
@@ -692,12 +1402,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.1.0",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Auth0",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
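Review bot: The replacement `query` in this hunk renames columns with `project-rename` and no `column_ifexists` guard, so the function fails to resolve whenever a column such as `_id_s` or `details_request_body_audience_s` is absent from both `Auth0AM_CL` and `Auth0_CL`; `union isfuzzy=true` tolerates a missing table, not a missing column. The removed query guarded every field with `column_ifexists`, and the new one can keep that, for example `| extend EventType = tostring(column_ifexists('type_s', ""))`. The hunk also retires the `Auth0AM` alias together with the `EventCode`/`LogType` classification (`fp`, `pwd_leak`, `limit_mu`), so any saved detection or hunting query that still calls `Auth0AM` would presumably stop resolving; keeping `Auth0AM` as a compatibility function, or listing the break in the release notes, avoids a silent loss of coverage. `ActorUserId = client_id_s` looks like it places the application's client id in a user field and is worth confirming. The same change appears in the hunk that ends just before `@@ -600,7 +1310,7 @@`.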

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Auth0 Access Management solution for Microsoft Sentinel provides the capability to ingest Auth0 log events into your Microsoft Sentinel workspace.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Auth0 Access Management solution for Microsoft Sentinel provides the capability to ingest Auth0 log events into your Microsoft Sentinel workspace.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -727,6 +1437,11 @@
 "contentId": "[variables('_dataConnectorContentId1')]",
 "version": "[variables('dataConnectorVersion1')]"
 },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Auth0/Package/testParameters.json b/Solutions/Auth0/Package/testParameters.json
index e55ec41a9ac..554801e41b7 100644
--- a/Solutions/Auth0/Package/testParameters.json
+++ b/Solutions/Auth0/Package/testParameters.json
@@ -20,5 +20,19 @@
 "metadata": {
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
 }
 }
diff --git a/Solutions/Auth0/Parsers/Auth0AM.yaml b/Solutions/Auth0/Parsers/Auth0AM.yaml
index 6851b06a24a..4992d476049 100644
--- a/Solutions/Auth0/Parsers/Auth0AM.yaml
+++ b/Solutions/Auth0/Parsers/Auth0AM.yaml
@@ -7,243 +7,97 @@ Category: Microsoft Sentinel Parser FunctionName: Auth0AM FunctionAlias: Auth0AM FunctionQuery: | - let logData = () - { - // Parse Auth0 Log data from custom table - Auth0AM_CL - | where isnotempty(type_s) - | project TimeGenerated - , Audience = tostring(column_ifexists('audience_s', "")) - , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', "")) - , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', "")) - , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', "")) - , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', "")) - , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', "")) - , ClientId = tostring(column_ifexists('client_id_s', "")) - , ClientIp = tostring(column_ifexists('client_ip_s', "")) - , ClientName = tostring(column_ifexists('client_name_s', "")) - , ConnectionId = tostring(column_ifexists('connection_id_s', "")) - , Connection = tostring(column_ifexists('connection_s', "")) - , Date = todatetime(column_ifexists('date_t', "")) - , Description = tostring(column_ifexists('description_s', "")) - , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', "")) - , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', "")) - , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', "")) - , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', "")) - , DetailsConnection = tostring(column_ifexists('details_body_connection_s', "")) - , DetailsEmail = tostring(column_ifexists('details_body_email_s', "")) - , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', "")) - , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', "")) - , DetailsIdentifierValue = tostring(column_ifexists('details_body_identifier_value_s', "")) - , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', "")) - , 
DetailsTenant = tostring(column_ifexists('details_body_tenant_s', "")) - , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', "")) - , DetailsVerify = tobool(column_ifexists('details_body_verify_b', "")) - , DetailsCode = tostring(column_ifexists('details_code_s', "")) - , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', ""))) - , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', "")) - , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', "")) - , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', "")) - , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', "")) - , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', "")) - , DetailsHost = tostring(column_ifexists('details_host_s', "")) - , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', "")))) - , DetailsMethod = tostring(column_ifexists('details_method_s', "")) - , DetailsOrigin = tostring(column_ifexists('details_origin_s', "")) - , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', "")) - , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', "")) - , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', "")) - , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', "")) - , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', "")) - , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', "")) - , RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', "")) - , RequestAuthUserId = tostring(column_ifexists('details_request_auth_user_user_id_s', "")) - , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', 
"")) - , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', "")) - , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', "")) - , RequestEmail = tostring(column_ifexists('details_request_body_email_s', "")) - , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', "")) - , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', "")) - , RequestChannel = tostring(column_ifexists('details_request_channel_s', "")) - , RequestIP = tostring(column_ifexists('details_request_ip_s', "")) - , RequestMethod = tostring(column_ifexists('details_request_method_s', "")) - , RequestPath = tostring(column_ifexists('details_request_path_s', "")) - , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', "")) - , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', "")) - , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', "")) - , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', "")) - , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', "")) - , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', "")) - , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', "")) - , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', "")) - , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', "")) - , ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', "")) - , ResponseIdentities = todynamic(column_ifexists('details_response_body_identities_s', "")) - , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', "")) - , ResponseLastLogin = 
todatetime(column_ifexists('details_response_body_last_login_t', "")) - , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', "")) - , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', "")) - , ResponseName = tostring(column_ifexists('details_response_body_name_s', "")) - , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', "")) - , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', "")) - , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', "")) - , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', "")) - , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', "")) - , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', ""), "|")[1]) - , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', "")) - , SessionId = tostring(column_ifexists('details_session_id_s', "")) - , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', "")) - , XHR = tobool(column_ifexists('details_xhr_b', "")) - , Hostname = tostring(column_ifexists('hostname_s', "")) - , IPAddress = tostring(column_ifexists('ip_s', "")) - , IsMobile = tobool(column_ifexists('isMobile_b', "")) - , LogId = tostring(column_ifexists('log_id_s', "")) - , Scope = tostring(column_ifexists('scope_s', "")) - , Strategy = tostring(column_ifexists('strategy_s', "")) - , StrategyType = tostring(column_ifexists('strategy_type_s', "")) - , Type = tostring(column_ifexists('Type', "")) - , EventCode = tostring(column_ifexists('type_s', "")) - , UserAgent = tostring(column_ifexists('user_agent_s', "")) - , UserId = tostring(split(column_ifexists('user_id_s', ""), '|')[1]) - , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', ""))) - | extend TimeGenerated = Date - | extend IPGeoLocation 
= geo_info_from_ip_address - ; - }; - let FailedByCORS = () - // fco =Origin is not in the Allowed Origins list for the specified application - { - logData - | where EventCode == "fco" - | extend LogType = "Failed By CORS" - | project TimeGenerated, ClientId, Description, DetailsAllowedOrigins, DetailsHeadersOrigin - , DetailsXforwardedProtocol, DetailsHost, DetailsMethod, DetailsOrigin, DetailsOriginalUrl - , XHR, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType - }; - let FailedExchange = () - // feccft = Failed exchange of Access Token for a Client Credentials Grant - // fepft = Failed exchange of Password for Access Token - { - logData - | where EventCode == "feccft" - or EventCode == "fepft" - | extend EventDescritpion = iff(EventCode == "feccft", "Failed exchange of Access Token for a Client Credentials Grant", "Failed exchange of Password for Access Token") - | extend LogType = "Failed Exchange" - | project TimeGenerated, Audience, ClientId, ClientIp,ClientName, ConnectionId - ,Connection, Description, Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Scope - , UserAgent, UserPrincipalName, EventDescritpion, LogType - }; - let FailedLogin = () - // fp = Failed Login (Incorrect Password) - { - logData - | where EventCode == "fp" - | extend LogType = "Failed Login" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description - , DetailsErrorMessage, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent - , UserId, UserPrincipalName, LogType - }; - let BlockedIpAddress = () - // limit_mu = An IP address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. 
For more information, - // see Attack Protection - https://auth0.com/docs/configure/attack-protection - { - logData - | where EventCode == "limit_mu" - | extend LogType = "Blocked IP Address" - | project TimeGenerated, ClientId, ConnectionId, Connection, Description, IsMobile - , LogId, UserAgent - , UserPrincipalName, LogType - }; - let ManagementAPIReadOperation = () - // mgmt_api_read = API GET operation returning secrets completed successfully - { - logData - | where EventCode == "mgmt_api_read" - | extend LogType = "Management API Read Operation" - | project TimeGenerated, ClientId, ConnectionId, Connection, Description, RequestAuthStrategy - , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseStatusCode - , IPAddress, IsMobile, LogId, UserAgent, UserId, LogType - }; - let BreachedPassword = () - // pwd_leak = Someone behind the IP address ip attempted to login with a leaked password. - { - logData - | where EventCode == "pwd_leak" - | extend LogType = "Breached Password" - | project TimeGenerated, ClientId, ConnectionId, Connection, Description, Hostname, IPAddress - , IPGeoLocation, IsMobile, LogId, UserAgent, UserPrincipalName, LogType - }; - let SuccessLogin = () - // s = Successful login event. - { - logData - | where EventCode == "s" - | extend LogType = "Success Login" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, DetailsActionsExecutions - , DetailsCompletedAt, DetailsElapsedTime, DetailsInitiatedAt, DetailsPrompts, SessionId, StatsLoginsCount - , Hostname, IPAddress, IPGeoLocation, IsMobile, LogId, Strategy, UserAgent, UserId, UserPrincipalName, LogType - }; - let SuccessAPIOperation = () - // sapi = Successful management API write event. 
- { - logData - | where EventCode == "sapi" - | extend LogType = "Success API Operation" - | project TimeGenerated, ClientId, Description, RequestAuthCredentialsScopes, RequestAuthStrategy - , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified - , RequestBodyPassword, RequestChannel, RequestIP, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale - , ResponseAppMetadataSecondaryLocale, ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified - , ResponseGivenName, ResponseFamilyName, ResponseIdentities, ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset - , ResponseLoginsCount, ResponseName, ResponsePhoneVerified, ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator - , ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, IsMobile, LogId, UserAgent, LogType - }; - let SuccessChangeEmail = () - // sce = Success Change Email - { - logData - | where EventCode == "sce" - | extend LogType = "Success Change Email" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection - , DetailsEmail, DetailsEmailVerified, DetailsTenant, DetailsUserId, DetailsVerify, RequestAuthCredentialsScopes, RequestAuthStrategy - , RequestMetadataPrimaryLocale, RequestMetadataSecondaryLocale, RequestConnection, RequestEmail, RequestEmailVerified, RequestBodyPassword - , RequestChannel, RequestIP, RequestMethod, RequestPath, RequestUserAgent, ResponseAppMetadataPrimaryLocale, ResponseAppMetadataSecondaryLocale - , ResponseBlocked, ResponseCreatedAt, ResponseEmail, ResponseEmailVerified, ResponseGivenName, ResponseFamilyName, ResponseIdentities - , ResponseLastIP, ResponseLastLogin, ResponseLastPasswordReset, ResponseLoginsCount, ResponseName, ResponseNickname, ResponsePhoneVerified - , ResponsePicture, ResponseUpdatedAt, ResponseUserDiscriminator, ResponseUserId, ResponseStatusCode, IPAddress, IPGeoLocation, 
IsMobile, LogId, Strategy - , StrategyType, UserAgent, UserId, UserPrincipalName, LogType - }; - let SuccessChangePassword = () - // scp = Success Change Password - { - logData - | where EventCode == "scp" - | extend LogType = "Success Change Password" - | project TimeGenerated, ClientId, ClientName, ConnectionId, Connection, Description, DetailsClientId, DetailsConnection - , DetailsEmail, DetailsIdentifierType, DetailsIdentifierValue, DetailsTenant, DetailsUserId, DetailsVerify, IPAddress - , IPGeoLocation, IsMobile, LogId, Strategy, StrategyType, UserAgent, UserId, UserPrincipalName, LogType - }; - let SuccessExchange = () - // seacft = Successful exchange of authorization code for Access Token - // seccft = Successful exchange of Access Token for a Client Credentials Grant - // sepft = Successful exchange of Password for Access Token - // sertft = Successful exchange of Refresh Token for Access Token - { - logData - | where EventCode == "seacft" - or EventCode == "seccft" - or EventCode == "sepft" - or EventCode == "sertft" - | extend EventDescritpion = case ( - EventCode == "seacft", "Successful exchange of authorization code for Access Token" - , EventCode == "seccft", "Successful exchange of Access Token for a Client Credentials Grant" - , EventCode == "sepft", "Successful exchange of Password for Access Token" - , EventCode == "sertft", "Successful exchange of Refresh Token for Access Token" - , "" - ) - | extend LogType = "Success Exchange" - | project TimeGenerated, Audience, Auth0ClientEnvNode, Auth0ClientEnvSwift, Auth0ClientName, Auth0ClientVersion, ClientId - , ClientIp, ClientName, ConnectionId, Connection, Description, DetailsActionsExecutions, DetailsCode, Hostname - , IPAddress, IPGeoLocation, IsMobile, LogId, Scope, UserAgent, UserId, UserPrincipalName, EventDescritpion, LogType - }; - union FailedByCORS, FailedExchange, FailedLogin, BlockedIpAddress, ManagementAPIReadOperation, BreachedPassword - , SuccessLogin, SuccessAPIOperation, 
SuccessChangeEmail, SuccessChangePassword, SuccessExchange \ No newline at end of file + let AutoLogsview = view() {union isfuzzy=true (Auth0Logs_CL| project-rename EventCode = EventType, IPAddress = SrcIpAddr, UserAgent = HttpUserAgent, Hostname = SrcHostname, UserId = ActorUserId, UserPrincipalName= ActorUsername, Date = TimeGenerated), (Auth0AM_CL | project Audience = tostring(column_ifexists('audience_s', "")) + , Auth0ClientEnvIos = tostring(column_ifexists('auth0__s', "")) + , Auth0ClientEnvNode = tostring(column_ifexists('auth0_client_env_node_s', "")) + , Auth0ClientEnvSwift = tostring(column_ifexists('auth0_client_env_swift_s', "")) + , Auth0ClientName = tostring(column_ifexists('auth0_client_name_s', "")) + , Auth0ClientVersion = tostring(column_ifexists('auth0_client_version_s', "")) + , ClientId = tostring(column_ifexists('client_id_s', "")) + , ClientIp = tostring(column_ifexists('client_ip_s', "")) + , ClientName = tostring(column_ifexists('client_name_s', "")) + , ConnectionId = tostring(column_ifexists('connection_id_s', "")) + , Connection = tostring(column_ifexists('connection_s', "")) + , Date = todatetime(column_ifexists('date_t', "")) + , Description = tostring(column_ifexists('description_s', "")) + , DetailsAccessedSecrets = tostring(column_ifexists('details_accessedSecrets_s', "")) + , DetailsActionsExecutions = todynamic(column_ifexists('details_actions_executions_s', "")) + , DetailsAllowedOrigins = todynamic(column_ifexists('details_allowedOrigins_s', "")) + , DetailsClientId = tostring(column_ifexists('details_body_client_id_s', "")) + , DetailsConnection = tostring(column_ifexists('details_body_connection_s', "")) + , DetailsEmail = tostring(column_ifexists('details_body_email_s', "")) + , DetailsEmailVerified = tobool(column_ifexists('details_body_email_verified_b', "")) + , DetailsIdentifierType = tostring(column_ifexists('details_body_identifier_type_s', "")) + , DetailsIdentifierValue = 
tostring(column_ifexists('details_body_identifier_value_s', "")) + , DetailsNewEmail = tostring(column_ifexists('details_body_newEmail_s', "")) + , DetailsTenant = tostring(column_ifexists('details_body_tenant_s', "")) + , DetailsUserId = tostring(column_ifexists('details_body_user_id_g', "")) + , DetailsVerify = tobool(column_ifexists('details_body_verify_b', "")) + , DetailsCode = tostring(column_ifexists('details_code_s', "")) + , DetailsCompletedAt = unixtime_milliseconds_todatetime(tolong(column_ifexists('details_completedAt_d', ""))) + , DetailsConsoleOut = tostring(column_ifexists('details_consoleOut_s', "")) + , DetailsElapsedTime = toint(column_ifexists('details_elapsedTime_d', "")) + , DetailsErrorMessage = tostring(column_ifexists('details_error_message_s', "")) + , DetailsHeadersOrigin = tostring(column_ifexists('details_headers_origin_s', "")) + , DetailsXforwardedProtocol = tostring(column_ifexists('details_headers_x_forwarded_proto_s', "")) + , DetailsHost = tostring(column_ifexists('details_host_s', "")) + , DetailsInitiatedAt = unixtime_milliseconds_todatetime(tolong((column_ifexists('details_initiatedAt_d', "")))) + , DetailsMethod = tostring(column_ifexists('details_method_s', "")) + , DetailsOrigin = tostring(column_ifexists('details_origin_s', "")) + , DetailsOriginalUrl = tostring(column_ifexists('details_originalUrl_s', "")) + , DetailsPrompts = todynamic(column_ifexists('details_prompts_s', "")) + , RequestAuthCredentialsJTI = tostring(column_ifexists('details_request_auth_credentials_jti_g', "")) + , RequestAuthCredentialsScopes = todynamic(column_ifexists('details_request_auth_credentials_scopes_s', "")) + , RequestAuthStrategy = tostring(column_ifexists('details_request_auth_strategy_s', "")) + , RequestUserEmail = tostring(column_ifexists('details_request_auth_user_email_s', "")) + , RequestUserPrincipalName = tostring(column_ifexists('details_request_auth_user_name_s', "")) + , RequestAuthUserId = 
tostring(column_ifexists('details_request_auth_user_user_id_s', "")) + , RequestMetadataPrimaryLocale = todynamic(column_ifexists('details_request_body_app_metadata_primary_locale_s', "")) + , RequestMetadataSecondaryLocale= todynamic(column_ifexists('details_request_body_app_metadata_secondary_locales_s', "")) + , RequestConnection = tostring(column_ifexists('details_request_body_connection_s', "")) + , RequestEmail = tostring(column_ifexists('details_request_body_email_s', "")) + , RequestEmailVerified = tobool(column_ifexists('details_request_body_email_verified_b', "")) + , RequestBodyPassword = tostring(column_ifexists('details_request_body_password_s', "")) + , RequestChannel = tostring(column_ifexists('details_request_channel_s', "")) + , RequestIP = tostring(column_ifexists('details_request_ip_s', "")) + , RequestMethod = tostring(column_ifexists('details_request_method_s', "")) + , RequestPath = tostring(column_ifexists('details_request_path_s', "")) + , RequestUserAgent = tostring(column_ifexists('details_request_userAgent_s', "")) + , ResponseAppMetadataPrimaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_primary_locale_s', "")) + , ResponseAppMetadataSecondaryLocale = todynamic(column_ifexists('details_response_body_app_metadata_secondary_locales_s', "")) + , ResponseBlocked = tobool(column_ifexists('details_response_body_blocked_b', "")) + , ResponseClientID = tostring(column_ifexists('details_response_body_client_id_s', "")) + , ResponseCreatedAt = tostring(column_ifexists('details_response_body_created_at_t', "")) + , ResponseEmail = tostring(column_ifexists('details_response_body_email_s', "")) + , ResponseEmailVerified = tobool(column_ifexists('details_response_body_email_verified_b', "")) + , ResponseFamilyName = tostring(column_ifexists('details_response_body_family_name_s', "")) + , ResponseGivenName = tostring(column_ifexists('details_response_body_given_name_s', "")) + , ResponseIdentities = 
todynamic(column_ifexists('details_response_body_identities_s', "")) + , ResponseLastIP = tostring(column_ifexists('details_response_body_last_ip_s', "")) + , ResponseLastLogin = todatetime(column_ifexists('details_response_body_last_login_t', "")) + , ResponseLastPasswordReset = todatetime(column_ifexists('details_response_body_last_password_reset_t', "")) + , ResponseLoginsCount = toint(column_ifexists('details_response_body_logins_count_d', "")) + , ResponseName = tostring(column_ifexists('details_response_body_name_s', "")) + , ResponseNickname = tostring(column_ifexists('details_response_body_nickname_s', "")) + , ResponsePhoneVerified = tobool(column_ifexists('details_response_body_phone_verified_b', "")) + , ResponsePicture = tostring(column_ifexists('details_response_body_picture_s', "")) + , ResponseUpdatedAt = todatetime(column_ifexists('details_response_body_updated_at_t', "")) + , ResponseUserDiscriminator = tostring(column_ifexists('details_response_body_user_discriminator_s', "")) + , ResponseUserId = tostring(split(column_ifexists('details_response_body_user_id_s', ""), "|")[1]) + , ResponseStatusCode = toint(column_ifexists('details_response_statusCode_d', "")) + , SessionId = tostring(column_ifexists('details_session_id_s', "")) + , StatsLoginsCount = toint(column_ifexists('details_stats_loginsCount_d', "")) + , XHR = tobool(column_ifexists('details_xhr_b', "")) + , Hostname = tostring(column_ifexists('hostname_s', "")) + , IPAddress = tostring(column_ifexists('ip_s', "")) + , IsMobile = tobool(column_ifexists('isMobile_b', "")) + , LogId = tostring(column_ifexists('log_id_s', "")) + , Scope = tostring(column_ifexists('scope_s', "")) + , Strategy = tostring(column_ifexists('strategy_s', "")) + , StrategyType = tostring(column_ifexists('strategy_type_s', "")) + , Type = tostring(column_ifexists('Type', "")) + , EventCode = tostring(column_ifexists('type_s', "")) + , UserAgent = tostring(column_ifexists('user_agent_s', "")) + , UserId = 
tostring(split(column_ifexists('user_id_s', ""), '|')[1]) + , UserPrincipalName = tolower(tostring(column_ifexists('user_name_s', "")))) | extend EventDescritpion = case(EventCode == "api_limit","Rate Limit on the Authentication or Management APIs",EventCode == "appi","Notice for API Peak Performance initiated",EventCode == "ciba_exchange_failed","Failed CIBA Exchange",EventCode == "ciba_exchange_succeeded","Successful CIBA Exchange",EventCode == "ciba_start_failed","Failed CIBA Start",EventCode == "ciba_start_succeeded","Successful CIBA Start",EventCode == "cls","Code/Link Sent",EventCode == "cs","Code Sent",EventCode == "depnote","Deprecation Notice",EventCode == "f","Failed Login",EventCode == "fc","Failed by Connector",EventCode == "fce","Failed Change Email",EventCode == "fco","Failed by CORS",EventCode == "fcoa","Failed cross-origin authentication",EventCode == "fcp","Failed Change Password",EventCode == "fcph","Failed Post Change Password Hook",EventCode == "fcpn","Failed Change Phone Number",EventCode == "fcpr","Failed Change Password Request",EventCode == "fcpro","Failed Connector Provisioning",EventCode == "fcu","Failed Change Username",EventCode == "fd","Failed Delegation",EventCode == "fdeac","Failed Device Activation",EventCode == "fdeaz","Failed Device Authorization Request",EventCode == "fdecc","User Canceled Device Confirmation",EventCode == "fdu","Failed User Deletion",EventCode == "feacft","Failed Exchange",EventCode == "feccft","Failed Exchange",EventCode == "fede","Failed Exchange",EventCode == "fens","Failed Exchange",EventCode == "feoobft","Failed Exchange",EventCode == "feotpft","Failed Exchange",EventCode == "fepft","Failed Exchange",EventCode == "fepotpft","Failed Exchange",EventCode == "fercft","Failed Exchange",EventCode == "ferrt","Failed Exchange",EventCode == "fertft","Failed Exchange",EventCode == "fi","Failed invite accept",EventCode == "flo","Failed Logout",EventCode == "fn","Failed Sending Notification",EventCode == "fp","Failed 
Login (Incorrect Password)",EventCode == "fpar","Failed Pushed Authorization Request",EventCode == "fs","Failed Signup",EventCode == "fsa","Failed Silent Auth",EventCode == "fu","Failed Login (Invalid Email/Username)",EventCode == "fui","Failed users import",EventCode == "fv","Failed Verification Email",EventCode == "fvr","Failed Verification Email Request",EventCode == "gd_auth_email_verification","Email Verification Confirmed",EventCode == "gd_auth_fail_email_verification","Email Verification Failed",EventCode == "gd_auth_failed","MFA Auth failed",EventCode == "gd_auth_rejected","MFA Auth rejected",EventCode == "gd_auth_succeed","MFA Auth success",EventCode == "gd_enrollment_complete","MFA enrollment complete",EventCode == "gd_otp_rate_limit_exceed","Too many MFA failures",EventCode == "gd_recovery_failed","Recovery failed",EventCode == "gd_recovery_rate_limit_exceed","Multi-factor recovery code has failed too many times",EventCode == "gd_recovery_succeed","MFA recovery success",EventCode == "gd_send_email","MFA Email Sent",EventCode == "gd_send_email_verification","Email Verification Sent",EventCode == "gd_send_email_verification_failure","Email Verification Failed",EventCode == "gd_send_pn","Push notification sent",EventCode == "gd_send_pn_failure","Error Sending MFA Push Notification",EventCode == "gd_send_sms","MFA SMS Sent",EventCode == "gd_send_sms_failure","Error Sending MFA SMS",EventCode == "gd_send_voice","MFA voice call success",EventCode == "gd_send_voice_failure","MFA voice call failed",EventCode == "gd_start_auth","Second factor started",EventCode == "gd_start_enroll","MFA Enroll started",EventCode == "gd_start_enroll_failed","MFA Enrollment Failed",EventCode == "gd_tenant_update","Guardian tenant update",EventCode == "gd_unenroll","Unenroll device account",EventCode == "gd_update_device_account","Update device account",EventCode == "gd_webauthn_challenge_failed","WebAuthn browser error",EventCode == "gd_webauthn_enrollment_failed","WebAuthn browser 
error",EventCode == "kms_key_management_failure","Failed KMS API Operation",EventCode == "kms_key_management_success","Success KMS API Operation",EventCode == "kms_key_state_changed","KMS Key State Change",EventCode == "limit_delegation","Too Many Calls to /delegation",EventCode == "limit_mu","Blocked IP Address",EventCode == "limit_sul","Blocked Account",EventCode == "limit_wc","Blocked Account",EventCode == "mfar","MFA Required",EventCode == "mgmt_api_read","Management API read Operation",EventCode == "oidc_backchannel_logout_failed","Failed OIDC Back-Channel Logout request",EventCode == "oidc_backchannel_logout_succeeded","Successful OIDC Back-Channel Logout request",EventCode == "organization_member_added","Organization Member Added",EventCode == "pla","Pre-login assessment",EventCode == "pwd_leak","Breached password",EventCode == "resource_cleanup","Success Resource Cleanup",EventCode == "rich_consents_access_error","Rich Consents Access Error",EventCode == "s","Success Login",EventCode == "sapi","Success API Operation",EventCode == "sce","Success Change Email",EventCode == "scoa","Success cross-origin authentication",EventCode == "scp","Success Change Password",EventCode == "scpn","Success Change Phone Number",EventCode == "scpr","Success Change Password Request",EventCode == "scu","Success Change Username",EventCode == "scv","Success Credential Validation",EventCode == "sd","Success Delegation",EventCode == "sdu","Success User Deletion",EventCode == "seacft","Success Exchange",EventCode == "seccft","Success Exchange",EventCode == "sede","Success Exchange",EventCode == "sens","Success Exchange",EventCode == "seoobft","Success Exchange",EventCode == "seotpft","Success Exchange",EventCode == "sepft","Success Exchange",EventCode == "sepkoobft","Success Exchange",EventCode == "sepkotpft","Success Exchange",EventCode == "sepkrcft","Success Exchange",EventCode == "sercft","Success Exchange",EventCode == "sertft","Success Exchange",EventCode == "si","Successfully 
accepted a user invite",EventCode == "signup_pwd_leak","Breached Password on Signup",EventCode == "slo","Success Logout",EventCode == "srrt","Success Revocation",EventCode == "ss","Success Signup",EventCode == "ss_sso_failure","Failed SS-SSO Operation",EventCode == "ss_sso_info","Information from an SS-SSO Operation",EventCode == "ss_sso_success","Success SS-SSO Operation",EventCode == "ssa","Success Silent Auth",EventCode == "sui","Successfully imported users",EventCode == "sv","Success Verification Email",EventCode == "svr","Success Verification Email Request",EventCode == "ublkdu","User login block released",EventCode == "w","Warning During Login",EventCode == "wum","Warning User Management","")}; + AutoLogsview() \ No newline at end of file From 387dc48ab94abad3c48eedc0f34bcf6f5605d7cd Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Fri, 13 Dec 2024 17:01:03 +0530 Subject: [PATCH 2/4] parameters corrected --- Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json | 4 ++-- .../Auth0_CCP/DataConnectorDefinition.json | 2 +- .../Auth0/Data Connectors/Auth0_CCP/PollingConfig.json | 10 +++++----- Solutions/Auth0/Data Connectors/Auth0_CCP/table.json | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json index 25fd7a05dca..ddaa2fdd51c 100644 --- a/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json +++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/DCR.json @@ -2,7 +2,7 @@ "name": "Auth0LogsDCR", "apiVersion": "2021-09-01-preview", "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", + "location": "{{location}}", "kind": null, "properties": { "streamDeclarations": { @@ -98,7 +98,7 @@ "destinations": { "logAnalytics": [ { - "workspaceResourceId": "[variables('workspaceResourceId')]", + "workspaceResourceId": "{{workspaceResourceId}}", "name": "clv2ws1" } ] 
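Review bot: The rewritten `AutoLogsview` no longer returns `TimeGenerated` or `LogType`, which the removed code emitted for every event class: the `Auth0Logs_CL` branch renames `TimeGenerated` to `Date`, the `Auth0AM_CL` branch projects `Date` only, and `LogType` is not produced at all. Detections or hunting queries written against the old output (none are visible here) would stop resolving those columns, so I would append `| extend TimeGenerated = Date` after the `case(...)` and either restore `LogType` or call out the schema change; `EventDescritpion` also carries different strings than before (`feccft` now maps to "Failed Exchange" rather than the long description). The two branches normalise identity differently as well: legacy rows keep only the part of `user_id_s` after the `|` and lower-case `user_name_s`, while connector rows pass `ActorUserId` and `ActorUsername` through unchanged, so the same account will not correlate across the two tables unless the `Auth0Logs_CL` branch applies the same `split`/`tolower`. `RequestBodyPassword` is still projected from `details_request_body_password_s`; if that column can hold a submitted password it should be dropped from the parser rather than exposed to every consumer of the function.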
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json
index fad39ad8f22..25d12da3894 100644
--- a/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/DataConnectorDefinition.json
@@ -2,7 +2,7 @@
 "name": "Auth0ConnectorCCPDefinition",
 "apiVersion": "2022-09-01-preview",
 "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
- "location": "[parameters('workspace-location')]",
+ "location": "{{location}}",
 "kind": "Customizable",
 "properties": {
 "connectorUiConfig": {
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json
index 037a3a82ea8..ebfa3dc582e 100644
--- a/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/PollingConfig.json
@@ -2,15 +2,15 @@
 "type": "Microsoft.SecurityInsights/dataConnectors",
 "apiVersion": "2021-10-01-preview",
 "name": "Auth0Logs",
- "location": "[parameters('workspace-location')]",
+ "location": "{{location}}",
 "kind": "RestApiPoller",
 "properties": {
 "connectorDefinitionName": "Auth0ConnectorCCPDefinition",
 "dataType": "Auth0Logs_CL",
 "auth": {
 "type": "OAuth2",
- "ClientId": "[[parameters('ClientId')]",
- "ClientSecret": "[[parameters('ClientSecret')]",
+ "ClientId": "{{ClientId}}",
+ "ClientSecret": "{{ClientSecret}}",
 "GrantType": "client_credentials",
 "TokenEndpoint": "[[concat(parameters('Domain'),'/oauth/token')]",
 "TokenEndpointQueryParameters": {
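Review bot: In PollingConfig.json, `TokenEndpoint` stays as `[[concat(parameters('Domain'),'/oauth/token')]` while `ClientId` and `ClientSecret` in the same `auth` block move to `{{...}}` placeholders, so the block now mixes two substitution styles and the client secret is sent to whatever host `Domain` names. Nothing in this hunk constrains `Domain` to an `https://` tenant URL; if the connector definition does not already validate it, that check belongs there. It is also worth confirming that the packaging step resolves both placeholder forms, since a literal `{{ClientSecret}}` reaching the token endpoint would fail authentication without an obvious error in the template. The `auth` object continues past the end of the hunk.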
@@ -34,8 +34,8 @@
 },
 "dcrConfig": {
 "streamName": "Custom-Auth0Logs",
- "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
- "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
 },
 "Paging": {
 "pagingType" : "PersistentToken",
diff --git a/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json b/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
index e102871e429..0f5dcb885db 100644
--- a/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
+++ b/Solutions/Auth0/Data Connectors/Auth0_CCP/table.json
@@ -2,7 +2,7 @@
 "name": "Auth0Logs_CL",
 "apiVersion": "2021-03-01-privatepreview",
 "type": "Microsoft.OperationalInsights/workspaces/tables",
- "location": "[parameters('workspace-location')]",
+ "location": "{{location}}",
 "kind": null,
 "properties": {
 "schema": {
From 006b8f898369e4d7a2936288fb238af5ef01f93b Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Fri, 13 Dec 2024 17:01:13 +0530 Subject: [PATCH 3/4] Solution packaged
---
 Solutions/Auth0/Package/3.1.0.zip | Bin 14875 -> 14860 bytes .../Auth0/Package/createUiDefinition.json | 7 ------- Solutions/Auth0/Package/mainTemplate.json | 12 +++--------- 3 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/Solutions/Auth0/Package/3.1.0.zip b/Solutions/Auth0/Package/3.1.0.zip index 2b3484b5942bfd11b89581fc15e37d4b53c19d70..d605b9004cd8530f0e22ec42fb53e83617de3e78 100644 GIT binary patch literal 14860 zcmb8WV{m3c*Y_K9VmlMtwspm}?Oe&k6MJIYoY=N)+qQk?e$I>M{cx(@)2sIGy}MSg zwLa|Xe^vMXDFVPD&_Q7S8AMo=7RY~VSRlk8CO|VI7c(_0F*9>3dn*?!2YUu5dZQ0ubY}G0tj>uuCB%8zl+so-7@71p0b+cbSn zU4~d@Q=KY$=FR>>r_Rmm;%fC5fGj&$a$h=i_5DdwTSzMIa6Kbydi%pX6Dh}cDD}B0 z9962-ZKz{lZ6h<-$OE;IZyzA_vmVsfz!HWeN&Q;Z9X}JIWM8*mriaJ-ufLA_=N&#K z37UE-T?<_yhQr*BMnRoq_O&fJ-yd?zx?j{Jm66&jhI=kT*UyD?7VaR~Uc z*;i-13Fw05B0P+Q3d8|8`5P@#W7D^^eCRkM$O*ynAz0RBvRu@*K>XB2;8AU3m|cKp z_ZN+CXbfzanQ_K3WxZ`O0l{Y}T_yoREiLQ@$b1dRWQ8#YXp^Gy-^P(-TSWLG|L_S- z2J);KuL4tHr%dL#$7LelI-8W9Er6>tLXka-nSJQ5RI{+q{W{!S#4EL;3OJ?;Rh}qe z+?WvoQs`pX+#Krd-0_Pe29@(jSd)kC7KpA+~!JVYu4~LEpQuk%7{blN{GI( zBK|$@9C+%B5PVU_o|QGwvg9A??voew_~j!(d{{;{yt-K-FBKEDK+;v?h=~(wG^>2Z7xYJXj0C_JO%Up&r4|Mz#vNR` zzxYQA$7V{Gg~^|BOhlnia@l};bA`+eq-A>!A5>NZrt37JLVXHFA z!t@a4GaSjrZ03AJRjq8!5MQdgk;hTVJ8(~O$ zGg9TM772nwR_QHWkYyY|S?h}~hAYyAYx=r}y4y?G=ag$BTjt%(VF)2p4(aqYQ!Dk6 z9?f+uUzZr<%1;#Cq{-8e5jl;3Uy=(7zjo!u5sge*Z60UD84S!r49)wBA>~q+mqepY zX7#a93Fnqnm^IF>ej1rVqHvEwHs##51vFpw|K>DP7WZ~&bDRN!?LNV$pOOqE7iqnU z3@jWrqUKck|DrHcRRUbBNU2*Q!jYIJ+Nnz-G8AQ3GzkP!F33h-Kgl8& zTjaFryPb%A`pJ_wFqjTsYakA4Y-4tFw?P7xYDk=N)PSTcrfoaFne8;0-&ClSfzuSXV z`kH2tuYqEmCiLXLf@yL$moEIvoxYUrh}EOgsoROUH9S!JXMR!cz*RLnZ-Q}EbY2XVVM=JdY) z8Vi<#J)ciZW&#VM;Y^%vW@en0Yp4afu(|uem9=%p z#)`MK%rlck{#vIxiGKP>Qce`YALp7HH$iCgXzR*7 zi1hJ}rwD+C={1Z{$c6#|i9iJbQT$&L2nhW@B@pGG1lk!{*{hn_Iokdc!v9b4Q~xJ? z8vjH5E`MJFH#q7}zEys0ftK4Qk)@aq#V35;Nb73EWr|TISK5q@ZpG`>XZ~dC#|S+@ z#UCA`P&?MTD%hlK-FzVyMkVf@jU;zS-IQS?o3UiWjk=O>yEpiLB?_|rjFUTd*|p=R z)VZevtlZB^@!>FZjAYD0M%Cp#kFyl@TXn=Jog(}?o-hBp`XJ4Cz^>*KY^4%q`^2yhpS~1C) zU>ca23azk6@3Flbz(4*#K^1yof*12Qs=nvaHD|&eB@;QIkstjj^t&y1(ie@CQva;? 
z#4nY@68<#O5Ycmh`Fc7g^0tWVv+&pm{mtAKxYn|!BHfe&H1c}V=vjjSd@L}xRxk2Lb zDx)nrQeR(kXq?RHeX|p!-18kBo|j(0r`3j0vxR#Un$e@gk53NyYOOuF zQ=z<9Hy|%ku`?>u-aK22|Ig|<_uhA?Pp zi;W|;!<chKYTo{~u>#B&H89i88?GZr4g&qq34}uXVc2aS!vPA%E$)PfurTd!&2uwh0)x!cHi$=XZ03kAsnL5eu+3?x>roy!uYY>usI)5% zK|(4YGw^B=vN@wnG(0!KQw%07C;}k6*J)Lg|Hx{1appbF-^~ar)=l)-g?&h!WaSux z#9H4XZCe>P01*W@z*3w#bxDI-)kDk=!U&k9Fw5xZ0??palggpVB?5ujGt_rST|Ru8 z=FQFg)~Op$`a0MCf&{kL^aVRP0Gff}Xgp9?yZYF5bHU{Ty2Nu)rhxHu$d%>{Op4L>qAfwBvcEa-(7%F)*to_ww4Y@9n+{^>WloWZK zg9mZalJASY)27egF6xVR>rZZ92dVmyN`52w2YtfOx*ZNjRtFY%GwPTI;nH#icGqie z_KlMCvZ{Gj%z-*ZK%h69#w=66US4F+>; zLwjn_rw}@S&~9#A+6%R%q^!5AN$w>l!1=#3J*iW@5#GVfEyRQkZ-|vSrORo{74b8j zDr5jD`_@U79`OBI+5H=TPZHi(h*pwUqtx!rn&|F&DRoR!$Xzq%&68Km{E_f6TVmys z4=0g2&!pS?gva}mkhBlaN^@!(n+6`#f4XfryMR%B7|RGW5MzwHF(I+0S@m5H%pg4*6+fo;2lU0!IlCGXjWfM^%+FHlS8J zZkjg3)X2#Dqx->Zn3Vx4ghyyCB=`Pj4AQhj7&OPBaItmIH_dnB@mYEv7Asn3Ilf80 zXOTXF9&57~bI7H3W1qeA7DIArZmpp%RO^4BR?6)+@OyqCJE45?M_J;^Zf9YytuzHp z34sl|&4C))L(>PQ!yDVW;;LFB`L1TOZxiwz!!ZyN~$tGno17m6DCqY`?gBpyE!m8(Z(2Y;^@E^HnQ7bP}?5QPUS z%{}sMZ!`t~1ydRvUuETf%53{%vxfx7sMXg$aw;SR>t}(93Ln3GQ?C zWYmMUwWr3ON$-*<^%YnPqV)`a=uEjC8~p54A{Me~jkP<2sEJ+x7PonO)NVtZh)&y! 
zAQel>h3wDVkrY;p*nmbcO(71)duo4BNLVlc$lh;8Mat>)=Ac%@W`@i1 z6hzbe8=BdG0=`C&-S+Z0wcHhj-=v-GSo0?pV7Or*GF6~7-Awj|1V9gY@mvr~Ex>}` z00y@ZY*~tgDT=7G11cjc0)z+y8~eg^NRiDDO7r1R`9N;0<&QEELnwl}zTQ%!ESE!j|e8K{+t@HCT&oe>W`s-zv;yYpz!$ ziEjJOniYv{D_eZ8PMSvZwxrX}1itk*mF>k6F7pRMr--kBENTaoLAVAjI2Y@A(it<@ zkxsR@qL|P7-A4d^c2+EDDtbDV<5!e=;avhH4Aq}%tA~TpvjJtMiX|*jN(h2m30W;SyO_L{y&ro`rWPWulOfk z%+PRHN0;%vPfSjAmj1pZpTXfeD|1rzTMSwOa;T<}>*O5!zo;bic1Hbs<;Ix;iwl|b zgRLkptaNv*CRjMgB%OIWkM<4Jm1KK(#JWYmV614T^qdZ}e(FSf!?EDDsIC)y7{*Q8 z@eVdAw9WV&%aI(1!?(eg_YfGfb&wL@&CT^f%|U5tLEuAm!-Rx7n}%MZ@dd+ z4jf2Vxx|Y}vly~k3Y)-c~iKbijcle*`8Nd|I|-76oR zz-#G&U(o(L20s|I%{^w(poPc}I)`udrjBr@ZfYOf{c`d=MSS1{!+NSgy;x^+gP92Q8-79oI2OCQS=c#qS3fH^0~Y)85S^B;2mUsTy6T6G%K##=YvK zotBf-Ra~nZDdHeW#oa-wi83D-0Gw(0`bB>&tq(Jucu6`pbo3~}URmjJzEp|bW&zJS z1x-#a?^X>tL=c)Uq}51hmFwT4<-ngjD9EwM3XS23hMP>Pt`LpqzqUw)sQ79X`#rn< z6@fI9E6eHUMfE1552mh-=fVE;QMhnAC(!=UUu5h46VDoV zv5`}k$s;Ol@WT;{$<-$6j!JV^;-H>uG12;h7Uc4b5;H&D(GDaAFLpuO{WgKp>qbn^ z5REV^D~FdR14LdZbrfEis&!=jF4qh@P%nCXt6wzUPjzETi1HJrvK3=GuL~~!P!bFm zo~EA14@VF{KK5V&5<`;ge+y^5GlOW?V94xOqL%7U z0i3R;ld*O1YuMuoS2Kn}I7|)rheSM)eM!9_9+rd9oY0A%1F%8-)u|n-LG4{ZUvZ*BInp0 z5V!1RnboFzRs6v<3$>u&WT)wqfA%Wc_mBco%w53m0aVRQHgm8}q-EtDW@aew3i*n{ zl4DNx7v07%{5=4`uO>_jz6}ECp{!{Z7CN0-C+uyp%rNC4IrLkBv~5ITK?yt?#JM>b z#0`ueS(*Z*M(j&dj_6-eVC!|=m$@EQLC2cXM1GdGajnE&%z4jAt0&-i14B9o{RW@!(1$x~ zOP9M1eNCwzPrgC8L`S6!dpP9{*{aj+@GzwTb;34bE;wJp`0M??d0)&D?BIOOqJcz}O^pWO3&iI!<*6ZX@b&KQG)J`l|2d61Xw;yu)&es6CCmZyJND3!)RWw z6Y%6c$aB7x#T%~7{3M8`0V!bRcx^8G$7SX`vG|dkyAWgzNsLnR7Qn@mDLVxkn!983 zcXX5dlK`)ev#0x=_Q&ssvxCF)KewY!r^m131^0#$q6slJs>+7BNO)D8Kg7Z|MtGW(rpNdvkzd4cEsv=17!{@=dG;fyN-B7 zv6yncb8B4f7T9}s#eV!Y#(uZOru6S1OU|nWJh|l|cI?hUJk>hIwHnxn?8X*R{bkPc zrm+imj={sW3F~3DXh}{F0~swb_&lBV^^y5zdx7VFIo}z#Ft|ec0^a=iO6PkYUtIV; zU(}ecV7AoZOnxZW7R7kiiePDM!VG8|?M?t!z4agvS5i93b)nq$_UU+UsGi-6aUp*VwnO$J?gYU z5#e&W#19bev&1yxW}!(NK{eBjAZTo$Cf`{@RTRK>?U43q9Ff#eYA~zNWtswDagofE zNS&|v-KB~kRr?p(H)7Fb;TJV#Jg`r8$>p92vRib?H`15wf3Ngt|BWI?D#Rotm 
z{E1Pa8q_yeoh11v0Nl>GPb^SAjfm)Sa)8YP`Bd_|YFU1dO3O;Md7Y&iD1bAV31akGDAHzdPr zsF3JoL=);}^rWe>=*)|9QSmwqqNKoZdmHi%lEQYg!4 zq{tyq7rM4Crn9uoCQdJ@PH%feSOB2RHqB~8h6+uJ3r#{ywP33&iugrmvW>RF=1IpO zY|~pzhH^H+7qWMk6IY+zS>FU&=4;5Kn&f$p8&=;-#yNI3Gp#JAnQW)%Di-W5C&*mJ zh}n21mJ*p?%2*&Z#*kfP^Uvb>7PDbj(m_{}Up1bC7kVme#C2HS-y#Lj{0UfJIeNY6 zalGvG8_trnR3x&)2e0D%pS?ypoYza9M{C}jCo0NWtopT9vbmT4(mtdCvse$;99Z8Y zTNH9omOa$oCYpy6Uz^VE9&zleaO@G&?9A!M$>+zY`^SDdPioWk@~ce7n_Z>znw@o7 zwKbS$HYOC&_g{3WS~**|Y zt{)*e54ApqOyBuh#co_^o$*9 zeg*?2D|bSza4xOI-IpK{jvfjd`0td0;5FCSGNe9Mp!b6-FPUKL>_XMBS)Ef+0nX+m zmFWI~R}a=JtEnRZMFConSDzukXAG(ThWzBqC^bZ`H)FX!yS9J-gKgp&T{Er!fKU&k z>guZuo16WPwpRfn{<9?Jteq+12Ek?>8;RllSZRW$t{s1ywlC=!>8M@pCgz)!r94)X zpiR*IVkJI7`Me-tvcL>`%a`JFSd-(GIhilw?pPcBuzR{$BeT17?<+1@8N$_hp6_63 z%w;cU%3$=Qr~CZHu%~T|@7S|L88KsYxy-t@VI27b>jp`STfegP$g!V=g8UE#rYf?*;hA$DQ{%%a?dYmo;n4b zoKrnV4X=}Zz1;lU2Q`bma0YJtLfGJ~5_2Binf!H21iDymQlZ47zAR;XTXi0!a{&fE znYB!PiwzE0)r+4*FlIwO`z|}6fH`eW0j*ionVxUk1!bOC3!oz8wf;9 z5#zpiR8O^O@r+Z{ww~Z#@@Bq%_1@-QdSQv(-O$gkXXJl&mzhqxrxP#jS)dVeq}}Xi zZB9nWz0tG-6nNL#nZar~)uH||V>G6eJf@f)+5q?VeptFyd_%*Rkq=c87YohH-B>rX zyj!ch22(Z|mOc?*p4jMm%r(JTnfhbGgTPe9 z-KE*l}-M+L7`e^DYY_E<%+;5MuKIAsWrcaUdxg z8Bz>*8}x9;!f^jSON`bNmwJfGA@dEbK=t=kM|=@P0AmO!2SFli52q(zKKg`d$rf3`_%)=)z3s$IGXOZa}Q zr|YzN$+?NeIVSj(b|ff2xG@GiC#O4Hj`m^|Gn-YDBz)!Z(N6N^_A&_j9MnX|H51b; zhlLjm{F+u2rqX6l9bFYYOmUs#lYcs_X>iUk!`F+#Zpm)>9qsOyQa7sXBSNc~FXZNz z(9;N@B7IEdq6>xF*#mM^SjK~6)5&N<2yb#>l{8osYzw`u>uYa-u@fvWVf*TiQ-)MS z!6QQT3m;{L^!W6FjQimeT_0kU@b%|-yjyMzetr|oG~8lb^QW-2!;J(r&?{9Ew`3(8 ziFT3Zvi2gjocl)RFV2ms6+Q@|g1390g3k-}G_NL2t5Mt%0Ru2S;)7noRgL+u8hS&k{x z$*KA%r0p}dcU5e@i{7$zQU)He0-ZB~W4Avxw)@zQyyv@1c}(Yoh@lDU(5VIQHgea$Dr?7-46W;~eh@gIBj)fA9N!5B~ChRg3n0nWH^ke?!ta8-M*42v}qW?dHGTqTcON zXt+kZ)R1W~7(j-hP};r-ALQSdvB#^ar@*+hacr3tKuZ9 zc;3F!eq7gkmZtM%%Q>_DMAmq3?pQ+`)Il525gc3S5iIwh zIQ6UtdpZXthnu{mtGubJg5g)tdILA}D*4aWM{wq7*pW(u2rEUAc1ld&I)`!x4x<*) z{2NcSpv&m|Z7q=-iNAwQ6d>D-*R%0A?aKMraIjr+;hjYp5Y8kHI$+gad-hgLfPDKD 
zh)wzMRy)|%EHo!Ty_HOdom5L@hOmuPjh?TuU2~B3d8OJp&W%?EJ44ylGPZ9d`;eTD zapT%va#q3f3nv4M{w=ZmxkX)J@u;0outDmlv?m~g;5`Y%-!oABKZj_MzQ<18Bu#$_ z=QHiHZdk5`>bdM9O-grn6;!aV^B9Cl;=QPB`3^Vutshf z)vAN?zv@rnA(GO#q|PxQy}?D0ZdU`}Girh6zdOsL(weg(wHxtmD(x3l;Y#EzIDegv z>);g6r!=#?;c@D1{Vk?tBLdnrEm%Qi!ng%;>L}z*a?lj~VtHU6q(%%t|LCJ0@=LG0ECFqDGQwiJa zSMyCj;1A>llKljX1Y11n$lo1$J|@PG5MT>+eA(nDm5bDaMD`l!#F&?PEmeIQ``#~?n|ZAS=&~2s_YWs`?iJrJqZQR`$lH?RUPiWKAUjEjXw!o*;Nf&0 zqXFUb_?i`kv{RBIWEJ8xH9imju)9Dta@d(DUrx%~_X**7`Z7=zwR=(M81|5P{ryvJ z(3%q?iOK2p^;ZCIXlA&=cSN-^AOLOD?WOS%PSOVv3(nj=KI%Ec0fXb~bPkGdcuzQK z(HT3VLaDCy`)2-{tDoquS^LtR{oRg7Aq5&4klHDt%v)pfLcr!+7Nqo(|jv3uip zVDEydWV4{nV!k^yvMd=Gv4>VHKM)vVhRoD_l98V|PdHo7l|+Mafl?Wfpw1`cvilg@ zVC!@H@MCJuN2sc_k6%(xiQlMas+vFb!p5yn3) zF_=?g_u1$CbLr~p-BN+BipkkPf|HWj1{ADvIEq*w-nywb)|@5EehB5k62ij=PuFbI zkmbS{`tO-iE9d}uZGSwlpCFSDlm@wx#l)4%1C+)2c%aPL_+mo_m6w_3aUNIbBx$ii zNLM)VeVia+@UOjMCu0|m#i4!?(CNvj(WHx~iVD)t2Yg6zs-U{m18daS%A|T@7%H`V zj!`f`hLq&tl}udApJJusHudO}ZihL~@6BNjD5llaVIFMRKN~RuJM#6um^T4>ViEx6(q-zk)%UGZB>+0H?V`K`oLnS z4P@#%UL#=Yes5yOV17LsJ=zqBl~2i~k070n(=sTDXd=4C6k+Ig0wR*}BkR2G9efa_q9qF{$qrvH`%rr%F#1yumgMw#VLe~U*h{>IAmaQTHS zQ|?Jd(fXY1{ZVoyx+g4*cp86tp7Ru9BxV%*g^Q&XZb=ETd9MUeB*r-OR^)-nqh^k*nEPwLUUdQmP!AG;g?Q+i=_h;41AXq%kVrWN)&DER>V5` z0w5-$yyUx!%c)OsYcNttVX?Yu=zAm}VuTfGVBCaTzJ~`}VahHwRlU1uKk@Ewlf;TU zW($!jdC!L?(fS1LGOD8BZ6&#`Xqf#|lgX>smoE&arj(lT9?#UeNP#Z{#FBLA;20v82v-9Lyl z&@Y&{*`p7gSE=O#g79U>`a$;j42C87F*rM;T9lgXHZ41X%V?7REZKah`1)zTz>?jm znrunLJ@Pho>D8)n6`i8IQ^}s!&cS4!C-w0<>vpgCecqF?^tywWm!sb$iEK&U7G0w) z3s`0dmSv!A>qDJqs3((ZrfS5uYg5!de!{t9Q5S)8{GmoLr{q=(wZ%})KXvP&*wqVl zRwvqxaN{6q%-?+OMTk-l66o)e>j`F#*8fm*7Z~x<>FK`X8Id4h!TiAzJ_>eGu4%Q1 z(8bAnf!wb1g4|nP0G&N+`)G9MOeN0Mbc>8tW0|7d!GW8TB0}Ce{LyWT2~Hvx5^iNGS<%CyJgq@NSA6p?t-y_Haj2i);_RIW};!P6|v>I8U}si zbYXI%+HPGR32U%<7s1){M90bOKsq{W-`pY z+Zl6PfzmnN$q{)k7eroC=k}Uc_ammmrv9!%#a!8$O&$#iJiosS-SV38Of?h>ELX!a z^Fsm2!_GxerqVU;S5itTS!+oRq6w~S2lHoG@or=Q4Rm|oF;n-xZ+t<51JWqqwX2d> 
zN4_NS4YltzetTYzUX+rGIACrfq?fzP_F{#vsnU1E-PxPP6GLp7@2hX7%F^6wcOGJ# z>CSwZO}b21vX<@fN#hN@wUnbF?JSDIO?*&YMMs+iw}frCIIzq~H~8b|vb8p=gmZux zg9F)KYcC0VX@Q&BurN{CHa)@Od^7)ymH8wT@( z^v91U?V2N>RE-ma+lZOl$Sv~vTM5Yv*lgEK5uMgu+ zQN>hWu+VxKV2qm{lcf(?MSz;fa9pH&dXifKn@pWwV$RKJoR&S9{v?N&C281W0yjZI zm>TqOEr9#M{*2MVaj1O7t8@VPJ{!q+Lx1Y1kReV_9iz9g`Dxd$jlxO2i^TNTJva$B zo5S)~AHV|xXkz?G;Rlsrsf&x>OV*qcZjUto!9%-fm(aoAA_W;{vf4F(m-Q*-Vm6SI zqJhYS5x2+*o58&*>xa?^FV=O~Qxzh3&^R^%eBMm{SBYXvm4GP14!aWVwS~kEx=kZe6`v1&c@so|z{rLPDwE|Ws+@~s!;VIgBVt4N*pGpz zozjjRL$dlO&9mKsK)v0_L*t5`dHj6U8pVn@sf4^Bc9M8is3GDwT})Cnt{(He3d35+ z@o*0x&n*!!%S{%xo*K9A@Ib3t<`+h$^S+wjiyrH9GZ-)k6ZEn;3Q{gL#xDdv;x;A> zI9$=+n|HXr=35Qa>^tcSg~8oM44HR7_kVXAc$N{l$9>q+j~XoUGLj-3y4^wF2E)M~ z3wq{H5O7b_T5>aJgQ0&7K@QPp5f_nmU?J>M(XV$4&clw)g~`snU_Po4?kxO}N~ok2 zYJ-aIEOy%`VJ;dFzpME`;UbFq;PdE%RqSnSwcCJ1ZG%45v~)05UU`-D9M+3cO=o%h z65)GqJ0zJ3Q$g>N6mr!M^g7^N;Q$*FIbl6(x;==LI?k;G*9j>i4CRnVo^&X&uf)<& zp6(~OQ%`Q^WXqs8B%k3W= z$3P=yGmc+#p~AB*hc^rUIhTed-RRblYv~`uZ{Y7!&`DnMLC;VU9xF}dvQ>{>@6odD zpSSI0g#I;JDTr9+M!$q=$tOrt-}M(q$|y*0YoUmR{l z*WMjUT_V>gS+E>JT^(hH-+tIr_*^tMd*x#^p8*WzJBa=WGEa;`F1nmQX)^M`DZ&(l zq5UBK8@gF&9!xq=RI8AcAu-WvwF~cLo%K$qtL7m(yCfjDlhGYIP&U7eDb8sPNn?z%#Umra= z6gf!o>-59h(dVmJNh+dC*oFLNSfNm6xab8A&$4bxQPwjVU{TF72{nzVgR8FfVxCw& zG*d=5rklxjL1A}llF~RX?M`oomtwVdaP-q4mvsjVAZzhishHA^LTlZLH!%Fv0GMYoZt9S(8?pCk29$1AymGz6ie+u ztv*+V8wjzed{z5^A-p^nd1M})MEc$qjWHom-WHwXR#Y^ZjIAA$S(;p2{U;oQ)_tR3 zN>$&SMp~nag}kOhEy=nd3fta`s7$Xsg|55qBTd0r+^YNQO*MIp9dQwOrIKjz_@=T% zBR2%bMeC4J1?i9pxA_2R{|3hS+dreLN6uiUn9*?_tK}4aR=1pvq+I+5dLP$agl_3HcX3qUm2!<-_#HDOPE@ug)Rrc6rYh7MJIXCX$~6+@{x?RS+$(aBmOSX$TKr{i z%o=}d)k;rw(~bf~QD6Hta^*j3YORa33XaOYLsi@nIxlwVPt4^x{Wn6HwI z|DC$f^t+V7%$K3c>OiJWB^mgv7s4cbcnM<}GMG=YlV>Aj`&eO`*)@_Q0-@BvvnX96 zoXDVUs9B9Lc=%=@N^Y8B5zArV+AW1vXNb+!#Icl?pmtYW$L%>+OL8Kt6O1L=D980; z*NHO{WaBfWs7107o@v>g{2ECcX&UA3B!~W-C9Wh1;$RZ~`E9-Jv4FHM#}1^~ECm za_dcpx~DC;w_xShga?q=a{mL zBs>?sC6BVH1*v@9tPYAy0IOkt@VC!-u(!xdLAB)8A5;k}Atf2iErN-DzX-QW1T5l| 
z!x=a$SAxN2rJfa36>tQ#tH`D#CuU@DkL9&W5(G>Fb@pyFueTzc}P zD5gA`mT?S>rdl2-#VP|mjt9Uo6JU$5TJn3`ty#KfI4A55OqZxCDC5i}Ztd+pHD0eP z0me(DJ)(rchf&Zj2dSbUb5rUeS09py(mh%tJPGy@B19W(y*D)0fD+w10~jpo)~#4{ z$3A4%Q~@?=lp#m%*&C#a%|h_tsC0lj6)7Q#HF#;28x2mk;friwn`FmG=vD6Ikj6^% zY(8VOjDLzz8hIcjg)7!_B)Nb2zzqzzcz+x^5ZoIV81K0Y(n7?AcH&O4714ND`&?56 zk6zznQYyD!lYI>>0x>TBLrmPiC3eyjw?48A0WWkz7nF}58=Nqx7rxL9;kWJ$+>^J& z-gclkKBS>iq~ok)X%=F!kaRX4|4!{V*F+~awRyj?=3zS8v6NRD_$n7;T1WAKY zyq-%8%Rm&ZT*n&Ebl|#MnE;{h;C4CTUyUCSYxh80%Q5<3N3HBY=l;$ky;+Y z)$A{t=(Xy=!N?kyzj5S`_Mv-`!uJ|rbwr$Zg}pm!9%DaNCoeuRTM<5N5gorj)b3Dx zrl_x4Kc3+^7dv_twCX4~+8)LpEh=?W)Ef4%%jBfP?BrJ~`$b_^c$qw7`d^?5wcd>Y@ClPf7T8AnvlS)H9tbN#M8+pt}Z zwE5KC`Q451XhnJGuHj|i)|r_&p0uhKTX!LgZ8uB;A@{cZ#j^4Z(3+wJZ)r0q5?a~_ zg^FpG=6hk5=*9sPY%;Z)Xs2Jt2fq7UB6dB&2n)2N?qi;ijIyB3+Wtc@Zoa>f{)3OK z;Rj{!FoS^D7J&Z4M?k^Q!T&cy`QOnJED-GfP?G=En*9IM{ofLmkRYJ{Au9iS@c+;$ q|2;9v{}CJ<8sz_iRrwe8Kdg!(0P-LF0s;c|&l>*qBHaIZ`+oq*?X08# literal 14875 zcmbWeQ~5whG>wG?^iYffPfhOlhFTDjT}u3oJ~|LgiTB>Y%QEE>}=^Qo$PE+ z)NP`$*${tp&;8_c0&k3Zyf`Rm#gY!mERfr+;-Zq|uZzaJjI?-anp2uxvsvc%7V}p1 z7BO$S^yn<|@g)h6*?Il(T~=)x4o7DbOF= zIszD0E#7BE%MQNpt&=g;Vb+D?VC^C3^Y}tTpB$r?s!N*=_^8a zr$8BpObU?|Mfa?*VVT{zWNE%SsUBk`a-d%R{HL~o?X4Z4UaS56WnXG~d3-E(v;TD* ztRu0HmL33(amwOEtq((6vJ2T_?4)iEDot_Kp6o1mSCh&y;xH?|rswxHQR@T3MZfWk z1-)ZDxeHs#5QP{wb^^rz%0{x6Pkc)_X5!&~+pm=S7%Qs3en=~HyQt=^m!2+VRwuD}P9Ne7;ycC@z z47}2an??~$<51#|BYLV)5QSjULKv4`Z+Mf_>ozF>>X;BMq1zx0>m9))PlinG zn$azrXYh@%wCQ2xY1E_gEcT8!_s}gF&6B9oA~`=-LHh!e5IVHv#KYz-OnanPjyE2k z!72bF7A?iwS&n!`F;lVx{3*GY`ou<)>RZEKyyFnyf-*~TN!wO~*EN3PWCCT%TB$Wp#4UA&G}drl>jdRyaaEpf<>Qsc&=?rra}2UI_p%wt zHZ%0;I$0e1KHz+ie*!kRgU+%f5=bl6^q3)DK1EFmyagnrX*k#rvQR+|ddMzau+53n z1BdO>ZPg|0!N?3mO^09+l{&bL#(2!Vsmz?i%mxeAKHLk8P1h_q}QYKwe&~0pyUthZ2gg!^(!S z;i3Y3hcK_<1B^>7<}P`Bm@bI^wEb;+L|fn;G@7@SWg$t--@6Qrv&p}UhY~xV4wXKfkd%r}2-bc3 z*q`P$^n?J1(v&tg*o36aDDJc()rvPK9Q+XyS2wfIa(uBr;(v^kqUoU5pKKBU9v4`^ z3-WCP{ur{CIRvIY3B4W=%1&eVa(KsL_X)s~d55RwgH?BNMf4Lw!GMIQSPQc13lWGY 
z{OQt2c+$A@UcG`4{~Q0I1$;HL*37&ruc%cHwkb1$ z*N$a|Pl8~$(w^HGw$RKR$tCDC@h2VftfxZ>SxU~y%5L!n`NLrD_Gt5Y^kycj=$ldC z;?4nO`&MV6_u@5QwVW6mb)UMj+V#aSh^$ThCQYw1s*dWVY1W}n)%O$y+a+5oEGR5A zwl7rX;b0^^1|4$R2ww@9x|h-7q!11bMT`VRkASO|P=~GSjtLz~Z9V*4s6m*ei}^;^ zzznQa-3r|sU#q_9*Kpv+O$Dpqs?F@zHD!Ff0No~WL#tnkoRXH;1pMz^O}4I-t?(yb ze5~)5vX+-J75+PYmgH0I;j0^Imq$B?Xg`KXs#};Q^Ql;kNgJCEq|wg)A2V#CXtKq! z*)||Ec-z($IKF(UrQ z%otMgt_XV98X}Gey40GaV`IIES}3#d1^W>~%tT@hSw)w;6QAZ+30*edcmk;S{bW7Oa?CQMaSl-!B9~Pd^zlW==QHIdQwxQiVrr_T#?m>74$KVkfL(uGujW zX*aS1ZEvYiFFDsfOzwBbdt3?h8>O^vEHP`96wTndy%?1KzgtM^qz02!(j+; zY*W`0*sq*--qNx|4hrKNuAhHiwg@MTk+tWw%pn6*86{@CF_MTu_Ky*rpHMJ6BI`7c zf_VL!#yPzrMszUAE?fN%JKXmfirp{QHUKn0RepEPMb z3QV?V%|H?j%H`9zTU>&_LP{qwl*BPHnEk;!zEq9jj)b(Y7dZ%a*7RV|4PxHq9vAoP zeE60m*tYK$@ezhpH@RM7tX1bv9joAMM@X(x`Fv6cFq_!1+{-p$Qj3;Z0j$upk{0Y~IbIlN6c} z>Ic)(V-CrVG|^rVAF4Tn0K&`FXncdjmPTcK_!%9ekjSwPSHoGfPo*Sx{8{dtSmmGk zqUs$HfQeJkcYA_d6Y3AcMED7oOOAS=7$12&fjGNXtuJlruKMB_#O zLfn8r`T41yayI&|0ETqW6tSCHki$h4wCsEF;E+fN0&sXV1MmJ>9-ga=lnag!^HDl7 z*f$Vu!gQHo6;4N%<66HS8x!58#~%emuldD?xcspb8kx|HeM#02VN|aT2z~SYE1XHp z92!IVo*90WdO?QCV(BC`H;D*Anc|9~2xZw>B2IzbZIw8Pq3aLqq09-J=PXZz?Fs#& zKFIDpwB)Eb87`1=5{hQzEmO9oBG_bP%{2*}&M1jdMUcJajzVzZWt)ZHODMzMg*|(6 z>}&d9x&3H4{(c5mGaUpKZFZEZh^GhXDQa>(B6-or>?xQsSjUg<)Fr=$1Lvh5UUtf> zR+&$(&y#rBo_-ys};*Y)DER%?Gc!Tu6aj|({c(|urpw|?PHnvq>%5Q`^wg1Au~sC+pfmi z8poi+D)%~Te|E58MY$F@mlujH6tD;xvc%2fQ7N;Iwwug4B1#NbSTyyh0PV~}hS&Yb zX+UKs34NxDYzRzozkGL?9~vLp_4Oj#%xvN>>bZjP^UAS>RFjlIej}wDgj}vAo5`vP z_=S8k`rrDropwxrYI=R54+t!Oa;L`^@uksbRAs;+MK3BmkPnyng^D&}C7(bPQCUIS zN5^OIwVb~!6vyn#z$sAxbKv!nEx{f=NNJKS(#_mNszJOt<4X_NmjvpZa76(TNNmpA zB%IwkNOsWY>!APsr%Xp!hEwQ`de~pA<1UXX8Zj_(lIbRH2O_iU0Ja;nomK|=XUnJu z?|bt_E9bW>fa8z^6WA>7sSsS=QVS*)L= zpO!l#=vNNt_*fv$zF-(AH((Z6kDK(X*?&cr017v&Ulyq z7w{Fh67jLEF+|lf>b!RJKzbI<33}P1lhKCDzRN@(pUGh1yb6Lyvv>OgE4-`hcJQ+=N^Z zyF!bHxX%7Y;H6D9U^-h__;)_&iuCLSry9-|6!6+A3zQ}}zAJ1IJ_eJEvw?Wc9r@mH zf;F442sW($s6L)u+>(<7buRldLn=znDn;^9KOtDfqC1bZ4%>O8`Pcctmo3P`w&KM5 
zrNB=wn@QTVKJixW*_E_ZK?9rx5k6TPSlQJ;dx-P+F#3@nc)k&>9Qc9S(f=?ApOWAS zF_Y^Eaqy2LA|%J!vOM1wr8YBshR)b8&a{v{P}l<^EqgzJH!v~*-j?45!7h=0&;i=? zm|*RV#|c4Q-FxErF>H673n0&&TAKEi|-TkbJy6+7g)n&K%u+uAq(zz`4v zm087f!^xELT%**)0J=++!Sc2Q#*T@_+40kjFX9f@i&B>gs5f1$xMl=9?b3QDi17Y+ zyw1MP!$|;5N6DnH|A9*@etcmCksPANvbLj_qk$SS_aQwG&KFvxNJ!0lLtod6L}CXL zvXM7u@RvdO0Y8-&X=+_dz0f)bV0@!IIm{|z?SvfM8+v{I%X&(i^Y1-l&bPPS6%1D? zJTcw{`Hg%&BeS)YBJR-WG6!ajNF$r3W5lfE@?Pf1#lhGHBcz&7J|3lJyJ_c%f#HTq zV%Z>sVCD>%XEa?(laKD_6z&rQgQTRM)pi)kA=C^chc{-iuW002A0YB&yFppvwGjH8 zVM|CSr#nZh25|~kz&GsGM}mgH7RNR=!LvX2Ifg|z8z*}M++zs44)=k6v&-z46Yv== z&&j@rZMz-tVnKjk<|Ryz5Dkew zkC9vT#Q6n95r;-{!lBkBF8SKpfctmh>rnt;iCXm-%Xfx%q%`}9(GT{XYh12m%&Ww`4uh`f$dd+H5fYZKd@I17{do z1R>|P*NK3;f~Z&dAGlZ0`~8=f%rqB-G#9kcek(iOzG-67GV2-n++sE+oFrN+43jAG zK$eX|lfyqy{(b!AR_qVyawX%{*_8YM9NfHa4xT+fpIE^+F6d}saB)`aQ6wpg5sh7o5uvSDGZu96|EV3+_PFWEZxgyP#YE`>(ZQ13& zA)`ujuYSP2RrvBOv!-xtIsam0D$M}UUm*LIw8GVRxT_$4s}#Wb;2!xrxAYo-Et4;P zj*9B`N%c#(i0cM(UnO^1ZA(-}X0_1zV=ECtj&NS^BBR08IR-y7r!p*HkbulcCtnLK8;>!gsKs>08QyEnGAEVJNpdWG1QFgBpuOI1p-ljs#-RZEXuvSpFT?T0} zK668_?avrmsbU%_)Ne(No5sl*^?f+hX#L90Fl>bK?n`0xwX4Ze zQ-POg>f`s64^73noe$X9d@P%N!QOWb?xHbD-QB?&Z(^~mijni=} zzI+iFO1y;_LC=)x^}DjlP?7H6n4|#QN!sj`jht}A3;=!pZOnOptK?+jaA-0hv6kN{ zYxY)h3>EHuUyl3UcF3SDvw6#dwCgBD?K#I<;S7YSRS1a`0p++hYZv}Q(=wcWdlr*M zypO_qH*Xe|{___)P=1t=D`OpuK@LDs{maG$^}_~#Q&%Jm+Y6#M(6aHOX;_4^!>>}J zsIGsmxosWCBSy%GT$0(Bwwo&=Os~Cng}qb6UkB)_F?Y&WL7=rbBldoby#MZhu*CZD z$P7}0T2&-w*ateCssLp<2NQMI!pe7{?Pqi#GRz_yJN)A^lZ7m*FJK_2CqzTb#X+pj zHTZTEg46(ky+i$hr1qYfIJGeCkArjx9lXu-vSP+dswBf*rg??}1gjx)piZ1OF>Y;! 
zx9^(^>U;hYW|l^95@WVysixHH@L-Ku!bjv%JSqMQQ6hzLZw^ehn|PT{Cn!8zU&2qh zFFPs32rA`J_i*s=L=F{k??DpG(9WAkyrt-B*j3IdLzVO$*V~>GhEG~pmAh70o9}u>uU1d&c z28d+6ynH4mk!Nb0$e8y1Gd!PD<=Fx;Zc!vH0VDZl#E`zbc>ML$<0vN(LKFfk(khg6 z#Sf|WDH9(v3UTL))I%6~9`O$Himw`aQZI0qZbwBCzH4q5ro|o-eKc)_^qnwE2I#(J zOf#c?K0Qz~j+IncEFALBS}6+m+~R{IslPJh$^|-z!*oljA4JVgqCFTH=z|sllAzR$ z7$yfj!ewHEkB|EVVRc$_^Q#hjC1G~4uW`ChefZs+p6?&t&d%y@XB$&NOKE3cW!eS2 zG~Ym$EWhAix*B*_TkFJG+K=qK+3t9ez(Qsa_$is4H40X9`z#Wo`l@LU!vPW6KZ?d zVeQfTKY$r~{(C`I%XWMJxMx1Yd{?o3u|rtz!4>`PTZh^)hS-)qOjHjZrAyT7;Jgo& z__IE?DPrnd!x$ojW)F-6%$xzKbqLD~e6=kA7Rx)N@`vF4xT^2_`%dnB51_ZyV+YXV z{dRP_|F^63w)J+gwiNL>^ITOniqV`4$+jx|58IFrMxk_cRa<`T-HpkgiMOtVViE?I z1;W|{x%&o#sH)8s5z>VgK)9UFsS<1nGTyyki8wpsK#8krgCX-|bW*m6U^4mTn+80E z8KxyHi@k(-%ekqw%1vQxUHabpK5J1K2&j9 z-m~^ERX}^Q_HALlEnmgr0ZMX*c^&9YHcnx!pOpgc18;Pp(5<$C!oc zPZb3c;G{snqFf1WlNu@{Nu&;ig%b2dlHY(~s9^83-p*y54fnPN;U6D%$-YoYdaF3C zj+o@dV`Bwb$TCeEmXhdN=Ho{C<$Fe%JFBt0st!QPSX$FmQqxo%E#-buGm{x?2J^Iq zou^Q`zcWJ1^ecmhe+JXnCBr9~_Y2M&ADysEiLHcN*`rxpJ0Lt4lw)WFBopu$zi zhO9sZP_Sy?Dux;KnnKyG9GY)}tdezHaVp(E3fo^g-B(Fp+*gZgGk$%=^r1R_tOfD( z*ZBIc$HJtVsSBnDCz=)^=$+Gechgo`mGSzwmg#CrM)N6+^=!7)GHR!E$7+V-Ok0MI z==QhSaEopV-O~-DNiS`ew@zr5O=y;gX_oF(<3w}gWPRhfHZz)3{hTthamLoE>_ul? 
z7F`Uc*^IHpB!gB8mCS8)>sH$o$`#W{r*y-nbOYBEqL!nRuVIG1TMBS%FxjGsr%Q&e zPN`bj#mfJj=BbpfA)A?`Ev%S0yI|^|wO!C&t@4E~p4%Ai;?04QRe|qd=1E$4V#4M< zGx9Q|_n50fuV3lPP~N3%y7#FH^n8eT?%_Pd9oSBhB6>T_w2-hlAX zv>qb@_+X{XBMR&Hos3XTH+Ew0D+RO#Wd<}f0gza~?gs;;RM|UNSzzDh{l8FX>WDnD z!Yy~Wj>Ea^a>)q|=dd#5%&}-#Sh`gB!E)mV0~h{Q@aP^YTGdOy1st;R#vxjpY6ND& zM*$qswxHD{{#lk$T3OOI2L;ni_i5;UBjKhBrs(z%gA5qzZ3ALCA+M<)@l()MJeNgmE7?VaCB zjE0topOJE4i96(RmpT{{Z<#GMF%anAO%$e>8#>W}r< zPv;fx)oH?-RBo7z5BOyr)6H(48inR##JAk9Xq9+nT&6;*4O!FAzaWX**@qlU%j%cG z+2?KwoH%i94sQjo?x_Ox2*OV-+Mu7YQVZG)?Vsxvx_Cu>y?+n2x^FlS(7497A+B5^ zvq^x#XKgxEL3-qbzlsk|N@g=m(+kagA*Ly&@eps%U{Bqu-R~9WAk$~a5bkn{MP1lh zlgO3qq9#Vh;N44R1w~1Nh&nudI$hGDG&XTl*ppltyL` zZ7pR&ZY*uRuO+uMQZpCs-t$c?8agl8u{!dzWYr#S1*mo}mbg5E2Zt&6?Wt?_5xbM% z>NitG-y78sG#ndIqD0P2sDCdx=SHU=VABLr!xs1U$E)JTLZ%>XFYxhjO`mzll-K$2aWLsU-EroV z*bVJM`MBwt7$oq=CK)QZ0lp^T-0+#~Fz7F{$4L5vcUyRPaN+3^7bT_l8$t$5o;YWX z%j=?Vh{-vfjxatw6Pfo&CjxlDWcD6U6vNO6nC>KjBT}(Kkj?c&#yFw&Vy3Qvt(_LF zt+tG_bpsgkd5apOgEO$X+hwY)RxC1?Hw)TV9lKo;u4;ezTbhBH@4TYJSY|eGID%YN zYeba)*26|wMVeC5W_#p&f?yt)5hn3{k4B+2sl0>c;efe`Q-)q~bnyFu@3_l-9FwA1 znb@`SoW(Vogiu55n~j9k!8;uRHYrNsw~tIOdAuiFeEtm~#i}uYHb&{ch*%y!s=chL zzHkxElbbypQ*65JVDP#ty?ZG?>`KO>8(#7{Gy!U{t*3S{!)}{vj6!+RG646CT36Ew>k*F z1Z~)W8i1Vn3B{$uoYgjdo#6PB5hxq^b)7^^*cUJTSoiM8$u?`#`iNMd=_L3%D1t@1 z$lS`j4lW<@D}$7qiCcZNp}Ro-q{w|j3KrA-h*4QbaHtc0nX1s&poMbrVunDFriISy zNY3CqK~I9UBZ@r2r2nrpA8WL}(@0uxL+uD-%g68v!>YZ+U}5&^Io_h^hi2P=siowH zFzr-*-4tEjY1l>}e>K}HRk!|S4o^~8y~f5FeJO01h)b9zzIVgaj`gEk?GvrAfHw$@*r9 zjdSJ}CMb-DUBzoyG_2f3s>acmt$lPg7PzSi&lcCQ>Gr@r9#9Mp_;*{!1w;DQtVg@d zJ4!ySHBGq90?zhtLQSq;FoeAi&JDy*zkiSD-dAg$x%Dv%B)oy|N)z&9Up_Sk`-nmv zHE+Fhtqgl>?1($JttIp5S92Lk-Ok5<1%G#O4OIQ)rY6`sqRI^q}r6NN? 
z;}-stlTp=i9be|!2-Y6Fm9K9#2YwGDLeB$k1($E3*+v-FHFC+#F0Hy%^X|d-_l|M>pN$-%^#f*&$o8s?F{zul!UM-hYlP zHFJ5kIczpL^fr0qK5<*kyuTY{cO4Hh*i+nRmq)BB|5^$2I$GoHuDVaWycm6Z-p6Sl zy>}~1oFU%3-16GC z==9dyDOcSA-m$35;458|7vh{AgcEhglVzb)Xm@3fowiamYK%MePP|Er7o_Az#hzp^ zmY3a+O5SX*W(UzVeQXpX_{!MRJ^QF|bQ@PGU8D^vt|6w_yU_ICB}KZ~tDzFg_x9us z9fR(e2sw7D_*Aiw;UAlieXsx+iT$);hFRsjZ#&>F<(iZ%&7f$ zrh2_TiO*_E2?uP8zY^bp{q1lsX>*|Z@Yyo6Z}d+;Wk+u?h+(@+e6~ZJ&JD0Y{jPCS zASnDYq?=PyY-;{~S7VOGHw@p7e?pZQl?<>IqIWGTy!?mGxq61haP)~t`B%Cj3o{Kw z8I8r+&R1c+d7dv&OzSRYS0SMH6wf&hv8v7EmnqhrPItLTXarqC(9&FsY z|8<69?^CF`Q(MQUz=MbM0OM6;J_{&sCU_&c9&!M$0R#TRT;zMwgdgZBxh!YZg!IjK z%Uawf`}Y#?C`Z+x}IzZRl z?%nc=kHFUj<}jwIHl5fo`&1~ec?7RVV{og1qp2S+Cf)-yC7$P>Vw2i1=LA1d4!pQC zGT{tFKe<=9r|FwO<-^}p&>WFu@Sr=_x-L35F@;DzGlwihgh}n?6 zLF%nL$YQ?GYEYiG$T2Epp5bNcR`)m$_>cTIR~8utO4J~JIpKxMx2aIo9VRk$yD?S-+En7o=}n_XZbip5Zb zl%o}X5zj&W%$=gW@0!>`TJWnh@t*Z5l zN#vcm6n+TPBB)RV%#%xcP?S&s-wi_3QksCg)sfrd$#suEB-~EA?IIjQ3{sI9KaW_i zYaWZFFBd9OM$^E1R*Nw|mOg`01oulX4q_MJKkMA-*jZiS4$nC*mxFt_9s!HB1ZL=?Gs|n7Pr?(>MPR1JW54VVL&*o0FViy* zO;BZBaEYnr5Zj!ICZb)aHX${VbMxo3I^;PGS2iP8)9;LXFVH`it4BA?dX*dn3KIT9M7m7>CEO3|s zM4v{XU8$Pc;g5_EoAik_3d9Y0AOSBGn%w+zhx2ZRD zrX1?y{MuZ%`HyT~0S^Yw6)itL$G9IM7c2Q@1$tfx`2Ks|I}=mIi0n#7x~#ZdSvl9M zP($|k2vFalor1!EFv{rq`$q}-s5M(rl}-%?dk*9?s1hh07lyNkA6TdUITc5+$b~xC z!XaHnU@A!l=3AYlr61>1);r3jN1bvXZEAX!yIp!HXF?wsf?1#V+48N~cb}O|zOg_J zCnKuN+Zwc~W%)165vGeQa2HPzri&b^AEdP*Chw`B2(5a7@ ztmb2w_`XeXGPF8K4#X%90>!Wqbp2f~@qZ{y-O9^Ci|^7A9*jf`4fa*1%K|gfHmY@8Xd0 z8KQR)S+AKAaFi?IuvN{223D|3$P@lYsN@AEu9_t=@*es1+QSo-2kCBL*& zMfr=p#+e4QiAcxT?>p$vtKqAUK{m7MA(a!~#)D6y3l-xRX1iQw9Vkh6a9b^&OStl) zr4*59#Cl}46jX!XkGti-6uzlLgh|RL&y)A@5JQPZd0WKkEGkqLceml78t=HGpepaJ zAzrkYbxH+oZULj45x~6Q=?8E8}>Q53sf`&JY3KCvDKR+iLj05R>9SGASM)Mlsa}oFR{&9G={2BDmxTRj= zw32!V~9Lce1IJ| zxUhV7CIe6eT3HM3)fnr)*M#aj&$p@j6m;!|HyD|&?u-I(VJHJ1vDNE%!SD=qv0j#y z7bTZSX=STT>1EL)Esr(q(azRpeil)SL1_q`qk7o)nTw3poFdj?f)wNaoyK8GhU!|U z;sJ50lFb+9mLVw5ZKdHx 
z@g$wGFf;y4?jlRQ^$744a`ZCIt`$o9sX~wr!7*`Z`)hxFcrQQd2Pt;NX8TO3+MNf( zhN0p?QCOf+&}L$g?m`=2lJyboeM46nIxH$(8KM#?^-cCxOIm4zhFeWAVsDTjm&SV? zvPx@!#%RUSm^m!hSXuyA6*t}cSXQ})>0-r4+~P62;5D#P!RaoBhWZY9Yv<$y*5f1!Z$yIF zpM938nh-;(oql2{_9_|p+oR{}_n~Po{g6YR7)bJ+c9FrtoB(z~cnItAgovN2C94&0 zHL;o+d^{jy>R`SMF6$07TZ7g>gVPdV`tu*)ndkfF{dLj@u;#cae-PQSiyD2i6P`DX z3c^qkT0@wTqZ+{En8O7J1RF&87iPG~TEc}(0vN?fl19W)0rk2RQtA`gQWDp$uHLKs zAm%#^Ed2~_eefNdvtdTRAWgHcS!y{gw6HpX@ijG*XZ{*fN3)G`E3;Aj0`E0%5Dp#CP-lFeh0nN{ z(@1t4lUg7sFC&0aI9%cq&~Eg92NblMeSPzclZ*b*NB4k#N@)Aa2;vDfQv97Du|0)t zMcj-f{UV3;Ur_A$F<&$ugV6G`Eg3f30OU>x$}YZMl%&B~z6GsQOE8&jFZ zKH~m1U{UgT9$*dW&=53D45!+;@h#Ez1f*F3r7+_IbkFN7_5ilNjP;gWxscp2u4Cop z!8Mky>>*x28bWIS*$vDt4!a0WTkK=OnXIUhnIkFvjZf*RP#aXa!e_6aqIsh$IeOK`Mz?Njb>`pnQ5JmNAZWOWPA5OWoz2IqP>MQZmrYVr%~ROCZD-QC352XuBmtNw8OM?)aqZq;UmXk~{g>{~0n+(x5L8DC& zKFP#4L1WlPap+qNYfK3FaA}2o$U4i6520!eb6$wdm8wnMrUA&!)`4S6hrD%Wn^pEE z+lyr4Rv)S^N_-$Z^HGSC$QpVMJaG@$j4Qe(9^g)xXqzb#cIm?e`9fgw)}S_pq)g0C%~V~3QnZVY{QujdRKE!wsF3i z>2*e2Ev8gSA$fz{0{Nhr@s)9Eb7Z{_xiMyf#n-VZo_-$lzwh#WWv?B3myL)8A6a;G zcYHHWXgjngK`U12TB8O#d!^SizXL06%grk?ZSYmo6|~98|HA&`Hy6BRvn37I(G|Y2 z(xa+Rhcb55<87UutuDd4b=oG^vR9vG@;CSx>S_lPxh63stPHCX+th4lL--wC41z5$ zq6Pe(k7V;s0WzaJ(ekt|Prea2FM~-?Q`~X#(?e`)$;qV0FL7*}sea39V&har=Trz3 zsN0rICv|uESVA{VfR8gMxDyX5xj*Mw8okN-8W0s#S8o(ooW7eWsjFIs=eEbf9TYw) z(liHTVzf}wtR%AUp{+=OjpBFciu^)5v; zlx!k;q6JR)&5&~R=dX8jk~0{fabFUVWe-@=;HMy=o6Pw)Q>t7W zWx0`#Nr^)2(ZU@tjz=ZTiO`OJ2t~%1a&{DDaP)8ZYb8yRzWy4BxIkY|`ff}}@!zrI zqce(>qV6UBmp|CCV{d{ru=u)1+nNw?{YeQPKrfLYJU1?9Ej}Y%P&XlzWmds`?@{ln zOcPk~PRcH*Xi%foHXC}92zpAd3{CFDa&FeL*o2b@ zN*CVY*CI%m0=_Xb#1Z;1DEKnJWuF7VUkUgeg(H*wTrX>PRb@Vvz5rp}w+liDRiG-5 zsm7}64V6{xQC)@L`-HBx*vZThB;JL|OzM@D?J7++udC{+jdCDJc^w@YE~|>x@v;F= z&Cy8B$;?Sk7ni?$|2i{c91DGPW+HiC->A(m%kL*t=B@c6NKZb?VmuyI2^6nGSqhTYdDmrCySTU;qQcuR5XQNl`iqQAS zEN}p6^txe`J})=&Us2ih=dj_6>4X2Iuo9g`Cs>}p?*T(Jqs~~P$?m|})4bcjx{Y^= z-vEY%C^ulBU%%f^zlQ@V^=d)T#~LA1ppW;iYqC>hTX!@g*N4V9HHNRbfb2bn7)snh 
z7g(Ar`9vN}rbIY74+^MRf{hFz;R%=r7~Tx2B)hQLC=k&zeg(ox^KFDA4SpN99{f`JF(2EmNVIpY39?4mclt?bjO#ec7=4`qm zBtH>{cs*@k(ZXtOzc8w}0E2Op~&bySEX&Pz+mUurnUs+zey(K|V;4nK-3c82xlDb`FgC{}F^K>*3nBc0C1`nV+nc{u!hsUFWgdF~%#J`7 zT-iE28tYY5k>b9Iy6J#E;zMx(ZkH*|TjcT1JEET8vw&cu4|BhskEr4pKF}+u83?Z2 zn_6${wS$KG8pkDCzfrl&QGM){r}iCURCrT}t3hpiyhM6&#CCnb9Gw@C9K@(UzV{vY zVpkw9oja5lEAh{nJ{|yXdkofLA*?(Ho{V2&{?DL$Ki--5fGZov>CJfD*%|p)?<;@n zkQi4=3>TQR<^4ip(&$^e15+}q9@7^{9*J0|35GX)pUN0ksBgj!SfD^ZqBM#@#~OJf z(pnxgzEkht2&~ZFWH$dT>UjVtli0z2^aJ?DWv@Qghq7OwB;{z(ClF|X~gL{J@bq>?FlN3Zu< zkT@7y4)AuLAF7YP-z>##$Mqilwek}dpUFUO{nes~u+Jirf(R-tpD2~mp<&iY=D!y` z{L~=X{^rttI@SX`ML&^%-1cVqbxQ z_O`ESczD@lw~^GGtc%PC**qBSe>UZxImstFH&ljM0p$Fs}%upf%?T?+MjiQ53tv9vXqyv$+D_Q&mZ-zpZ-IOvJv zg&#cvjWW*kbMDvw_xD#`3K#?h=zou3{zs?$KidBW$oyZ6{I7h=|6SqyKf3e(L%YaJ Vf&V810fGG2gZ~=?IR3}#{{rhwe0u-@ diff --git a/Solutions/Auth0/Package/createUiDefinition.json b/Solutions/Auth0/Package/createUiDefinition.json index 1e1f10c5d84..62617e2288a 100644 --- a/Solutions/Auth0/Package/createUiDefinition.json +++ b/Solutions/Auth0/Package/createUiDefinition.json @@ -63,13 +63,6 @@ "text": "This Solution installs the data connector for Auth0. You can get Auth0 custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Auth0. You can get Auth0 data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, { "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", diff --git a/Solutions/Auth0/Package/mainTemplate.json b/Solutions/Auth0/Package/mainTemplate.json index e2f3eec4538..f376d0cfb4f 100644 --- a/Solutions/Auth0/Package/mainTemplate.json 
+++ b/Solutions/Auth0/Package/mainTemplate.json @@ -504,8 +504,6 @@ "isPreview": false }, "permissions": { - "tenant": null, - "licenses": null, "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", @@ -570,8 +568,7 @@ }, "type": "ConnectionToggleButton" } - ], - "innerSteps": null + ] } ], "isConnectivityCriteriasMatchSome": false @@ -888,8 +885,6 @@ "isPreview": false }, "permissions": { - "tenant": null, - "licenses": null, "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", @@ -954,8 +949,7 @@ }, "type": "ConnectionToggleButton" } - ], - "innerSteps": null + ] } ], "isConnectivityCriteriasMatchSome": false @@ -1041,7 +1035,7 @@ }, "ClientSecret": { "defaultValue": "ClientSecret", - "type": "string", + "type": "securestring", "minLength": 1 } }, From c74c61941a5d8fb9eacd6413a2637dccd7f5e0ad Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Fri, 13 Dec 2024 17:01:16 +0530 Subject: [PATCH 4/4] Update ReleaseNotes.md --- Solutions/Auth0/ReleaseNotes.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Solutions/Auth0/ReleaseNotes.md b/Solutions/Auth0/ReleaseNotes.md index 57a5750bf45..fcf5af95a86 100644 --- a/Solutions/Auth0/ReleaseNotes.md +++ b/Solutions/Auth0/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------| -| 3.0.0 | 24-08-2024 | Updated the python runtime version to 3.11 | +| 3.0.1 | 13-12-2024 | Added new CCP **Data Connector** to the Solution | +| 3.0.0 | 24-08-2024 | Updated the **Data Connector** Function app python runtime version to 3.11 | | 3.0.0 | 11-12-2023 | Added new **Parser** (Auth0AM) |
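Review bot: In the mainTemplate.json hunk at `@@ -1041,7 +1035,7 @@`, `ClientSecret` becomes a `securestring` but keeps `"defaultValue": "ClientSecret"`, so a deployment that omits the parameter still succeeds with a known placeholder instead of failing. A secure parameter should carry no literal default; dropping the `"defaultValue": "ClientSecret",` line makes the value mandatory (the existing `"minLength": 1` then rejects an empty one), and it is the condition the ARM template test toolkit checks for secure-string parameters. The enclosing parameters object starts and ends outside the hunk, so whether sibling parameters have the same pattern cannot be told from here.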