diff --git a/.github/workflows/package-on-merge.yaml b/.github/workflows/package-on-merge.yaml
index b8190dc6893..db82ad6a5fb 100644
--- a/.github/workflows/package-on-merge.yaml
+++ b/.github/workflows/package-on-merge.yaml
@@ -196,7 +196,6 @@ jobs:
 uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5
 with:
 committer: GitHub
- author: "v-atulyadav@microsoft.com>"
 assignees: "${{ env.ASSIGNEES }}"
 signoff: false
 branch: "${{ env.CURRENT_BRANCH_NAME }}-automated-pr"
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DefendAuditData.json b/.script/tests/KqlvalidationsTests/CustomTables/DefendAuditData.json
new file mode 100644
index 00000000000..68bc1a8ade5
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DefendAuditData.json
@@ -0,0 +1,65 @@
+{
+ "Name": "DefendAuditData",
+ "Properties": [
+ {
+ "Name": "TimeGenerated",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "Event",
+ "Type": "String"
+ },
+ {
+ "Name": "Recipients",
+ "Type": "String"
+ },
+ {
+ "Name": "From",
+ "Type": "String"
+ },
+ {
+ "Name": "Subject",
+ "Type": "String"
+ },
+ {
+ "Name": "Attachments",
+ "Type": "String"
+ },
+ {
+ "Name": "MessageId",
+ "Type": "String"
+ },
+ {
+ "Name": "ThreatLevel",
+ "Type": "String"
+ },
+ {
+ "Name": "TrustLevel",
+ "Type": "String"
+ },
+ {
+ "Name": "FirstTimeSender",
+ "Type": "Bool"
+ },
+ {
+ "Name": "Payload",
+ "Type": "String"
+ },
+ {
+ "Name": "LinksClicked",
+ "Type": "Double"
+ },
+ {
+ "Name": "SenderIP",
+ "Type": "String"
+ },
+ {
+ "Name": "Url",
+ "Type": "String"
+ },
+ {
+ "Name": "PhishType",
+ "Type": "String"
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json
new file mode 100644
index 00000000000..e61084d3f4c
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json
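Review bot: The type names in this table definition (`"DateTime"`, `"String"`, `"Bool"`, `"Double"`) do not match the spelling used by Malware_Data_CL.json and ThreatIntelligenceIndicator.json in the same commit (`"datetime"`, `"string"`, `"bool"`, `"real"`), so the validation loader receives two spellings for the same KQL scalar types. Unless that loader is known to normalize case and aliases, the four new files should agree on one spelling, e.g. `"Type": "datetime"`, `"Type": "string"`, `"Type": "bool"`, `"Type": "real"`. EgressDefend_CL.json has the same mix. The file is also committed without a trailing newline.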
@@ -0,0 +1,65 @@
+{
+ "Name": "EgressDefend_CL",
+ "Properties": [
+ {
+ "Name": "TimeGenerated",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "event_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_rcptTo_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_mailFrom_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_subject_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_attachments_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_messageId_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_threat_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_trust_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_firstTimeSender_b",
+ "Type": "Bool"
+ },
+ {
+ "Name": "email_payload_Type_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_linksClicked_d",
+ "Type": "Double"
+ },
+ {
+ "Name": "email_senderIp_s",
+ "Type": "String"
+ },
+ {
+ "Name": "linkClicked_s",
+ "Type": "String"
+ },
+ {
+ "Name": "email_phishType_s",
+ "Type": "String"
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Malware_Data_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Malware_Data_CL.json
new file mode 100644
index 00000000000..2ed2dd44524
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Malware_Data_CL.json
@@ -0,0 +1,161 @@
+{
+ "Name": "Malware_Data_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "id_d",
+ "Type": "real"
+ },
+ {
+ "Name": "relatedSearchTags_s",
+ "Type": "string"
+ },
+ {
+ "Name": "feeds_s",
+ "Type": "string"
+ },
+ {
+ "Name": "blockSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "campaignBrandSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extractedStringSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "domainSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "senderEmailSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "executableSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "senderIpSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "senderNameSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "spamUrlSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "subjectSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "campaignLanguageSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "campaignScreenshotSet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "lastPublished_d",
+ "Type": "real"
+ },
+ {
+ "Name": "firstPublished_d",
+ "Type": "real"
+ },
+ {
+ "Name": "label_s",
+ "Type": "string"
+ },
+ {
+ "Name": "executiveSummary_s",
+ "Type": "string"
+ },
+ {
+ "Name": "hasReport_b",
+ "Type": "bool"
+ },
+ {
+ "Name": "reportURL_s",
+ "Type": "string"
+ },
+ {
+ "Name": "apiReportURL_s",
+ "Type": "string"
+ },
+ {
+ "Name": "threatDetailURL_s",
+ "Type": "string"
+ },
+ {
+ "Name": "deliveryMechanisms_s",
+ "Type": "string"
+ },
+ {
+ "Name": "malwareFamilySet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "threatType_s",
+ "Type": "string"
+ },
+ {
+ "Name": "secureEmailGatewaySet_s",
+ "Type": "string"
+ },
+ {
+ "Name": "naicsCodes_s",
+ "Type": "string"
+ },
+ {
+ "Name": "ReportDownload_HTML__s",
+ "Type": "string"
+ },
+ {
+ "Name": "ReportDownload_PDF__s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelligenceIndicator.json b/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelligenceIndicator.json
new file mode 100644
index 00000000000..6765a8fe86e
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ThreatIntelligenceIndicator.json
@@ -0,0 +1,261 @@
+{
+ "Name": "Malware_data_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "Action",
+ "Type": "string"
+ },
+ {
+ "Name": "ActivityGroupNames",
+ "Type": "string"
+ },
+ {
+ "Name": "AdditionalInformation",
+ "Type": "string"
+ },
+ {
+ "Name": "ApplicationId",
+ "Type": "string"
+ },
+ {
+ "Name": "AzureTenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "ConfidenceScore",
+ "Type": "real"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "DiamondModel",
+ "Type": "string"
+ },
+ {
+ "Name": "ExternalIndicatorId",
+ "Type": "string"
+ },
+ {
+ "Name": "ExpirationDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "IndicatorId",
+ "Type": "string"
+ },
+ {
+ "Name": "ThreatType",
+ "Type": "string"
+ },
+ {
+ "Name": "Active",
+ "Type": "bool"
+ },
+ {
+ "Name": "KillChainActions",
+ "Type": "bool"
+ },
+ {
+ "Name": "KillChainC2",
+ "Type": "bool"
+ },
+ {
+ "Name": "KillChainDelivery",
+ "Type": "bool"
+ },
+ {
+ "Name": "KillChainExploitation",
+ "Type": "bool"
+ },
+ {
+ "Name": "KillChainReconnaissance",
+ "Type": "bool"
+ },
+ {
+ "Name": "KillChainWeaponization",
+ "Type": "bool"
+ },
+ {
+ "Name": "KnownFalsePositives",
+ "Type": "string"
+ },
+ {
+ "Name": "MalwareNames",
+ "Type": "string"
+ },
+ {
+ "Name": "PassiveOnly",
+ "Type": "bool"
+ },
+ {
+ "Name": "ThreatSeverity",
+ "Type": "int"
+ },
+ {
+ "Name": "Tags",
+ "Type": "string"
+ },
+ {
+ "Name": "TrafficLightProtocolLevel",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailEncoding",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailLanguage",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailRecipient",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSenderAddress",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSenderName",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSourceDomain",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSourceIpAddress",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailSubject",
+ "Type": "string"
+ },
+ {
+ "Name": "EmailXMailer",
+ "Type": "string"
+ },
+ {
+ "Name": "FileCompileDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FileCreatedDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FileHashType",
+ "Type": "string"
+ },
+ {
+ "Name": "FileHashValue",
+ "Type": "string"
+ },
+ {
+ "Name": "FileMutexName",
+ "Type": "string"
+ },
+ {
+ "Name": "FileName",
+ "Type": "string"
+ },
+ {
+ "Name": "FilePacker",
+ "Type": "string"
+ },
+ {
+ "Name": "FilePath",
+ "Type": "string"
+ },
+ {
+ "Name": "FileSize",
+ "Type": "int"
+ },
+ {
+ "Name": "FileType",
+ "Type": "string"
+ },
+ {
+ "Name": "DomainName",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkIP",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkPort",
+ "Type": "int"
+ },
+ {
+ "Name": "NetworkDestinationAsn",
+ "Type": "int"
+ },
+ {
+ "Name": "NetworkDestinationCidrBlock",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkDestinationIP",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkCidrBlock",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkDestinationPort",
+ "Type": "int"
+ },
+ {
+ "Name": "NetworkProtocol",
+ "Type": "int"
+ },
+ {
+ "Name": "NetworkSourceAsn",
+ "Type": "int"
+ },
+ {
+ "Name": "NetworkSourceCidrBlock",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkSourceIP",
+ "Type": "string"
+ },
+ {
+ "Name": "NetworkSourcePort",
+ "Type": "int"
+ },
+ {
+ "Name": "Url",
+ "Type": "string"
+ },
+ {
+ "Name": "UserAgent",
+ "Type": "string"
+ },
+ {
+ "Name": "IndicatorProvider",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 8e7b619ca5f..3be39f4ff72 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
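Review bot: The table is registered as `"Name": "Malware_data_CL"` although the file is ThreatIntelligenceIndicator.json and its columns (IndicatorId, the KillChain* flags, TrafficLightProtocolLevel, NetworkSourceIP, …) are the ThreatIntelligenceIndicator schema; a query against ThreatIntelligenceIndicator will not resolve against this definition. The name also differs from the Malware_Data_CL.json definition added in the same commit only by case, so it may shadow or duplicate that table if the loader compares names case-insensitively. Change the first property to `"Name": "ThreatIntelligenceIndicator",`. The file is also committed without a trailing newline.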
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json @@ -75,6 +75,7 @@ "DigitalGuardianDLP", "DigitalShadows", "Dynamics365", + "EgressDefend", "ESETEnterpriseInspector", "ESETPROTECT", "EsetSMC", diff --git a/ASIM/dev/ASimTester/filteringTest/ASimFilteringTest.py b/ASIM/dev/ASimTester/filteringTest/ASimFilteringTest.py index 3651066a704..0f3aa6b9e20 100644 --- a/ASIM/dev/ASimTester/filteringTest/ASimFilteringTest.py +++ b/ASIM/dev/ASimTester/filteringTest/ASimFilteringTest.py @@ -6,16 +6,20 @@ import yaml import contextlib import argparse +import re from datetime import datetime, timedelta, timezone from azure.monitor.query import LogsQueryClient, LogsQueryStatus from azure.identity import DefaultAzureCredential from azure.core.exceptions import HttpResponseError -from azure.identity import DefaultAzureCredential -from schemasParameters import all_schemas_parameters DUMMY_VALUE = "\'!not_REAL_vAlUe\'" +MAX_FILTERING_PARAMETERS = 2 +# Negative value as it is cannot be a port number and less likely to be an ID of some event. Also, the absolute value is greater than the maximal possible port number. +INT_DUMMY_VALUE = -967799 +# The index of the column with the value from a query response. +COLUMN_INDEX_IN_ROW = 0 argparse_parser = argparse.ArgumentParser() argparse_parser.add_argument("ws_id", help = "workspace ID") @@ -78,7 +82,7 @@ def create_parameters_string(parser_file): # Creating a string of the values in the list with commas between them -# Example: for a list: ['ab', 'cd', 'ef'] the output will be: 'ab','cd','ef' +# Example: for a list: ['ab', 'cd', 'ef'] the output will be: "'ab','cd','ef'" def create_values_string(values_list): joined_string = ','.join([f"'{val}'" for val in values_list]) return joined_string 
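Review bot: The comment introduced above `INT_DUMMY_VALUE` does not parse as a sentence ("Negative value as it is cannot be a port number and less likely to be an ID of some event"); suggest `# Negative so it cannot be a port number and is unlikely to collide with an event ID; its absolute value also exceeds the maximum port number.` The removed `from schemasParameters import all_schemas_parameters` is replaced by a module-level dict defined later in this file (see the send_query hunk), which works because the name is resolved at call time, but any other module still importing `schemasParameters` would now carry a second copy of the mapping that can drift; worth confirming nothing else depends on it.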
@@ -114,50 +118,78 @@ def get_substring_or_default(default, substring, rows, current_list): return substring # Checking if there is at least one value in rows that the substring is not contained in. for row in rows: - value = row[0] + value = row[COLUMN_INDEX_IN_ROW] if substring not in value: return substring return default -def get_prefix(str, rows, current_list): +def get_prefix(str, rows, current_list, delimiter): ''' - Returns the prefix of a string until its last dot, under certain conditions: + Returns the prefix of a string until its last occurrence of the delimiter, under certain conditions: - The prefix is not present in the 'current_list'. - The prefix is not contained in all of the values in rows. - If the string does not contain a dot or fails to meet the conditions above, the original string is returned. + If the string does not contain the delimiter or fails to meet the conditions above, the original string is returned. Example: + delimiter = '.' str = "example.com.subdomain" output = "example.com" ''' - last_dot_index = str.rfind('.') - # If there is no dot in the string, return the string - if last_dot_index == -1: + last_delimiter_index = str.rfind(delimiter) + # If there is no delimiter in the string, return the string + if last_delimiter_index == -1: return str - substring = str[:last_dot_index] + substring = str[:last_delimiter_index] return get_substring_or_default(str, substring, rows, current_list) -def get_postfix(str, rows, current_list): +def get_postfix(str, rows, current_list, delimiter): ''' - Returns the postfix of a string following its first dot, under certain conditions: + Returns the postfix of a string following the first occurrence of the delimiter, under certain conditions: - The postfix is not present in the 'current_list'. - The postfix is not contained in all of the values in rows. - If the string does not contain a dot or fails to meet the conditions above, the original string is returned. 
+ If the string does not contain the delimiter or fails to meet the conditions above, the original string is returned. Example: + delimiter = '.' str = "example.com.subdomain" output = "com.subdomain" ''' - first_dot_index = str.find('.') - # If there is no dot in the string, return the string - if first_dot_index == -1: + first_delimiter_index = str.find(delimiter) + # If there is no delimiter in the string, return the string + if first_delimiter_index == -1: return str - substring = str[first_dot_index + 1:] + substring = str[first_delimiter_index + 1:] return get_substring_or_default(str, substring, rows, current_list) +def get_non_word_character_from_rows(rows): + ''' + Returns the most frequent non-word character from the first 5 values in rows. + Example: + rows = ["123.456.4.1/4" , "44-55.5.1293", "11/33.99.13.12"] + output = '.' (as '.' appearers in the values of rows more than '/' and '-') + ''' + character_count = {} + number_of_rows_to_check = 5 + # Counting each occurrence of a non-word character + for index, row in enumerate(rows): + if index == number_of_rows_to_check: + break + value = row[COLUMN_INDEX_IN_ROW] + # Getting a list of all non-word characters in value using regex + non_words_characters_list = re.findall(r'\W', value) + # Incrementing the count for each non-word character by one + for character in non_words_characters_list: + character_count[character] = character_count.get(character, 0) + 1 + + # Return the character with maximal count. If no non-word character was found return space by default. + return max(character_count, key=character_count.get) if len(character_count) > 0 else ' ' + + + + class FilteringTest(unittest.TestCase): # "Main" function which opens the parser file, checks if it has all the required fields, checks if there is data in the provided workspace and then initiates the tests for each parameter in the parser. def tests_main_func(self): 
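Review bot: The docstring example in `get_non_word_character_from_rows` shows `rows` as a list of plain strings, but the loop reads `row[COLUMN_INDEX_IN_ROW]`, so on the example input it would inspect only the first character of each string rather than the whole value; make the example `rows = [["123.456.4.1/4"], ["44-55.5.1293"], ["11/33.99.13.12"]]` and fix "appearers" to "appears". `\W` also matches whitespace, so for values containing spaces the most frequent "delimiter" can be a space, which coincides with the fallback default; if that is intended, the docstring should say so. The `enumerate`/`break` pair reads more simply as `for row in rows[:number_of_rows_to_check]:`.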
@@ -264,7 +296,7 @@ def scalar_test(self, param, query_definition, column_name_in_table): self.scalar_test_check_filtering(param_name, query_with_filter, value_to_filter) # Performing a query with a non-existing value, expecting to return no results - self.scalar_test_check_fictive_value(param_name, query_definition, column_name_in_table ) + self.scalar_test_check_fictive_value(param_name, query_definition, column_name_in_table, param['Type']) def scalar_test_check_filtering(self, param_name, query_with_filter, value_to_filter ): @@ -275,11 +307,12 @@ def scalar_test_check_filtering(self, param_name, query_with_filter, value_to_fi self.assertEqual(1, len(filtered_response.tables[0].rows), f"Parameter: {param_name} - Expected to have results for only one value after filtering. Filtered by value: {value_to_filter}") - def scalar_test_check_fictive_value(self, param_name, query_definition, column_name_in_table): - no_results_query = query_definition + create_execution_strings_with_one_parameter(param_name, DUMMY_VALUE, column_name_in_table) + def scalar_test_check_fictive_value(self, parameter_name, query_definition, column_name_in_table, parameter_type): + fictive_value = INT_DUMMY_VALUE if parameter_type == "int" else DUMMY_VALUE + no_results_query = query_definition + create_execution_strings_with_one_parameter(parameter_name, fictive_value, column_name_in_table) no_results_response = self.send_query(no_results_query) with self.subTest(): - self.assertEqual(0, len(no_results_response.tables[0].rows), f"Parameter: {param_name} - Returned results for non existing filter value. Filtered by value: {DUMMY_VALUE}") + self.assertEqual(0, len(no_results_response.tables[0].rows), f"Parameter: {parameter_name} - Returned results for non existing filter value. Filtered by value: {fictive_value}") # Return an array of at most two values from rows. Each string in the returned array is not a substring of all values in rows. 
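Review bot: `scalar_test_check_fictive_value` switches to `INT_DUMMY_VALUE` only when `parameter_type` is exactly `"int"`; a parser parameter typed `long` (or `int` in another casing, if the parser YAML allows it) still receives the string `DUMMY_VALUE`, and comparing a numeric column to a string makes the query fail inside `send_query` instead of returning the zero rows the assertion expects. Suggest `fictive_value = INT_DUMMY_VALUE if parameter_type.lower() in ("int", "long") else DUMMY_VALUE`; `datetime` and `bool` parameters, if any parser declares them, would need their own sentinel for the same reason. The enclosing class continues outside the hunk.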
@@ -291,10 +324,10 @@ def get_values_for_dynamic_tests(self, rows): # Searching values in rows which are not contained in at least one other value for row in rows: # if we already found two values that satisfy the conditions we can return them - if len(values) == 2: + if len(values) == MAX_FILTERING_PARAMETERS: break - value = row[0] + value = row[COLUMN_INDEX_IN_ROW] # if the value in an empty string we want to skip it if value == "": continue 
@@ -307,81 +340,172 @@ def get_values_for_dynamic_tests(self, rows): break return values - - # Performing assertions for dynamic tests with parameter filtering. Values for the parameter are taken from values_list - def dynamic_tests_assertions(self, param_name, query_definition, column_name_in_table, values_list, no_filter_response): - pass #TODO will be added in next PR + # Performing assertions for dynamic tests with parameter filtering. Values for the parameter are taken from values_list. Refer to dynamic_tests_helper function for parameters description. + def dynamic_tests_assertions(self, parameter_name, query_definition, column_name_in_table, values_list, num_of_rows_when_no_filters_in_query): + filter_parameters = create_values_string(values_list) + query_with_filter = query_definition + create_execution_strings_with_one_parameter(parameter_name,f"dynamic([{filter_parameters}])" ,column_name_in_table) + + query_response = self.send_query(query_with_filter) + num_of_rows_with_filter_in_query = len(query_response.tables[0].rows) + with self.subTest(): + self.assertNotEqual(0, num_of_rows_with_filter_in_query, f"Parameter: {parameter_name} - Got no results at all after filtering. Filtered by value: {filter_parameters}") + with self.subTest(): + if (num_of_rows_when_no_filters_in_query == 1): + self.assertEqual(1, num_of_rows_when_no_filters_in_query, f"Parameter: {parameter_name} - Expected to have one result after filtering. Filtered by value: {filter_parameters}") + else: + self.assertLess(num_of_rows_with_filter_in_query, num_of_rows_when_no_filters_in_query, f"Parameter: {parameter_name} - Expected to have less results after filtering. Filtered by value: {filter_parameters}") - # Performing filtering with one and two values (if possible) for dynamic parameters. 
- def dynamic_tests_helper(self, param_name, query_definition, no_filter_response, column_name_in_table, values_list, test_type): - pass #TODO will be added in next PR - - # Performing filtering for dynamic parameters with full values from no_filter_response (similar test will be done for substrings/prefixes) - def dynamic_full_values_tests(self, param_name, query_definition, no_filter_response, column_name_in_table): - pass #TODO will be added in next PR + def dynamic_tests_helper(self, parameter_name, query_definition, num_of_rows_when_no_filters_in_query, column_name_in_table, values_list, test_type): + """ + Performing filtering with one and two values (if possible) for dynamic parameters. + + Parameters + ---------- + parameter_name : Name of a parser's parameter + query_definition : A definition of the parser's query + num_of_rows_when_no_filters_in_query : The number of rows in a response of parser's query without performing any filtering. With filtering, we expect to have less rows. + column_name_in_table : The name of the column in the query response on which the parameter performs filtering + values_list : List of at most two values that will be used to perform filtering. + test_type : Name of the specific tests performed. 
It can be default testing or specific testing for has_any/has_any_prefix parameters + """ + if len(values_list) == 0: + self.fail(f"Parameter: {parameter_name} - Unable to find substrings to perform {test_type} tests") + filtering_with_one_value_list = [values_list[0]] + # Performing filtering with one value + self.dynamic_tests_assertions(parameter_name, query_definition, column_name_in_table, filtering_with_one_value_list, num_of_rows_when_no_filters_in_query ) - # Performing a query with a non-existing value, expecting to return no results - def dynamic_tests_check_fictive_value(self, param_name, query_definition, column_name_in_table): - pass #TODO will be added in next PR + # Performing filtering with two values if possible + if len(values_list) == 1 or num_of_rows_when_no_filters_in_query <= MAX_FILTERING_PARAMETERS: + self.fail(f"Parameter: {parameter_name} - Not enough data to perform two values {test_type} tests") + self.dynamic_tests_assertions(parameter_name,query_definition, column_name_in_table, values_list, num_of_rows_when_no_filters_in_query) + + # Performing filtering for dynamic parameters with values which taken from no_filter_rows. Refer to has_any_test function for parameters description. + def dynamic_default_tests(self, parameter_name, query_definition, no_filter_rows, column_name_in_table): + selected_values = self.get_values_for_dynamic_tests(no_filter_rows) + with self.subTest(): + self.dynamic_tests_helper(parameter_name, query_definition, len(no_filter_rows), column_name_in_table, selected_values, "default") - def add_substring_to_list(self, rows, substrings_list, num_of_substrings): + # Performing a query with a non-existing value, expecting to return no results. Refer to has_any_test function for parameters description. 
+ def dynamic_tests_check_fictive_value(self, parameter_name, query_definition, column_name_in_table): + no_results_query = query_definition + create_execution_strings_with_one_parameter(parameter_name,f"dynamic([{DUMMY_VALUE}])" ,column_name_in_table) + no_results_response = self.send_query(no_results_query) + with self.subTest(): + self.assertEqual(0, len(no_results_response.tables[0].rows), f"Parameter: {parameter_name} - Returned results for non existing filter value. Filtered by value: {DUMMY_VALUE}") + + + def get_substrings_list(self, rows, num_of_substrings, delimiter): ''' - The function return a list with at most "num_of_substrings" substrings of values from "rows" to "substrings_list". - A substring of a value will be either its postfix from after the first dot in the value or its prefix until the first dot in the value. + The function return a list with at most "num_of_substrings" substrings of values from "rows" to substrings_list. + A substring of a value will be either its postfix from after the first occurrence of delimiter in the value or its prefix until the last occurrence of delimiter in the value. ''' - copy_substrings_list = substrings_list[:] + substrings_list = [] # Looking for values with substrings that can be appended to the list for row in rows: - if len(copy_substrings_list) == num_of_substrings: + if len(substrings_list) == num_of_substrings: break - value = row[0] - post = get_postfix(value, rows, copy_substrings_list) - # Post will equal value if: value dont contain a dot, post is in the list, post is contained in an item in the list. + value = row[COLUMN_INDEX_IN_ROW] + post = get_postfix(value, rows, substrings_list, delimiter) + # Post will equal value if: value dont contain the delimiter, post is in the list, post is contained in an item in the list. 
if post != value: - copy_substrings_list.append(post) + substrings_list.append(post) else: - pre = get_prefix(value, rows, copy_substrings_list) - # pre will equal value if: value dont contain a dot, pre is in the list, pre is contained in an item in the list. + pre = get_prefix(value, rows, substrings_list, delimiter) + # pre will equal value if: value dont contain the delimiter, pre is in the list, pre is contained in an item in the list. if pre != value: - copy_substrings_list.append(pre) + substrings_list.append(pre) - return copy_substrings_list + return substrings_list - def has_any_test(self, param_name, query_definition, no_filter_response, column_name_in_table): - pass #TODO will be added in next PR - + def has_any_test(self, parameter_name, query_definition, no_filter_rows, column_name_in_table): + """ + Test for dynamic parameters with a name that ends with "has_any". Filtering is made with substrings of values from no_filter_rows. + + Parameters + ---------- + parameter_name : Name of a parser's parameter + query_definition : A definition of the parser's query + no_filter_rows : The rows from a response for the parser query with no filter applied + column_name_in_table : The name of the column in the query response on which the parameter performs filtering + """ + delimiter = get_non_word_character_from_rows(no_filter_rows) + # Getting substrings that will be the values of the filtering parameters + selected_substrings = self.get_substrings_list(no_filter_rows, MAX_FILTERING_PARAMETERS, delimiter) + with self.subTest(): + self.dynamic_tests_helper(parameter_name, query_definition, len(no_filter_rows), column_name_in_table, selected_substrings, "has_any") + - def add_prefix_to_list(self, rows, prefix_list, num_of_prefixes): + def get_prefix_list(self, rows, num_of_prefixes, delimiter): ''' The function return a list with at most "num_of_prefixes" prefixes of values from "rows" to "prefix_list". 
A prefix of a value will be the prefix until the first dot in the value (including the dot). ''' - copy_prefix_list = prefix_list[:] + prefix_list = [] # Looking for values with prefix that can be appended to the list for row in rows: - if len(copy_prefix_list) == num_of_prefixes: + if len(prefix_list) == num_of_prefixes: break - value = row[0] - pre = get_prefix(value, rows, copy_prefix_list) + value = row[COLUMN_INDEX_IN_ROW] + pre = get_prefix(value, rows, prefix_list, delimiter) # pre will equal value if: value dont contain a dot, pre is in the list, pre is contained in an item in the list. if pre != value: - copy_prefix_list.append(f"{pre}.") + prefix_list.append(f"{pre}.") - return copy_prefix_list + return prefix_list + + + def has_any_prefix_test(self, parameter_name, query_definition, no_filter_rows, column_name_in_table): + """ + Test for dynamic parameters with a name that ends with "has_any_prefix". Filtering is made with prefixes of values from no_filter_rows. + + Parameters + ---------- + parameter_name : Name of a parser's parameter + query_definition : A definition of the parser's query + no_filter_rows : The rows from a response for the parser query with no filter applied + column_name_in_table : The name of the column in the query response on which the parameter performs filtering + """ + # Getting prefixes that will be the values of the filtering parameters + selected_prefixes = self.get_prefix_list(no_filter_rows, MAX_FILTERING_PARAMETERS, '.') + with self.subTest(): + self.dynamic_tests_helper(parameter_name, query_definition, len(no_filter_rows), column_name_in_table, selected_prefixes, "has_any_prefix") + + + def dynamic_test(self, parameter, query_definition, column_name_in_table): + """ + Test for dynamic parameters. Dynamic parameter receive as value an array of strings. 
+ + Parameters + ---------- + param : A parameter field from the parser yaml file + query_definition : A definition of the parser's query + column_name_in_table : The name of the column in the query response on which the parameter performs filtering + """ + parameter_name = parameter['Name'] + no_filter_query = query_definition + create_execution_string_without_parameters(column_name_in_table) + no_filter_response = self.send_query(no_filter_query) + no_filter_rows = no_filter_response.tables[0].rows + self.assertNotEqual(len(no_filter_rows) , 0 , f"No data for parameter:{parameter_name}") + with self.subTest(): + self.assertNotEqual(len(no_filter_rows), 1, f"Only one value exists for parameter: {parameter_name} - validations for this parameter are partial" ) - def has_any_prefix_test(self, param_name, query_definition, no_filter_response, column_name_in_table): - pass #TODO will be added in next PR + # Default testing applied for every dynamic parameter + self.dynamic_default_tests(parameter_name, query_definition, no_filter_rows, column_name_in_table) + # Specific tests for "has_any" or "has_any_prefix" parameters + if parameter_name.endswith('has_any'): + self.has_any_test(parameter_name, query_definition,no_filter_rows, column_name_in_table) + elif parameter_name.endswith('has_any_prefix'): + self.has_any_prefix_test(parameter_name, query_definition, no_filter_rows, column_name_in_table) - def dynamic_test(self, param, query_definition, column_name_in_table): - pass #TODO will be added in next PR + # Performing a query with a non-existing value, expecting to return no results + self.dynamic_tests_check_fictive_value(parameter_name, query_definition, column_name_in_table) def disabled_test(self, query_definition): 
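Review bot: In `dynamic_tests_assertions` the branch `if (num_of_rows_when_no_filters_in_query == 1): self.assertEqual(1, num_of_rows_when_no_filters_in_query, ...)` asserts on the same variable it just tested, so it can never fail; the message says the filtered result should be one row, so it should read `self.assertEqual(1, num_of_rows_with_filter_in_query, f"Parameter: {parameter_name} - Expected to have one result after filtering. Filtered by value: {filter_parameters}")`. `get_prefix_list` now takes a `delimiter` but still appends `f"{pre}."`, so any caller passing a different delimiter would get prefixes ending in the wrong character (today the only caller passes `'.'`, so this is an API inconsistency rather than a live bug); use `f"{pre}{delimiter}"`. The values spliced into `f"dynamic([{filter_parameters}])"` come from workspace rows via `create_values_string`, which wraps them in single quotes without escaping, so a stored value containing `'` breaks the generated KQL and surfaces as a failed query rather than a filtering result; escaping quotes in the values (or skipping such values in `get_values_for_dynamic_tests`) would make the harness robust to that data. The `dynamic_test` docstring documents `param` while the parameter is named `parameter`.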
@@ -425,16 +549,102 @@ def send_query(self, query_str): query = query_str, timespan = (start_time, end_time) ) + failed_query_message = f"The following query failed:\n{query_str}" if response.status == LogsQueryStatus.PARTIAL: - self.fail("Query failed") + self.fail(f"Got partial response for the following query:\n{query_str}") elif response.status == LogsQueryStatus.FAILURE: - self.fail(f"The following query failed:\n{query_str}") + self.fail(failed_query_message) elif response.tables == None or len(response.tables) == 0: self.fail("No data tables were returned in the response for the query") else: return response except HttpResponseError as err: - self.fail("Query failed") + self.fail(failed_query_message) + +############################################################################################################################## + +# For each schema supported by the test there is a mapping between each of the schema's parameter to the +all_schemas_parameters = { + "AuditEvent" : + { + "actorusername_has_any" : "ActorUsername", + "disabled" : "", + "endtime" : "EventEndTime", + "eventresult" : "EventResult", + "eventtype_in" : "EventType", + "newvalue_has_any" : "NewValue", + "object_has_any" : "Object", + "operation_has_any" : "Operation", + "srcipaddr_has_any_prefix" : "SrcIpAddr", + "starttime" : "EventStartTime", + }, + "Authentication" : + { + "disabled" : "", + "endtime" : "EventEndTime", + "starttime" : "EventStartTime", + "targetusername_has" : "TargetUsername" + }, + "Dns" : + { + "disabled" : "", + "domain_has_any" : "Domain", + "eventtype" : "EventType", + "endtime" : "EventEndTime", + "response_has_any_prefix" : "DnsResponseName", + "response_has_ipv4" : "DnsResponseName", + "responsecodename" : "DnsResponseCodeName", + "srcipaddr" : "SrcIpAddr", + "starttime" : "EventStartTime" + }, + "NetworkSession" : + { + "disabled" : "", + "dstipaddr_has_any_prefix" : "DstIpAddr", + "dstportnumber" : "DstPortNumber", + "dvcaction" : "DvcAction", + "endtime" 
: "EventEndTime", + "eventresult" : "EventResult", + "hostname_has_any" : "Hostname", + "ipaddr_has_any_prefix" : "IpAddr", + "srcipaddr_has_any_prefix" : "SrcIpAddr", + "starttime" : "EventStartTime" + }, + "ProcessEvent" : + { + "actingprocess_has_any" : "ActingProcessName", + "actorusername" : "ActorUsername", + "actorusername_has" : "ActorUsername", + "commandline_has_all" : "CommandLine", + "commandline_has_any" : "CommandLine", + "commandline_has_any_ip_prefix" : "CommandLine", + "disabled" : "", + "dvchostname_has_any" : "DvcHostname", + "dvcipaddr_has_any_prefix" : "DvcIpAddr", + "dvcname_has_any" : "", + "endtime" : "EventEndTime", + "hashes_has_any" : "Hash", + "parentprocess_has_any" : "ParentProcessName", + "starttime" : "EventStartTime", + "targetprocess_has_any" : "TargetProcessName", + "targetusername" : "TargetUsername", + "targetusername_has" : "TargetUsername" + }, + "WebSession" : + { + "disabled" : "", + "endtime" : "EventEndTime", + "eventresult" : "EventResult", + "eventresultdetails_in" : "EventResultDetails", + "httpuseragent_has_any" : "HttpUserAgent", + "ipaddr_has_any_prefix" : "IpAddr", + "srcipaddr_has_any_prefix" : "SrcIpAddr", + "starttime" : "EventStartTime", + "url_has_any" : "Url" + } +} + +############################################################################################################################## if __name__ == '__main__': diff --git a/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py b/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py index 67b82316016..e410724d10d 100644 --- a/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py +++ b/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py @@ -6,7 +6,7 @@ import sys from distutils.version import StrictVersion -SCRIPT_VERSION = 2.3 +SCRIPT_VERSION = 2.31 PY3 = sys.version_info.major == 3 # GENERAL SCRIPT CONSTANTS 
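Review bot: The new `except HttpResponseError as err` branch binds `err` but reports only `failed_query_message`, so the service's error detail (status, message) is dropped from the test output; use `self.fail(f"{failed_query_message}\n{err}")`. The header comment over `all_schemas_parameters` is cut off mid-sentence ("mapping between each of the schema's parameter to the"); complete it, e.g. `# For each schema supported by the test, a mapping from each of the schema's parameters to the name of the column in the query response it filters on (empty when there is no such column).` In the ProcessEvent map, `"dvcname_has_any" : ""` is the only `_has_any` entry mapped to an empty column while its neighbours map to a column, which looks like an omission worth confirming. On the context line, `response.tables == None` would more idiomatically be `response.tables is None`.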
@@ -873,7 +873,7 @@ def main(): (IncomingEventsVerifications(), "Starting validation tests for capturing incoming events")] print_notice("\nStarting to run the validation script for the {} scenario".format(STREAM_SCENARIO)) time.sleep(1) - print_notice("Please validate you are sending CEF messages to the agent machine") + print_notice("Please validate you are sending messages to the agent machine") for class_test in class_tests_array: print_notice("\n----- {} {}".format(class_test[1], '-' * (60 - len(class_test[1])))) verification_object = class_test[0] @@ -886,9 +886,9 @@ def main(): print_error("\nTotal amount of failed tests is: " + str(FAILED_TESTS_COUNT)) else: print_ok("All tests passed successfully") - print_notice("This script generated an output file located here - {}" - "\nPlease review it if you would like to get more information on failed tests.".format( - LOG_OUTPUT_FILE)) + print_notice("This script generated an output file located here - {}" + "\nPlease review it if you would like to get more information on failed tests.".format( + LOG_OUTPUT_FILE)) if not args.collect: print_notice( "\nIf you would like to open a support case please run this script with the \'collect\' feature flag in order to collect additional system data for troubleshooting." diff --git a/Hunting Queries/AuditLogs/RareAuditActivityByApp.yaml b/Hunting Queries/AuditLogs/RareAuditActivityByApp.yaml index 1b11320a007..27705e5842f 100644 --- a/Hunting Queries/AuditLogs/RareAuditActivityByApp.yaml +++ b/Hunting Queries/AuditLogs/RareAuditActivityByApp.yaml 
@@ -1,6 +1,8 @@ id: 5c799718-b361-4a91-9cb2-0c291e602707 name: Rare Audit activity initiated by App description: | + 'Compares the current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by Azure Apps and automated approvals.' +description_detailed: | 'Compares the current day to the last 14 days of audits to identify new audit activities by OperationName, InitiatedByApp, UserPrincipalName, PropertyName, newValue This can be useful when attempting to track down malicious activity related to additions of new users, @@ -67,7 +69,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/AuditLogs/RareAuditActivityByUser.yaml b/Hunting Queries/AuditLogs/RareAuditActivityByUser.yaml index abef849c47c..7d1e0cae62b 100644 --- a/Hunting Queries/AuditLogs/RareAuditActivityByUser.yaml +++ b/Hunting Queries/AuditLogs/RareAuditActivityByUser.yaml @@ -1,6 +1,8 @@ id: ea107ccc-2b80-410e-96e1-be6607ce293b name: Rare Audit activity initiated by User description: | + 'Compares current day to last 14 days of audits to identify new audit activities. Useful for tracking malicious activity related to user/group additions/removals by specific users.' +description_detailed: | 'Compares the current day to the last 14 days of audits to identify new audit activities by OperationName, InitiatedByUser, UserPrincipalName, PropertyName, newValue This can be useful when attempting to track down malicious activity related to additions of @@ -62,7 +64,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/GitHub/Unusual Number of Repository Clones.yaml b/Hunting Queries/GitHub/Unusual Number of Repository Clones.yaml index 3ad47e2a6e0..2b10a901abb 100644 
--- a/Hunting Queries/GitHub/Unusual Number of Repository Clones.yaml +++ b/Hunting Queries/GitHub/Unusual Number of Repository Clones.yaml @@ -1,6 +1,8 @@ id: ccef3c74-4b4f-445b-8109-06d38687e4a4 name: GitHub Repo Clone - Time Series Anomly description: | + 'Attacker can exfiltrate data from your GitHub repository by cloning it. This hunting query tracks clone activities for each repository, allowing quick identification of anomalies/excessive clones to investigate repo access & permissions.' +description_detailed: | 'Attacker can exfiltrate data from you GitHub repository after gaining access to it by performing clone action. This hunting queries allows you to track the clones activities for each of your repositories. The visualization allow you to quickly identify anomalies/excessive clone, to further investigate repo access & permissions' requiredDataConnectors: [] tactics: @@ -19,7 +21,7 @@ query: | | make-series num=sum(tolong(Count)) default=0 on TimeGenerated in range(min_t, max_t, 1h) by Repository | extend (anomalies, score, baseline) = series_decompose_anomalies(num, 1.5, -1, 'linefit') | render timechart -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Cloud Apps/file-download-events.yaml b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/file-download-events.yaml new file mode 100644 index 00000000000..ce72be9515e --- /dev/null +++ b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/file-download-events.yaml 
@@ -0,0 +1,28 @@ +id: f8f8d4a5-7d7d-4c5d-9b5c-9c5d7d8f8f8f +name: File download events in the last 7 days +description: | + This query looks for file download events identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps. + Reference - https://learn.microsoft.com/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps +requiredDataConnectors: +- connectorId: MicrosoftThreatProtection + dataTypes: + - CloudAppEvents +tactics: +- Exfiltration +query: > + let LookBack = 7d; + CloudAppEvents + | where ActionType == "FileDownloaded" and Timestamp > ago(LookBack) + | extend FileName = RawEventData.SourceFileName + | extend Site = RawEventData.SiteUrl + | extend FileLabel = RawEventData.SensitivityLabelId + | extend SiteLabel = RawEventData.SiteSensitivityLabelId + | project Timestamp,AccountObjectId,AccountDisplayName,ActionType,Application,FileName,Site,FileLabel,SiteLabel +entityMappings: + - entityType: Account + fieldMappings: + - identifier: ObjectGuid + columnName: AccountObjectId + - identifier: DisplayName + columnName: AccountDisplayName +version: 1.0.0 diff --git a/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml b/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml index cc24df2f5ff..4040ccb9f72 100644 --- a/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml +++ b/Hunting Queries/MultipleDataSources/AzureResourceCreationWithNetworkActivity.yaml 
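Review bot: The description reads `It will require an corresponding app connector`; change it to `a corresponding app connector`. The `id` value `f8f8d4a5-7d7d-4c5d-9b5c-9c5d7d8f8f8f` looks hand-composed rather than generated, so it is worth confirming it does not collide with another query id in the repository before merge. The KQL is written with `query: >` while every other query on this page uses `query: |`; the folded form only works here because each pipe stage is a self-contained line, so `query: |` keeps the file consistent with its siblings and avoids surprises if a multi-line `let` is added later.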
@@ -1,6 +1,8 @@ id: ac25d05d-362d-4a8d-b4e7-58c0edd2379c name: Anomalous Resource Creation and related Network Activity description: | + 'Indicates when an anomalous number of resources are created in Azure via AzureActivity log. Resource creation could indicate malicious or spurious use of your Azure Resource allocation.' +description_detailed: | 'Indicates when an anomalous number of resources are created successfully in Azure via the AzureActivity log. This is then joined with the AzureNetworkAnalytics_CL data to identify any network related activity for the created resource. The anomaly detection identifies activities that have occured both since the start of the day 1 day ago and the start of the day 7 days ago. @@ -102,7 +104,7 @@ query: | activity | join kind= leftouter (NetworkAnalytics ) on $left.Resource == $right.NSG_Name | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml b/Hunting Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml index 82e9c47ff3d..0d7b75e38fa 100644 --- a/Hunting Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml +++ b/Hunting Queries/MultipleDataSources/FailedSigninsWithAuditDetails.yaml 
@@ -1,6 +1,8 @@ id: 22f33a4c-e60f-4817-bbfe-9e2ed33cb596 name: Failed service logon attempt by user account with available AuditData description: | + 'User account failed to logon in current period. Excludes Windows Sign in attempts and limits to only more than 10 failed logons or 3 different IPs used. Results may indicate a potential malicious use of an account that is rarely used.' +description_detailed: | 'User account failed to logon in current period (default last 1 day). Excludes Windows Sign in attempts due to noise and limits to only more than 10 failed logons or 3 different IPs used. Additionally, Azure Audit Log data from the last several days(default 7 days) related to the given UserPrincipalName will be joined if available. This can help to understand any events for this same user related to User or Group Management. @@ -70,7 +72,7 @@ query: | | project StartTimeUtc, EndTimeUtc, DataType = Type, Category, OperationName, UserPrincipalName, InitiatedBy, Activity, FailedLogonCount, DistinctIPAddressCount, DistinctResultCount, CorrelationId, Id | order by UserPrincipalName, StartTimeUtc | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/MultipleDataSources/PermutationsOnLogonNames.yaml b/Hunting Queries/MultipleDataSources/PermutationsOnLogonNames.yaml index 344af1ed739..615bc2f99ea 100644 --- a/Hunting Queries/MultipleDataSources/PermutationsOnLogonNames.yaml +++ b/Hunting Queries/MultipleDataSources/PermutationsOnLogonNames.yaml 
@@ -1,6 +1,8 @@ id: 472e83d6-ccec-47b8-b1cd-75500f936981 name: Permutations on logon attempts by UserPrincipalNames indicating potential brute force description: | + 'This identifies failed logon attempts using permutations based on known first and last names within 10m time windows. Iteration through separators or order changes in the logon name may indicate potential Brute Force logon attempts.' +description_detailed: | 'Attackers sometimes try variations on account logon names, this will identify failed attempts on logging in using permutations based on known first and last name within 10m time windows, for UserPrincipalNames that separated by hyphen(-), underscore(_) and dot(.). If there is iteration through these separators or order changes in the logon name it may indicate potential Brute Force logon attempts. @@ -111,7 +113,7 @@ query: | FailedLogonCountForLast = fl_CountForLast | sort by UserNameMatchOnFirstCount desc, UserNameMatchOnLastCount desc | extend timestamp = TimeGenerated -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml b/Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml index dec4008666b..0eda8e389be 100644 --- a/Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml +++ b/Hunting Queries/MultipleDataSources/RareDNSLookupWithDataTransfer.yaml 
@@ -1,6 +1,8 @@ id: 06c52a66-fffe-4d3b-a05a-646ff65b7ec2 name: RareDNSLookupWithDataTransfer description: | + 'This query helps identify rare DNS connections and resulting data transfer to/from the associated domain. It can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download.' +description_detailed: | 'This query is designed to help identify rare DNS connections and resulting data transfer to/from the associated domain. This can help identify unexpected large data transfers to or from internal systems which may indicate data exfil or malicious tool download. Feel free to add additional data sources to connect DNS results too various network data that has byte transfer information included.' @@ -100,7 +102,7 @@ query: | // This is used here as the goal of the query is to connect rare DNS lookups to a data type that can show byte transfers to that given DestinationIP | where isnotempty(DataType) | extend timestamp = LookupStartTime, IPCustomEntity = DestinationIP -version: 1.0.1 +version: 1.0.2 metadata: source: kind: Community diff --git a/Hunting Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml b/Hunting Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml index 8de7f5aaffe..f4402a438d7 100644 --- a/Hunting Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml +++ b/Hunting Queries/MultipleDataSources/RareDomainsInCloudLogs.yaml 
@@ -1,6 +1,8 @@ id: 66fb97d1-55c3-4268-ac22-b9742d0fdccc name: Rare domains seen in Cloud Logs description: | + 'This script identifies rare domain accounts accessing cloud resources by examining logs. You can lower the domainLimit value to see domains with fewer access attempts. For example, set domainLimit = 2 to see domains with 2 or fewer access attempts.' +description_detailed: | 'This will identify rare domain accounts accessing or attempting to access cloud resources by examining the AuditLogs, OfficeActivity and SigninLogs Rare does not mean malicious, but it may be something you would be interested in investigating further Additionally, it is possible that there may be many domains if you have allowed access by 3rd party domain accounts. @@ -94,7 +96,7 @@ query: | Results | project TimeGenerated, Type, RareDomain, UserPrincipalName, OperationName, Category, Result, UPNRefCount | order by TimeGenerated asc | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName -version: 1.0.1 +version: 1.0.2 metadata: source: kind: Community diff --git a/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml b/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml index b1a2bac20d7..cb19e18b4a2 100644 --- a/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml +++ b/Hunting Queries/MultipleDataSources/TrackingPasswordChanges.yaml 
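Review bot: The new short description opens with `'This script identifies rare domain accounts ...'`, but the file is a hunting query, not a script, and the same wording is used in the TrackingPasswordChanges.yaml description in the next hunk. Use `'This query identifies ...'` in both so the summary matches the `description_detailed` text and the other queries on this page.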
@@ -1,6 +1,8 @@ id: bac44fe4-c0bc-4e90-aa48-2e346fda803f name: Tracking Password Changes description: | + 'This script identifies password changes or resets across multiple host and cloud sources. Account manipulation, including password changes and resets, may help adversaries maintain access to credentials and permission levels.' +description_detailed: | 'Identifies when a password change or reset occurs across multiple host and cloud based sources. Account manipulation including password changes and resets may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' @@ -74,7 +76,7 @@ query: | ) ) | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = IPAddress -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/MultipleDataSources/TrackingPrivAccounts.yaml b/Hunting Queries/MultipleDataSources/TrackingPrivAccounts.yaml index 5015834fbb1..5c40b3fc8fb 100644 --- a/Hunting Queries/MultipleDataSources/TrackingPrivAccounts.yaml +++ b/Hunting Queries/MultipleDataSources/TrackingPrivAccounts.yaml @@ -1,6 +1,8 @@ id: 431cccd3-2dff-46ee-b34b-61933e45f556 name: Tracking Privileged Account Rare Activity description: | + 'This query determines rare activity by a high-value account on a system or service. If any account with rare activity is found, the query retrieves related activity from that account on the same day and summarizes the information.' +description_detailed: | 'This query will determine rare activity by a high-value account carried out on a system or service. High Value accounts are determined by Group Membership to High Value groups via events listed below. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. 
@@ -173,7 +175,7 @@ query: | RelatedActivityEndTimeUtc = rel_EndTime, RelatedActivityEventType = rel_EventType, RelatedActivityClientIPSet = rel_ClientIPSet, RelatedActivityServiceOrSystemCount = rel_ServiceOrSystemCount, RelatedActivityServiceOrSystemSet = rel_ServiceOrSystemSet, RelatedActivityCount = rel_Count | extend timestamp = RareActivtyStartTimeUtc, AccountCustomEntity = AccountName -version: 1.0.1 +version: 1.0.2 metadata: source: kind: Community diff --git a/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml b/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml index 7483c2a42a4..74700fc2ecc 100644 --- a/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml +++ b/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml @@ -1,6 +1,8 @@ id: 8159c663-6724-41b8-9ae8-b328aa8d0c4c name: Anomalous sign-in location by user account and authenticating application description: | + 'This query examines Azure Active Directory sign-ins for each application and identifies the most anomalous change in a user's location profile. The goal is to detect user account compromise, possibly via a specific application vector.' +description_detailed: | 'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application @@ -36,7 +38,7 @@ entityMappings: fieldMappings: - identifier: FullName columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml b/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml index 16c12d97f58..041f0029b04 100644 --- a/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml 
+++ b/Hunting Queries/SigninLogs/AnomalousUserAppSigninLocationIncreaseDetail.yaml @@ -1,6 +1,8 @@ id: 7f6e8f14-62fa-4ce6-a490-c07f1d9888ba name: Anomalous sign-in location by user account and authenticating application - with sign-in details description: | + 'This query examines Azure Active Directory sign-ins and identifies anomalous changes in a user's location profile. A variation joins results back onto the original sign-in data to review the location set with each identified user in tabular form.' +description_detailed: | 'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application @@ -46,7 +48,7 @@ entityMappings: fieldMappings: - identifier: FullName columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/SigninLogs/InactiveAccounts.yaml b/Hunting Queries/SigninLogs/InactiveAccounts.yaml index 7265ffc548c..69ab15ce984 100644 --- a/Hunting Queries/SigninLogs/InactiveAccounts.yaml +++ b/Hunting Queries/SigninLogs/InactiveAccounts.yaml @@ -1,6 +1,8 @@ id: 847c2652-547d-4d5f-9b71-d2f8d81eac62 name: Inactive or new account signins description: | + 'Query for new sign-ins from stale/inactive accounts. UEBA filters based on ActivityInsights. Results for accounts created in the last 7 days are filtered out.' +description_detailed: | 'Query for accounts seen signing in for the first time. These could be associated with stale/inactive accounts that ought to have been deleted but were not and may have been subsequently compromised. UEBA is used to filter out based on ActivityInsights where we see certain First Time User events identified as true. 
@@ -81,7 +83,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml b/Hunting Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml index 8e89d3553b1..355159bb4de 100644 --- a/Hunting Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml +++ b/Hunting Queries/SigninLogs/LoginSpikeWithIncreaseFailureRate.yaml @@ -1,6 +1,8 @@ id: 528c1708-a67e-4e2f-b76d-d5e5e88a22aa name: Login spike with increase failure rate description: | + 'Query over SigninLogs summarizes login attempts per hour on weekdays. Kusto anomaly detection finds login spikes. Calculates percentage change between anomalous period and average logins. Determines success and failure rate for logins for 1 hour period.' +description_detailed: | 'This query over SiginLogs will summarise the total number of login attempts for each hour of the day on week days, this can be edited. The query then uses Kusto anomaly detection to find login spikes for each hour across all days. The query will then calculate the percentage change between the anomalous period and the average logins for that period. Finally the query will determine the success @@ -62,7 +64,7 @@ query: | //Comment out line below to see all anomalous results | where FailureRate >= failureThreshold and PercentageChange >= percentageChangeThreshold | extend timestamp = TimeGenerated -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Syslog/disabled_account_squid_usage.yaml b/Hunting Queries/Syslog/disabled_account_squid_usage.yaml index 668237d7997..d0863064d37 100644 --- a/Hunting Queries/Syslog/disabled_account_squid_usage.yaml +++ b/Hunting Queries/Syslog/disabled_account_squid_usage.yaml 
@@ -1,6 +1,8 @@ id: 959fe0f0-7ac0-467c-944f-5b8c6fdc9e72 name: Disabled accounts using Squid proxy description: | + 'Query finds accounts recorded as disabled by AD in previous time period but still using proxy in current time period. Presumes default squid log format is used. http://www.squid-cache.org/Doc/config/access_log/' +description_detailed: | 'Look for accounts that have a been recorded as disabled by AD in the previous time period but are still using the proxy during the current time period. This query presumes the default squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/' requiredDataConnectors: @@ -41,7 +43,7 @@ query: | | where Status !contains 'DENIED' | join kind=inner disabledAccounts on $left.User == $right.UserPrincipalName | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, URLCustomEntity = URL -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml b/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml index f14faa58921..d5c3ab71aae 100644 --- a/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml +++ b/Hunting Queries/W3CIISLog/ClientIPwithManyUserAgents.yaml @@ -1,6 +1,8 @@ id: 4edbb420-2df7-4089-9906-c335f065803e name: Same IP address with multiple csUserAgent description: | + 'This alerts when a client IP connects with 1-15 different useragents in less than 1 hour. Limited to 50 or less connections to avoid high traffic. May indicate malicious activity as a probing method.' +description_detailed: | 'This alerts when the same client IP (cIP) is connecting with more than 1 but less than 15 different useragent string (csUserAgent) in less than 1 hour. We limit to 50 or less connections to avoid high traffic sites. This may indicate malicious activity as this is a method of probing an environment References: Status code mappings for your convenience 
@@ -25,7 +27,7 @@ query: | | extend csUserAgentPerIPCount = arraylength(set_csUserAgent) | where csUserAgentPerIPCount between ( 2 .. 15 ) and ConnectionCount <=50 | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/W3CIISLog/Potential_IIS_BF.yaml b/Hunting Queries/W3CIISLog/Potential_IIS_BF.yaml index 359a7e7cee4..55bbdf53f4d 100644 --- a/Hunting Queries/W3CIISLog/Potential_IIS_BF.yaml +++ b/Hunting Queries/W3CIISLog/Potential_IIS_BF.yaml @@ -1,6 +1,8 @@ id: 934011da-1fe6-4507-aadb-d3914c877bcd name: Potential IIS brute force description: | + 'Query shows 1200+ failed attempts by cIP per hour on server, then successful logon. Only includes > 1 user agent string or port. Could indicate successful probing and brute force success on IIS servers.' +description_detailed: | 'This query shows when 1200 (20 per minute) or more failed attempts by cIP per hour occur on a given server and then a successful logon by cIP. This only includes when more than 1 user agent strings is used or more than 1 port is used. This could be indicative of successful probing and password brute force success on your IIS servers. 
@@ -70,7 +72,7 @@ query: | | summarize makeset(LogonSuccessTime) by FailStartTime, FailEndTime, Computer, sSiteName, sIP, cIP, tostring(set_csUserName), csUserNameCount, csUriQuery, csMethod, scStatus, scSubStatus, scWin32Status, tostring(set_sPort), tostring(set_csUserAgent), ConnectionCount, csUserAgentPerIPCount, sPortCount, scStatusFull, scStatusFull_Friendly, scWin32Status_Hex, scWin32Status_Friendly | project FailStartTime, FailEndTime, set_LogonSuccessTime, Computer, sSiteName, sIP, cIP, set_csUserName, csUserNameCount, csUriQuery, csMethod, scStatus, scSubStatus, scWin32Status, set_sPort, set_csUserAgent, ConnectionCount, csUserAgentPerIPCount, sPortCount, scStatusFull, scStatusFull_Friendly, scWin32Status_Hex, scWin32Status_Friendly | extend timestamp = FailStartTime, IPCustomEntity = cIP, HostCustomEntity = Computer -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/W3CIISLog/Potential_IIS_CodeInject.yaml b/Hunting Queries/W3CIISLog/Potential_IIS_CodeInject.yaml index a41c00ba6fd..eec446b7f01 100644 --- a/Hunting Queries/W3CIISLog/Potential_IIS_CodeInject.yaml +++ b/Hunting Queries/W3CIISLog/Potential_IIS_CodeInject.yaml @@ -1,6 +1,8 @@ id: 96977c95-74b4-4cc2-b1a7-6a3ab17bd3f9 name: Potential IIS code injection attempt description: | + 'Potential code injection into web server roles via IIS logs scan. Represents attempt to gain initial access using drive-by compromise technique. Detection flags events for review and filtering of authorized activity.' +description_detailed: | 'Potential code injection into web server roles via scan of IIS logs. This represents an attempt to gain initial access to a system using a drive-by compromise technique. This sort of attack happens routinely as part of security scans, of both authorized and malicious types. The initial goal of this detection is to flag these events when they occur and give an opportunity to review the data and filter out authorized activity.' 
@@ -81,7 +83,7 @@ entityMappings: fieldMappings: - identifier: FullName columnName: HostCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/W3CIISLog/RareClientFileAccess.yaml b/Hunting Queries/W3CIISLog/RareClientFileAccess.yaml index 3c16b79ad6d..e69a6bca905 100644 --- a/Hunting Queries/W3CIISLog/RareClientFileAccess.yaml +++ b/Hunting Queries/W3CIISLog/RareClientFileAccess.yaml @@ -1,6 +1,8 @@ id: a787a819-40df-4c9f-a5ae-850d5a2a0cf6 name: URI requests from single client description: | + 'This finds connections to server files requested by only one client. Effective when actor uses static operational IP addresses. Threshold can be modified. Larger execution window increases reliability of results.' +description_detailed: | 'This will look for connections to files on the server that are requested by only a single client. This analytic will be effective where an actor is utilising relatively static operational IP addresses. The threshold can be modified. The larger the execution window for this query the more reliable the results returned.' @@ -40,7 +42,7 @@ entityMappings: fieldMappings: - identifier: UserAgent columnName: csUserAgent -version: 1.0.1 +version: 1.0.2 metadata: source: kind: Community diff --git a/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml b/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml index 5f19bdaa99e..e2f6fef86af 100644 --- a/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml +++ b/Hunting Queries/W3CIISLog/SuspectedMailBoxExportHostonOWA.yaml 
@@ -1,6 +1,8 @@ id: a523786c-8382-4029-80e9-f1a7ecd067c1 name: Suspect Mailbox Export on IIS/OWA description: | + 'The hunting query looks for suspicious files accessed on a IIS server that might indicate exfiltration hosting. This technique has been observed when exporting mailbox files from OWA servers.' +description_detailed: | 'The hunting query looks for suspicious files accessed on a IIS server that might indicate exfiltration hosting. This technique has been observed when exporting mailbox files from OWA servers. Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/' @@ -46,7 +48,7 @@ entityMappings: fieldMappings: - identifier: FullName columnName: Computer -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/WireData/WireDataBeacon.yaml b/Hunting Queries/WireData/WireDataBeacon.yaml index 29471aaa692..da030045ff5 100644 --- a/Hunting Queries/WireData/WireDataBeacon.yaml +++ b/Hunting Queries/WireData/WireDataBeacon.yaml @@ -1,6 +1,8 @@ id: 33aa0e01-87e2-43ea-87f9-2f7e3ff1d532 name: Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic description: | + 'Query identifies beaconing patterns from Wire Data logs. Uses KQL functions to calculate time delta and find beaconing percentage. Results of beaconing to untrusted public networks can be investigated.' +description_detailed: | 'This query will identify beaconing patterns from Wire Data logs based on timedelta patterns. The query leverages various KQL functions to calculate time delta and then compare it with total events observed in a day to find percentage of beaconing. Results of such beaconing patterns to untrusted public networks can be a good starting point for investigation. 
@@ -41,7 +43,7 @@ query: | | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP -version: 1.0.1 +version: 1.0.2 metadata: source: kind: Community diff --git a/Hunting Queries/ZoomLogs/MultipleRegistrationDenies.yaml b/Hunting Queries/ZoomLogs/MultipleRegistrationDenies.yaml index 942e60d5ede..40802ddd2a8 100644 --- a/Hunting Queries/ZoomLogs/MultipleRegistrationDenies.yaml +++ b/Hunting Queries/ZoomLogs/MultipleRegistrationDenies.yaml @@ -1,6 +1,8 @@ id: e119c365-9213-45a1-bbd7-8faf6d103d30 name: User denied multiple registration events successfully registering description: | + 'Query identifies users denied registration for multiple webinars or recordings but successfully registered for at least one event. Threshold variable adjusts number of events user needs to be rejected from.' +description_detailed: | 'This hunting query identifies users that have attempted to register for multiple webinars or recordings and has been denied by the organizer but have also successfully register for at least one event. The number of events a user needs to be rejected from to be included in this query is adjusted with the threshold variable.' requiredDataConnectors: [] tactics: @@ -33,7 +35,7 @@ entityMappings: fieldMappings: - identifier: FullName columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Logos/Egress-logo.svg b/Logos/Egress-logo.svg new file mode 100644 index 00000000000..a4c8bbe46d6 --- /dev/null +++ b/Logos/Egress-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/Playbooks/2S-Sentinel2MISP/MISP-Forwarder/azuredeploy.json b/Playbooks/2S-Sentinel2MISP/MISP-Forwarder/azuredeploy.json new file mode 100644 index 00000000000..b5b58ab52b4 --- /dev/null +++ b/Playbooks/2S-Sentinel2MISP/MISP-Forwarder/azuredeploy.json 
@@ -0,0 +1,222 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "2S-MISP-Forwarder", + "description": "This Playbook will forward selected Threat Intelligence from your Sentinel Workspace to an orchestrator playbook. By default it supports sending filehashes and filenames from Defender 365 'Malware was prevented' alerts.", + "prerequisites": "1. The webhook URI from the MISP-Orchestrator playbook. 2. Microsoft 365 Defender connector configured.", + "lastUpdateTime": "2023-08-09T09:51:37Z", + "tags": ["Microsoft Sentinel", "ThreatIntelligenceIndicator", "MISP"], + "support": { + "tier": "Community" + }, + "author": { + "name": "Sopra Steria" + } + }, +"parameters": { +"PlaybookName": { +"defaultValue": "MISP-Forwarder", +"type": "string" +}, +"OrchestratorURI": { +"type": "string", +"metadata": { + "description": "Enter value for OrchestratorURI" +} +} +}, +"variables": { +"azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" +}, +"resources": [ +{ +"properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "OrchestratorURI": { + "defaultValue": "[parameters('OrchestratorURI')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "For_each": { + "foreach": "@variables('EntitiesArray')", + "actions": { + "Condition": { + "actions": { + "HTTP": { + 
"runAfter": {}, + "type": "Http", + "inputs": { + "body": "@body('Parse_JSON_2')", + "headers": { + "IncidentId": "@triggerBody()?['object']?['id']", + "IncidentTitle": "@triggerBody()?['object']?['properties']?['title']" + }, + "method": "POST", + "uri": "@parameters('OrchestratorURI')" + } + } + }, + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "expression": { + "or": [ + { + "equals": [ + "@body('Parse_JSON_2')?['kind']", + "FileHash" + ] + }, + { + "equals": [ + "@body('Parse_Json_2')['kind']", + "File" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_2": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": {} + } + } +}, +"runAfter": { + "Initialize_variable_CurrentEntity": [ + "Succeeded" + ] +}, +"type": "Foreach", +"runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } +} +}, +"Initialize_variable_CurrentEntity": { +"runAfter": { + "Initialize_variable_EntitiesArray": [ + "Succeeded" + ] +}, +"type": "InitializeVariable", +"inputs": { + "variables": [ + { + "name": "CurrentEntity", + "type": "string" + } + ] +} +}, +"Initialize_variable_EntitiesArray": { +"runAfter": { + "Parse_JSON": [ + "Succeeded" + ] +}, +"type": "InitializeVariable", +"inputs": { + "variables": [ + { + "name": "EntitiesArray", + "type": "array", + "value": "@body('Parse_JSON')" + } + ] +} +}, +"Parse_JSON": { +"runAfter": {}, +"type": "ParseJson", +"inputs": { +"content": "@triggerBody()?['object']?['properties']?['relatedEntities']", +"schema": {} +} +} +}, +"outputs": {} +}, +"parameters": { +"$connections": { +"value": { +"azuresentinel": { +"connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", +"connectionName": "[variables('azuresentinelConnectionName')]", +"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", +"connectionProperties": { 
+"authentication": { +"type": "ManagedServiceIdentity" +} +} +} +} +} +} +}, +"name": "[parameters('PlaybookName')]", +"type": "Microsoft.Logic/workflows", +"location": "[resourceGroup().location]", +"identity": { +"type": "SystemAssigned" +}, +"tags": { +"hidden-SentinelTemplateName": "MISP-Forwarder", +"hidden-SentinelTemplateVersion": "1.0" +}, +"apiVersion": "2017-07-01", +"dependsOn": [ +"[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]" +] +}, +{ +"type": "Microsoft.Web/connections", +"apiVersion": "2016-06-01", +"name": "[variables('azuresentinelConnectionName')]", +"location": "[resourceGroup().location]", +"kind": "V1", +"properties": { +"displayName": "[variables('azuresentinelConnectionName')]", +"customParameterValues": {}, +"parameterValueType": "Alternative", +"api": { +"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" +} +} +} +] +} \ No newline at end of file diff --git a/Playbooks/2S-Sentinel2MISP/MISP-Orchestrator/azuredeploy.json b/Playbooks/2S-Sentinel2MISP/MISP-Orchestrator/azuredeploy.json new file mode 100644 index 00000000000..784277ae834 --- /dev/null +++ b/Playbooks/2S-Sentinel2MISP/MISP-Orchestrator/azuredeploy.json 
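Review bot: `OrchestratorURI` is declared as a plain `string` both in the ARM `parameters` block and in the workflow `parameters` it is copied into as a `defaultValue`, yet the value the README has you paste there is the Orchestrator's Request-trigger callback URL, whose SAS signature is, as far as the Orchestrator template shows, the only thing authenticating callers; as a `string` it is stored in clear in deployment history and shown in the `HTTP` action's inputs of every run. Declare it as `"type": "securestring"` in both places and add `"runtimeConfiguration": { "secureData": { "properties": ["inputs"] } }` to the `HTTP` action so the target URL is redacted from run history. Separately, the second branch of the `Condition` expression references `body('Parse_Json_2')['kind']` while the action is named `Parse_JSON_2` and the first branch uses the null-safe form; align it to `@body('Parse_JSON_2')?['kind']` so an entity without `kind` does not fail the whole `For_each` iteration.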
@@ -0,0 +1,1038 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "2S-MISP-Orchestrator", + "description": "This Playbook is designed to ingest Threat Intelligence Indicators of Compromise (IOCs) from the MISP-Forwarder Playbooks and send it in the correct form to your MISP-server. It will create a new MISP event for each incident in Defender, and add information to that event.", + "prerequisites": "1. MISP server URI. 2. MISP server key. ", + "lastUpdateTime": "2023-08-09T09:51:37Z", + "tags": ["Microsoft Sentinel", "ThreatIntelligenceIndicator", "MISP"], + "support": { + "tier": "Community" + }, + "author": { + "name": "Sopra Steria" + } + }, +"parameters": { +"PlaybookName": { +"defaultValue": "MISP-Orchestrator", +"type": "string" +}, +"MISP-Key": { +"type": "string", +"metadata": { + "description": "Enter value for MISP-Key" +} +}, +"MISP-Org": { +"type": "string", +"metadata": { + "description": "Enter value for MISP-Org" +} +}, +"MISP-URI": { +"type": "string", +"metadata": { + "description": "Enter value for MISP-URI" +} +} +}, +"variables": {}, +"resources": [ +{ +"properties": { +"provisioningState": "Succeeded", +"state": "Disabled", +"definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "MISP-Key": { + "defaultValue": "[parameters('MISP-Key')]", + "type": "string" + }, + "MISP-Org": { + "defaultValue": "[parameters('MISP-Org')]", + "type": "string" + }, + "MISP-URI": { + "defaultValue": "[parameters('MISP-URI')]", + "type": "string" + } + }, + "triggers": { + "TriggerOnHTTPEntities": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": {} + } + } +}, +"actions": { + "Condition_-_Check_SetEventIdFailed": { + "actions": { + "Condition_-_Check_IoC_kind": { + "actions": { + 
"Add_IoC_to_existing_event_MISP_-_FileHash": { + "runAfter": {}, + "type": "Http", + "inputs": { + "body": { + "comment": "Filehash from DFE malware alert", + "event_id": "@variables('EventId')", + "type": "@toLower(string(body('Parse_Body_to_Json')['properties']['algorithm']))", + "value": "@body('Parse_Body_to_Json')?['properties']?['hashValue']" + }, + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/attributes/add/@{variables('EventId')}" + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Add_IoC_to_existing_event_MISP_-_FileName": { + "runAfter": {}, + "type": "Http", + "inputs": { + "body": { + "comment": "Filename from DFE malware alert", + "event_id": "@variables('EventId')", + "type": "filename", + "value": "@body('Parse_Body_to_Json')['properties']['fileName']" + }, + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/attributes/add/@{variables('EventId')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_Body_to_Json')?['kind']", + "FileHash" + ] + } + ] + }, + "type": "If" +} +}, +"runAfter": { +"Set_variable_SetEventIdFailed_False": [ + "Succeeded", + "Skipped" +], +"Set_variable_SetEventIdFailed_True": [ + "Succeeded", + "Skipped" +] +}, +"else": { +"actions": { + "Add_attribute_-_IncidentID_internal_only": { + "runAfter": { + "Add_event_tag_MISP_-_tlp_green": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "category": "Internal reference", + "comment": "IncidentId from Defender for Endpoint malware alert", + "distribution": "0", + "event_id": "@{variables('EventId')}", + "type": "text", + "value": "@variables('IncidentId')" + }, + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + 
"Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/attributes/add/@{variables('EventId')}" + } + }, + "Add_attribute_-_IncidentUri_link_internal_only": { + "runAfter": { + "Add_attribute_-_IncidentID_internal_only": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "category": "Internal reference", + "comment": "Incident link Sentinel", + "distribution": "0", + "event_id": "@{variables('EventId')}", + "type": "other", + "value": "@variables('IncidentIdUri')" + }, + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/attributes/add/@{variables('EventId')}" + } + }, + "Add_event_tag_MISP_-_tlp_green": { + "runAfter": { + "Set_variable_EventId_for_new_events": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/events/addTag/@{variables('EventId')}/10789" + } + }, + "Condition_-_Check_IoC_kind_fresh_incidents": { + "actions": { + "Add_IoC_to_new_event_MISP_-_FileHash": { + "runAfter": {}, + "type": "Http", + "inputs": { + "body": { + "comment": "Filehash from DFE malware alert", + "event_id": "@{variables('EventId')}", + "type": "@toLower(string(body('Parse_Body_to_Json')['properties']['algorithm']))", + "value": "@body('Parse_Body_to_Json')?['properties']?['hashValue']" + }, + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/attributes/add/@{variables('EventId')}" + } + } + }, + "runAfter": { + "Add_attribute_-_IncidentUri_link_internal_only": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_IoC_to_new_event_MISP_-_FileName": { + "runAfter": 
{}, + "type": "Http", + "inputs": { + "body": { + "comment": "Filename from DFE malware alert", + "event_id": "@variables('EventId')", + "type": "filename", + "value": "@body('Parse_Body_to_Json')['properties']['fileName']" + }, + "headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{variables('MISPURI')}/attributes/add/@{variables('EventId')}" + } + } + } +}, +"expression": { + "and": [ + { + "equals": [ + "@body('Parse_Body_to_Json')?['kind']", + "FileHash" + ] + } + ] +}, +"type": "If" +}, +"Create_new_event_MISP": { +"runAfter": {}, +"type": "Http", +"inputs": { +"body": { + "Tag": { + "id": "@variables('EventId')", + "name": "tlp:green" + }, + "event_creator_email": "admin@admin.com", + "info": "@{variables('IncidentTitle')} ", + "org_id": "2", + "published": false +}, +"headers": { + "Accept": "application/json", + "Authorization": "@variables('MISPKey')", + "Content-Type": "application/json" +}, +"method": "POST", +"uri": "@{variables('MISPURI')}/events/add/" +} +}, +"Parse_new_event_to_Json": { +"runAfter": { +"Create_new_event_MISP": [ + "Succeeded" +] +}, +"type": "ParseJson", +"inputs": { +"content": "@body('Create_new_event_MISP')", +"schema": { + "properties": { + "Event": { + "properties": { + "Attribute": { + "type": "array" + }, + "CryptographicKey": { + "type": "array" + }, + "EventReport": { + "type": "array" + }, + "Galaxy": { + "type": "array" + }, + "Object": { + "type": "array" + }, + "Org": { + "properties": { + "id": { + "type": "string" + }, + "local": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + } + }, + "type": "object" + }, + "Orgc": { + "properties": { + "id": { + "type": "string" + }, + "local": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + } + }, + "type": "object" + }, + "RelatedEvent": { + "type": "array" + }, + 
"ShadowAttribute": { + "type": "array" + }, + "analysis": { + "type": "string" + }, + "attribute_count": { + "type": "string" + }, + "date": { + "type": "string" + }, + "disable_correlation": { + "type": "boolean" + }, + "distribution": { + "type": "string" + }, + "event_creator_email": { + "type": "string" + }, + "extends_uuid": { + "type": "string" + }, + "id": { + "type": "string" + }, + "info": { + "type": "string" + }, + "locked": { + "type": "boolean" + }, + "org_id": { + "type": "string" + }, + "orgc_id": { + "type": "string" + }, + "proposal_email_lock": { + "type": "boolean" + }, + "protected": {}, + "publish_timestamp": { + "type": "string" + }, + "published": { + "type": "boolean" + }, + "sharing_group_id": { + "type": "string" + }, + "threat_level_id": { + "type": "string" + }, + "timestamp": { + "type": "string" + }, + "uuid": { + "type": "string" + } + }, + "type": "object" + } +}, +"type": "object" +} +} +}, +"Set_variable_EventId_for_new_events": { +"runAfter": { +"Parse_new_event_to_Json": [ +"Succeeded" +] +}, +"type": "SetVariable", +"inputs": { +"name": "EventId", +"value": "@body('Parse_new_event_to_Json')?['Event']?['id']" +} +} +} +}, +"expression": { +"and": [ +{ +"equals": [ +"@variables('SetEventIdFailed')", +"@false" +] +} +] +}, +"type": "If" +}, +"Get_EventInfo_MISP": { +"runAfter": { +"Initialize_variable_TimeVariable": [ +"Succeeded" +] +}, +"type": "Http", +"inputs": { +"body": { +"attribute": "@variables('IncidentId')", +"eventinfo": "@{variables('IncidentTitle')}", +"org": "@{variables('MISPOrg')}" +}, +"headers": { +"Accept": "application/json", +"Authorization": "@variables('MISPKey')", +"Content-Type": "application/json" +}, +"method": "POST", +"uri": "@{variables('MISPURI')}/events/restSearch" +} +}, +"Initialize_variable_EventId": { +"runAfter": { +"Parse_EventInfo_to_Json": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "EventId", +"type": "string" +} +] +} +}, 
+"Initialize_variable_IncidentId": { +"runAfter": { +"Initialize_variable_IncidentIdUri": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "IncidentId", +"type": "string", +"value": "@{split(string(body('Parse_Headers_to_Json')['IncidentId']), '/')[12]}" +} +] +} +}, +"Initialize_variable_IncidentIdUri": { +"runAfter": { +"Parse_Headers_to_Json": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "IncidentIdUri", +"type": "string", +"value": "@{string(body('Parse_Headers_to_Json')['IncidentId'])}" +} +] +} +}, +"Initialize_variable_IncidentTitle": { +"runAfter": { +"Initialize_variable_SubscriptionId": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "IncidentTitle", +"type": "string", +"value": "@{string(body('Parse_Headers_to_Json')['IncidentTitle'])}" +} +] +} +}, +"Initialize_variable_MISP_Key": { +"runAfter": {}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "MISPKey", +"type": "string", +"value": "@parameters('MISP-Key')" +} +] +} +}, +"Initialize_variable_MISP_Org": { +"runAfter": { +"Initialize_variable_MISP_Key": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "MISPOrg", +"type": "string", +"value": "@parameters('MISP-Org')" +} +] +} +}, +"Initialize_variable_MISP_Uri": { +"runAfter": { +"Initialize_variable_MISP_Org": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "MISPURI", +"type": "string", +"value": "@parameters('MISP-URI')" +} +] +} +}, +"Initialize_variable_SetEventIdFailed": { +"runAfter": { +"Initialize_variable_EventId": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "SetEventIdFailed", +"type": "boolean" +} +] +} +}, +"Initialize_variable_SubscriptionId": { +"runAfter": { +"Initialize_variable_IncidentId": [ +"Succeeded" +] +}, +"type": 
"InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "SubscriptionId", +"type": "string", +"value": "@{split(string(body('Parse_Headers_to_Json')['IncidentId']), '/')[2]}" +} +] +} +}, +"Initialize_variable_TimeVariable": { +"runAfter": { +"Initialize_variable_IncidentTitle": [ +"Succeeded" +] +}, +"type": "InitializeVariable", +"inputs": { +"variables": [ +{ +"name": "TimeVariable", +"type": "string" +} +] +} +}, +"Parse_Body_to_Json": { +"runAfter": { +"Initialize_variable_MISP_Uri": [ +"Succeeded" +] +}, +"type": "ParseJson", +"inputs": { +"content": "@triggerBody()", +"schema": { +"properties": { +"id": { +"type": "string" +}, +"kind": { +"type": "string" +}, +"name": { +"type": "string" +}, +"properties": { +"properties": { +"algorithm": { +"type": "string" +}, +"friendlyName": { +"type": "string" +}, +"hashValue": { +"type": "string" +} +}, +"type": "object" +}, +"type": { +"type": "string" +} +}, +"type": "object" +} +} +}, +"Parse_EventInfo_to_Json": { +"runAfter": { +"Get_EventInfo_MISP": [ +"Succeeded" +] +}, +"type": "ParseJson", +"inputs": { +"content": "@body('Get_EventInfo_MISP')", +"schema": { +"properties": { +"response": { +"items": { +"properties": { +"Event": { + "properties": { + "Attribute": { + "type": "array" + }, + "CryptographicKey": { + "type": "array" + }, + "EventReport": { + "type": "array" + }, + "Galaxy": { + "type": "array" + }, + "Object": { + "type": "array" + }, + "Org": { + "properties": { + "id": { + "type": "string" + }, + "local": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + } + }, + "type": "object" + }, + "Orgc": { + "properties": { + "id": { + "type": "string" + }, + "local": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "uuid": { + "type": "string" + } + }, + "type": "object" + }, + "RelatedEvent": { + "type": "array" + }, + "ShadowAttribute": { + "type": "array" + }, + "Tag": { + "items": { + "properties": { + "colour": { + "type": "string" + 
}, + "exportable": { + "type": "boolean" + }, + "hide_tag": { + "type": "boolean" + }, + "id": { + "type": "string" + }, + "is_custom_galaxy": { + "type": "boolean" + }, + "is_galaxy": { + "type": "boolean" + }, + "local": { + "type": "integer" + }, + "local_only": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "numerical_value": {}, + "relationship_type": {}, + "user_id": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "colour", + "exportable", + "user_id", + "hide_tag", + "numerical_value", + "is_galaxy", + "is_custom_galaxy", + "local_only", + "local", + "relationship_type" + ], + "type": "object" + }, + "type": "array" +}, +"analysis": { + "type": "string" +}, +"attribute_count": { + "type": "string" +}, +"date": { + "type": "string" +}, +"disable_correlation": { + "type": "boolean" +}, +"distribution": { + "type": "string" +}, +"event_creator_email": { + "type": "string" +}, +"extends_uuid": { + "type": "string" +}, +"id": { + "type": "string" +}, +"info": { + "type": "string" +}, +"locked": { + "type": "boolean" +}, +"org_id": { + "type": "string" +}, +"orgc_id": { + "type": "string" +}, +"proposal_email_lock": { + "type": "boolean" +}, +"protected": {}, +"publish_timestamp": { +"type": "string" +}, +"published": { +"type": "boolean" +}, +"sharing_group_id": { +"type": "string" +}, +"threat_level_id": { +"type": "string" +}, +"timestamp": { +"type": "string" +}, +"uuid": { +"type": "string" +} +}, +"type": "object" +} +}, +"required": [ +"Event" +], +"type": "object" +}, +"type": "array" +} +}, +"type": "object" +} +} +}, +"Parse_Headers_to_Json": { +"runAfter": { +"Parse_Body_to_Json": [ +"Succeeded" +] +}, +"type": "ParseJson", +"inputs": { +"content": "@triggerOutputs()['headers']", +"schema": { +"properties": { +"Accept-Encoding": { +"type": "string" +}, +"Accept-Language": { +"type": "string" +}, +"Content-Length": { +"type": "string" +}, +"Content-Type": { +"type": "string" +}, +"Host": { +"type": "string" +}, 
+"IndicentId": { +"type": "string" +}, +"IndicentTitle": { +"type": "string" +}, +"User-Agent": { +"type": "string" +}, +"x-ms-action-tracking-id": { +"type": "string" +}, +"x-ms-activity-vector": { +"type": "string" +}, +"x-ms-client-request-id": { +"type": "string" +}, +"x-ms-client-tracking-id": { +"type": "string" +}, +"x-ms-correlation-id": { +"type": "string" +}, +"x-ms-execution-location": { +"type": "string" +}, +"x-ms-tracking-id": { +"type": "string" +}, +"x-ms-workflow-id": { +"type": "string" +}, +"x-ms-workflow-name": { +"type": "string" +}, +"x-ms-workflow-operation-name": { +"type": "string" +}, +"x-ms-workflow-repeatitem-batch-index": { +"type": "string" +}, +"x-ms-workflow-repeatitem-index": { +"type": "string" +}, +"x-ms-workflow-repeatitem-scope-name": { +"type": "string" +}, +"x-ms-workflow-resourcegroup-name": { +"type": "string" +}, +"x-ms-workflow-run-id": { +"type": "string" +}, +"x-ms-workflow-run-tracking-id": { +"type": "string" +}, +"x-ms-workflow-subscription-id": { +"type": "string" +}, +"x-ms-workflow-system-id": { +"type": "string" +}, +"x-ms-workflow-version": { +"type": "string" +} +}, +"type": "object" +} +} +}, +"Set_variable_EventId": { +"runAfter": { +"Initialize_variable_SetEventIdFailed": [ +"Succeeded" +] +}, +"type": "SetVariable", +"inputs": { +"name": "EventId", +"value": "@{string(body('Parse_EventInfo_to_Json')['response'][0]['Event']['id'])}" +} +}, +"Set_variable_SetEventIdFailed_False": { +"runAfter": { +"Set_variable_EventId": [ +"Succeeded" +] +}, +"type": "SetVariable", +"inputs": { +"name": "SetEventIdFailed", +"value": "@false" +} +}, +"Set_variable_SetEventIdFailed_True": { +"runAfter": { +"Set_variable_EventId": [ +"Failed", +"TimedOut" +] +}, +"type": "SetVariable", +"inputs": { +"name": "SetEventIdFailed", +"value": "@true" +} +} +}, +"outputs": {} +}, +"parameters": {} +}, +"name": "[parameters('PlaybookName')]", +"type": "Microsoft.Logic/workflows", +"location": "[resourceGroup().location]", +"identity": { 
+"type": "SystemAssigned" +}, +"tags": { +"hidden-SentinelTemplateName": "MISP-Orchestrator", +"hidden-SentinelTemplateVersion": "1.0" +}, +"apiVersion": "2017-07-01", +"dependsOn": [] +} +] +} \ No newline at end of file diff --git a/Playbooks/2S-Sentinel2MISP/README.MD b/Playbooks/2S-Sentinel2MISP/README.MD new file mode 100644 index 00000000000..ec378224c2b --- /dev/null +++ b/Playbooks/2S-Sentinel2MISP/README.MD 
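Review bot: The MISP API key is handled as a plain `string` end to end: the ARM parameter `MISP-Key`, the workflow parameter it is copied into as a `defaultValue`, the `MISPKey` variable, and the `Authorization` header on every HTTP action, so it lands in deployment history, in the saved workflow definition, and in the inputs of each run. Change the ARM and workflow parameter to `"type": "securestring"` and add `"runtimeConfiguration": { "secureData": { "properties": ["inputs"] } }` to each HTTP action that sends the header, so it is redacted in run history; the Key Vault step the README defers to "production" should really be the default. The `TriggerOnHTTPEntities` Request trigger has an empty `schema` and no `accessControl` block, so anyone holding the callback URL can post arbitrary entities that are written straight into MISP; at minimum restrict allowed caller IPs or validate `kind` (anything other than `FileHash` is currently treated as a filename) before the MISP calls. `Create_new_event_MISP` also sends `Tag.id` as `@variables('EventId')`, which in this branch is the id the `restSearch` lookup failed to set, so it is presumably empty or stale — confirm what MISP does with it. Minor: `Parse_Headers_to_Json`'s schema declares `IndicentId`/`IndicentTitle` while the expressions read `['IncidentId']`/`['IncidentTitle']`, which is what the forwarder sends; fix the spelling so the schema documents the real contract.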
@@ -0,0 +1,84 @@ +# MISP to Sentinel + +This is a short introduction to the MISP to Sentinel project. Keep in mind, this is a proof of concept and would require modification for production use. The solution consist of two parts, a forwarder called `MISP-Forwarder` and an orchestrator called `MISP-Orchestrator`. The purpose of having two parts is to allow you to deploy the forwarder to multiple Microsoft Sentinel workspaces to feed more data into MISP. When it comes to the fidelity of the data, for this PoC we only support filenames and hashes. + +## Design + +The design is pretty straightforward, we filter on malware was prevented (highly likely that it's a known bad entity) + +```mermaid +flowchart LR + A[Microsoft 365 Defender] -->|Malware alert| B[Microsoft Sentinel] + B --> INC[Incident] + INC --> |If alert contains 'Malware was prevented'| AR[Automation Rule] + AR --> PB[MISP-Forwarder] + PB --> |Send entities, incident URI and id|PB2[MISP-Orchestrator] + PB2 --> MISP[MISP Server] +``` + +## Setup + +### Deploy MISP Orchestrator + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.storage%2Fstorage-account-create%2Fazuredeploy.json) + +1. Deploy the `MISP-Orchestrator` +2. Fill out the information needed: + * `MISP Key` (this is the MISP API key) + * `MISP Uri` (this is the URI for the MISP-server) + * `MISP Org` (Name of your MISP organization) +3. Update the `Create new event MISP` step with the correct `event_creator_mail` + * **NOTE**: This should be the same user that you created the MISP key for and not an admin role +4. Make a note of the `HTTP POST URL` from the 'When a HTTP request is received' step +5. 
Current setup is fine for testing/development purposes + * Highly recommend deploying a key vault and use that for authorization in production + +### Deploy MISP Forwarder + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.storage%2Fstorage-account-create%2Fazuredeploy.json) + +1. Deploy the `MISP-Forwarder` + * Add the `HTTP POST URL` to the `OrchestratorUri` parameter + * Give the Managed Identity for this playbook the `Microsoft Sentinel Reader` role +2. Create an automation rule called `FWD-MISP` + * Trigger + * 'When incident is created' + * Conditions + * If Incident provider Equals Microsoft 365 Defender + * AND Title Contains malware was prevented + * AND Tag Does not contain FWD-MISP + * Actions + * Run playbook `MISP-Forwarder` + * And then Add tags FWD-MISP + + +### Add keyvault for MISPKEY secret + +1. Create new keyvault +2. Give the managed identity of the `MISP-Orchestrator` read access on the KV, and add it to `Get, List` on the access policies +3. Add a new secret `MISPKEY` and add your MISPKEY to it +4. Add a new `Get Secret` step and configure it to retrieve your secret +5. Swap all the `MISPKEY`-variable references in HTTP Auth headers for the value of the KV secret + +## Known issues + +### Public IP requirement + +This configuration requires you to have a public IP on your MISP server. +We did this by exposing it behind a Application Gateway and configuring a WAF with an allowlist. This allows us to deploy this the Orchestrator-playbook as a premium logic app with a static IP and can let that IP through. + +### Tags + +For some tests the internal tags were numbered differently, but this is as easy as changing out the numbers in the HTTP steps for the number of the tag in your MISP instance. You can also add more, both global and local tags. 
+ +# Contributing + +If you want to contribute - feel free to do so. Adding new entity types, or support for private IPs in Azure are both things that would be nice. + +## Creators + +This 'solution' was originally created by Sopra Steria Nordics Security Operation Center. + +![](https://www.soprasteria.no/images/librariesprovider2/sopra-steria-no-images/now-sine-bilder/soc-visuell-profil.jpg?sfvrsn=ce3122dc_1) + +To learn more about us [click here.](https://azuremarketplace.microsoft.com/en-us/marketplace/consulting-services/soprasteria-fr.cyber-soc-sentinel) diff --git a/Playbooks/Enrich-AzureResourceGraph/azuredeploy.json b/Playbooks/Enrich-AzureResourceGraph/azuredeploy.json new file mode 100644 index 00000000000..64a26980da5 --- /dev/null +++ b/Playbooks/Enrich-AzureResourceGraph/azuredeploy.json 
@@ -0,0 +1,626 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Query Azure Resource Graph with HTTP input and output",
+ "description": "This playbook queries Azure Resource Graph and returns azure information related to the resource like Subscription, Resourcegroups, Tags and Management groups.",
+ "mainSteps": [
+ "Only Azure resource graph referenced resources are covered."
+ ],
+ "prerequisites": [
+ "1. Set service principal with Reader role to query resourcegraph.\n2. Set keyvault to store client id and secret.\n3. Pass those parameters at deployment time."
+ ],
+ "postDeployment": [
+ "None"
+ ],
+ "lastUpdateTime": "2023-04-01T10:00:00.000Z",
+ "entities": [],
+ "tags": [
+ "Enrichment",
+ "AzureResourceGraph"
+ ],
+ "support": {
+ "tier": "community"
+ },
+ "author": {
+ "name": "juju4"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "version": "1.0.0",
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Query Azure Resource Graph with HTTP input and output",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ },
+ "parameters": {
+ "resourceTags": {
+ "type": "object",
+ "defaultValue": {
+ "LogicAppsCategory": "security"
+ },
+ "metadata": {
+ "description": "The Azure tags to set on the resource."
+ }
+ },
+ "PlaybookName": {
+ "defaultValue": "Enrich-AzureResourceGraph",
+ "type": "string",
+ "metadata": {
+ "description": "The Playbook aka LogicApp name."
+ }
+ },
+ "KeyvaultName": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Vault name containing clientid and clientsecret for ResourceGraph"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ } + } + }, + "variables": { + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[parameters('location')]", + "tags": "[parameters('resourceTags')]", + "properties": { + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('KeyvaultName')]" + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/keyvault')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", + "location": "[parameters('location')]", + "tags": "[parameters('resourceTags')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "request": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "properties": { + "query": { + "type": "string" + }, + "resourceName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "actions": { + "Condition": { + "actions": { + "Set_variable_arg_query_-_default": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "arg_query", + "value": "resources | where name == \"@{triggerBody()?['resourceName']}\" | join kind=inner (resourcecontainers | where type == 'microsoft.resources/subscriptions' | project subscriptionId, subscriptionName = name, subproperties = properties) on subscriptionId | project 
subscriptionName, resourceGroup, name, type, tags, subproperties" + } + } + }, + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Set_variable_arg_query_-_custom_query": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "arg_query", + "value": "@triggerBody()?['query']" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['query']", + "@null" + ] + } + ] + }, + "type": "If" + }, + "Condition_status_code_not_200": { + "actions": { + "Set_variable_html_output_not_200": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "html_output", + "value": "Error (@{outputs('HTTP_Query_Azure_Resource_Graph')['statusCode']}): @{body('Parse_JSON_Query_Azure_Resource_Graph')?['error']?['innererror']?['innererror']} - innererror: @{body('Parse_JSON_Query_Azure_Resource_Graph')?['error']?['innererror']}" + } + } + }, + "runAfter": { + "Parse_JSON_Query_Azure_Resource_Graph": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Create_HTML_table": { + "runAfter": {}, + "type": "Table", + "inputs": { + "columns": [ + { + "header": "name", + "value": "@item()?['name']" + }, + { + "header": "subscriptionName", + "value": "@item()?['subscriptionName']" + }, + { + "header": "resourceGroup", + "value": "@item()?['resourceGroup']" + }, + { + "header": "ipAddress", + "value": "@item()?['ipAddress']" + }, + { + "header": "publicIpName", + "value": "@item()?['publicIpName']" + }, + { + "header": "tags_businesscontact", + "value": "@item()?['tags_businesscontact']" + }, + { + "header": "tags_engcontact", + "value": "@item()?['tags_engcontact']" + }, + { + "header": "tags_contact", + "value": "@item()?['tags_contact']" + } + ], + "format": "HTML", + "from": "@body('Parse_JSON_Query_Azure_Resource_Graph')?['data']" + } + }, + "Set_variable_html_output_200": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_output", 
+ "value": "@body('Create_HTML_table')" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@outputs('HTTP_Query_Azure_Resource_Graph')['statusCode']", + 200 + ] + } + } + ] + }, + "type": "If" + }, + "Get_secret_azureresourcegraph-clientid": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('azureresourcegraph-clientid')}/value" + } + }, + "Get_secret_azureresourcegraph-clientsecret": { + "runAfter": { + "Get_secret_azureresourcegraph-clientid": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('azureresourcegraph-clientsecret')}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "outputs" + ] + } + } + }, + "HTTP_Azure_Login": { + "runAfter": { + "Get_secret_azureresourcegraph-clientsecret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "resource=https://management.azure.com&grant_type=client_credentials&client_id=@{body('Get_secret_azureresourcegraph-clientid')?['value']}&client_secret=@{body('Get_secret_azureresourcegraph-clientsecret')?['value']}", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/token')]" + } + }, + "HTTP_Query_Azure_Resource_Graph": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "managementGroups": [ + "[subscription().tenantId]" + ], + "query": "@{variables('arg_query')}" + }, + "headers": { + "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}" + }, + "method": "POST", + 
"uri": "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01" + } + }, + "Initialize_variable": { + "runAfter": { + "Initialize_variable_arg_query": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_output", + "type": "string" + } + ] + } + }, + "Initialize_variable_arg_query": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "arg_query", + "type": "string", + "value": "" + } + ] + } + }, + "Parse_JSON": { + "runAfter": { + "HTTP_Azure_Login": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Azure_Login')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "string" + }, + "expires_on": { + "type": "string" + }, + "ext_expires_in": { + "type": "string" + }, + "not_before": { + "type": "string" + }, + "resource": { + "type": "string" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs" + ] + } + } + }, + "Parse_JSON_Query_Azure_Resource_Graph": { + "runAfter": { + "HTTP_Query_Azure_Resource_Graph": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Query_Azure_Resource_Graph')", + "schema": { + "properties": { + "count": { + "type": "integer" + }, + "data": { + "items": { + "properties": { + "ipAddress": { + "type": [ + "string", + "null" + ] + }, + "name": { + "type": "string" + }, + "publicIPAllocationMethod": { + "type": [ + "string", + "null" + ] + }, + "publicIpName": { + "type": [ + "string", + "null" + ] + }, + "resourceGroup": { + "type": "string" + }, + "subproperties": { + "properties": { + "managedByTenants": { + "type": "array" + }, + "managementGroupAncestorsChain": { + "items": { + "properties": { + "displayName": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + 
"required": [ + "displayName", + "name" + ], + "type": "object" + }, + "type": "array" + }, + "state": { + "type": "string" + }, + "subscriptionPolicies": { + "properties": { + "locationPlacementId": { + "type": "string" + }, + "quotaId": { + "type": "string" + }, + "spendingLimit": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "subscriptionName": { + "type": "string" + }, + "tags_businesscontact": { + "type": [ + "string", + "null" + ] + }, + "tags_contact": { + "type": [ + "string", + "null" + ] + }, + "tags_engcontact": { + "type": [ + "string", + "null" + ] + }, + "type": { + "type": "string" + }, + "vmStatus": { + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "type": "array" + }, + "error": { + "properties": { + "code": { + "type": "string" + }, + "correlationId": { + "type": "string" + }, + "innererror": { + "properties": { + "code": { + "type": "string" + }, + "innererror": { + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "facets": { + "type": "array" + }, + "resultTruncated": { + "type": "string" + }, + "totalRecords": { + "type": "integer" + } + }, + "type": "object" + } + } + }, + "Response": { + "runAfter": { + "Condition_status_code_not_200": [ + "Succeeded" + ] + }, + "type": "Response", + "inputs": { + "body": { + "azureresourcegraph": "@body('Parse_JSON_Query_Azure_Resource_Graph')?['data']", + "azureresourcegraph_count": "@{body('Parse_JSON_Query_Azure_Resource_Graph')?['count']}", + "azureresourcegraph_query": "@{variables('arg_query')}", + "html_output": "@{variables('html_output')}", + "resourceName": "@{triggerBody()?['resourceName']}", + "status_code": "@outputs('HTTP_Query_Azure_Resource_Graph')['statusCode']" + }, + "statusCode": 200 + } + } + }, + "outputs": {} + 
},
+ "parameters": {
+ "$connections": {
+ "value": {
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[variables('KeyvaultConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ },
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/keyvault')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/Playbooks/Enrich-AzureResourceGraph/images/Enrich-AzureResourceGraph.png b/Playbooks/Enrich-AzureResourceGraph/images/Enrich-AzureResourceGraph.png
new file mode 100644
index 00000000000..63cdd4fe0eb
Binary files /dev/null and b/Playbooks/Enrich-AzureResourceGraph/images/Enrich-AzureResourceGraph.png differ
diff --git a/Playbooks/Enrich-AzureResourceGraph/readme.md b/Playbooks/Enrich-AzureResourceGraph/readme.md
new file mode 100644
index 00000000000..7c222fb2b6d
--- /dev/null
+++ b/Playbooks/Enrich-AzureResourceGraph/readme.md
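Review bot: `HTTP_Azure_Login` interpolates the client secret into its request body and receives the access token in its response, yet unlike `Get_secret_azureresourcegraph-clientsecret` and `Parse_JSON` it carries no `runtimeConfiguration`, so both the secret and the token are written in clear to the run history; the same applies to the `Authorization: Bearer …` header in the inputs of `HTTP_Query_Azure_Resource_Graph`. Securing an upstream action's outputs does not protect the downstream action that consumes them, so add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to `HTTP_Azure_Login` and `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }` to `HTTP_Query_Azure_Resource_Graph`, matching the pattern already used in this definition. Since the workflow already declares a `SystemAssigned` identity, the login step and the stored client secret could be dropped entirely by granting that identity Reader on the target scope and having the HTTP action authenticate with `"authentication": { "type": "ManagedServiceIdentity", "audience": "https://management.azure.com" }`, which the readme in this same commit lists as a possible follow-up.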
@@ -0,0 +1,244 @@ +# Enrich-AzureResourceGraph + +This LogicApp is querying Azure ResourceGraph and return typical azure information related to the resource like subscription, resourcegroup, tags and management groups. +It is encapsulated in other Logic app to enrich Sentinel incident (like Enrich-AzureResourceGraph-Incident). + +## Quick Deployment + +[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules) + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-AzureResourceGraph%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-AzureResourceGraph%2Fazuredeploy.json) + + +## Prerequisites + +* AzureResourceGraph data access requires Reader access for targeted scope +* Service principal client id and secret stored in Azure keyvault as 'azureresourcegraph-clientid' and 'azureresourcegraph-clientsecret' (Possible change to Managed Identity as supported by HTTP block) +* Default playbooks have a limit of 3 join. It is possible to extend this by opening an Azure support case with following inputs + * Service Principal Client and Object id if service principal + * LogicApp resource id and identity object id if managed identity + * Example failed run because of it with correlation id and timestamp + * Expect about a week delay for change to be effective after support validation + * "There is a default limit of 3 join and 3 mv-expand operators in a single Resource Graph SDK query. You can request an increase in these limits for your tenant through Help + support." 
- https://learn.microsoft.com/en-us/azure/governance/resource-graph/concepts/query-language#supported-tabulartop-level-operators + +## Screenshots +![Enrich-AzureResourceGraph](./images/Enrich-AzureResourceGraph.png) + +## Workflow explained +(step by step pseudo-code) + +1. When a HTTP request is received +2. Get Azure ResourceGraph client id and secret from Keyvault +3. Do Azure Login +4. Do Azure ResourceGraph query +5. Return response through HTTP + +Included queries (KQL, Azure ResourceGraph... +Current default query is +``` +resources +| where name == \"@{triggerBody()?['resourceName']}\" +| join kind=inner ( + resourcecontainers + | where type == 'microsoft.resources/subscriptions' + | project subscriptionId, subscriptionName = name, subproperties = properties +) on subscriptionId +| project subscriptionName, resourceGroup, name, type, tags, subproperties +``` + +Possible custom queries +* RDP port Internet-facing +``` +resources +| where type =~ 'Microsoft.Compute/virtualMachines' +| join kind=inner (resourcecontainers + | where type == 'microsoft.resources/subscriptions' + | project subscriptionId, subscriptionName = name, subproperties = properties + ) on subscriptionId +| extend instance_id = properties.vmId +| extend resourceid = id +| extend vmStatus = properties.extended.instanceView.powerState.displayStatus +| join kind=leftouter ( + Resources + | where type =~ "Microsoft.Network/networkInterfaces" + | mv-expand properties.ipConfigurations + | where isnotempty(properties_ipConfigurations.properties.publicIPAddress.id) + | extend publicIpId = tostring(properties_ipConfigurations.properties.publicIPAddress.id) + | join ( + Resources + | where type =~ "microsoft.network/publicipaddresses" + ) on $left.publicIpId == $right.id + | extend ipAddress = tostring(properties1.ipAddress) + | extend publicIPAllocationMethod = tostring(properties1.publicIPAllocationMethod) + | extend publicIpName = tostring(name1) + | extend vmId = 
tostring(properties.virtualMachine.id) + | extend nsgId = tostring(properties.networkSecurityGroup.id) + | project publicIpName,publicIPAllocationMethod,ipAddress,vmId,nsgId + ) on $left.id == $right.vmId +| join ( + resources + | where type =~ "microsoft.network/networksecuritygroups" + |mv-expand rules=properties.securityRules + |extend direction=tostring(rules.properties.direction) + |extend priority=toint(rules.properties.priority) + |extend rule_name = rules.name + |extend nsg_name = name + |extend description=rules.properties.description + |extend destination_prefix=iif(rules.properties.destinationAddressPrefixes=='[]', rules.properties.destinationAddressPrefix, strcat_array(rules.properties.destinationAddressPrefixes, ",")) + |extend destination_asgs=iif(isempty(rules.properties.destinationApplicationSecurityGroups), '', strcat_array(parse_json(rules.properties.destinationApplicationSecurityGroups), ",")) + |extend destination=iif(isempty(destination_asgs), destination_prefix, destination_asgs) + |extend destination=iif(destination=='*', "Any", destination) + |extend destination_port=iif(isempty(rules.properties.destinationPortRange), strcat_array(rules.properties.destinationPortRanges,","), rules.properties.destinationPortRange) + |extend source_prefix=iif(rules.properties.sourceAddressPrefixes=='[]', rules.properties.sourceAddressPrefix, strcat_array(rules.properties.sourceAddressPrefixes, ",")) + |extend source_asgs=iif(isempty(rules.properties.sourceApplicationSecurityGroups), "", strcat_array(parse_json(rules.properties.sourceApplicationSecurityGroups), ",")) + |extend source=iif(isempty(source_asgs), source_prefix, tostring(source_asgs)) + |extend source=iif(source=='*', 'Any', source) + |extend source_port=iif(isempty(rules.properties.sourcePortRange), strcat_array(rules.properties.sourcePortRanges,","), rules.properties.sourcePortRange) + |extend action=rules.properties.access + |extend subnets = strcat_array(properties.subnets, ",") + | where 
direction == "Inbound" and destination_port==3389 and source == "Any" and action == "Allow" + | extend nsg_rdp_name = nsg_name + | extend nsg_rdp_rulename = rule_name + | extend nsg_rdp_ruledescription = description + | project nsg_rdp_name, nsg_rdp_rulename, nsg_rdp_ruledescription, id + ) on $left.nsgId == $right.id +| where vmStatus == "VM running" +| project resourceid,instance_id,subscriptionName, resourceGroup, name, type, vmStatus, tags.environment, tags.contact, tags.businesscontact, tags.engcontact, subproperties, publicIpName, publicIPAllocationMethod, ipAddress, nsgId, nsg_rdp_name, nsg_rdp_rulename, nsg_rdp_ruledescription +``` +* SSH port Internet-facing +``` +resources +| where type =~ 'Microsoft.Compute/virtualMachines' +| join kind=inner (resourcecontainers + | where type == 'microsoft.resources/subscriptions' + | project subscriptionId, subscriptionName = name, subproperties = properties + ) on subscriptionId +| extend instance_id = properties.vmId +| extend resourceid = id +| extend vmStatus = properties.extended.instanceView.powerState.displayStatus +| join kind=leftouter ( + Resources + | where type =~ "Microsoft.Network/networkInterfaces" + | mv-expand properties.ipConfigurations + | where isnotempty(properties_ipConfigurations.properties.publicIPAddress.id) + | extend publicIpId = tostring(properties_ipConfigurations.properties.publicIPAddress.id) + | join ( + Resources + | where type =~ "microsoft.network/publicipaddresses" + ) on $left.publicIpId == $right.id + | extend ipAddress = tostring(properties1.ipAddress) + | extend publicIPAllocationMethod = tostring(properties1.publicIPAllocationMethod) + | extend publicIpName = tostring(name1) + | extend vmId = tostring(properties.virtualMachine.id) + | extend nsgId = tostring(properties.networkSecurityGroup.id) + | project publicIpName,publicIPAllocationMethod,ipAddress,vmId,nsgId + ) on $left.id == $right.vmId +| join ( + resources + | where type =~ "microsoft.network/networksecuritygroups" + 
|mv-expand rules=properties.securityRules + |extend direction=tostring(rules.properties.direction) + |extend priority=toint(rules.properties.priority) + |extend rule_name = rules.name + |extend nsg_name = name + |extend description=rules.properties.description + |extend destination_prefix=iif(rules.properties.destinationAddressPrefixes=='[]', rules.properties.destinationAddressPrefix, strcat_array(rules.properties.destinationAddressPrefixes, ",")) + |extend destination_asgs=iif(isempty(rules.properties.destinationApplicationSecurityGroups), '', strcat_array(parse_json(rules.properties.destinationApplicationSecurityGroups), ",")) + |extend destination=iif(isempty(destination_asgs), destination_prefix, destination_asgs) + |extend destination=iif(destination=='*', "Any", destination) + |extend destination_port=iif(isempty(rules.properties.destinationPortRange), strcat_array(rules.properties.destinationPortRanges,","), rules.properties.destinationPortRange) + |extend source_prefix=iif(rules.properties.sourceAddressPrefixes=='[]', rules.properties.sourceAddressPrefix, strcat_array(rules.properties.sourceAddressPrefixes, ",")) + |extend source_asgs=iif(isempty(rules.properties.sourceApplicationSecurityGroups), "", strcat_array(parse_json(rules.properties.sourceApplicationSecurityGroups), ",")) + |extend source=iif(isempty(source_asgs), source_prefix, tostring(source_asgs)) + |extend source=iif(source=='*', 'Any', source) + |extend source_port=iif(isempty(rules.properties.sourcePortRange), strcat_array(rules.properties.sourcePortRanges,","), rules.properties.sourcePortRange) + |extend action=rules.properties.access + |extend subnets = strcat_array(properties.subnets, ",") + | where direction == "Inbound" and destination_port==22 and source == "Any" and action == "Allow" + | extend nsg_ssh_name = nsg_name + | extend nsg_ssh_rulename = rule_name + | extend nsg_ssh_ruledescription = description + | project nsg_ssh_name, nsg_ssh_rulename, nsg_ssh_ruledescription, id + ) on 
$left.nsgId == $right.id +| where vmStatus == "VM running" +| project resourceid,instance_id,subscriptionName, resourceGroup, name, type, vmStatus, tags.environment, tags.contact, tags.businesscontact, tags.engcontact, subproperties, publicIpName, publicIPAllocationMethod, ipAddress, nsgId, nsg_ssh_name, nsg_ssh_rulename, nsg_ssh_ruledescription +``` +* MsSQL port Internet-facing +``` +resources +| where type =~ 'Microsoft.Compute/virtualMachines' +| join kind=inner (resourcecontainers + | where type == 'microsoft.resources/subscriptions' + | project subscriptionId, subscriptionName = name, subproperties = properties + ) on subscriptionId +| extend instance_id = properties.vmId +| extend resourceid = id +| extend vmStatus = properties.extended.instanceView.powerState.displayStatus +| join kind=leftouter ( + Resources + | where type =~ "Microsoft.Network/networkInterfaces" + | mv-expand properties.ipConfigurations + | where isnotempty(properties_ipConfigurations.properties.publicIPAddress.id) + | extend publicIpId = tostring(properties_ipConfigurations.properties.publicIPAddress.id) + | join ( + Resources + | where type =~ "microsoft.network/publicipaddresses" + ) on $left.publicIpId == $right.id + | extend ipAddress = tostring(properties1.ipAddress) + | extend publicIPAllocationMethod = tostring(properties1.publicIPAllocationMethod) + | extend publicIpName = tostring(name1) + | extend vmId = tostring(properties.virtualMachine.id) + | extend nsgId = tostring(properties.networkSecurityGroup.id) + | project publicIpName,publicIPAllocationMethod,ipAddress,vmId,nsgId + ) on $left.id == $right.vmId +| join ( + resources + | where type =~ "microsoft.network/networksecuritygroups" + |mv-expand rules=properties.securityRules + |extend direction=tostring(rules.properties.direction) + |extend priority=toint(rules.properties.priority) + |extend rule_name = rules.name + |extend nsg_name = name + |extend description=rules.properties.description + |extend 
destination_prefix=iif(rules.properties.destinationAddressPrefixes=='[]', rules.properties.destinationAddressPrefix, strcat_array(rules.properties.destinationAddressPrefixes, ",")) + |extend destination_asgs=iif(isempty(rules.properties.destinationApplicationSecurityGroups), '', strcat_array(parse_json(rules.properties.destinationApplicationSecurityGroups), ",")) + |extend destination=iif(isempty(destination_asgs), destination_prefix, destination_asgs) + |extend destination=iif(destination=='*', "Any", destination) + |extend destination_port=iif(isempty(rules.properties.destinationPortRange), strcat_array(rules.properties.destinationPortRanges,","), rules.properties.destinationPortRange) + |extend source_prefix=iif(rules.properties.sourceAddressPrefixes=='[]', rules.properties.sourceAddressPrefix, strcat_array(rules.properties.sourceAddressPrefixes, ",")) + |extend source_asgs=iif(isempty(rules.properties.sourceApplicationSecurityGroups), "", strcat_array(parse_json(rules.properties.sourceApplicationSecurityGroups), ",")) + |extend source=iif(isempty(source_asgs), source_prefix, tostring(source_asgs)) + |extend source=iif(source=='*', 'Any', source) + |extend source_port=iif(isempty(rules.properties.sourcePortRange), strcat_array(rules.properties.sourcePortRanges,","), rules.properties.sourcePortRange) + |extend action=rules.properties.access + |extend subnets = strcat_array(properties.subnets, ",") + | where direction == "Inbound" and destination_port==1433 and source == "Any" and action == "Allow" + | extend nsg_name = nsg_name + | extend nsg_rulename = rule_name + | extend nsg_ruledescription = description + | project nsg_name, nsg_rulename, nsg_ruledescription, id + ) on $left.nsgId == $right.id +| where vmStatus == "VM running" +| project resourceid,instance_id,subscriptionName, resourceGroup, name, type, vmStatus, tags.environment, tags.contact, tags.businesscontact, tags.engcontact, subproperties, publicIpName, publicIPAllocationMethod, ipAddress, nsgId, 
nsg_name, nsg_rulename, nsg_ruledescription +``` +* Cognitive services Internet facing +``` +resources +| where type == "microsoft.cognitiveservices/accounts" +| where properties.networkAcls.defaultAction != "Deny" or + array_length(properties.networkAcls.ipRules) == 0 or + array_length(properties.networkAcls.virtualNetworkRules) == 0 +| join kind=inner (resourcecontainers + | where type == 'microsoft.resources/subscriptions' + | project subscriptionId, subscriptionName = name, subproperties = properties + ) on subscriptionId +| project subscriptionName,resourceGroup,name,type,location,kind,tostring(properties),tostring(tags), tags.contact, tags.businesscontact, tags.engcontact, subproperties +| limit @{variables('report_limit')} +``` +* Defender for Cloud Attack Paths +``` +securityresources +| where type == 'microsoft.security/attackpaths' +| project name, display=tostring(properties.displayName), description=tostring(properties.description), aptype=tostring(properties.attackPathType) +``` diff --git a/Sample Data/Custom/Behavior-Analytics.csv b/Sample Data/Custom/Behavior-Analytics.csv new file mode 100644 index 00000000000..a0ac35f3e00 --- /dev/null +++ b/Sample Data/Custom/Behavior-Analytics.csv 
@@ -0,0 +1,1001 @@
+TenantId,SourceRecordId,TimeGenerated [UTC],TimeProcessed [UTC],ActivityType,ActionType,UserName,UserPrincipalName,EventSource,SourceIPAddress,SourceIPLocation,SourceDevice,DestinationIPAddress,DestinationIPLocation,DestinationDevice,EventVendor,EventProductVersion,ActorName,ActorPrincipalName,TargetName,TargetPrincipalName,Device,UsersInsights,DevicesInsights,ActivityInsights,SourceSystem,NativeTableName,InvestigationPriority,Type,_ResourceId
+16b57a29-661a-855a-1866-22d1b0a7179d,693c9590-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:04.536 AM","8/11/2023, 6:37:43.499 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2360"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x26b0"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6ddb1ad6-3811-11ee-8474-000d3a0b562f,"8/11/2023, 6:36:15.648 AM","8/11/2023, 6:37:45.337 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2d74"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x43e8"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,78a19364-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:53.437 AM","8/11/2023, 6:37:43.499 
AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x17ec"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x3250"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6ddb1adf-3811-11ee-8474-000d3a0b562f,"8/11/2023, 6:36:15.648 AM","8/11/2023, 6:37:45.338 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2cc"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x1b94"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6ddb1aeb-3811-11ee-8474-000d3a0b562f,"8/11/2023, 6:36:15.686 AM","8/11/2023, 6:37:45.338 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x21b4"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x43e8"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6ddb1ab7-3811-11ee-8474-000d3a0b562f,"8/11/2023, 6:36:15.605 AM","8/11/2023, 6:37:45.336 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x1148"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x1b94"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6a6b0415-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:31.460 AM","8/11/2023, 6:37:45.216 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x268c"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x2fe0"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,85e32170-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:37:15.779 AM","8/11/2023, 6:37:45.340 AM",ProcessTracking,Process 
Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x808"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x2470"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,825d67d1-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:37:12.075 AM","8/11/2023, 6:37:45.217 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x42a8"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x2f30"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,74d2a92a-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:40.719 AM","8/11/2023, 6:37:46.099 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x18e4"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x2814"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6e4894c4-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:08.774 AM","8/11/2023, 6:37:46.525 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x299c"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x3320"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,85e321fc-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:37:15.861 AM","8/11/2023, 6:37:45.340 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2354"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x2470"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7d08dcf3-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:56.838 AM","8/11/2023, 6:37:45.217 AM",ProcessTracking,Process 
Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x1e4c"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x2610"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,74d2a921-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:40.690 AM","8/11/2023, 6:37:46.099 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2698"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x2814"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6e4894c9-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:08.819 AM","8/11/2023, 6:37:46.525 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x3bf4"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x3320"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,65770595-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:14.411 AM","8/11/2023, 6:37:46.526 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""NewProcessId"":""0x3380"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ProcessId"":""0x504"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6ddb1af7-3811-11ee-8474-000d3a0b562f,"8/11/2023, 6:36:15.973 AM","8/11/2023, 6:37:45.338 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x3f14"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x2cc"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,59bdd395-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:00.815 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""C:\\Windows\\system32\\cmd.exe /C powershell -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command \""& {Get-ChildItem -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall | ForEach-Object {'DisplayName='+$_.GetValue('DisplayName')+';InstallDate='+ $_.GetValue('InstallDate')+';Vendor='+$_.GetValue('Publisher'), '|'}; 
Get-ChildItem -Path HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall | ForEach-Object {'DisplayName='+$_.GetValue('DisplayName')+';InstallDate='+ $_.GetValue('InstallDate')+';Vendor='+$_.GetValue('Publisher'), '|'}; }\"""",""NewProcessId"":""0x28f0"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ProcessId"":""0x31b8"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,76ccc2d3-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:31.816 AM","8/11/2023, 6:37:45.218 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x179c"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x120c"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,657705a5-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:14.489 AM","8/11/2023, 6:37:46.526 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""NewProcessId"":""0x30b8"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ProcessId"":""0x504"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,58b47808-3811-11ee-8474-000d3a0b55d9,"8/11/2023, 6:35:40.471 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process 
Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x23d8"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x2228"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6ddb1af0-3811-11ee-8474-000d3a0b562f,"8/11/2023, 6:36:15.967 AM","8/11/2023, 6:37:45.340 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x3420"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x21b4"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,74d2a931-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:40.731 AM","8/11/2023, 6:37:46.099 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0xad0"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x18e4"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,87ac43a9-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:19.503 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x1904"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x1004"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,59bdd310-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:32.953 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""C:\\Windows\\system32\\cmd.exe /C powershell -NoLogo -NonInteractive -NoProfile -Command \""& {[System.Console]::OutputEncoding = New-Object System.Text.UTF8Encoding($False); $FormatEnumerationLimit = -1; $Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size (4096, 1024); get-counter -ea silentlycontinue -SampleInterval 300 -MaxSamples 2 -counter @(('\\logicaldisk(c:)\\% disk read time'),('\\logicaldisk(c:)\\% disk write time'),('\\logicaldisk(c:)\\disk read bytes/sec'),('\\logicaldisk(c:)\\disk write bytes/sec'),('\\logicaldisk(c:)\\free megabytes'),('\\logicaldisk(d:)\\% disk read time'),('\\logicaldisk(d:)\\% disk write time'),('\\logicaldisk(d:)\\disk read bytes/sec'),('\\logicaldisk(d:)\\disk write bytes/sec'),('\\logicaldisk(d:)\\free megabytes'),('\\logicaldisk(e:)\\% disk read time'),('\\logicaldisk(e:)\\% disk write time'),('\\logicaldisk(e:)\\disk read bytes/sec'),('\\logicaldisk(e:)\\disk write 
bytes/sec'),('\\logicaldisk(e:)\\free megabytes'),('\\logicaldisk(f:)\\% disk read time'),('\\logicaldisk(f:)\\% disk write time'),('\\logicaldisk(f:)\\disk read bytes/sec'),('\\logicaldisk(f:)\\disk write bytes/sec'),('\\logicaldisk(f:)\\free megabytes'),('\\logicaldisk(h:)\\% disk read time'),('\\logicaldisk(h:)\\% disk write time'),('\\logicaldisk(h:)\\disk read bytes/sec'),('\\logicaldisk(h:)\\disk write bytes/sec'),('\\logicaldisk(h:)\\free megabytes'),('\\logicaldisk(m:)\\% disk read time'),('\\logicaldisk(m:)\\% disk write time'),('\\logicaldisk(m:)\\disk read bytes/sec'),('\\logicaldisk(m:)\\disk write bytes/sec'),('\\logicaldisk(m:)\\free megabytes'),('\\logicaldisk(p:)\\% disk read time'),('\\logicaldisk(p:)\\% disk write time'),('\\logicaldisk(p:)\\disk read bytes/sec'),('\\logicaldisk(p:)\\disk write bytes/sec'),('\\logicaldisk(p:)\\free megabytes'),('\\logicaldisk(r:)\\% disk read time'),('\\logicaldisk(r:)\\% disk write time'),('\\logicaldisk(r:)\\disk read bytes/sec'),('\\logicaldisk(r:)\\disk write bytes/sec'),('\\logicaldisk(r:)\\free megabytes'),('\\logicaldisk(s:)\\% disk read time'),('\\logicaldisk(s:)\\% disk write time'),('\\logicaldisk(s:)\\disk read bytes/sec'),('\\logicaldisk(s:)\\disk write bytes/sec'),('\\logicaldisk(s:)\\free megabytes'),('\\memory\\available bytes'),('\\memory\\committed bytes'),('\\memory\\pages input/sec'),('\\memory\\pages output/sec'),('\\network adapter(microsoft hyper-v network adapter)\\bytes received/sec'),('\\network adapter(microsoft hyper-v network adapter)\\bytes sent/sec'),('\\network adapter(microsoft hyper-v network adapter)\\packets outbound errors'),('\\network adapter(microsoft hyper-v network adapter)\\packets received errors'),('\\network adapter(microsoft hyper-v network adapter)\\packets received/sec'),('\\network adapter(microsoft hyper-v network adapter)\\packets sent/sec'),('\\paging file(_total)\\% usage'),('\\processor(_total)\\% privileged time'),('\\processor(_total)\\% processor 
time'),('\\processor(_total)\\% user time'),('\\system\\system up time')) | Format-List -Property Readings; }\"""",""NewProcessId"":""0x2dc4"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ProcessId"":""0x5868"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,86c74536-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:57.376 AM","8/11/2023, 6:37:46.787 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x1514"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x7b0"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,58b4782b-3811-11ee-8474-000d3a0b55d9,"8/11/2023, 6:35:40.505 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x1d94"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x2228"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,85e3221b-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:37:15.892 AM","8/11/2023, 6:37:45.340 AM",ProcessTracking,Process 
Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x176c"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x2354"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,59bdd3dd-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:03.535 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""C:\\Windows\\system32\\cmd.exe /C powershell -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command \""& {Get-Command exsetup |%{$_.Fileversioninfo.ProductVersion}}\"""",""NewProcessId"":""0x2588"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ProcessId"":""0x4104"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,5a07432f-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:35:54.589 AM","8/11/2023, 6:37:46.828 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2468"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x1f28"",""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,657705ac-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:14.520 AM","8/11/2023, 6:37:46.526 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""NewProcessId"":""0x3de8"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ProcessId"":""0x30b8"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,764a4a36-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:51.281 AM","8/11/2023, 6:37:46.827 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0xd80"",""NewProcessName"":""C:\\Windows\\System32\\conhost.exe"",""Process"":""conhost.exe"",""ParentProcessName"":""C:\\Windows\\System32\\winrshost.exe"",""ProcessId"":""0x354c"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6943b556-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:07.691 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""C:\\Windows\\system32\\cmd.exe /C powershell -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command \""& {get-childitem -ea silentlycontinue 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}' | foreach-object 
{get-itemproperty $_.pspath} | where-object {$_.flowcontrol -or $_.teammode -or $_.teamtype -eq 0} | foreach-object {'id=', $_.pschildname, ';provider=',$_.providername, ';teamname=', $_.oldfriendly, ';teammode=',$_.teammode, ';networkaddress=', $_.networkaddress,';netinterfaceid=', $_.netcfginstanceid,';altteamname=', $_.teamname, '|'};}\"""",""NewProcessId"":""0x78c4"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ProcessId"":""0x2b74"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6e4894cb-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:08.843 AM","8/11/2023, 6:37:46.525 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x2b10"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x3bf4"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6943b59b-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:08.238 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""C:\\Windows\\system32\\cmd.exe /C powershell -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command \""& {$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size (4096, 512);get-counter -ea silentlycontinue -counter @(('\\network interface(*)\\bytes received/sec'), ('\\network adapter(*)\\bytes received/sec')) | fl 
readings}\"""",""NewProcessId"":""0x427c"",""NewProcessName"":""C:\\Windows\\System32\\cmd.exe"",""Process"":""cmd.exe"",""ProcessId"":""0x7a6c"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,59bdd3a1-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:00.831 AM","8/11/2023, 6:37:46.554 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""powershell -NoLogo -NonInteractive -NoProfile -OutputFormat TEXT -Command \""& {Get-ChildItem -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall | ForEach-Object {'DisplayName='+$_.GetValue('DisplayName')+';InstallDate='+ $_.GetValue('InstallDate')+';Vendor='+$_.GetValue('Publisher'), '|'}; Get-ChildItem -Path HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall | ForEach-Object {'DisplayName='+$_.GetValue('DisplayName')+';InstallDate='+ $_.GetValue('InstallDate')+';Vendor='+$_.GetValue('Publisher'), '|'}; }\"""",""NewProcessId"":""0x69ec"",""NewProcessName"":""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"",""Process"":""powershell.exe"",""ProcessId"":""0x28f0"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,57e3ef3f-3811-11ee-8474-000d3a0b578d,"8/11/2023, 6:35:58.768 AM","8/11/2023, 6:37:09.594 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename02,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,63253fa0-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:36:18.860 
AM","8/11/2023, 6:37:10.753 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename03,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,63277ca4-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:36:19.230 AM","8/11/2023, 6:37:10.754 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename04,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,62836721-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:18.146 AM","8/11/2023, 6:37:15.868 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename05,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,64a73b40-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:21.264 AM","8/11/2023, 6:37:10.754 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename06,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,48b9809c-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:35:34.961 AM","8/11/2023, 6:37:10.754 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename07,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57698dda-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:01.165 AM","8/11/2023, 6:37:10.754 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename08,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-880781""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57698e1b-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:01.271 AM","8/11/2023, 6:37:10.754 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename09,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-880781""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6283677e-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:18.434 AM","8/11/2023, 6:37:15.869 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename10,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,67d928fd-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:28.284 AM","8/11/2023, 6:37:11.317 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename11,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73b50dc0-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:48.741 AM","8/11/2023, 6:37:11.986 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename12,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-865745""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6283676d-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:18.363 AM","8/11/2023, 6:37:15.869 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename13,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5c18100b-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:06.856 AM","8/11/2023, 6:37:14.135 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename14,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62836969-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:18.587 AM","8/11/2023, 6:37:15.869 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename15,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7229e18a-3811-11ee-8474-000d3a0b558a,"8/11/2023, 
6:36:44.171 AM","8/11/2023, 6:37:15.273 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename16,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4cea9c96-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:35:42.201 AM","8/11/2023, 6:37:17.747 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename17,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-28771""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,53d25aad-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:35:50.682 AM","8/11/2023, 6:37:17.086 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename18,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,629fdf15-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:18.900 AM","8/11/2023, 6:37:15.869 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename19,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57e2fd8d-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:35:58.357 AM","8/11/2023, 6:37:17.088 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename20,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-962075""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74163e6b-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:30:39.383 AM","8/11/2023, 6:37:11.557 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename21,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950590""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57cfcc4e-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:35:59.549 AM","8/11/2023, 6:37:11.805 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename22,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-909631""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6beeb09b-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:33.513 AM","8/11/2023, 6:37:19.574 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename23,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,629fdf4b-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:19.040 AM","8/11/2023, 6:37:15.869 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename24,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,718ca929-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:36:43.712 AM","8/11/2023, 6:37:13.771 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename25,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-880781""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60dd27e6-3811-11ee-8474-000d3a0b5cad,"8/11/2023, 6:36:15.073 AM","8/11/2023, 6:37:17.736 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename26,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,566bf51e-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:35:58.239 AM","8/11/2023, 6:37:11.426 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename27,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6cc4fa9b-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:37.324 AM","8/11/2023, 6:37:06.727 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename28,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,55eeb776-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:55.111 AM","8/11/2023, 6:37:15.869 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename29,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f150414-3811-11ee-8474-000d3a0b5b78,"8/11/2023, 6:36:37.579 AM","8/11/2023, 6:37:06.275 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename30,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,628369b1-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:18.771 AM","8/11/2023, 6:37:15.869 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename31,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f9315aa-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:11.939 AM","8/11/2023, 6:37:06.730 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename32,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,717fd11a-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:43.606 AM","8/11/2023, 6:37:15.869 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename33,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e78e89b-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:35.232 AM","8/11/2023, 6:37:06.275 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename34,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60dd2807-3811-11ee-8474-000d3a0b5cad,"8/11/2023, 6:36:15.250 AM","8/11/2023, 6:37:17.736 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename35,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60d3e148-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:13.518 AM","8/11/2023, 6:37:17.736 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename36,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f1503c4-3811-11ee-8474-000d3a0b5b78,"8/11/2023, 6:36:37.403 AM","8/11/2023, 6:37:06.276 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename37,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5ba04eba-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:00.900 AM","8/11/2023, 6:37:18.508 AM",ProcessTracking,Process Creation,test,test@test.com,SecurityEvent,,,devicename01,,,devicename38,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""MandatoryLabel"":""S-1-16-12288"",""NewProcessId"":""0x5d40"",""NewProcessName"":""C:\\Program Files\\Microsoft SQL Server\\130\\DTS\\Binn\\DTExec.exe"",""Process"":""DTExec.exe"",""ParentProcessName"":""F:\\Microsoft SQL Server\\MSSQL13.MSSQLSERVER\\MSSQL\\Binn\\SQLAGENT.EXE"",""ProcessId"":""0x1f40"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6b602e83-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:32.299 AM","8/11/2023, 6:37:11.497 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename39,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60d3e16a-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:13.683 AM","8/11/2023, 6:37:17.736 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename40,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a3687b-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.193 AM","8/11/2023, 6:37:15.449 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename41,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6b602e91-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:32.562 AM","8/11/2023, 6:37:11.498 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename42,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a3676c-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.115 AM","8/11/2023, 6:37:15.449 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename43,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a3689c-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.193 AM","8/11/2023, 6:37:15.450 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename44,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f15047e-3811-11ee-8474-000d3a0b5b78,"8/11/2023, 6:36:38.019 AM","8/11/2023, 6:37:06.276 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename45,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60dd273f-3811-11ee-8474-000d3a0b5cad,"8/11/2023, 6:36:14.925 AM","8/11/2023, 6:37:17.736 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename46,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a368c2-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.193 AM","8/11/2023, 6:37:15.450 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename47,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73b50d6a-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:48.510 AM","8/11/2023, 6:37:13.012 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename48,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f4d7bb8-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:38.521 AM","8/11/2023, 6:37:11.258 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename49,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73b50d06-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:48.305 AM","8/11/2023, 6:37:13.012 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename50,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,4a0afb2d-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:29:51.287 AM","8/11/2023, 6:37:21.532 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename51,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-955652""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6b602e70-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:30.933 AM","8/11/2023, 6:37:11.498 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename52,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6cc4fb38-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:37.383 AM","8/11/2023, 6:37:07.405 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename53,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f93151b-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:11.913 AM","8/11/2023, 6:37:07.405 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename54,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f4d7b99-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:38.452 AM","8/11/2023, 6:37:11.258 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename55,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f4d7bc2-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:38.596 AM","8/11/2023, 6:37:11.258 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename56,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f4d7bec-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:39.068 AM","8/11/2023, 6:37:11.258 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename57,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,717fd177-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:43.393 AM","8/11/2023, 6:37:09.992 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename58,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,49fa811b-3811-11ee-8474-000d3a0b5a73,"8/11/2023, 6:35:38.020 AM","8/11/2023, 6:37:15.584 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename59,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6b602eb1-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:33.031 AM","8/11/2023, 6:37:11.498 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename60,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,75cbd8d3-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:51.578 AM","8/11/2023, 6:37:13.744 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename61,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4868c876-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:35:33.725 AM","8/11/2023, 6:37:13.745 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename62,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7229dfb7-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:43.761 AM","8/11/2023, 6:37:15.270 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename63,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,743eaba9-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:48.437 AM","8/11/2023, 6:37:17.459 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename64,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,602ed839-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:15.938 AM","8/11/2023, 6:37:17.417 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename65,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,717fd1a1-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:43.453 AM","8/11/2023, 6:37:15.277 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename66,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,743eace5-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:48.611 AM","8/11/2023, 6:37:17.459 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename67,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912322""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,602ed8e9-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:16.108 AM","8/11/2023, 6:37:17.417 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename68,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f9302cd-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:13.830 AM","8/11/2023, 6:37:11.500 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename69,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,54254108-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:35:45.504 AM","8/11/2023, 6:37:11.094 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename70,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ad59e3c-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:31.752 AM","8/11/2023, 6:37:12.128 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename71,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ad59fab-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:32.180 AM","8/11/2023, 6:37:12.128 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename72,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f4d7b76-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:38.274 AM","8/11/2023, 6:37:10.275 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename73,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,552d2cf2-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:35:57.043 AM","8/11/2023, 6:37:09.443 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename74,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f52aba4-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:39.810 AM","8/11/2023, 6:37:12.237 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename75,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4d3786f1-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:35:41.148 AM","8/11/2023, 6:37:15.182 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename76,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,54b19f44-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:35:53.225 AM","8/11/2023, 6:37:16.343 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,-,,,,,devicename77,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f52abda-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:40.508 AM","8/11/2023, 6:37:12.237 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename78,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,566785cd-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:30:03.420 AM","8/11/2023, 6:37:09.511 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename79,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4d378703-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:35:41.400 AM","8/11/2023, 6:37:15.182 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename80,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4ad71ce8-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:34:08.534 AM","8/11/2023, 6:37:05.854 AM",LogOn,Sign-in,test,test@test.com,Azure AD,127.0.0.1,"chennai, india",,,,devicename81,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""UserAgentFamily"":""Edge""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""Azure Portal"",""Resource"":""Windows Azure Service Management API"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f52ab35-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:38.780 AM","8/11/2023, 6:37:12.237 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename82,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f4d7bca-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:38.738 AM","8/11/2023, 6:37:10.275 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename83,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,78900fa8-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:53.290 AM","8/11/2023, 6:37:22.316 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename84,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f52abe4-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:40.760 AM","8/11/2023, 6:37:12.237 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename85,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6abd8563-3811-11ee-8474-000d3a0b578d,"8/11/2023, 6:36:33.047 AM","8/11/2023, 6:37:12.239 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename86,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6abd852a-3811-11ee-8474-000d3a0b578d,"8/11/2023, 6:36:32.571 AM","8/11/2023, 6:37:12.239 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename87,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,6abd8468-3811-11ee-8474-000d3a0b578d,"8/11/2023, 6:36:31.547 AM","8/11/2023, 6:37:12.239 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename88,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,2,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,54254118-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:35:45.960 AM","8/11/2023, 6:37:11.095 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename89,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,54254127-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:35:46.013 AM","8/11/2023, 6:37:11.095 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename90,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77827260-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:53.559 AM","8/11/2023, 6:37:10.276 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename91,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949820""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,75cbd2e5-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:51.327 AM","8/11/2023, 6:37:12.497 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename92,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900610""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,778271c7-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:53.215 AM","8/11/2023, 6:37:10.276 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename93,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900610""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5cca0ea5-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:07.629 AM","8/11/2023, 6:37:17.453 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename94,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900610""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5cca0eda-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:07.700 AM","8/11/2023, 6:37:17.453 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename95,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900610""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5cca0f52-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:07.872 AM","8/11/2023, 6:37:17.453 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename96,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900610""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,4a0afb45-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:29:51.287 AM","8/11/2023, 6:37:15.285 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename97,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950678""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,624a86d1-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:30:17.917 AM","8/11/2023, 6:37:15.286 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename98,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950678""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64c62dab-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:30:20.042 AM","8/11/2023, 6:37:15.286 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename99,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950678""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64c62e75-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:30:20.105 AM","8/11/2023, 6:37:15.286 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename100,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950678""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59352ae7-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:34:50.866 AM","8/11/2023, 6:37:14.883 AM",LogOn,Sign-in,test,test@test.com,Azure AD,127.0.0.1,"london, united 
kingdom",devicename01,,,devicename101,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950678""}","{""IsLocalAdmin"":""True""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""Office 365 SharePoint Online"",""Resource"":""Office 365 SharePoint Online"",""FirstTimeUserConnectedFromDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2ca4f-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:01.378 AM","8/11/2023, 6:37:11.875 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename102,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2caab-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:01.677 AM","8/11/2023, 6:37:11.875 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename103,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2cb28-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:01.961 AM","8/11/2023, 6:37:11.875 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename104,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2ca7f-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:01.529 AM","8/11/2023, 6:37:11.875 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename105,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ab489d3-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:37:00.603 AM","8/11/2023, 6:37:18.365 AM",LogOn,ExplicitCredentialsLogon,app_scad_fetch_test,,SecurityEvent,-,,,,,devicename106,,,,,,,,"{""AccountDomain"":""NEAS""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2cad6-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:01.820 AM","8/11/2023, 6:37:11.876 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename107,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7aa2f184-3811-11ee-8474-000d3a0b5549,"8/11/2023, 6:30:46.898 AM","8/11/2023, 6:37:20.450 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename108,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2cb51-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:02.245 AM","8/11/2023, 6:37:11.876 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename109,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,59a2cb3b-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:02.107 AM","8/11/2023, 6:37:11.876 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename110,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,55eeb785-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:55.111 AM","8/11/2023, 6:37:11.876 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename111,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ab4893a-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:37:00.507 AM","8/11/2023, 6:37:18.365 AM",LogOn,ExplicitCredentialsLogon,app_scad_fetch_test,,SecurityEvent,-,,,,,devicename112,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-19984""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,571187b5-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:35:57.858 AM","8/11/2023, 6:37:15.150 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename113,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f9ef074-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:30:12.559 AM","8/11/2023, 
6:37:19.751 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename114,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ab489b9-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:37:00.599 AM","8/11/2023, 6:37:18.365 AM",LogOn,ExplicitCredentialsLogon,app_scad_fetch_test,,SecurityEvent,-,,,,,devicename115,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5e3a46f5-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:30:10.512 AM","8/11/2023, 6:37:19.751 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename116,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,55f99d36-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:30:02.544 AM","8/11/2023, 6:37:19.753 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename117,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57c4397d-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:30:04.576 AM","8/11/2023, 6:37:19.753 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename118,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ab48952-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:37:00.507 AM","8/11/2023, 6:37:18.365 AM",LogOn,ExplicitCredentialsLogon,app_scad_fetch_test,,SecurityEvent,-,,,,,devicename119,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-964806""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,65c3e681-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:30:22.510 AM","8/11/2023, 6:37:12.563 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename120,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-928069""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c23a4-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.520 AM","8/11/2023, 6:37:11.674 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename121,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c23bf-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.648 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename122,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c2372-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.378 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename123,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a425e0f-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:30:06.545 AM","8/11/2023, 6:37:20.940 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename124,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950590""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c2360-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.280 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename125,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c23dd-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.783 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename126,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c2340-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.215 AM","8/11/2023, 6:37:11.675 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename127,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c238d-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.428 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename128,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,65c3e46e-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:30:22.495 AM","8/11/2023, 6:37:17.343 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename129,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-961774""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5a9c2410-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:03.940 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename130,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60d3e154-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:13.518 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename131,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60d3e173-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:13.684 AM","8/11/2023, 6:37:11.675 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename132,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,707a6c3c-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:43.455 AM","8/11/2023, 6:37:14.133 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename133,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7aebf10d-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:36:58.443 AM","8/11/2023, 6:37:14.135 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename134,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,717fd26e-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:43.572 AM","8/11/2023, 6:37:15.280 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename135,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5e485c7d-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:36:11.280 AM","8/11/2023, 6:37:15.990 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename136,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-876048""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a36886-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.193 AM","8/11/2023, 6:37:12.336 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename137,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a36777-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.115 AM","8/11/2023, 6:37:12.342 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename138,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a368a9-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.193 AM","8/11/2023, 6:37:12.342 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename139,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a368d0-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:15.193 AM","8/11/2023, 6:37:12.342 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename140,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,72013029-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:45.596 AM","8/11/2023, 6:37:15.973 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename141,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73b50d0a-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:48.305 AM","8/11/2023, 6:37:12.549 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename142,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73b50d6d-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:48.510 AM","8/11/2023, 6:37:12.549 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename143,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-930238""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a0afb33-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:29:51.287 AM","8/11/2023, 6:37:15.560 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename144,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-955652""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c15daa4-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:36.060 AM","8/11/2023, 6:37:18.649 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename145,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-902696""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c15dabe-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:36.083 AM","8/11/2023, 6:37:18.649 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename146,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-902696""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,54c38324-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:35:54.773 AM","8/11/2023, 6:37:19.870 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename147,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-945708""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,602ed8eb-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:16.108 AM","8/11/2023, 6:37:20.791 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename148,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49aee9-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:35.202 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename149,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,4a49aede-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:35.017 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename150,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49aef1-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:35.459 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename151,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af02-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:35.610 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename152,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af32-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:36.146 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename153,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af12-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:35.917 AM","8/11/2023, 6:37:17.626 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename154,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af44-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:36.539 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename155,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af54-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:36.604 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename156,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af22-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:35.991 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename157,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af7e-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:37.142 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename158,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,70bb0fa4-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:41.586 AM","8/11/2023, 6:37:22.144 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename159,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49afb2-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:37.738 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename160,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af93-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:37.304 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename161,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61b63a23-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:11.921 AM","8/11/2023, 6:37:17.232 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename162,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,56cfa49f-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:00.438 AM","8/11/2023, 6:37:14.028 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename163,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7aebeedf-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:36:57.365 AM","8/11/2023, 6:37:14.030 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename164,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49afc4-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:37.904 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename165,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49af71-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:37.119 AM","8/11/2023, 6:37:17.626 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename166,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58196f3c-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:58.645 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename167,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,602ed83f-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:15.939 AM","8/11/2023, 6:37:20.791 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename168,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e1521a5-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:37.425 AM","8/11/2023, 6:37:20.170 AM",ProcessTracking,Process Creation,app_CloudMap,,SecurityEvent,,,devicename01,,,devicename169,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""CommandLine"":""E:\\Octopus\\Applications\\Intern_Services_Production\\Neas.CloudMap.Downloaders.NwcSaf\\2021.2.25.0_2\\Neas.CloudMap.Downloaders.NwcSaf.exe"",""MandatoryLabel"":""S-1-16-8192"",""NewProcessId"":""0x8ec"",""NewProcessName"":""E:\\Octopus\\Applications\\Intern_Services_Production\\Neas.CloudMap.Downloaders.NwcSaf\\2021.2.25.0_2\\Neas.CloudMap.Downloaders.NwcSaf.exe"",""Process"":""Neas.CloudMap.Downloaders.NwcSaf.exe"",""ParentProcessName"":""C:\\Windows\\System32\\cmd.exe"",""ProcessId"":""0x328"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5d126575-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:08.327 AM","8/11/2023, 6:37:13.334 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename170,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58196ff1-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:59.029 AM","8/11/2023, 6:37:17.627 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename171,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,497a9d1c-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:35:36.158 AM","8/11/2023, 6:37:20.792 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename172,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4a49afaa-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:37.731 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename173,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58196efa-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:58.452 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename174,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58197029-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:59.171 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename175,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,4a49af64-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:35:36.725 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename176,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58255987-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:59.777 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename177,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58196f58-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:58.660 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename178,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,4c359cbb-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:35:40.912 AM","8/11/2023, 6:37:22.513 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename179,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,69f9ca0a-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:36:31.129 AM","8/11/2023, 6:37:20.343 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename180,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7bb2031f-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:29.605 AM","8/11/2023, 6:37:22.303 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename181,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58197060-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:59.614 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename182,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58256683-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:00.358 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename183,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-935224""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,696a3813-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:36:27.327 AM","8/11/2023, 6:37:22.140 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename184,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,582566ad-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:00.730 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename185,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5819709a-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:35:59.690 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename186,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58256670-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:00.162 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename187,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58256922-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:01.305 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename188,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58256908-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:01.213 AM","8/11/2023, 6:37:17.627 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename189,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5825693e-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:01.491 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename190,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,582568eb-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:00.943 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename191,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,58256697-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:00.656 AM","8/11/2023, 6:37:17.627 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename192,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7aa2f19a-3811-11ee-8474-000d3a0b5549,"8/11/2023, 6:30:46.898 AM","8/11/2023, 6:37:18.379 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename193,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,5fc249e3-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:12.964 AM","8/11/2023, 6:37:13.911 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename194,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5fd9fb43-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:13.261 AM","8/11/2023, 6:37:13.912 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename195,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,49fa8148-3811-11ee-8474-000d3a0b5a73,"8/11/2023, 6:35:38.257 AM","8/11/2023, 6:37:13.912 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename196,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f20787d-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:05.789 AM","8/11/2023, 6:37:48.631 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename197,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82e959f5-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:11.056 AM","8/11/2023, 6:37:49.798 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename198,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,84199802-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:37:14.231 AM","8/11/2023, 6:37:48.631 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename199,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85e87234-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:37:16.654 AM","8/11/2023, 6:37:49.799 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename200,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82e959ff-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:11.056 AM","8/11/2023, 6:37:48.632 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename201,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85e8772e-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:37:17.232 AM","8/11/2023, 6:37:49.799 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename202,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,77700a18-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:51.978 AM","8/11/2023, 6:37:48.632 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename203,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85e878b9-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:37:17.373 AM","8/11/2023, 6:37:49.799 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename204,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85ac34ee-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:37:16.169 AM","8/11/2023, 6:37:49.800 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename205,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7edc9d70-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:37:05.602 AM","8/11/2023, 6:37:49.800 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename206,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,841997fa-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:37:14.231 AM","8/11/2023, 6:37:49.800 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename207,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c0c7e1d-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:35.284 AM","8/11/2023, 6:37:46.634 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename208,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c0c7e39-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:35.384 AM","8/11/2023, 6:37:46.634 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename209,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-817953""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85461e54-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:15.528 AM","8/11/2023, 6:37:42.531 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename210,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,65638bb0-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:23.086 AM","8/11/2023, 6:37:43.670 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename211,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,65638bcf-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:23.119 AM","8/11/2023, 6:37:43.670 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename212,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962479-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.721 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename213,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85462076-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:15.716 AM","8/11/2023, 6:37:42.531 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename214,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86b45779-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:37:17.654 AM","8/11/2023, 6:37:44.455 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename215,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8546207f-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:15.716 AM","8/11/2023, 6:37:44.455 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename216,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85ac35ce-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:37:16.279 AM","8/11/2023, 6:37:44.455 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename217,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962469-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.643 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename218,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962455-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.549 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename219,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85461e60-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:15.528 AM","8/11/2023, 6:37:44.455 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename220,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86b45772-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:37:17.654 AM","8/11/2023, 6:37:42.531 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename221,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea2-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.970 AM","8/11/2023, 6:37:49.837 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename222,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596248b-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.830 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename223,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cae9e-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.877 AM","8/11/2023, 6:37:49.837 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename224,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,67f3a39a-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:26.946 AM","8/11/2023, 6:37:49.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,-,,,,,devicename225,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596249b-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.924 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename226,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea0-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.955 AM","8/11/2023, 6:37:49.837 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename227,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624a8-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:12.049 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename228,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeaa-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.986 AM","8/11/2023, 6:37:49.837 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename229,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624d8-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.189 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename230,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea4-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.970 AM","8/11/2023, 6:37:49.837 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename231,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,63daa3a5-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:35:50.777 AM","8/11/2023, 6:37:48.234 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename232,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeab-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.986 AM","8/11/2023, 6:37:49.838 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename233,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624fa-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.268 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename234,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caead-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.986 AM","8/11/2023, 6:37:49.838 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename235,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596251e-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:15.502 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename236,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb4-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:49.838 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename237,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624c4-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:12.799 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename238,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb6-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:49.838 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename239,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596250f-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.377 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename240,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb8-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:49.838 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename241,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caebe-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.838 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename242,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962536-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:15.565 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename243,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962546-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:16.174 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename244,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec2-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.838 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename245,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596256f-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:16.408 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename246,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec0-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.838 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename247,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec9-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename248,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962564-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:16.299 AM","8/11/2023, 6:37:46.355 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename249,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957939""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64c6b1f0-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:36:23.062 AM","8/11/2023, 6:37:51.308 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename250,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeeb-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename251,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec5-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename252,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f69071b-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:39.627 AM","8/11/2023, 6:37:50.706 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename253,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caecb-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename254,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835a29-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:42.345 AM","8/11/2023, 6:37:46.355 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename255,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf05-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename256,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835ae5-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:44.188 AM","8/11/2023, 6:37:46.355 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename257,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf00-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename258,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835ab6-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:44.032 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename259,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf10-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename260,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835a8b-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:42.626 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename261,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb1-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:49.839 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename262,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835b17-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:45.173 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename263,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf22-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename264,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cae9f-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.955 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename265,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624e5-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.252 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename266,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835a5f-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:42.532 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename267,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf13-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename268,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf39-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.064 AM","8/11/2023, 6:37:49.840 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename269,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea1-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.970 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename270,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf19-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename271,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf41-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.064 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename272,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cae9d-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.877 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename273,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf33-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.064 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename274,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea3-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.970 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename275,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf48-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename276,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea8-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.986 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename277,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb0-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename278,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf56-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename279,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeac-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.986 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename280,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb3-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename281,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf62-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:49.840 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename282,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caea9-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.986 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename283,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf7c-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.095 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename284,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec1-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename285,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf6a-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename286,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec4-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename287,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf8a-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.095 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename288,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf97-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.111 AM","8/11/2023, 6:37:49.841 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename289,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb5-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename290,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafa6-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.127 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename291,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caebd-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename292,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caebf-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename293,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafae-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.158 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename294,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafb4-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.158 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename295,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeb7-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.002 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename296,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafb7-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.173 AM","8/11/2023, 6:37:49.841 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename297,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caec8-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename298,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafbd-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.189 AM","8/11/2023, 6:37:49.841 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename299,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caeca-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename300,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596245a-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.549 AM","8/11/2023, 6:37:49.866 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename301,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596246e-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.643 AM","8/11/2023, 6:37:49.866 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename302,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caecc-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.017 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename303,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962491-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.830 AM","8/11/2023, 6:37:49.866 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename304,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caefc-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename305,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624a0-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.924 AM","8/11/2023, 6:37:49.866 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename306,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf03-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename307,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624cc-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:12.799 AM","8/11/2023, 6:37:49.866 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename308,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf0a-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename309,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf21-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename310,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624ad-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:12.049 AM","8/11/2023, 6:37:49.866 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename311,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596247f-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:11.721 AM","8/11/2023, 6:37:49.866 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename312,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf51-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename313,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf3d-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.064 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename314,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624dd-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.189 AM","8/11/2023, 6:37:49.867 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename315,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf45-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename316,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859624ed-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.252 AM","8/11/2023, 6:37:49.867 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename317,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf5e-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename318,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962501-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.268 AM","8/11/2023, 6:37:49.867 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename319,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf85-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.095 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename320,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596253e-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:15.565 AM","8/11/2023, 6:37:49.867 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename321,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf0d-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename322,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962518-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:13.377 AM","8/11/2023, 6:37:49.867 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename323,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf77-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.095 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename324,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962523-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:15.502 AM","8/11/2023, 6:37:49.867 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename325,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf35-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.064 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename326,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596254d-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:16.174 AM","8/11/2023, 6:37:49.867 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename327,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf93-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.111 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename328,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8596256a-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:16.299 AM","8/11/2023, 6:37:49.867 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename329,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf2f-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.064 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename330,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85962574-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:16.408 AM","8/11/2023, 6:37:49.868 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename331,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf16-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.048 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename332,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafa2-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.127 AM","8/11/2023, 6:37:46.356 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename333,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafb1-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.158 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename334,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafb6-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.173 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename335,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafab-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.158 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename336,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cafba-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.189 
AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename337,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9caf67-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.080 AM","8/11/2023, 6:37:46.356 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename338,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-903714""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6258e7da-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:18.834 AM","8/11/2023, 6:37:49.909 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename339,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60e0f848-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:14.521 AM","8/11/2023, 6:37:48.701 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename340,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62921bd6-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:19.208 AM","8/11/2023, 6:37:49.909 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename341,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,628f979c-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:18.938 AM","8/11/2023, 6:37:49.909 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename342,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,628f97a0-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:18.938 AM","8/11/2023, 6:37:48.701 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename343,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6258e7df-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:18.834 AM","8/11/2023, 6:37:48.701 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename344,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61e14f83-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:16.454 AM","8/11/2023, 6:37:49.909 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename345,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,62921bd8-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:19.208 AM","8/11/2023, 6:37:48.701 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename346,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62921be1-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:19.312 AM","8/11/2023, 6:37:49.909 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename347,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62921be2-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:36:19.312 AM","8/11/2023, 6:37:48.701 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename348,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61e1507c-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:16.899 AM","8/11/2023, 6:37:49.909 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename349,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61e15051-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:16.796 AM","8/11/2023, 6:37:49.909 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename350,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,876509ca-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:37:16.549 AM","8/11/2023, 6:37:47.156 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename351,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8490c900-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:37:14.164 AM","8/11/2023, 6:37:47.665 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename352,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,88553e69-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:37:20.916 AM","8/11/2023, 6:37:47.156 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename353,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8765075e-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:37:16.445 AM","8/11/2023, 6:37:47.156 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename354,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,88553e6e-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:37:20.917 AM","8/11/2023, 6:37:47.665 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename355,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77df397d-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:53.374 AM","8/11/2023, 6:37:51.619 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename356,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85ac45bb-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:37:14.933 AM","8/11/2023, 6:37:47.666 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename357,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77df376e-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:52.565 AM","8/11/2023, 6:37:51.619 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename358,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77df38fa-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:53.108 AM","8/11/2023, 6:37:51.619 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename359,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,87df6493-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:22.067 AM","8/11/2023, 6:37:51.621 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename360,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77873d43-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:53.741 AM","8/11/2023, 6:37:51.622 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename361,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77873ce6-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:53.660 AM","8/11/2023, 6:37:51.622 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename362,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,84f6211b-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:37:16.088 AM","8/11/2023, 6:37:42.183 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename363,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-839862""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74312909-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:30:38.774 AM","8/11/2023, 6:37:44.382 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename364,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957983""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64e2b5bd-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:30:20.261 AM","8/11/2023, 6:37:44.257 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename365,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64e2b734-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:30:20.511 AM","8/11/2023, 6:37:44.258 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename366,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64e2b72e-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:30:20.511 AM","8/11/2023, 6:37:43.961 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename367,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64e2b5b3-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:30:20.261 AM","8/11/2023, 6:37:43.961 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename368,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,84c5a1b5-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:37:15.653 
AM","8/11/2023, 6:37:50.521 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename369,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,84c5a1ea-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:37:16.224 AM","8/11/2023, 6:37:50.521 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename370,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5e0c821d-3811-11ee-8474-000d3a0b522e,"8/11/2023, 6:30:10.794 AM","8/11/2023, 6:37:44.160 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename371,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61bc69c3-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:30:16.262 AM","8/11/2023, 6:37:44.160 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename372,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62ee69ae-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:18.464 AM","8/11/2023, 6:37:50.513 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename373,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62e76662-3811-11ee-8474-000d3a0b55b2,"8/11/2023, 6:36:17.930 AM","8/11/2023, 6:37:48.034 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename374,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-819342""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,686e2668-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:30:23.698 AM","8/11/2023, 6:37:45.090 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename375,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73000566-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:45.308 AM","8/11/2023, 6:37:42.379 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename376,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,644ea191-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:30:19.652 AM","8/11/2023, 6:37:45.090 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename377,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,67f97990-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:30:23.510 AM","8/11/2023, 6:37:45.090 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename378,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,73000699-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:45.490 AM","8/11/2023, 6:37:42.385 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename379,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,71b8487e-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:44.113 AM","8/11/2023, 6:37:48.391 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename380,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,64133511-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:36:20.999 AM","8/11/2023, 6:37:46.744 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename381,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,641334ec-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:36:20.999 AM","8/11/2023, 6:37:50.400 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename382,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,5d848eda-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:11.125 AM","8/11/2023, 6:37:51.117 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename383,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,8299d160-3811-11ee-8474-000d3a0b5a94,"8/11/2023, 6:35:23.767 AM","8/11/2023, 6:37:42.063 AM",FailedLogOn,Other,test,test@test.com,Azure AD,127.0.0.1,"delhi, india",,,,devicename384,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""UserAgentFamily"":""Edge""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""GVWProd_EXT_SSO"",""Resource"":""Windows Azure Active Directory"",""UncommonHighVolumeOfActions"":""False"",""UnusualNumberOfDistinctUsersFailedSignInFromIPAddress"":""False"",""UnusualNumberOfFailedSignInOfThisUser"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,642328bf-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.216 AM","8/11/2023, 6:37:48.913 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename385,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6423290a-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.276 AM","8/11/2023, 6:37:48.913 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename386,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,61b64bd7-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:17.315 AM","8/11/2023, 6:37:51.118 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename387,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,64bcd9c9-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:34:53.613 AM","8/11/2023, 6:37:42.063 AM",LogOn,Sign-in,test,test@test.com,Azure AD,127.0.0.1,"delhi, india",,,,devicename388,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""UserAgentFamily"":""Edge""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""GVWProd_EXT_SSO"",""Resource"":""Windows Azure Active Directory"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,64232915-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.276 AM","8/11/2023, 6:37:48.913 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename389,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,5d848f18-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:11.151 AM","8/11/2023, 6:37:51.118 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename390,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,63cf8399-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:20.352 AM","8/11/2023, 6:37:48.924 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename391,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,61b64beb-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:17.338 AM","8/11/2023, 6:37:51.118 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename392,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6423291e-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.276 AM","8/11/2023, 6:37:48.913 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename393,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,670c652d-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:23.689 AM","8/11/2023, 6:37:41.984 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename394,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,64232900-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.276 AM","8/11/2023, 6:37:51.119 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename395,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,63cf8395-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:20.330 AM","8/11/2023, 6:37:48.924 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename396,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,642328eb-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.276 AM","8/11/2023, 6:37:51.119 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename397,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,642328f5-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.276 AM","8/11/2023, 6:37:51.119 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename398,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,63cf839c-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:20.489 AM","8/11/2023, 6:37:48.924 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename399,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,62b4f1e8-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:18.599 AM","8/11/2023, 6:37:51.119 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename400,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,642328b5-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:22.215 AM","8/11/2023, 6:37:51.119 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename401,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,62b05423-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:18.576 AM","8/11/2023, 6:37:51.119 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename402,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,82ed21a5-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:37:11.506 AM","8/11/2023, 6:37:47.214 AM",LogOn,ExplicitCredentialsLogon,narvankr,,SecurityEvent,-,,,,,devicename403,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-950276""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,61ab6700-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:10.673 AM","8/11/2023, 6:37:49.807 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename404,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2184418533-3760115178-3925849122-380069""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,7c5a760e-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:01.142 AM","8/11/2023, 6:37:45.285 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename405,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-875368""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7c5a75f2-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:00.950 AM","8/11/2023, 6:37:45.285 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename406,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-875368""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7c5a75bf-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:00.766 AM","8/11/2023, 6:37:45.285 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename407,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-875368""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7c5a7612-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:01.328 AM","8/11/2023, 6:37:45.286 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename408,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-875368""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6a5c90b4-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:30.801 AM","8/11/2023, 6:37:43.300 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename409,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-875368""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7ad5e7a6-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:59.390 AM","8/11/2023, 6:37:49.298 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename410,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-815328""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7ad5e7b6-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:59.391 AM","8/11/2023, 6:37:49.298 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename411,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-815328""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,73835e47-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:46.666 AM","8/11/2023, 6:37:48.535 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename412,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956459""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7ad5e789-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:59.390 AM","8/11/2023, 6:37:49.298 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename413,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-815328""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7ad5e755-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:59.360 AM","8/11/2023, 6:37:49.298 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename414,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-815328""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,60ae7a02-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:17.364 AM","8/11/2023, 6:37:51.696 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename415,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956459""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6eb8de63-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:40.597 AM","8/11/2023, 6:37:47.768 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename416,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,702dd98c-3811-11ee-8474-000d3a0b5b5d,"8/11/2023, 6:36:42.794 AM","8/11/2023, 6:37:42.605 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename417,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6d168f01-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:35.653 AM","8/11/2023, 6:37:42.605 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename418,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,74f073a7-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:49.694 AM","8/11/2023, 6:37:51.217 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename419,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6d168de3-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:35.447 AM","8/11/2023, 6:37:42.606 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename420,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,770cadcb-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:52.719 AM","8/11/2023, 6:37:47.768 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename421,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7274533b-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:43.773 AM","8/11/2023, 6:37:42.606 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename422,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,770cb663-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:53.319 AM","8/11/2023, 6:37:47.768 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename423,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,7274562d-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:44.549 AM","8/11/2023, 6:37:42.606 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename424,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,74f073ad-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:49.694 AM","8/11/2023, 6:37:44.369 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename425,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,72745478-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:43.977 AM","8/11/2023, 6:37:42.606 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename426,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,770cade0-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:52.719 AM","8/11/2023, 6:37:42.607 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename427,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6399e0e4-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:19.395 AM","8/11/2023, 6:37:44.388 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename428,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-961171""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,770cb66f-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:53.319 AM","8/11/2023, 6:37:42.607 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename429,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-915136""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,60ac3bbe-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:16.974 AM","8/11/2023, 6:37:44.389 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename430,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-961171""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,5fed07bf-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:35:55.134 AM","8/11/2023, 6:37:50.827 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename431,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-961171""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,5fed07b3-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:35:55.134 AM","8/11/2023, 6:37:52.249 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename432,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-961171""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,846be0c7-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:15.590 AM","8/11/2023, 6:37:46.632 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename433,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-961171""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,655b4002-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:30:22.995 AM","8/11/2023, 6:37:48.737 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename434,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,68ea8453-3811-11ee-8474-000d3a0b5995,"8/11/2023, 6:30:25.150 AM","8/11/2023, 6:37:48.737 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename435,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,5cd74793-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:30:08.482 AM","8/11/2023, 6:37:48.739 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename436,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,8546ef81-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:15.719 AM","8/11/2023, 6:37:47.742 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename437,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,8546f1e3-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:15.891 AM","8/11/2023, 6:37:47.742 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename438,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,8546f2b7-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:15.978 AM","8/11/2023, 6:37:47.742 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename439,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,838d7e43-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:37:13.558 AM","8/11/2023, 6:37:47.744 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename440,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963712""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,87974bd5-3811-11ee-8474-000d3a0b5a00,"8/11/2023, 6:37:19.114 AM","8/11/2023, 6:37:44.622 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename441,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912565""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,879749cc-3811-11ee-8474-000d3a0b5a00,"8/11/2023, 6:37:18.666 AM","8/11/2023, 6:37:44.622 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename442,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912565""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,85b96f30-3811-11ee-8474-000d3a0b578d,"8/11/2023, 6:37:19.331 AM","8/11/2023, 6:37:46.643 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename443,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912565""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,85b96f37-3811-11ee-8474-000d3a0b578d,"8/11/2023, 6:37:19.331 AM","8/11/2023, 6:37:44.623 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename444,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912565""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,8851e16d-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:37:20.792 AM","8/11/2023, 6:37:44.623 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename445,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912565""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,8851e2e4-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:37:21.115 AM","8/11/2023, 6:37:44.623 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename446,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912565""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,68ea8561-3811-11ee-8474-000d3a0b5995,"8/11/2023, 6:30:25.353 AM","8/11/2023, 6:37:42.848 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename447,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912882""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,68ea8562-3811-11ee-8474-000d3a0b5995,"8/11/2023, 6:30:25.353 AM","8/11/2023, 6:37:44.057 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename448,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912882""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,6e9dd10f-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:30:31.087 AM","8/11/2023, 6:37:49.987 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename449,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,622c3d21-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:30:16.574 AM","8/11/2023, 6:37:52.193 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename450,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,7091c0ee-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:33.243 AM","8/11/2023, 6:37:49.987 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename451,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,62ee6487-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:18.105 AM","8/11/2023, 6:37:52.198 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename452,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,62ee6877-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:18.370 AM","8/11/2023, 6:37:52.198 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename453,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,62ee686a-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:18.370 AM","8/11/2023, 6:37:49.987 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename454,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
+16b57a29-661a-855a-1866-22d1b0a7179d,635df5d3-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:30:19.136 AM","8/11/2023, 6:37:49.987 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename455,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62ee647a-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:18.105 AM","8/11/2023, 6:37:49.987 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename456,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a5c915a-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:30.991 AM","8/11/2023, 6:37:43.392 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename457,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-956262""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,676372b2-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:17.279 AM","8/11/2023, 6:37:52.043 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename458,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f856fb9-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:05.982 AM","8/11/2023, 6:37:44.989 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename459,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f856ff3-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:06.002 AM","8/11/2023, 6:37:44.989 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename460,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f8570af-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:06.527 AM","8/11/2023, 6:37:44.989 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename461,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f8570de-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:06.547 AM","8/11/2023, 6:37:44.989 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename462,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7b10037e-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:00.334 AM","8/11/2023, 6:37:50.880 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename463,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81e8607b-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:09.212 AM","8/11/2023, 6:37:50.880 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename464,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f857193-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:06.808 AM","8/11/2023, 6:37:44.989 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename465,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7f857206-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:37:06.829 AM","8/11/2023, 6:37:44.989 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename466,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81e8600b-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:09.201 AM","8/11/2023, 6:37:50.880 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename467,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81e86061-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:09.212 AM","8/11/2023, 6:37:50.880 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename468,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7e037cfb-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:37:05.276 AM","8/11/2023, 6:37:44.989 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename469,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-941506""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cfec269-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:49.925 AM","8/11/2023, 6:37:49.747 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename470,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81e86056-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:09.211 AM","8/11/2023, 6:37:50.880 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename471,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cfec282-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:50.830 AM","8/11/2023, 6:37:49.747 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename472,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cfec287-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:50.835 AM","8/11/2023, 6:37:49.747 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename473,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82fb67ec-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:37:10.134 AM","8/11/2023, 6:37:44.991 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename474,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cfec29d-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:51.013 AM","8/11/2023, 6:37:49.748 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename475,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cfec2b4-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:51.021 AM","8/11/2023, 6:37:49.748 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename476,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cfec2d2-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:36:51.478 AM","8/11/2023, 6:37:49.748 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename477,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82fb67c8-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:37:10.110 AM","8/11/2023, 6:37:44.991 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename478,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e9dd182-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:30:31.120 AM","8/11/2023, 6:37:51.612 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename479,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81e8afe6-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:40.914 AM","8/11/2023, 6:37:52.705 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename480,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6afd490a-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:34:55.648 AM","8/11/2023, 6:37:52.663 AM",LogOn,Sign-in,test,test@test.com,Azure AD,127.0.0.1,"trafford park, united kingdom",devicename01,,,devicename481,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""Office365 Shell WCSS-Client"",""Resource"":""Microsoft Graph"",""FirstTimeUserConnectedFromDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""DeviceUncommonlyUsedInTenant"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82fb681f-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:37:11.453 AM","8/11/2023, 6:37:44.991 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename482,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82fb683b-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:37:11.473 AM","8/11/2023, 6:37:44.991 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename483,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82fb68a3-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:37:11.746 AM","8/11/2023, 6:37:44.991 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename484,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82fb6886-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:37:11.724 AM","8/11/2023, 6:37:44.991 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename485,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-3881367877-1803122152-1111938564-3131""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b065-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.473 AM","8/11/2023, 6:37:46.906 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename486,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b0ce-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.605 AM","8/11/2023, 6:37:46.906 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename487,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f312b56-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:12.183 AM","8/11/2023, 6:37:51.412 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename488,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85b20138-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:15.820 AM","8/11/2023, 6:37:48.481 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename489,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f312b88-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:12.211 AM","8/11/2023, 6:37:51.412 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename490,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b32b-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:59.063 AM","8/11/2023, 6:37:46.906 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename491,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,63daa459-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:21.879 AM","8/11/2023, 6:37:51.414 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename492,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927932""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,781e07a7-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:30:45.351 AM","8/11/2023, 6:37:49.747 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename493,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-933874""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,781e07b9-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:30:45.351 AM","8/11/2023, 6:37:51.808 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename494,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-933874""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7091c111-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:33.274 AM","8/11/2023, 6:37:49.747 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename495,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-933874""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,77df398f-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:30:43.242 AM","8/11/2023, 6:37:51.804 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename496,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-933874""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74856540-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:45.690 AM","8/11/2023, 6:37:53.378 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename497,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-912143""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,78135cec-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:43.883 AM","8/11/2023, 6:37:51.808 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename498,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-933874""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,83c66d27-3811-11ee-8474-000d3a0b509d,"8/11/2023, 6:30:58.069 AM","8/11/2023, 6:37:51.808 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename499,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-933874""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,898d1fe7-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:22.498 AM","8/11/2023, 6:37:45.102 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename500,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-822679""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,75c8ed4d-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:50.318 AM","8/11/2023, 6:37:48.522 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename501,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931197""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57f00b60-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:00.262 AM","8/11/2023, 6:37:51.162 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename502,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931197""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,84e2eb0c-3811-11ee-8474-000d3a0b55d9,"8/11/2023, 6:37:17.064 AM","8/11/2023, 6:37:52.839 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename503,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931197""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,57f00b71-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:00.262 AM","8/11/2023, 6:37:52.853 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename504,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931197""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c0c7e31-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:35.380 AM","8/11/2023, 6:37:43.751 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename505,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931197""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,78681795-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:55.075 AM","8/11/2023, 6:37:43.751 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename506,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-822679""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6eccea08-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:37.047 AM","8/11/2023, 6:37:48.068 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename507,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,75aa4bb0-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:49.202 AM","8/11/2023, 6:37:48.070 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename508,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6b67dab7-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:33.021 AM","8/11/2023, 6:37:48.070 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename509,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,75aa4c76-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:49.721 AM","8/11/2023, 6:37:48.070 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename510,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,859e0b8f-3811-11ee-8474-000d3a0b5cad,"8/11/2023, 6:37:18.014 AM","8/11/2023, 6:37:50.038 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename511,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85698ddf-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:37:17.651 AM","8/11/2023, 6:37:49.076 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename512,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ee3c151-3811-11ee-8472-000d3a0b59bc,"8/11/2023, 6:36:39.523 AM","8/11/2023, 6:37:46.432 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename513,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,861cfdb1-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:37:17.407 AM","8/11/2023, 6:37:52.493 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename514,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7d9a3329-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:03.117 AM","8/11/2023, 6:37:52.493 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename515,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7d9a32be-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:03.094 AM","8/11/2023, 6:37:52.493 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename516,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7e638512-3811-11ee-8474-000d3a0b55b2,"8/11/2023, 6:37:03.653 AM","8/11/2023, 6:37:52.493 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename517,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,572974f4-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:35:58.736 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename518,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-146008104-301941981-575165538-41004""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,73835f80-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:47.072 AM","8/11/2023, 6:37:47.894 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename519,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76f1289c-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:50.114 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename520,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c3e9244-3811-11ee-8474-000d3a0b5d20,"8/11/2023, 6:36:34.066 AM","8/11/2023, 6:37:52.595 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename521,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76f128c6-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:50.144 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename522,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c3e924e-3811-11ee-8474-000d3a0b5d20,"8/11/2023, 6:36:34.069 AM","8/11/2023, 6:37:52.595 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename523,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76f128a4-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:50.118 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename524,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c3e9312-3811-11ee-8474-000d3a0b5d20,"8/11/2023, 6:36:34.468 AM","8/11/2023, 6:37:52.595 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename525,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f6078ad-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:37.378 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename526,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62324b16-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:16.037 AM","8/11/2023, 6:37:48.925 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename527,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bde1-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:20.422 AM","8/11/2023, 6:37:52.494 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename528,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c3e931e-3811-11ee-8474-000d3a0b5d20,"8/11/2023, 6:36:34.492 AM","8/11/2023, 6:37:52.595 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename529,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bdfa-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:20.452 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename530,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,63689e8f-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:19.597 AM","8/11/2023, 6:37:52.596 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename531,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bf04-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:21.720 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename532,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,63689eb2-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:19.626 AM","8/11/2023, 6:37:52.596 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename533,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794be66-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:20.659 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename534,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,63689fc2-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:19.755 AM","8/11/2023, 6:37:52.596 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename535,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bf5b-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:21.746 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename536,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,63689fed-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:19.785 AM","8/11/2023, 6:37:52.596 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename537,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bf44-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:21.739 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename538,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6368a098-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:19.819 AM","8/11/2023, 6:37:52.596 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename539,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bf95-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:21.787 AM","8/11/2023, 6:37:52.494 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename540,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a61770c-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:30.877 AM","8/11/2023, 6:37:52.599 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename541,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,6a61776e-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:31.098 AM","8/11/2023, 6:37:52.599 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename542,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bfdd-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:22.018 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename543,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6d168cb8-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:35.153 AM","8/11/2023, 6:37:44.377 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename544,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""FirstTimeUserPerformedAction"":""False"",""ActionUncommonlyPerformedAmongPeers"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bfc5-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:21.996 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename545,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6d168d41-3811-11ee-8474-000d3a0b5c4f,"8/11/2023, 6:36:35.238 AM","8/11/2023, 6:37:44.377 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename546,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""FirstTimeUserPerformedAction"":""False"",""ActionUncommonlyPerformedAmongPeers"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a617786-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:31.124 AM","8/11/2023, 6:37:52.599 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename547,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a617794-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:31.125 AM","8/11/2023, 6:37:52.599 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename548,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8794bf7e-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:21.762 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename549,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cabb9-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.533 AM","8/11/2023, 6:37:52.495 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename550,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74df79f0-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:49.108 AM","8/11/2023, 6:37:52.600 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename551,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64f52b38-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:23.037 AM","8/11/2023, 6:37:51.448 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename552,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cabc9-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.760 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename553,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74df7a2a-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:49.161 AM","8/11/2023, 6:37:52.600 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename554,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,8419991a-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:37:14.543 AM","8/11/2023, 6:37:51.449 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename555,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a79b77b-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:58.637 AM","8/11/2023, 6:37:53.739 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename556,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cabbf-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:00.741 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename557,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd01b-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.572 AM","8/11/2023, 6:37:53.740 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename558,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,70e29c06-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:36:43.089 AM","8/11/2023, 6:37:51.449 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename559,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cfa5a5-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.426 AM","8/11/2023, 6:37:52.600 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename560,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a79b7af-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:58.662 AM","8/11/2023, 6:37:53.739 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename561,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cabdf-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.173 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename562,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd021-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.634 AM","8/11/2023, 6:37:53.740 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename563,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c9cac0b-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:01.197 AM","8/11/2023, 6:37:52.495 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename564,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cfa5ae-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.440 AM","8/11/2023, 6:37:52.600 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename565,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a79b80c-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:58.692 AM","8/11/2023, 6:37:53.739 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename566,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd01f-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.614 AM","8/11/2023, 6:37:53.740 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename567,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6254113c-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:16.325 AM","8/11/2023, 6:37:53.744 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename568,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,79cfa5cc-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.470 AM","8/11/2023, 6:37:52.601 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename569,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41d44-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.318 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename570,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd01d-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.608 AM","8/11/2023, 6:37:53.740 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename571,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62541248-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:16.594 AM","8/11/2023, 6:37:53.744 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename572,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cfa5b8-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.454 AM","8/11/2023, 6:37:52.601 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename573,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41d53-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.351 AM","8/11/2023, 6:37:52.495 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename574,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd024-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.648 AM","8/11/2023, 6:37:53.740 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename575,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a0ee930-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:21.674 AM","8/11/2023, 6:37:54.099 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename576,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd027-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.668 AM","8/11/2023, 6:37:53.741 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename577,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,6a0ee90c-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:21.631 AM","8/11/2023, 6:37:54.099 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename578,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62541194-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:16.419 AM","8/11/2023, 6:37:53.744 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename579,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cfa654-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.664 AM","8/11/2023, 6:37:52.601 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename580,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41d75-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.420 AM","8/11/2023, 6:37:52.496 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename581,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7acfd02a-3811-11ee-8474-000d3a0b5640,"8/11/2023, 6:36:58.668 AM","8/11/2023, 6:37:53.741 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename582,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62994360-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:17.797 AM","8/11/2023, 6:37:53.748 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename583,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,738455e0-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.008 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename584,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cfa7f1-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.714 AM","8/11/2023, 6:37:52.602 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename585,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41d83-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.441 AM","8/11/2023, 6:37:52.496 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename586,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,586d32da-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:02.941 AM","8/11/2023, 6:37:53.750 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename587,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60e0d67d-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:30:13.902 AM","8/11/2023, 6:37:51.612 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename588,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,738456a9-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.225 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename589,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64bcc4ee-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:22.006 AM","8/11/2023, 6:37:53.743 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename590,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cfa664-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.687 AM","8/11/2023, 6:37:52.602 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename591,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41d9c-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.476 AM","8/11/2023, 6:37:52.496 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename592,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,738456af-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.230 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename593,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64bcc4e5-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:21.963 AM","8/11/2023, 6:37:53.743 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename594,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,586d32f0-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:02.973 AM","8/11/2023, 6:37:53.750 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename595,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41dbd-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.486 AM","8/11/2023, 6:37:52.496 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename596,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8253d185-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:37:11.932 AM","8/11/2023, 6:37:54.331 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename597,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79db6dcb-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:57.724 AM","8/11/2023, 6:37:52.602 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename598,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,586d3184-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:00.757 AM","8/11/2023, 6:37:53.750 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename599,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64bcc4eb-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:21.983 AM","8/11/2023, 6:37:53.743 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename600,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,738456bb-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.244 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename601,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61d41deb-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.502 AM","8/11/2023, 6:37:52.496 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename602,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8253d242-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:37:12.074 AM","8/11/2023, 6:37:54.331 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename603,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a0ee950-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:29.454 AM","8/11/2023, 6:37:52.603 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename604,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a5a846a-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:31.242 AM","8/11/2023, 6:37:53.749 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename605,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,738456d4-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.258 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename606,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,832a44db-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:37:13.425 AM","8/11/2023, 6:37:54.331 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename607,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a0eea40-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:30.114 AM","8/11/2023, 6:37:52.603 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename608,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a5a8464-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:36:31.240 AM","8/11/2023, 6:37:53.749 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename609,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,832a496c-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:37:13.686 AM","8/11/2023, 6:37:54.331 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename610,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,738456c1-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.246 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename611,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,832a4a61-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:37:14.020 AM","8/11/2023, 6:37:54.331 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename612,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6a0eea56-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:30.134 AM","8/11/2023, 6:37:52.604 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename613,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7bdde266-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:37:00.725 AM","8/11/2023, 6:37:53.752 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename614,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73845708-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.296 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename615,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7bdde248-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:37:00.675 AM","8/11/2023, 6:37:53.752 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename616,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79e9c539-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:56.250 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename617,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,738456dc-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:46.263 AM","8/11/2023, 6:37:54.330 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename618,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,797476f7-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:57.741 AM","8/11/2023, 6:37:52.606 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename619,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7bdde257-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:37:00.724 AM","8/11/2023, 6:37:53.752 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename620,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7974770d-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:57.756 AM","8/11/2023, 6:37:52.606 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename621,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79e9c59a-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:56.454 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename622,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7106c922-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:43.207 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename623,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79747709-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:57.752 AM","8/11/2023, 6:37:52.606 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename624,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74312732-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:36:47.940 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename625,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7bdde276-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:37:00.780 AM","8/11/2023, 6:37:53.752 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename626,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79e9c5cf-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:56.682 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename627,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73a625ff-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:36:46.552 AM","8/11/2023, 6:37:53.753 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename628,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79747713-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:57.787 AM","8/11/2023, 6:37:52.606 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename629,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74312748-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:36:47.966 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename630,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79e9c5f6-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:56.767 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename631,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79747759-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:58.186 AM","8/11/2023, 6:37:52.606 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename632,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,79e9c699-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:56.955 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename633,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7431276c-3811-11ee-8472-000d3a0b5a24,"8/11/2023, 6:36:48.000 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename634,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a483144-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:57.690 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename635,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79747764-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:58.209 AM","8/11/2023, 6:37:52.607 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename636,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79e9c662-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:56.800 AM","8/11/2023, 6:37:54.333 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename637,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7974776c-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:58.229 AM","8/11/2023, 6:37:52.607 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename638,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,65809210-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:20.316 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename639,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a483157-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:57.716 AM","8/11/2023, 6:37:54.332 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename640,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79747788-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:58.262 AM","8/11/2023, 6:37:52.607 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename641,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,658092a7-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:20.578 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename642,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a483188-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:57.728 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename643,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7974778f-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:58.269 AM","8/11/2023, 6:37:52.607 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename644,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,658092db-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:21.457 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename645,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,762fc293-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:50.086 AM","8/11/2023, 6:37:52.607 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename646,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a483198-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:57.739 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename647,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6580933f-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:21.503 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename648,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,762fc2a3-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:50.106 AM","8/11/2023, 6:37:52.608 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename649,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,658093b7-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:21.579 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename650,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,7a4831d2-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:36:57.782 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename651,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6580945c-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:21.977 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename652,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,762fc2ab-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:50.107 AM","8/11/2023, 6:37:52.608 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename653,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ad9b-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.701 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename654,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c238-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.470 AM","8/11/2023, 6:37:52.608 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename655,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ada4-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.714 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename656,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c268-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.472 AM","8/11/2023, 6:37:52.608 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename657,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c557-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.670 AM","8/11/2023, 6:37:52.609 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename658,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ae1a-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.831 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename659,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c59c-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.696 AM","8/11/2023, 6:37:52.609 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename660,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ae06-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.812 AM","8/11/2023, 6:37:54.333 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename661,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c5b5-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.700 AM","8/11/2023, 6:37:52.609 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename662,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ae10-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.818 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename663,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c693-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.786 AM","8/11/2023, 6:37:52.609 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename664,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,7925ae75-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.992 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename665,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ae53-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.969 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename666,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c6c4-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.814 AM","8/11/2023, 6:37:52.609 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename667,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c715-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.948 AM","8/11/2023, 6:37:52.609 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename668,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7925ae6a-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:56.991 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename669,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a55c72d-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:36:56.973 AM","8/11/2023, 6:37:52.610 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename670,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa9601-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:57.341 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename671,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ee61457-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:37:06.533 AM","8/11/2023, 6:37:52.610 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename672,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa9622-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:57.364 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename673,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ee61452-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:37:06.533 AM","8/11/2023, 6:37:52.610 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename674,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa963e-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:57.377 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename675,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,634f3df3-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:20.336 AM","8/11/2023, 6:37:52.612 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename676,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa966c-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:57.451 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename677,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa965b-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:57.389 AM","8/11/2023, 6:37:54.334 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename678,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,634f3dfb-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:20.340 AM","8/11/2023, 6:37:52.612 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename679,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c95770d-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:58.094 AM","8/11/2023, 6:37:44.236 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename680,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}","{""IsLocalAdmin"":""True""}","{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""FirstTimeUserPerformedAction"":""False"",""ActionUncommonlyPerformedAmongPeers"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa967c-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:57.452 AM","8/11/2023, 6:37:54.335 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename681,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8412fc6c-3811-11ee-8472-000d3a0b5920,"8/11/2023, 6:35:41.968 AM","8/11/2023, 6:37:49.317 AM",LogOn,Sign-in,test,test@test.com,Azure AD,127.0.0.1,"bengaluru, india",devicename01,,,devicename682,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}","{""UserAgentFamily"":""Chrome""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""Microsoft Teams Web Client"",""Resource"":""Microsoft Teams 
Services"",""FirstTimeUserConnectedFromDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""DeviceUncommonlyUsedInTenant"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,634f3e5c-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:20.570 AM","8/11/2023, 6:37:52.612 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename683,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7767a8ee-3811-11ee-8474-000d3a0b5a94,"8/11/2023, 6:35:39.642 AM","8/11/2023, 6:37:48.787 AM",LogOn,Sign-in,test,test@test.com,Azure AD,127.0.0.1,"bengaluru, india",devicename01,,,devicename684,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}","{""UserAgentFamily"":""Chrome""}","{""ActionUncommonlyPerformedByUser"":""False"",""App"":""Office365 Shell WCSS-Client"",""Resource"":""Microsoft Graph"",""FirstTimeUserConnectedFromDevice"":""False"",""DeviceUncommonlyUsedAmongPeers"":""True"",""DeviceUncommonlyUsedInTenant"":""True"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6bc777cb-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:36:10.506 AM","8/11/2023, 6:37:38.770 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename685,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,673cbfb3-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:27.135 AM","8/11/2023, 6:37:39.515 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename686,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86de873f-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:18.740 AM","8/11/2023, 6:37:36.850 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename687,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ee58a52-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:38.064 AM","8/11/2023, 6:37:36.850 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename688,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76ad1a85-3811-11ee-8472-000d3a0b59bc,"8/11/2023, 6:36:52.695 AM","8/11/2023, 6:37:41.313 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename689,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6bc778ef-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:36:30.484 AM","8/11/2023, 6:37:38.770 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename690,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,60ac740c-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.902 AM","8/11/2023, 6:37:36.850 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename691,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76ad1a70-3811-11ee-8472-000d3a0b59bc,"8/11/2023, 6:36:52.695 AM","8/11/2023, 6:37:41.313 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename692,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac741a-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.905 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename693,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7435-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.911 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename694,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7422-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.908 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename695,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7440-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.912 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename696,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac742a-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.911 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename697,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7455-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.933 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename698,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7413-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.905 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename699,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7447-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.917 AM","8/11/2023, 6:37:36.851 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename700,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7450-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.928 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename701,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7467-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.950 AM","8/11/2023, 6:37:36.851 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename702,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac745b-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.935 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename703,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7461-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.948 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename704,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,6f40f038-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:41.359 AM","8/11/2023, 6:37:32.478 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename705,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac747b-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.952 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename706,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,705a1156-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:36:40.428 AM","8/11/2023, 6:37:34.142 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename707,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7470-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.950 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename708,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,705eb0d9-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:36:40.462 AM","8/11/2023, 6:37:34.143 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename709,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7483-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.954 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename710,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74a9-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.980 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename711,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74b8-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.982 AM","8/11/2023, 6:37:36.852 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename712,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac748a-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.963 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename713,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,60ac74c0-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.985 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename714,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74b1-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.981 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename715,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74c9-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.985 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename716,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74db-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.988 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename717,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74d2-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.988 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename718,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74e5-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.989 AM","8/11/2023, 6:37:36.853 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename719,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac751b-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.071 AM","8/11/2023, 6:37:36.854 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename720,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74ef-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.990 AM","8/11/2023, 6:37:36.854 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename721,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7528-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.092 AM","8/11/2023, 6:37:36.854 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename722,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac74f9-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:15.993 AM","8/11/2023, 6:37:36.854 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename723,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7500-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.009 AM","8/11/2023, 6:37:36.855 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename724,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7612094c-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:49.236 AM","8/11/2023, 6:37:38.095 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename725,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60ac7507-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:16.013 AM","8/11/2023, 6:37:36.854 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename726,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5fcdfb97-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:12.894 AM","8/11/2023, 6:37:36.857 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename727,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,6ecaaa4a-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:37.493 AM","8/11/2023, 6:37:34.150 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename728,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79fa9aba-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:36:58.850 AM","8/11/2023, 6:37:41.224 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename729,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6f607838-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:38.361 AM","8/11/2023, 6:37:34.157 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename730,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85ac3440-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:37:16.326 AM","8/11/2023, 6:37:41.235 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename731,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85aefd0f-3811-11ee-8474-000d3a0b5549,"8/11/2023, 6:37:15.879 AM","8/11/2023, 6:37:41.713 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename732,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7354202c-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:45.028 AM","8/11/2023, 6:37:41.716 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename733,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85ac34cf-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:37:16.438 AM","8/11/2023, 6:37:41.236 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename734,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f72bf99-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:12.509 AM","8/11/2023, 6:37:41.718 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename735,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f72bfa3-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:12.510 AM","8/11/2023, 6:37:41.718 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename736,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,71c6e0e7-3811-11ee-8474-000d3a0b55b2,"8/11/2023, 6:36:44.072 AM","8/11/2023, 6:37:42.559 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename737,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86b45af4-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:37:17.919 AM","8/11/2023, 6:37:43.228 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename738,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a3d3788-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:36:59.037 AM","8/11/2023, 6:37:43.244 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename739,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6878f048-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:28.284 AM","8/11/2023, 6:37:43.265 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename740,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-927452""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79174605-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.929 AM","8/11/2023, 6:37:39.992 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename741,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79174653-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.930 AM","8/11/2023, 6:37:39.992 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename742,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79174582-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.919 AM","8/11/2023, 6:37:39.992 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename743,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7917469f-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.930 AM","8/11/2023, 6:37:39.992 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename744,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7bd281c8-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:59.428 AM","8/11/2023, 6:37:36.310 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename745,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86a36b99-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:37:19.286 AM","8/11/2023, 6:37:36.320 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename746,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62f55b28-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:18.283 AM","8/11/2023, 6:37:40.942 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename747,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86e3d30e-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:18.960 AM","8/11/2023, 6:37:42.559 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename748,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86e3d510-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:19.278 AM","8/11/2023, 6:37:42.559 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename749,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8593bc64-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:18.479 AM","8/11/2023, 6:37:41.202 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename750,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81ee497e-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:09.569 AM","8/11/2023, 6:37:42.565 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename751,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85aaffe9-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:17.601 AM","8/11/2023, 6:37:40.957 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename752,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62fa16f6-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:18.132 AM","8/11/2023, 6:37:42.562 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename753,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8835d2df-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:20.797 AM","8/11/2023, 6:37:41.229 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename754,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,62fa1816-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:18.400 AM","8/11/2023, 6:37:42.563 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename755,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86b458f9-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:37:17.513 AM","8/11/2023, 6:37:43.221 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename756,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76ec61fe-3811-11ee-8474-000d3a0b5caf,"8/11/2023, 6:36:51.623 AM","8/11/2023, 6:37:37.203 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename757,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73739a98-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:45.869 AM","8/11/2023, 6:37:36.037 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename758,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a3d376b-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:36:59.029 AM","8/11/2023, 6:37:43.244 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename759,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7c516266-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:02.555 AM","8/11/2023, 6:37:36.040 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename760,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a3d382e-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:36:59.143 AM","8/11/2023, 6:37:43.249 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename761,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,898d32aa-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:24.063 AM","8/11/2023, 6:37:42.618 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename762,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,898d3347-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:24.205 AM","8/11/2023, 6:37:42.618 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename763,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5e7e756a-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:11.740 AM","8/11/2023, 6:37:40.945 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename764,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5e9f3288-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:10.622 AM","8/11/2023, 6:37:40.961 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename765,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,898d319f-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:23.837 AM","8/11/2023, 6:37:42.618 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename766,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82b129a7-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:38.843 AM","8/11/2023, 6:37:41.970 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename767,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-814078""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,77149bea-3811-11ee-8474-000d3a0b5abf,"8/11/2023, 6:36:48.548 AM","8/11/2023, 6:37:36.832 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename768,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957809""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a1a6a2-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:30:14.590 AM","8/11/2023, 6:37:37.937 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename769,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949787""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,770cb05a-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:30:43.398 AM","8/11/2023, 6:37:37.938 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename770,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949787""}",{},"{""LastTimeUserPerformedAction"":""08/10/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,78135d78-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:43.976 AM","8/11/2023, 6:37:37.938 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename771,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949787""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,793f544d-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:30:46.117 AM","8/11/2023, 6:37:37.938 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename772,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949787""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6da72ff9-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:37.386 
AM","8/11/2023, 6:37:41.315 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename773,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957809""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ed019a6-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:37.729 AM","8/11/2023, 6:37:41.315 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename774,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957809""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ebc53ab-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:38.932 AM","8/11/2023, 6:37:41.317 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename775,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957809""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835f4c-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:46.932 AM","8/11/2023, 6:37:41.320 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename776,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-957809""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86362232-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:31:00.271 AM","8/11/2023, 6:37:39.212 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename777,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,7caaf02d-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:01.329 AM","8/11/2023, 6:37:35.855 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename778,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f47828e-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:11.090 AM","8/11/2023, 6:37:36.207 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename779,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f4783dd-3811-11ee-8474-000d3a0b5c67,"8/11/2023, 6:30:11.231 AM","8/11/2023, 6:37:36.207 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename780,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5d0b4b89-3811-11ee-8474-000d3a0b5575,"8/11/2023, 6:30:09.372 AM","8/11/2023, 6:37:36.207 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename781,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e203f47-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:35.990 AM","8/11/2023, 6:37:36.050 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename782,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7caaf096-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:37:01.608 AM","8/11/2023, 6:37:35.864 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename783,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62fa16ad-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:17.167 AM","8/11/2023, 6:37:36.215 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename784,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5ed4c6f4-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:30:11.684 AM","8/11/2023, 6:37:36.216 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename785,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e152289-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:37.423 AM","8/11/2023, 6:37:35.956 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename786,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,618750c3-3811-11ee-8474-000d3a0b5a00,"8/11/2023, 6:36:18.153 AM","8/11/2023, 6:37:39.108 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename787,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5e7e7845-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:30:11.528 AM","8/11/2023, 6:37:36.215 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename788,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,76b4a332-3811-11ee-8474-000d3a0b55b2,"8/11/2023, 6:36:51.743 AM","8/11/2023, 6:37:39.160 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename789,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6399dfa9-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:19.020 AM","8/11/2023, 6:37:38.970 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename790,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,1,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,687f9f7a-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:28.625 AM","8/11/2023, 6:37:37.678 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename791,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,67ddbca0-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:27.209 AM","8/11/2023, 6:37:39.587 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename792,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86eb0f6b-3811-11ee-8474-000d3a0b5926,"8/11/2023, 6:37:12.715 AM","8/11/2023, 6:37:43.611 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename793,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-775814""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,718400d8-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:30:34.602 AM","8/11/2023, 6:37:39.754 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename794,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,67ddb98f-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:27.062 AM","8/11/2023, 6:37:35.869 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename795,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,761b94aa-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:51.253 AM","8/11/2023, 6:37:35.850 
AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename796,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,66ac16f8-3811-11ee-8474-000d3a0b587a,"8/11/2023, 6:36:24.594 AM","8/11/2023, 6:37:35.870 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename797,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7b74ff52-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:37:00.135 AM","8/11/2023, 6:37:35.942 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename798,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7331d71a-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:47.273 AM","8/11/2023, 6:37:39.142 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename799,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7ba20d00-3811-11ee-8474-000d3a0b522e,"8/11/2023, 6:36:50.287 AM","8/11/2023, 6:37:39.155 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename800,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,73835a98-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:47.281 AM","8/11/2023, 6:37:41.491 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename801,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-954170""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e250036-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:18.151 AM","8/11/2023, 6:37:37.857 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename802,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2039611301-3171054439-936439132-3437""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5bb1fb8a-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:30:07.060 AM","8/11/2023, 6:37:43.264 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename803,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2039611301-3171054439-936439132-3437""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7dc73ed9-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:04.219 AM","8/11/2023, 6:37:45.238 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename804,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-949787""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62fa1834-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:17.230 AM","8/11/2023, 6:37:36.229 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename805,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-717586""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61a365b6-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:14.301 AM","8/11/2023, 6:37:36.445 AM",LogOn,ResourceAccess,,,SecurityEvent,-,,,,,devicename806,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-960429""}",{},"{""LastTimeUserPerformedAction"":""08/10/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62fa1872-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:30:17.246 AM","8/11/2023, 6:37:36.229 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename807,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-717586""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79615882-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:36:56.890 AM","8/11/2023, 6:37:36.693 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename808,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900030""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7d6446cc-3811-11ee-8474-000d3a0b539d,"8/11/2023, 6:37:01.881 AM","8/11/2023, 6:37:43.193 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename809,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-900030""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,744140a9-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:36:49.345 AM","8/11/2023, 6:37:50.031 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename810,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/10/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74413fc6-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:36:49.077 AM","8/11/2023, 6:37:50.031 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename811,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6fe475f0-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:41.994 AM","8/11/2023, 6:37:52.817 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename812,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/10/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,744140ba-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:36:49.367 AM","8/11/2023, 6:37:52.818 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename813,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74414000-3811-11ee-8474-000d3a0b5559,"8/11/2023, 6:36:49.100 AM","8/11/2023, 6:37:52.817 
AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename814,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60e0ccce-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:15.325 AM","8/11/2023, 6:37:51.181 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename815,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86113871-3811-11ee-8474-000d3a0b550c,"8/11/2023, 6:37:18.690 AM","8/11/2023, 6:37:54.135 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename816,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7a53bd07-3811-11ee-8474-000d3a0b5995,"8/11/2023, 6:36:56.120 AM","8/11/2023, 6:37:57.601 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename817,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,664149af-3811-11ee-8472-000d3a0b59bc,"8/11/2023, 6:36:26.041 AM","8/11/2023, 6:37:48.802 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename818,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,80fd7294-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:07.934 AM","8/11/2023, 6:37:48.962 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename819,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737aec4-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.024 AM","8/11/2023, 6:37:50.680 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename820,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,80fd72ad-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:08.005 AM","8/11/2023, 6:37:48.962 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename821,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737af6a-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.211 AM","8/11/2023, 6:37:50.680 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename822,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,80fd72a0-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:08.005 AM","8/11/2023, 6:37:48.963 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename823,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,80fd72ba-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:08.006 AM","8/11/2023, 6:37:48.963 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename824,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b193-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.742 AM","8/11/2023, 6:37:50.680 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename825,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79cbcc4e-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:36:55.628 AM","8/11/2023, 6:37:48.803 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename826,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b2aa-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.940 AM","8/11/2023, 6:37:50.681 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename827,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61b64c07-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:17.395 AM","8/11/2023, 6:37:50.442 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename828,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b2b3-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.940 AM","8/11/2023, 6:37:57.132 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename829,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61b64c0c-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:17.396 AM","8/11/2023, 6:37:50.442 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename830,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,88e0e087-3811-11ee-8474-000d3a0b5b5d,"8/11/2023, 6:37:22.689 AM","8/11/2023, 6:37:48.803 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename831,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61b64c11-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:17.397 AM","8/11/2023, 6:37:50.442 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename832,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737b1ab-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.742 AM","8/11/2023, 6:37:57.132 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename833,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61b64c03-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:17.381 AM","8/11/2023, 6:37:50.442 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename834,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737aed3-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.024 AM","8/11/2023, 6:37:57.132 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename835,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,74f07233-3811-11ee-8474-000d3a0b57eb,"8/11/2023, 6:36:49.528 AM","8/11/2023, 6:37:51.092 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename836,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8a7acbbf-3811-11ee-8474-000d3a0b522e,"8/11/2023, 6:37:24.321 AM","8/11/2023, 6:37:48.803 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename837,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5737af7b-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:35:58.211 AM","8/11/2023, 6:37:57.133 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename838,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72745138-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:43.486 AM","8/11/2023, 6:37:50.484 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename839,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,65638ea8-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:23.530 AM","8/11/2023, 6:37:51.092 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename840,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,64f52af8-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:36:22.990 AM","8/11/2023, 6:37:50.643 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename841,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,71ff2e78-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:44.159 AM","8/11/2023, 6:37:50.678 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename842,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86c74ad6-3811-11ee-8474-000d3a0b5476,"8/11/2023, 6:37:18.416 AM","8/11/2023, 6:37:50.652 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename843,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,833788b0-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:09.279 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename844,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,833789ed-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:37:14.980 AM","8/11/2023, 6:37:50.681 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename845,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e608912-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:38.007 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename846,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7919a66a-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.773 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename847,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cc7a2f9-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:53.007 AM","8/11/2023, 6:37:50.685 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename848,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7cc7a335-3811-11ee-8474-000d3a0b5625,"8/11/2023, 6:36:53.306 AM","8/11/2023, 6:37:50.685 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename849,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e60892b-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:38.019 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename850,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7919a670-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.781 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename851,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e608942-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:38.019 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename852,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,85e875b7-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:37:17.060 AM","8/11/2023, 6:37:50.651 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename853,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7919a679-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.790 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename854,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e608958-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:36:38.020 AM","8/11/2023, 6:37:50.681 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename855,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68dcdcb1-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:27.602 AM","8/11/2023, 6:37:50.662 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename856,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,679037ba-3811-11ee-8474-000d3a0b517f,"8/11/2023, 6:36:25.962 AM","8/11/2023, 6:37:50.685 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename857,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7919a675-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.786 AM","8/11/2023, 6:37:50.682 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename858,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68dcdcbd-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:27.602 AM","8/11/2023, 6:37:50.662 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename859,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,633fe404-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:36:18.361 AM","8/11/2023, 6:37:51.447 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename860,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7d1d7046-3811-11ee-8472-000d3a0b5231,"8/11/2023, 6:37:02.477 AM","8/11/2023, 6:37:50.652 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename861,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68dcdca2-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:27.586 
AM","8/11/2023, 6:37:50.662 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename862,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7919a67c-3811-11ee-8474-000d3a0b5cd0,"8/11/2023, 6:36:55.795 AM","8/11/2023, 6:37:50.682 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename863,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5924cb7b-3811-11ee-8474-000d3a0b5533,"8/11/2023, 6:36:00.527 AM","8/11/2023, 6:37:51.447 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename864,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68dcdcc6-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:27.602 AM","8/11/2023, 6:37:50.662 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename865,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,869656ff-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:37:18.448 AM","8/11/2023, 6:37:51.448 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename866,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62324abe-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:15.982 AM","8/11/2023, 6:37:50.682 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename867,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e057f06-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:37.865 AM","8/11/2023, 6:37:51.448 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename868,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7819b983-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:36:53.417 AM","8/11/2023, 6:37:51.594 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename869,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6878f1c8-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:36:26.824 AM","8/11/2023, 6:37:51.594 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename870,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,612283fe-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:36:15.487 AM","8/11/2023, 6:37:51.450 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename871,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86965710-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:37:18.448 AM","8/11/2023, 6:37:51.448 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename872,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62324ac5-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:15.991 AM","8/11/2023, 6:37:50.683 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename873,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,732ab6c4-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:44.501 AM","8/11/2023, 6:37:53.316 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename874,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86965718-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:37:18.448 
AM","8/11/2023, 6:37:51.448 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename875,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,775dbe38-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:47.987 AM","8/11/2023, 6:37:53.588 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename876,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62324acf-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:15.998 AM","8/11/2023, 6:37:50.683 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename877,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6ecaaaab-3811-11ee-8474-000d3a0b5c0b,"8/11/2023, 6:36:36.928 AM","8/11/2023, 6:37:53.604 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename878,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81486958-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:37:10.101 AM","8/11/2023, 6:37:53.616 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename879,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86965708-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:37:18.448 AM","8/11/2023, 6:37:51.448 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename880,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73e8f35f-3811-11ee-8474-000d3a0b5995,"8/11/2023, 6:36:48.369 AM","8/11/2023, 6:37:53.593 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename881,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,81486964-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:37:11.381 AM","8/11/2023, 6:37:53.617 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename882,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,732ab804-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:44.750 AM","8/11/2023, 6:37:53.316 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename883,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62324ae8-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:16.012 AM","8/11/2023, 6:37:50.683 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename884,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,643bd36e-3811-11ee-8472-000d3a0b59bc,"8/11/2023, 6:36:19.547 AM","8/11/2023, 6:37:53.316 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename885,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,790ca927-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:36:55.327 AM","8/11/2023, 6:37:53.620 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename886,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61228476-3811-11ee-8474-000d3a0b5374,"8/11/2023, 6:36:16.857 AM","8/11/2023, 6:37:51.450 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename887,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,841d1e6a-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:37:13.276 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename888,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7b100837-3811-11ee-8474-000d3a0b500f,"8/11/2023, 6:37:00.338 AM","8/11/2023, 6:37:53.317 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename889,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,82062f52-3811-11ee-8472-000d3a0b599c,"8/11/2023, 6:37:10.685 AM","8/11/2023, 6:37:53.807 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename890,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,80565c7e-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:37:06.831 AM","8/11/2023, 6:37:53.807 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename891,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62324adb-3811-11ee-8472-000d3a0b5d22,"8/11/2023, 6:36:16.005 AM","8/11/2023, 6:37:50.683 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename892,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,80565ce8-3811-11ee-8474-000d3a0b5c92,"8/11/2023, 6:37:07.528 AM","8/11/2023, 6:37:53.807 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename893,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7815e59b-3811-11ee-8472-000d3a0b5211,"8/11/2023, 6:36:54.868 AM","8/11/2023, 6:37:53.622 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename894,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,660222c1-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:22.261 AM","8/11/2023, 6:37:53.807 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename895,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,841d1d49-3811-11ee-8474-000d3a0b5946,"8/11/2023, 6:37:10.713 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename896,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,585e7f90-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:35:59.385 AM","8/11/2023, 6:37:53.808 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename897,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,585e7e72-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:35:58.924 AM","8/11/2023, 6:37:53.808 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename898,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,790ca938-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:36:55.335 AM","8/11/2023, 6:37:53.620 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename899,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,585e7f9f-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:35:59.416 AM","8/11/2023, 6:37:53.809 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename900,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c46209-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:42.119 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename901,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,585e7fba-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:35:59.417 AM","8/11/2023, 6:37:53.809 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename902,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e057f10-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:37.867 AM","8/11/2023, 6:37:51.448 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename903,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,585e7fad-3811-11ee-8474-000d3a0b558a,"8/11/2023, 6:35:59.416 AM","8/11/2023, 6:37:53.809 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename904,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,790ca941-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:36:55.335 AM","8/11/2023, 6:37:53.620 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename905,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7996da82-3811-11ee-8474-000d3a0b5ceb,"8/11/2023, 6:36:56.391 AM","8/11/2023, 6:37:53.809 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename906,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,845415db-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:37:14.288 AM","8/11/2023, 6:37:53.809 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename907,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c462a4-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:42.744 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename908,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,845415e3-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:37:14.318 AM","8/11/2023, 6:37:53.809 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename909,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e057eee-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:37.849 AM","8/11/2023, 6:37:51.448 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename910,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,790ca930-3811-11ee-8474-000d3a0b5269,"8/11/2023, 6:36:55.334 AM","8/11/2023, 6:37:53.620 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename911,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,845415f3-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:37:14.320 AM","8/11/2023, 6:37:53.809 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename912,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c462ab-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:42.822 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename913,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6e057f25-3811-11ee-8474-000d3a0b5787,"8/11/2023, 6:36:37.869 AM","8/11/2023, 6:37:51.448 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename914,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,845415eb-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:37:14.319 AM","8/11/2023, 6:37:53.809 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename915,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79048df0-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:29.336 AM","8/11/2023, 6:37:54.594 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename916,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c462b3-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:42.822 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename917,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5f5bf9df-3811-11ee-8474-000d3a0b5f80,"8/11/2023, 6:35:51.842 AM","8/11/2023, 6:37:55.871 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,-,,,,,devicename918,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c462bb-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:42.822 AM","8/11/2023, 6:37:51.449 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename919,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79048e0a-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:29.343 AM","8/11/2023, 6:37:54.594 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename920,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c46329-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:44.369 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename921,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79048e22-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:29.346 AM","8/11/2023, 6:37:54.594 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename922,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c46344-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:44.479 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename923,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,717fcd34-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:43.750 AM","8/11/2023, 6:37:57.287 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename924,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c4634a-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:44.479 AM","8/11/2023, 6:37:51.449 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename925,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,701991e1-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:36:35.616 AM","8/11/2023, 6:37:57.289 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,-,,,,,devicename926,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""FirstTimeUserLoggedOnToDevice"":""False"",""DeviceUncommonlyUsedInTenant"":""True"",""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,7904929b-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:30.294 AM","8/11/2023, 6:37:54.595 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename927,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,72c4634f-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:44.479 AM","8/11/2023, 
6:37:51.450 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename928,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68d71e96-3811-11ee-8474-000d3a0b5bc7,"8/11/2023, 6:30:24.370 AM","8/11/2023, 6:37:57.963 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename929,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79048e16-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:29.344 AM","8/11/2023, 6:37:54.595 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename930,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68f36eda-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:29.336 AM","8/11/2023, 6:37:54.595 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename931,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68f36ee6-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:29.344 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename932,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68f36ee0-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:29.343 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename933,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,717fcd39-3811-11ee-8474-000d3a0b579b,"8/11/2023, 6:36:43.750 AM","8/11/2023, 6:37:57.287 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename934,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,61bfa9c5-3811-11ee-8474-000d3a0b5186,"8/11/2023, 6:36:16.169 AM","8/11/2023, 6:37:57.288 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename935,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68f36eef-3811-11ee-8472-000d3a0b5131,"8/11/2023, 6:36:29.346 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename936,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,618c2042-3811-11ee-8474-000d3a0b5a00,"8/11/2023, 6:30:15.433 AM","8/11/2023, 6:37:57.963 
AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename937,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,67228bc0-3811-11ee-8474-000d3a0b5b3a,"8/11/2023, 6:36:26.214 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename938,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62e3ebc7-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:16.942 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename939,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6c73a9b7-3811-11ee-8474-000d3a0b57dd,"8/11/2023, 6:30:30.665 AM","8/11/2023, 6:37:57.963 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename940,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62e3ebba-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:16.941 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename941,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79dd4892-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:30:45.742 AM","8/11/2023, 6:37:57.963 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename942,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,79dd48d7-3811-11ee-8474-000d3a0b5e42,"8/11/2023, 6:30:45.851 AM","8/11/2023, 6:37:57.963 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename943,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62e3ebab-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:16.880 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename944,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,62e3ebd8-3811-11ee-8474-000d3a0b5718,"8/11/2023, 6:36:16.950 AM","8/11/2023, 6:37:54.596 AM",LogOn,ExplicitCredentialsLogon,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename945,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-931512""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,5ed4cc6f-3811-11ee-8474-000d3a0b59dd,"8/11/2023, 6:30:12.168 AM","8/11/2023, 6:37:53.714 
AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename946,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6d1a554c-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:36.234 AM","8/11/2023, 6:37:52.391 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename947,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,60e0cddd-3811-11ee-8474-000d3a0b5925,"8/11/2023, 6:36:15.600 AM","8/11/2023, 6:37:50.856 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename948,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6bb9757f-3811-11ee-8474-000d3a0b522e,"8/11/2023, 6:30:28.806 AM","8/11/2023, 6:37:53.714 AM",LogOn,SpecialPrivilegesLogon,,,SecurityEvent,,,,,,devicename949,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6bb9758c-3811-11ee-8474-000d3a0b522e,"8/11/2023, 6:30:28.806 AM","8/11/2023, 6:37:58.202 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename950,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,6d1a5622-3811-11ee-8474-000d3a0b57f3,"8/11/2023, 6:36:36.380 AM","8/11/2023, 6:37:52.393 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename951,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,8546f00c-3811-11ee-8474-000d3a0b5ff5,"8/11/2023, 6:37:16.055 AM","8/11/2023, 6:37:58.399 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename952,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,654c13b1-3811-11ee-8474-000d3a0b55b2,"8/11/2023, 6:30:20.933 AM","8/11/2023, 6:37:58.205 AM",LogOn,ResourceAccess,,,SecurityEvent,127.0.0.1,,,,,devicename953,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,6fdb83e3-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:36:41.735 AM","8/11/2023, 6:37:58.405 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename954,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68b7be58-3811-11ee-8474-000d3a0b55d9,"8/11/2023, 6:36:27.778 AM","8/11/2023, 6:37:49.857 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename955,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 
00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,68b7be82-3811-11ee-8474-000d3a0b55d9,"8/11/2023, 6:36:27.832 AM","8/11/2023, 6:37:49.857 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,-,,,,,devicename956,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,824d8e78-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:37:09.414 AM","8/11/2023, 6:37:49.286 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename957,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,816a7e7e-3811-11ee-8474-000d3a0b5995,"8/11/2023, 6:37:08.992 AM","8/11/2023, 6:37:49.287 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename958,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,78206831-3811-11ee-8474-000d3a0b5c46,"8/11/2023, 6:36:53.196 AM","8/11/2023, 6:37:58.645 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename959,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,73835fa4-3811-11ee-8474-000d3a0b5b70,"8/11/2023, 6:36:47.151 AM","8/11/2023, 6:37:49.287 
AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename960,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,867ada8f-3811-11ee-8474-000d3a0b5716,"8/11/2023, 6:37:20.796 AM","8/11/2023, 6:37:58.646 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename961,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,824d9177-3811-11ee-8474-000d3a0b508e,"8/11/2023, 6:37:09.727 AM","8/11/2023, 6:37:49.287 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename962,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,86e6db2f-3811-11ee-8474-000d3a0b5ca5,"8/11/2023, 6:37:18.936 AM","8/11/2023, 6:37:58.646 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename963,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, +16b57a29-661a-855a-1866-22d1b0a7179d,692df0b8-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:28.538 AM","8/11/2023, 6:37:53.366 AM",LogOn,SpecialPrivilegesLogon,test,test@test.com,SecurityEvent,,,,,,devicename964,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}",{},"{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics, 
+16b57a29-661a-855a-1866-22d1b0a7179d,692df103-3811-11ee-8472-000d3a0b55fc,"8/11/2023, 6:36:28.549 AM","8/11/2023, 6:37:55.136 AM",LogOn,ResourceAccess,test,test@test.com,SecurityEvent,127.0.0.1,,,,,devicename965,,,,,,,,"{""OnPremisesSID"":""S-1-5-21-2680824871-1255999119-832436803-963639""}","{""IsLocalAdmin"":""True""}","{""LastTimeUserPerformedAction"":""08/11/2023 00:00:00"",""UncommonHighVolumeOfActions"":""False""}",,,0,BehaviorAnalytics,
diff --git a/Sample Data/Custom/CofenseIntelligence/Malware_Data_CL.csv b/Sample Data/Custom/CofenseIntelligence/Malware_Data_CL.csv
new file mode 100644
index 00000000000..b4875e28034
--- /dev/null
+++ b/Sample Data/Custom/CofenseIntelligence/Malware_Data_CL.csv
@@ -0,0 +1,21 @@
+TimeGenerated [UTC],id_d,feeds_s,blockSet_s,campaignBrandSet_s,extractedStringSet_s,domainSet_s,senderEmailSet_s,executableSet_s,senderIpSet_s,senderNameSet_s,spamUrlSet_s,subjectSet_s,campaignLanguageSet_s,campaignScreenshotSet_s,lastPublished_d,firstPublished_d,label_s,executiveSummary_s,hasReport_b,reportURL_s,apiReportURL_s,threatDetailURL_s,deliveryMechanisms_s,malwareFamilySet_s,threatType_s,secureEmailGatewaySet_s,naicsCodes_s,ReportDownload_HTML__s,ReportDownload_PDF__s,Type
+"5/29/2023, 8:27:53 AM",322141,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[ { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""5.2.85.31"", ""lookupOn"": 1684173583539, ""latitude"": 41.0214, ""longitude"": 28.9948, ""timeZone"": ""Europe/Istanbul"", ""continentName"": ""Asia"", ""continentCode"": ""AS"", ""countryName"": ""Turkey"", ""countryIsoCode"": ""TR"", ""asn"": 3188, ""asnOrganization"": ""Alastyr Telekomunikasyon A.S."", ""isp"": ""Alastyr Telekomunikasyon A.S."", ""organization"": ""Alastyr Telekomunikasyon A.S."" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.bronzesailing.com"", ""data_1"": ""www.bronzesailing.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.ebcbank.net/m82/"", ""data_1"": { ""url"": ""http://www.ebcbank.net/m82/"", ""domain"": ""ebcbank.net"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.ebcbank.net"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.let-travel.africa/m82/"", ""data_1"": { ""url"": ""http://www.let-travel.africa/m82/"", ""domain"": ""let-travel.africa"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.let-travel.africa"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""198.185.159.144"", ""lookupOn"": 1684173713930, ""latitude"": 40.509, ""longitude"": -75.4471, ""metroCode"": 504, ""timeZone"": ""America/New_York"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""Pennsylvania"", ""subdivisionIsoCode"": ""PA"", ""postalCode"": ""18060"", ""asn"": 53831, ""asnOrganization"": ""Squarespace, Inc."", ""isp"": ""Squarespace"", ""organization"": ""Squarespace"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.jamesdevereux.com"", ""data_1"": ""www.jamesdevereux.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""35.227.197.36"", ""lookupOn"": 1683904728865, ""latitude"": 42.2734, ""longitude"": -83.7133, ""metroCode"": 505, ""timeZone"": ""America/Detroit"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""Michigan"", ""subdivisionIsoCode"": ""MI"", ""postalCode"": ""48104"", ""isp"": ""Merit Network"", ""organization"": ""Merit Network"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.selfcleaninghairbrush.co.uk"", ""data_1"": ""www.selfcleaninghairbrush.co.uk"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""104.21.46.181"", ""lookupOn"": 1684173661276, ""latitude"": 37.7697, ""longitude"": -122.3933, ""metroCode"": 807, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""94107"", ""asn"": 13335, ""asnOrganization"": ""CloudFlare"", ""isp"": ""CloudFlare"", ""organization"": ""CloudFlare"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.kickskaart.com/m82/"", ""data_1"": { ""url"": ""http://www.kickskaart.com/m82/"", ""domain"": ""kickskaart.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.kickskaart.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""23.227.38.74"", ""lookupOn"": 1684173527995, ""latitude"": 45.4166, ""longitude"": -75.6904, ""timeZone"": ""America/Toronto"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""Canada"", ""countryIsoCode"": ""CA"", ""subdivisionName"": ""Ontario"", ""subdivisionIsoCode"": ""ON"", ""postalCode"": ""K2P"", ""asn"": 62679, ""asnOrganization"": ""Shopify, Inc."", ""isp"": ""Shopify"", ""organization"": ""Shopify"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.illubio.com/m82/"", ""data_1"": { ""url"": ""http://www.illubio.com/m82/"", ""domain"": ""illubio.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.illubio.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""81.169.145.159"", ""lookupOn"": 1684173583789, ""latitude"": 52.5155, ""longitude"": 13.4062, ""timeZone"": ""Europe/Berlin"", ""continentName"": ""Europe"", ""continentCode"": ""EU"", ""countryName"": ""Germany"", ""countryIsoCode"": ""DE"", ""subdivisionName"": ""Land Berlin"", ""subdivisionIsoCode"": ""BE"", ""postalCode"": ""10317"", ""asn"": 6724, ""asnOrganization"": ""Strato AG"", ""isp"": ""Strato AG"", ""organization"": ""Strato AG"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.klosterbraeu-unterliezheim.com"", ""data_1"": ""www.klosterbraeu-unterliezheim.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""172.241.173.228"", ""lookupOn"": 1684173713695, ""latitude"": 40.7214, ""longitude"": -73.7431, ""metroCode"": 501, ""timeZone"": ""America/New_York"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""New York"", ""subdivisionIsoCode"": ""NY"", ""postalCode"": ""11428"", ""asn"": 15003, ""asnOrganization"": ""Nobis Technology Group, LLC"", ""isp"": ""Nobis Technology Group, LLC"", ""organization"": ""Nobis Technology Group, LLC"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.hongmeiyan.com/m82/"", ""data_1"": { ""url"": ""http://www.hongmeiyan.com/m82/"", ""domain"": ""hongmeiyan.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.hongmeiyan.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""72.1.32.168"", ""lookupOn"": 1684173681390, ""latitude"": 32.7153, ""longitude"": -117.1573, ""metroCode"": 825, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""92150"", ""asn"": 10732, ""asnOrganization"": ""TierraNet Inc."", ""isp"": ""TierraNet"", ""organization"": ""TierraNet"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.brazimaid.com/m82/"", ""data_1"": { ""url"": ""http://www.brazimaid.com/m82/"", ""domain"": ""brazimaid.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.brazimaid.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""199.15.163.128"", ""lookupOn"": 1684173681672, ""latitude"": 34.1006, ""longitude"": -118.3275, ""metroCode"": 803, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""90028"", ""isp"": ""DeviantArt"", ""organization"": ""DeviantArt"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.power-bank.co.uk/m82/"", ""data_1"": { ""url"": ""http://www.power-bank.co.uk/m82/"", ""domain"": ""power-bank.co.uk"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.power-bank.co.uk"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""172.67.222.126"", ""lookupOn"": 1684173650812, ""latitude"": 37.7697, ""longitude"": -122.3933, ""metroCode"": 807, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""94107"", ""isp"": ""CloudFlare"", ""organization"": ""CloudFlare"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.hjddbb.com"", ""data_1"": ""www.hjddbb.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""172.67.130.165"", ""lookupOn"": 1684173713823, ""latitude"": 37.7697, ""longitude"": -122.3933, ""metroCode"": 807, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""94107"", ""isp"": ""CloudFlare"", ""organization"": ""CloudFlare"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.baumanbilliardsnv.com"", ""data_1"": ""www.baumanbilliardsnv.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""198.54.117.211"", ""lookupOn"": 1684173650796, ""latitude"": 34.0355, ""longitude"": -118.4298, ""metroCode"": 803, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""90064"", ""asn"": 22612, ""asnOrganization"": ""Namecheap, Inc."", ""isp"": ""Namecheap"", ""organization"": ""Namecheap"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.exitsategy.com"", ""data_1"": ""www.exitsategy.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""198.49.23.145"", ""lookupOn"": 1684173616237, ""latitude"": 40.7214, ""longitude"": -74.0052, ""metroCode"": 501, ""timeZone"": ""America/New_York"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""New York"", ""subdivisionIsoCode"": ""NY"", ""postalCode"": ""10013"", ""asn"": 53831, ""asnOrganization"": ""Squarespace, Inc."", ""isp"": ""Squarespace"", ""organization"": ""Squarespace"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.jamesdevereux.com/m82/"", ""data_1"": { ""url"": ""http://www.jamesdevereux.com/m82/"", ""domain"": ""jamesdevereux.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.jamesdevereux.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.ctjh9u8e.vip/m82/"", ""data_1"": { ""url"": ""http://www.ctjh9u8e.vip/m82/"", ""domain"": ""ctjh9u8e.vip"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.ctjh9u8e.vip"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""3.64.163.50"", ""lookupOn"": 1684173582778, ""latitude"": 41.1412, ""longitude"": -73.2637, ""metroCode"": 501, ""timeZone"": ""America/New_York"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""Connecticut"", ""subdivisionIsoCode"": ""CT"", ""postalCode"": ""06828"", ""isp"": ""General Electric Company"", ""organization"": ""General Electric Company"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.alphabet1x.com"", ""data_1"": ""www.alphabet1x.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.xn--oy2b27nt6b.net"", ""data_1"": ""www.xn--oy2b27nt6b.net"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""156.241.129.24"", ""lookupOn"": 1684173616191, ""latitude"": -26.2309, ""longitude"": 28.0583, ""timeZone"": ""Africa/Johannesburg"", ""continentName"": ""Africa"", ""continentCode"": ""AF"", ""countryName"": ""South Africa"", ""countryIsoCode"": ""ZA"", ""subdivisionName"": ""Gauteng"", ""subdivisionIsoCode"": ""GT"", ""postalCode"": ""2000"", ""asn"": 37353, ""asnOrganization"": ""MacroLAN"", ""isp"": ""MacroLAN"", ""organization"": ""MacroLAN"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.bestcp.net"", ""data_1"": ""www.bestcp.net"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""198.54.117.217"", ""lookupOn"": 1684173616636, ""latitude"": 34.0355, ""longitude"": -118.4298, ""metroCode"": 803, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""90064"", ""asn"": 22612, ""asnOrganization"": ""Namecheap, Inc."", ""isp"": ""Namecheap"", ""organization"": ""Namecheap"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.exitsategy.com/m82/"", ""data_1"": { ""url"": ""http://www.exitsategy.com/m82/"", ""domain"": ""exitsategy.com"", ""path"": ""/m82/"", ""protocol"": ""http"", 
""host"": ""www.exitsategy.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.xn--oy2b27nt6b.net/m82/"", ""data_1"": { ""url"": ""http://www.xn--oy2b27nt6b.net/m82/"", ""domain"": ""xn--oy2b27nt6b.net"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.xn--oy2b27nt6b.net"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.ctjh9u8e.vip"", ""data_1"": ""www.ctjh9u8e.vip"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""62.244.31.245"", ""lookupOn"": 1684173681773, ""latitude"": 50.4333, ""longitude"": 30.5167, ""timeZone"": ""Europe/Kiev"", ""continentName"": ""Europe"", ""continentCode"": ""EU"", ""countryName"": ""Ukraine"", ""countryIsoCode"": ""UA"", ""subdivisionName"": ""Kyiv City"", ""subdivisionIsoCode"": ""30"", ""asn"": 3254, ""asnOrganization"": ""Lucky Net Ltd"", ""isp"": ""Lucky Net Ltd"", ""organization"": ""Lucky Net Ltd"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.happyhousegarment.com/m82/"", ""data_1"": { ""url"": ""http://www.happyhousegarment.com/m82/"", ""domain"": ""happyhousegarment.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.happyhousegarment.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""160.124.149.66"", ""lookupOn"": 1684173661222, ""latitude"": -25.7597, ""longitude"": 28.2651, ""timeZone"": ""Africa/Johannesburg"", ""continentName"": ""Africa"", ""continentCode"": ""AF"", ""countryName"": ""South Africa"", ""countryIsoCode"": ""ZA"", ""subdivisionName"": ""Gauteng"", ""subdivisionIsoCode"": ""GT"", ""postalCode"": ""0173"", ""asn"": 6083, ""asnOrganization"": ""POSIX-AFRICA"", ""isp"": ""Posix-africa"", ""organization"": ""Posix-africa"" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.austinrelocationexpert.com"", ""data_1"": ""www.austinrelocationexpert.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""172.67.130.165"", ""lookupOn"": 1684173713823, ""latitude"": 37.7697, ""longitude"": -122.3933, ""metroCode"": 807, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""94107"", ""isp"": ""CloudFlare"", ""organization"": ""CloudFlare"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.baumanbilliardsnv.com/m82/"", ""data_1"": { ""url"": ""http://www.baumanbilliardsnv.com/m82/"", ""domain"": ""baumanbilliardsnv.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.baumanbilliardsnv.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.greatharmony.africa"", ""data_1"": ""www.greatharmony.africa"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.chochonux.com"", ""data_1"": ""www.chochonux.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Moderate"", ""ipDetail"": { ""ip"": ""103.17.9.208"", ""lookupOn"": 1684173619794, ""latitude"": 25.0418, ""longitude"": 121.4966, ""timeZone"": ""Asia/Taipei"", ""continentName"": ""Asia"", ""continentCode"": ""AS"", ""countryName"": ""Taiwan"", ""countryIsoCode"": ""TW"", ""asn"": 131149, ""asnOrganization"": ""Yuan-Jhen Info., Co., Ltd"", ""isp"": ""Yuan-Jhen Info., Co."", ""organization"": ""Yuan-Jhen Info., Co."" }, ""confidence"": 100, ""blockType"": ""Domain Name"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""www.danhaii.com"", ""data_1"": ""www.danhaii.com"" }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.heatbling.com/m82/"", ""data_1"": { ""url"": ""http://www.heatbling.com/m82/"", ""domain"": ""heatbling.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.heatbling.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""172.67.172.16"", ""lookupOn"": 1684173594306, ""latitude"": 37.7697, ""longitude"": -122.3933, ""metroCode"": 807, ""timeZone"": ""America/Los_Angeles"", ""continentName"": ""North America"", ""continentCode"": ""NA"", ""countryName"": ""United States"", ""countryIsoCode"": ""US"", ""subdivisionName"": ""California"", ""subdivisionIsoCode"": ""CA"", ""postalCode"": ""94107"", ""isp"": ""CloudFlare"", ""organization"": ""CloudFlare"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.cassino-portugal.com/m82/"", ""data_1"": { ""url"": ""http://www.cassino-portugal.com/m82/"", ""domain"": ""cassino-portugal.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.cassino-portugal.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.compassandpathwriting.com/m82/"", ""data_1"": { ""url"": ""http://www.compassandpathwriting.com/m82/"", ""domain"": ""compassandpathwriting.com"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.compassandpathwriting.com"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications."" }, ""impact"": ""Major"", ""ipDetail"": { ""ip"": ""217.160.0.219"", ""lookupOn"": 1684173713315, ""latitude"": 52.5285, ""longitude"": 13.4109, ""timeZone"": ""Europe/Berlin"", ""continentName"": ""Europe"", ""continentCode"": ""EU"", ""countryName"": ""Germany"", ""countryIsoCode"": ""DE"", ""subdivisionName"": ""Land Berlin"", ""subdivisionIsoCode"": ""BE"", ""postalCode"": ""10119"", ""asn"": 8560, ""asnOrganization"": ""1&1 Internet SE"", ""isp"": ""1&1 Internet AG"", ""organization"": ""1&1 Internet AG"" }, ""confidence"": 100, ""blockType"": ""URL"", ""role"": ""C2"", ""roleDescription"": ""Command and control location used by malware"", ""data"": ""http://www.hausmeisterservice-berlin.net/m82/"", ""data_1"": { ""url"": ""http://www.hausmeisterservice-berlin.net/m82/"", ""domain"": ""hausmeisterservice-berlin.net"", ""path"": ""/m82/"", ""protocol"": ""http"", ""host"": ""www.hausmeisterservice-berlin.net"" } }, { ""malwareFamily"": { ""familyName"": ""FormBook"", ""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""vendorDetections"": [],""fileName"": ""PI.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""3c5bcd6427bdec6f9dc27f22123322a3"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""RE: Revise PI""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684173569692,1684173567787,Finance - FormBook,Finance-themed emails deliver FormBook.,TRUE,https://www.threathq.com/api/l/activethreatreport/322141/html,https://www.threathq.com/apiv1/t3/malware/322141/html,https://www.threathq.com/p42/search/default?m=322141,[],"[{""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322141/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322141/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",321832,"[{""id"": 23,""permissions"": {""WRITE"": false,""READ"": true,""OWNER"": false},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.1.144"",""lookupOn"": 1683556242692,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://5753f48eb66f4d06cd0e063985ca5048.ctres.sbs/"",""data_1"": {""url"": ""http://5753f48eb66f4d06cd0e063985ca5048.ctres.sbs/"",""domain"": ""ctres.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""5753f48eb66f4d06cd0e063985ca5048.ctres.sbs""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.112.71"",""lookupOn"": 1683556242639,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": 
""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://www.nterf.sbs"",""data_1"": {""url"": ""http://www.nterf.sbs"",""domain"": ""nterf.sbs"",""path"": """",""protocol"": ""http"",""host"": ""www.nterf.sbs""}}]","[{""totalCount"": 1,""brand"": {""id"": 1954,""text"": ""China Union Pay""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 1,""subject"": ""2023年第二季度个人劳动补贴申领-详情查看附件""}]","[{""languageDefinition"": {""isoCode"": ""zh-cs"",""name"": ""Chinese (Simplified)"",""cultureCode"": ""0x0004""}}]",[],1685017565289,1683816881254,Credential Phishing,Email campaign that delivers credential phishing URLs,TRUE,https://www.threathq.com/api/l/activethreatreport/321832/html,https://www.threathq.com/apiv1/t3/malware/321832/html,https://www.threathq.com/p42/search/default?m=321832,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,"[{""segName"": ""Outlook 365""},{""segName"": ""Proofpoint Hosted""}]","[{""label"": ""Securities, Commodity Contracts, and Other Financial Investments and Related Activities"",""code"": 523}]",https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321832/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321832/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",321836,"[{""id"": 23,""permissions"": {""WRITE"": false,""READ"": true,""OWNER"": false},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.1.144"",""lookupOn"": 1683556242692,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": 
""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://0168b654a8457045e7c10361a5eb380e.bwyre.sbs/"",""data_1"": {""url"": ""http://0168b654a8457045e7c10361a5eb380e.bwyre.sbs/"",""domain"": ""bwyre.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""0168b654a8457045e7c10361a5eb380e.bwyre.sbs""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.112.71"",""lookupOn"": 1683556242639,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://www.mruwf.sbs/"",""data_1"": {""url"": ""http://www.mruwf.sbs/"",""domain"": ""mruwf.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""www.mruwf.sbs""}}]","[{""totalCount"": 1,""brand"": {""id"": 1954,""text"": ""China Union Pay""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 1,""subject"": ""薪资资料补充!""}]","[{""languageDefinition"": {""isoCode"": ""zh-cs"",""name"": ""Chinese (Simplified)"",""cultureCode"": ""0x0004""}}]",[],1685017581048,1683816995246,Credential Phishing,Email campaign that delivers credential phishing 
URLs,TRUE,https://www.threathq.com/api/l/activethreatreport/321836/html,https://www.threathq.com/apiv1/t3/malware/321836/html,https://www.threathq.com/p42/search/default?m=321836,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,"[{""segName"": ""Microsoft O365""}]","[{""label"": ""Oil and Gas Extraction"",""code"": 211}]",https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321836/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321836/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",321838,"[{""id"": 23,""permissions"": {""WRITE"": false,""READ"": true,""OWNER"": false},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.155.108.39"",""lookupOn"": 1683639642657,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://ac2f54bc04de450d6e7ce231114ac45e.etate.sbs/pc.html"",""data_1"": {""url"": ""http://ac2f54bc04de450d6e7ce231114ac45e.etate.sbs/pc.html"",""domain"": ""etate.sbs"",""path"": ""/pc.html"",""protocol"": ""http"",""host"": ""ac2f54bc04de450d6e7ce231114ac45e.etate.sbs""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.220.114"",""lookupOn"": 1683638743428,""latitude"": 
35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://www.iuyhj.sbs/"",""data_1"": {""url"": ""http://www.iuyhj.sbs/"",""domain"": ""iuyhj.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""www.iuyhj.sbs""}}]","[{""totalCount"": 1,""brand"": {""id"": 1954,""text"": ""China Union Pay""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 1,""subject"": ""季度二补助已下发至个人""}]","[{""languageDefinition"": {""isoCode"": ""zh-cs"",""name"": ""Chinese (Simplified)"",""cultureCode"": ""0x0004""}}]",[],1685017598831,1683817056578,Credential Phishing,Email campaign that delivers credential phishing URLs,TRUE,https://www.threathq.com/api/l/activethreatreport/321838/html,https://www.threathq.com/apiv1/t3/malware/321838/html,https://www.threathq.com/p42/search/default?m=321838,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,"[{""segName"": ""Outlook 365""},{""segName"": ""Proofpoint Hosted""}]","[{""label"": ""Securities, Commodity Contracts, and Other Financial Investments and Related Activities"",""code"": 523}]",https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321838/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321838/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",321910,"[{""id"": 23,""permissions"": {""WRITE"": false,""READ"": true,""OWNER"": false},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An 
instance of credential phishing""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://www.iuyhi.sbs"",""data_1"": {""url"": ""http://www.iuyhi.sbs"",""domain"": ""iuyhi.sbs"",""path"": """",""protocol"": ""http"",""host"": ""www.iuyhi.sbs""}}]","[{""totalCount"": 1,""brand"": {""id"": 1954,""text"": ""China Union Pay""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 1,""subject"": ""季度二补助已下发至个人""}]","[{""languageDefinition"": {""isoCode"": ""zh-cs"",""name"": ""Chinese (Simplified)"",""cultureCode"": ""0x0004""}}]",[],1685017629264,1683824498045,Credential Phishing,Email campaign that delivers credential phishing URLs,TRUE,https://www.threathq.com/api/l/activethreatreport/321910/html,https://www.threathq.com/apiv1/t3/malware/321910/html,https://www.threathq.com/p42/search/default?m=321910,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,"[{""segName"": ""Outlook 365""},{""segName"": ""Proofpoint Hosted""}]","[{""label"": ""Real Estate"",""code"": 531}]",https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321910/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321910/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",321753,"[{""id"": 23,""permissions"": {""WRITE"": false,""READ"": true,""OWNER"": false},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.220.114"",""lookupOn"": 1683638743428,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": 
""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://www.iuyhj.sbs/"",""data_1"": {""url"": ""http://www.iuyhj.sbs/"",""domain"": ""iuyhj.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""www.iuyhj.sbs""}}]","[{""totalCount"": 1,""brand"": {""id"": 1954,""text"": ""China Union Pay""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 1,""subject"": ""季度二补助已下发至个人""}]","[{""languageDefinition"": {""isoCode"": ""zh-cs"",""name"": ""Chinese (Simplified)"",""cultureCode"": ""0x0004""}}]",[],1685017531989,1683809268419,Credential Phishing,Email campaign that delivers credential phishing URLs,TRUE,https://www.threathq.com/api/l/activethreatreport/321753/html,https://www.threathq.com/apiv1/t3/malware/321753/html,https://www.threathq.com/p42/search/default?m=321753,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,"[{""segName"": ""Unknown""}]",[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321753/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321753/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",322139,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""149.154.167.220"",""lookupOn"": 1684166382699,""latitude"": 51.4964,""longitude"": -0.1224,""timeZone"": ""Europe/London"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""United Kingdom"",""countryIsoCode"": ""GB"",""asn"": 62041,""asnOrganization"": ""Telegram Messenger LLP"",""isp"": ""LLC Globalnet"",""organization"": ""Telegram Messenger Network""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""https://api.telegram.org/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/"",""data_1"": {""url"": ""https://api.telegram.org/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/"",""domain"": ""telegram.org"",""path"": ""/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/"",""protocol"": ""https"",""host"": ""api.telegram.org""}}]","[{""totalCount"": 1,""brand"": {""id"": 685,""text"": ""DHL""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""vendorDetections"": [],""fileName"": ""AWB DHL DOCUMENTS_419.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""4f60b5c28326ac01e7d4222df9527620"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""DHL Express Shipment Confirmation""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684170781338,1684170780025,Shipping - Agent Tesla Keylogger,DHL-spoofing emails deliver Agent Tesla Keylogger.,TRUE,https://www.threathq.com/api/l/activethreatreport/322139/html,https://www.threathq.com/apiv1/t3/malware/322139/html,https://www.threathq.com/p42/search/default?m=322139,[],"[{""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322139/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322139/pdf,Malware_Data_CL +"5/29/2023, 8:27:53 AM",321885,"[{""id"": 23,""permissions"": {""WRITE"": false,""READ"": true,""OWNER"": false},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.154.220.114"",""lookupOn"": 1683638743428,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": 
""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://www.iuyhj.sbs/"",""data_1"": {""url"": ""http://www.iuyhj.sbs/"",""domain"": ""iuyhj.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""www.iuyhj.sbs""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""43.155.108.39"",""lookupOn"": 1683639642657,""latitude"": 35.6427,""longitude"": 139.7677,""timeZone"": ""Asia/Tokyo"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Japan"",""countryIsoCode"": ""JP"",""subdivisionName"": ""Tokyo"",""subdivisionIsoCode"": ""13"",""postalCode"": ""100-0001"",""isp"": ""Chiyoda-ku"",""organization"": ""Chiyoda-ku""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""data"": ""http://d79a70e87467f8f1f1cc14ed708e08ea.etate.sbs/"",""data_1"": {""url"": ""http://d79a70e87467f8f1f1cc14ed708e08ea.etate.sbs/"",""domain"": ""etate.sbs"",""path"": ""/"",""protocol"": ""http"",""host"": ""d79a70e87467f8f1f1cc14ed708e08ea.etate.sbs""}}]","[{""totalCount"": 1,""brand"": {""id"": 1954,""text"": ""China Union Pay""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 1,""subject"": ""季度二补助已下发至个人""}]","[{""languageDefinition"": {""isoCode"": ""zh-cs"",""name"": ""Chinese (Simplified)"",""cultureCode"": ""0x0004""}}]",[],1685017614949,1683820760116,Credential Phishing,Email campaign that delivers credential phishing URLs,TRUE,https://www.threathq.com/api/l/activethreatreport/321885/html,https://www.threathq.com/apiv1/t3/malware/321885/html,https://www.threathq.com/p42/search/default?m=321885,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,"[{""segName"": ""Outlook 365""}]","[{""label"": 
""Manufacturing"",""code"": 31}]",https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321885/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/321885/pdf,Malware_Data_CL +"5/29/2023, 8:27:59 AM",322148,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""107.148.139.225"",""lookupOn"": 1684173810780,""latitude"": 37.3387,""longitude"": -121.8914,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""95113"",""asn"": 54600,""asnOrganization"": ""PEG TECH INC"",""isp"": ""Peg Tech"",""organization"": ""Peg Tech""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.bl-fakel.com"",""data_1"": ""www.bl-fakel.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""38.54.177.111"",""lookupOn"": 1684173735457,""latitude"": 37.751,""longitude"": -97.822,""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""asn"": 174,""asnOrganization"": ""Cogent Communications"",""isp"": ""Cogent Communications"",""organization"": ""Cogent Communications""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.kohakucho.net/bb27/"",""data_1"": {""url"": ""http://www.kohakucho.net/bb27/"",""domain"": ""kohakucho.net"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.kohakucho.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""31.207.33.122"",""lookupOn"": 1684173866250,""latitude"": 46.1417,""longitude"": -0.2218,""timeZone"": ""Europe/Paris"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""France"",""countryIsoCode"": ""FR"",""asn"": 16347,""asnOrganization"": ""ADISTA SAS"",""isp"": ""Ligne Web Services EURL"",""organization"": ""Ligne Web Services EURL""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.destockplaza.com"",""data_1"": ""www.destockplaza.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""23.227.38.74"",""lookupOn"": 1684173527995,""latitude"": 45.4166,""longitude"": -75.6904,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""postalCode"": ""K2P"",""asn"": 62679,""asnOrganization"": ""Shopify, Inc."",""isp"": ""Shopify"",""organization"": ""Shopify""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.czaos.com/bb27/"",""data_1"": {""url"": ""http://www.czaos.com/bb27/"",""domain"": ""czaos.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.czaos.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.wildhartbranding.africa/bb27/"",""data_1"": {""url"": ""http://www.wildhartbranding.africa/bb27/"",""domain"": ""wildhartbranding.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.wildhartbranding.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""50.116.93.86"",""lookupOn"": 1684173855273,""latitude"": 29.8301,""longitude"": -95.4739,""metroCode"": 618,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""77092"",""asn"": 20013,""asnOrganization"": ""CyrusOne LLC"",""isp"": ""Websitewelcome.com"",""organization"": ""CyrusOne LLC""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.decoracioneskyr.com"",""data_1"": ""www.decoracioneskyr.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""156.235.134.214"",""lookupOn"": 1684173834384,""latitude"": 37.751,""longitude"": -97.822,""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""asn"": 35916,""asnOrganization"": ""MULTACOM CORPORATION"",""isp"": ""Multacom Corporation"",""organization"": ""Multacom Corporation""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.qy-zh.net"",""data_1"": ""www.qy-zh.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.fastloans.africa/bb27/"",""data_1"": {""url"": ""http://www.fastloans.africa/bb27/"",""domain"": ""fastloans.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.fastloans.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""209.141.38.71"",""lookupOn"": 1684173821366,""latitude"": 36.175,""longitude"": -115.1372,""metroCode"": 839,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Nevada"",""subdivisionIsoCode"": ""NV"",""postalCode"": ""89101"",""asn"": 53667,""asnOrganization"": ""FranTech Solutions"",""isp"": ""FranTech Solutions"",""organization"": ""FranTech Solutions""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.herbal-nutrition.uk"",""data_1"": ""www.herbal-nutrition.uk""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""198.54.117.211"",""lookupOn"": 1684173650796,""latitude"": 34.0355,""longitude"": -118.4298,""metroCode"": 803,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""90064"",""asn"": 22612,""asnOrganization"": ""Namecheap, Inc."",""isp"": ""Namecheap"",""organization"": ""Namecheap""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.lifestyleisrael.com/bb27/"",""data_1"": {""url"": ""http://www.lifestyleisrael.com/bb27/"",""domain"": ""lifestyleisrael.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.lifestyleisrael.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""192.254.234.51"",""lookupOn"": 1684173833281,""latitude"": 29.8301,""longitude"": -95.4739,""metroCode"": 618,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""77092"",""asn"": 46606,""asnOrganization"": ""Unified Layer"",""isp"": ""Websitewelcome.com"",""organization"": ""Unified Layer""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.kalidaddigifirm.com"",""data_1"": ""www.kalidaddigifirm.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.flezibuy.africa/bb27/"",""data_1"": {""url"": ""http://www.flezibuy.africa/bb27/"",""domain"": ""flezibuy.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.flezibuy.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""3.33.152.147"",""lookupOn"": 1684173855362,""latitude"": 41.1412,""longitude"": -73.2637,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Connecticut"",""subdivisionIsoCode"": ""CT"",""postalCode"": ""06828"",""isp"": ""General Electric Company"",""organization"": ""General Electric Company""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.theguttercleaningservice.com"",""data_1"": ""www.theguttercleaningservice.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.darkdefender.club"",""data_1"": ""www.darkdefender.club""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""23.227.38.74"",""lookupOn"": 1684173527995,""latitude"": 45.4166,""longitude"": -75.6904,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""postalCode"": ""K2P"",""asn"": 62679,""asnOrganization"": ""Shopify, Inc."",""isp"": ""Shopify"",""organization"": ""Shopify""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.humiflares.com"",""data_1"": ""www.humiflares.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""69.10.36.99"",""lookupOn"": 1684173758387,""latitude"": 40.7801,""longitude"": -74.0633,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""New Jersey"",""subdivisionIsoCode"": ""NJ"",""postalCode"": ""07094"",""asn"": 19318,""asnOrganization"": ""NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC"",""isp"": ""Interserver"",""organization"": ""Interserver""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.binarytradefx.com/bb27/"",""data_1"": {""url"": ""http://www.binarytradefx.com/bb27/"",""domain"": ""binarytradefx.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": 
""www.binarytradefx.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.ctjhcu8.vip"",""data_1"": ""www.ctjhcu8.vip""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""156.241.129.244"",""lookupOn"": 1684173747803,""latitude"": -26.2309,""longitude"": 28.0583,""timeZone"": ""Africa/Johannesburg"",""continentName"": ""Africa"",""continentCode"": ""AF"",""countryName"": ""South Africa"",""countryIsoCode"": ""ZA"",""subdivisionName"": ""Gauteng"",""subdivisionIsoCode"": ""GT"",""postalCode"": ""2000"",""asn"": 37353,""asnOrganization"": ""MacroLAN"",""isp"": ""MacroLAN"",""organization"": ""MacroLAN""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.longtengry.net/bb27/"",""data_1"": {""url"": ""http://www.longtengry.net/bb27/"",""domain"": ""longtengry.net"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.longtengry.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.yourtree.africa/bb27/"",""data_1"": {""url"": ""http://www.yourtree.africa/bb27/"",""domain"": ""yourtree.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.yourtree.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""104.21.18.131"",""lookupOn"": 1684173821154,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""asn"": 13335,""asnOrganization"": ""CloudFlare"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.pipeops.app"",""data_1"": ""www.pipeops.app""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.californiatribes.info/bb27/"",""data_1"": {""url"": ""http://www.californiatribes.info/bb27/"",""domain"": ""californiatribes.info"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.californiatribes.info""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.yourtree.africa"",""data_1"": ""www.yourtree.africa""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.illuminwellness.com"",""data_1"": ""www.illuminwellness.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.ebctec.net"",""data_1"": ""www.ebctec.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""117.50.172.191"",""lookupOn"": 1684173789376,""latitude"": 43.88,""longitude"": 125.3228,""timeZone"": ""Asia/Shanghai"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""China"",""countryIsoCode"": ""CN"",""subdivisionName"": ""Jilin"",""subdivisionIsoCode"": ""22"",""isp"": ""Jilin Gosun Technology Co."",""organization"": ""Jilin Gosun Technology Co.""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.fmgy.love/bb27/"",""data_1"": {""url"": ""http://www.fmgy.love/bb27/"",""domain"": ""fmgy.love"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.fmgy.love""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""142.251.33.115"",""lookupOn"": 1684173810300,""latitude"": 37.4192,""longitude"": -122.0574,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94043"",""asn"": 15169,""asnOrganization"": ""Google Inc."",""isp"": ""Google"",""organization"": ""Google""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.slatevehicles.net"",""data_1"": ""www.slatevehicles.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.wildhartbranding.africa"",""data_1"": ""www.wildhartbranding.africa""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""192.254.234.51"",""lookupOn"": 1684173833281,""latitude"": 29.8301,""longitude"": -95.4739,""metroCode"": 618,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""77092"",""asn"": 46606,""asnOrganization"": ""Unified Layer"",""isp"": ""Websitewelcome.com"",""organization"": ""Unified Layer""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.kalidaddigifirm.com/bb27/"",""data_1"": {""url"": ""http://www.kalidaddigifirm.com/bb27/"",""domain"": ""kalidaddigifirm.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.kalidaddigifirm.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""217.70.184.50"",""lookupOn"": 1684173747375,""latitude"": 48.8582,""longitude"": 2.3387,""timeZone"": ""Europe/Paris"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""France"",""countryIsoCode"": ""FR"",""asn"": 29169,""asnOrganization"": ""GANDI SAS"",""isp"": ""GANDI SAS"",""organization"": ""GANDI SAS""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.apr360.info/bb27/"",""data_1"": {""url"": ""http://www.apr360.info/bb27/"",""domain"": ""apr360.info"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.apr360.info""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""154.39.239.118"",""lookupOn"": 1684173844897,""latitude"": 37.751,""longitude"": -97.822,""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""asn"": 174,""asnOrganization"": ""Cogent Communications"",""isp"": ""Cogent Communications"",""organization"": ""Cogent Communications""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.deer-bit.com"",""data_1"": ""www.deer-bit.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""199.59.243.223"",""lookupOn"": 1684173734137,""latitude"": 40.7391,""longitude"": -73.9826,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""New York"",""subdivisionIsoCode"": ""NY"",""postalCode"": ""10010"",""asn"": 53665,""asnOrganization"": ""Bodis, LLC"",""isp"": ""Bodis, LLC"",""organization"": ""Bodis, LLC""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.californialivingbenifits.com/bb27/"",""data_1"": {""url"": ""http://www.californialivingbenifits.com/bb27/"",""domain"": ""californialivingbenifits.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.californialivingbenifits.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.ctjhcu8.vip/bb27/"",""data_1"": {""url"": ""http://www.ctjhcu8.vip/bb27/"",""domain"": ""ctjhcu8.vip"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.ctjhcu8.vip""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.igogo.africa/bb27/"",""data_1"": {""url"": ""http://www.igogo.africa/bb27/"",""domain"": ""igogo.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.igogo.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.juyjuy9.club"",""data_1"": ""www.juyjuy9.club""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.illuminwellness.com/bb27/"",""data_1"": {""url"": ""http://www.illuminwellness.com/bb27/"",""domain"": ""illuminwellness.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.illuminwellness.com""}","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""vendorDetections"": [],""fileName"": ""fBdjlGMFMSWy49.bin"",""type"": ""Download"",""dateEntered"": 1684173530805,""severityLevel"": ""Major"",""md5Hex"": ""9db73b411c0fad6a6ab61cb9b54bf6f8"",""fileNameExtension"": ""bin""},{""deliveryMechanism"": {""mechanismName"": ""DotNET Loader"",""description"": ""An obfuscated DotNET (or .NET) executable used for downloading, unpacking, or decompressing and subsequently executing malware. DotNET Loaders may have the ability to call out to a C2.""},""vendorDetections"": [],""fileName"": ""LV-700317.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""0616aa1c76c5df2d2b8e53d966afc790"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""SWIFT NOTICE - LV700317""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684173550887,1684173548947,"Finance - DotNETLoader, FormBook",Finance-themed emails deliver FormBook via DotNETLoader.,TRUE,https://www.threathq.com/api/l/activethreatreport/322148/html,https://www.threathq.com/apiv1/t3/malware/322148/html,https://www.threathq.com/p42/search/default?m=322148,"[{""mechanismName"": ""DotNET Loader"",""description"": ""An obfuscated DotNET (or .NET) executable used for downloading, unpacking, or decompressing and subsequently executing malware. DotNET Loaders may have the ability to call out to a C2.""}]","[{""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322148/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322148/pdf,Malware_Data_CL
+"5/29/2023, 8:27:59 AM",322142,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""5.2.85.31"",""lookupOn"": 1684173583539,""latitude"": 41.0214,""longitude"": 28.9948,""timeZone"": ""Europe/Istanbul"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Turkey"",""countryIsoCode"": ""TR"",""asn"": 3188,""asnOrganization"": ""Alastyr Telekomunikasyon A.S."",""isp"": ""Alastyr Telekomunikasyon A.S."",""organization"": ""Alastyr Telekomunikasyon A.S.""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.bronzesailing.com"",""data_1"": ""www.bronzesailing.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.ebcbank.net/m82/"",""data_1"": {""url"": ""http://www.ebcbank.net/m82/"",""domain"": ""ebcbank.net"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.ebcbank.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.let-travel.africa/m82/"",""data_1"": {""url"": ""http://www.let-travel.africa/m82/"",""domain"": ""let-travel.africa"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.let-travel.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""198.185.159.144"",""lookupOn"": 1684173713930,""latitude"": 40.509,""longitude"": -75.4471,""metroCode"": 504,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Pennsylvania"",""subdivisionIsoCode"": ""PA"",""postalCode"": ""18060"",""asn"": 53831,""asnOrganization"": ""Squarespace, Inc."",""isp"": ""Squarespace"",""organization"": ""Squarespace""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.jamesdevereux.com"",""data_1"": ""www.jamesdevereux.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""35.227.197.36"",""lookupOn"": 1683904728865,""latitude"": 42.2734,""longitude"": -83.7133,""metroCode"": 505,""timeZone"": ""America/Detroit"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Michigan"",""subdivisionIsoCode"": ""MI"",""postalCode"": ""48104"",""isp"": ""Merit Network"",""organization"": ""Merit Network""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.selfcleaninghairbrush.co.uk"",""data_1"": ""www.selfcleaninghairbrush.co.uk""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""104.21.46.181"",""lookupOn"": 1684173661276,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""asn"": 13335,""asnOrganization"": ""CloudFlare"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.kickskaart.com/m82/"",""data_1"": {""url"": ""http://www.kickskaart.com/m82/"",""domain"": ""kickskaart.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.kickskaart.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""23.227.38.74"",""lookupOn"": 1684173527995,""latitude"": 45.4166,""longitude"": -75.6904,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""postalCode"": ""K2P"",""asn"": 62679,""asnOrganization"": ""Shopify, Inc."",""isp"": ""Shopify"",""organization"": ""Shopify""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.illubio.com/m82/"",""data_1"": {""url"": ""http://www.illubio.com/m82/"",""domain"": ""illubio.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.illubio.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""81.169.145.159"",""lookupOn"": 1684173583789,""latitude"": 52.5155,""longitude"": 13.4062,""timeZone"": ""Europe/Berlin"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""Germany"",""countryIsoCode"": ""DE"",""subdivisionName"": ""Land Berlin"",""subdivisionIsoCode"": ""BE"",""postalCode"": ""10317"",""asn"": 6724,""asnOrganization"": ""Strato AG"",""isp"": ""Strato AG"",""organization"": ""Strato AG""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.klosterbraeu-unterliezheim.com"",""data_1"": ""www.klosterbraeu-unterliezheim.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""172.241.173.228"",""lookupOn"": 1684173713695,""latitude"": 40.7214,""longitude"": -73.7431,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""New York"",""subdivisionIsoCode"": ""NY"",""postalCode"": ""11428"",""asn"": 15003,""asnOrganization"": ""Nobis Technology Group, LLC"",""isp"": ""Nobis Technology Group, LLC"",""organization"": ""Nobis Technology Group, LLC""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.hongmeiyan.com/m82/"",""data_1"": {""url"": ""http://www.hongmeiyan.com/m82/"",""domain"": ""hongmeiyan.com"",""path"": 
""/m82/"",""protocol"": ""http"",""host"": ""www.hongmeiyan.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""72.1.32.168"",""lookupOn"": 1684173681390,""latitude"": 32.7153,""longitude"": -117.1573,""metroCode"": 825,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""92150"",""asn"": 10732,""asnOrganization"": ""TierraNet Inc."",""isp"": ""TierraNet"",""organization"": ""TierraNet""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.brazimaid.com/m82/"",""data_1"": {""url"": ""http://www.brazimaid.com/m82/"",""domain"": ""brazimaid.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.brazimaid.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""199.15.163.128"",""lookupOn"": 1684173681672,""latitude"": 34.1006,""longitude"": -118.3275,""metroCode"": 803,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""90028"",""isp"": ""DeviantArt"",""organization"": ""DeviantArt""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.power-bank.co.uk/m82/"",""data_1"": {""url"": ""http://www.power-bank.co.uk/m82/"",""domain"": ""power-bank.co.uk"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.power-bank.co.uk""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""172.67.222.126"",""lookupOn"": 1684173650812,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.hjddbb.com"",""data_1"": ""www.hjddbb.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""172.67.130.165"",""lookupOn"": 1684173713823,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.baumanbilliardsnv.com"",""data_1"": ""www.baumanbilliardsnv.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""198.54.117.211"",""lookupOn"": 1684173650796,""latitude"": 34.0355,""longitude"": -118.4298,""metroCode"": 803,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""90064"",""asn"": 22612,""asnOrganization"": ""Namecheap, Inc."",""isp"": ""Namecheap"",""organization"": ""Namecheap""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.exitsategy.com"",""data_1"": ""www.exitsategy.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""198.49.23.145"",""lookupOn"": 1684173616237,""latitude"": 40.7214,""longitude"": -74.0052,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""New York"",""subdivisionIsoCode"": ""NY"",""postalCode"": ""10013"",""asn"": 53831,""asnOrganization"": ""Squarespace, Inc."",""isp"": ""Squarespace"",""organization"": ""Squarespace""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.jamesdevereux.com/m82/"",""data_1"": {""url"": ""http://www.jamesdevereux.com/m82/"",""domain"": ""jamesdevereux.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.jamesdevereux.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.ctjh9u8e.vip/m82/"",""data_1"": {""url"": ""http://www.ctjh9u8e.vip/m82/"",""domain"": ""ctjh9u8e.vip"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.ctjh9u8e.vip""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""3.64.163.50"",""lookupOn"": 1684173582778,""latitude"": 41.1412,""longitude"": -73.2637,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Connecticut"",""subdivisionIsoCode"": ""CT"",""postalCode"": ""06828"",""isp"": ""General Electric Company"",""organization"": ""General Electric Company""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.alphabet1x.com"",""data_1"": ""www.alphabet1x.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.xn--oy2b27nt6b.net"",""data_1"": ""www.xn--oy2b27nt6b.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""156.241.129.24"",""lookupOn"": 1684173616191,""latitude"": -26.2309,""longitude"": 28.0583,""timeZone"": ""Africa/Johannesburg"",""continentName"": ""Africa"",""continentCode"": ""AF"",""countryName"": ""South Africa"",""countryIsoCode"": ""ZA"",""subdivisionName"": ""Gauteng"",""subdivisionIsoCode"": ""GT"",""postalCode"": ""2000"",""asn"": 37353,""asnOrganization"": ""MacroLAN"",""isp"": ""MacroLAN"",""organization"": ""MacroLAN""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.bestcp.net"",""data_1"": ""www.bestcp.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""198.54.117.217"",""lookupOn"": 1684173616636,""latitude"": 34.0355,""longitude"": -118.4298,""metroCode"": 803,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""90064"",""asn"": 22612,""asnOrganization"": ""Namecheap, Inc."",""isp"": ""Namecheap"",""organization"": ""Namecheap""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.exitsategy.com/m82/"",""data_1"": {""url"": ""http://www.exitsategy.com/m82/"",""domain"": ""exitsategy.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.exitsategy.com""}},{""malwareFamily"": 
{""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.xn--oy2b27nt6b.net/m82/"",""data_1"": {""url"": ""http://www.xn--oy2b27nt6b.net/m82/"",""domain"": ""xn--oy2b27nt6b.net"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.xn--oy2b27nt6b.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.ctjh9u8e.vip"",""data_1"": ""www.ctjh9u8e.vip""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""62.244.31.245"",""lookupOn"": 1684173681773,""latitude"": 50.4333,""longitude"": 30.5167,""timeZone"": ""Europe/Kiev"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""Ukraine"",""countryIsoCode"": ""UA"",""subdivisionName"": ""Kyiv City"",""subdivisionIsoCode"": ""30"",""asn"": 3254,""asnOrganization"": ""Lucky Net Ltd"",""isp"": ""Lucky Net Ltd"",""organization"": ""Lucky Net Ltd""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.happyhousegarment.com/m82/"",""data_1"": {""url"": ""http://www.happyhousegarment.com/m82/"",""domain"": ""happyhousegarment.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.happyhousegarment.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""160.124.149.66"",""lookupOn"": 1684173661222,""latitude"": -25.7597,""longitude"": 28.2651,""timeZone"": ""Africa/Johannesburg"",""continentName"": ""Africa"",""continentCode"": ""AF"",""countryName"": ""South Africa"",""countryIsoCode"": ""ZA"",""subdivisionName"": ""Gauteng"",""subdivisionIsoCode"": ""GT"",""postalCode"": ""0173"",""asn"": 6083,""asnOrganization"": ""POSIX-AFRICA"",""isp"": ""Posix-africa"",""organization"": ""Posix-africa""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.austinrelocationexpert.com"",""data_1"": ""www.austinrelocationexpert.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""172.67.130.165"",""lookupOn"": 1684173713823,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.baumanbilliardsnv.com/m82/"",""data_1"": {""url"": ""http://www.baumanbilliardsnv.com/m82/"",""domain"": ""baumanbilliardsnv.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": 
""www.baumanbilliardsnv.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.greatharmony.africa"",""data_1"": ""www.greatharmony.africa""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.chochonux.com"",""data_1"": ""www.chochonux.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""103.17.9.208"",""lookupOn"": 1684173619794,""latitude"": 25.0418,""longitude"": 121.4966,""timeZone"": ""Asia/Taipei"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Taiwan"",""countryIsoCode"": ""TW"",""asn"": 131149,""asnOrganization"": ""Yuan-Jhen Info., Co., Ltd"",""isp"": ""Yuan-Jhen Info., Co."",""organization"": ""Yuan-Jhen Info., Co.""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.danhaii.com"",""data_1"": ""www.danhaii.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.heatbling.com/m82/"",""data_1"": {""url"": ""http://www.heatbling.com/m82/"",""domain"": ""heatbling.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.heatbling.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""172.67.172.16"",""lookupOn"": 1684173594306,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.cassino-portugal.com/m82/"",""data_1"": {""url"": ""http://www.cassino-portugal.com/m82/"",""domain"": ""cassino-portugal.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.cassino-portugal.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.compassandpathwriting.com/m82/"",""data_1"": {""url"": ""http://www.compassandpathwriting.com/m82/"",""domain"": ""compassandpathwriting.com"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.compassandpathwriting.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""217.160.0.219"",""lookupOn"": 1684173713315,""latitude"": 52.5285,""longitude"": 13.4109,""timeZone"": ""Europe/Berlin"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""Germany"",""countryIsoCode"": ""DE"",""subdivisionName"": ""Land Berlin"",""subdivisionIsoCode"": ""BE"",""postalCode"": ""10119"",""asn"": 8560,""asnOrganization"": ""1&1 Internet SE"",""isp"": ""1&1 Internet AG"",""organization"": ""1&1 Internet AG""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.hausmeisterservice-berlin.net/m82/"",""data_1"": {""url"": ""http://www.hausmeisterservice-berlin.net/m82/"",""domain"": ""hausmeisterservice-berlin.net"",""path"": ""/m82/"",""protocol"": ""http"",""host"": ""www.hausmeisterservice-berlin.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""vendorDetections"": [],""fileName"": ""PI.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""3c5bcd6427bdec6f9dc27f22123322a3"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""RE: Revise PI""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684173569692,1684173567787,Finance - FormBook,Finance-themed emails deliver FormBook.,TRUE,https://www.threathq.com/api/l/activethreatreport/322141/html,https://www.threathq.com/apiv1/t3/malware/322141/html,https://www.threathq.com/p42/search/default?m=322141,[],"[{""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322141/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322141/pdf,Malware_Data_CL +"5/29/2023, 8:27:59 AM",322149,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""149.154.167.220"",""lookupOn"": 1684166382699,""latitude"": 51.4964,""longitude"": -0.1224,""timeZone"": ""Europe/London"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""United Kingdom"",""countryIsoCode"": ""GB"",""asn"": 62041,""asnOrganization"": ""Telegram Messenger LLP"",""isp"": ""LLC 
Globalnet"",""organization"": ""Telegram Messenger Network""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/"",""data_1"": {""url"": ""https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/"",""domain"": ""telegram.org"",""path"": ""/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/"",""protocol"": ""https"",""host"": ""api.telegram.org""}}]","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""},""vendorDetections"": [],""fileName"": ""PO #V-23-IPY-078-D.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""4d5ab04ad0bc66b1b7c4daed53932e59"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""URGENT REQUEST - 2023-BLA-007 ""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684172377663,1684172376351,Finance - Snake Keylogger,Finance-themed emails deliver Snake Keylogger.,TRUE,https://www.threathq.com/api/l/activethreatreport/322142/html,https://www.threathq.com/apiv1/t3/malware/322142/html,https://www.threathq.com/p42/search/default?m=322142,[],"[{""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322142/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322142/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322150,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": 
true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""107.148.139.225"",""lookupOn"": 1684173810780,""latitude"": 37.3387,""longitude"": -121.8914,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""95113"",""asn"": 54600,""asnOrganization"": ""PEG TECH INC"",""isp"": ""Peg Tech"",""organization"": ""Peg Tech""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.bl-fakel.com"",""data_1"": ""www.bl-fakel.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""38.54.177.111"",""lookupOn"": 1684173735457,""latitude"": 37.751,""longitude"": -97.822,""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""asn"": 174,""asnOrganization"": ""Cogent Communications"",""isp"": ""Cogent Communications"",""organization"": ""Cogent Communications""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.kohakucho.net/bb27/"",""data_1"": {""url"": ""http://www.kohakucho.net/bb27/"",""domain"": ""kohakucho.net"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.kohakucho.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""31.207.33.122"",""lookupOn"": 1684173866250,""latitude"": 46.1417,""longitude"": -0.2218,""timeZone"": ""Europe/Paris"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""France"",""countryIsoCode"": ""FR"",""asn"": 16347,""asnOrganization"": ""ADISTA SAS"",""isp"": ""Ligne Web Services EURL"",""organization"": ""Ligne Web Services EURL""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.destockplaza.com"",""data_1"": ""www.destockplaza.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""23.227.38.74"",""lookupOn"": 1684173527995,""latitude"": 45.4166,""longitude"": -75.6904,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""postalCode"": ""K2P"",""asn"": 62679,""asnOrganization"": ""Shopify, Inc."",""isp"": ""Shopify"",""organization"": ""Shopify""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.czaos.com/bb27/"",""data_1"": {""url"": ""http://www.czaos.com/bb27/"",""domain"": ""czaos.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.czaos.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.wildhartbranding.africa/bb27/"",""data_1"": {""url"": ""http://www.wildhartbranding.africa/bb27/"",""domain"": ""wildhartbranding.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.wildhartbranding.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""50.116.93.86"",""lookupOn"": 1684173855273,""latitude"": 29.8301,""longitude"": -95.4739,""metroCode"": 618,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""77092"",""asn"": 20013,""asnOrganization"": ""CyrusOne LLC"",""isp"": ""Websitewelcome.com"",""organization"": ""CyrusOne LLC""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.decoracioneskyr.com"",""data_1"": ""www.decoracioneskyr.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""156.235.134.214"",""lookupOn"": 1684173834384,""latitude"": 37.751,""longitude"": -97.822,""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""asn"": 35916,""asnOrganization"": ""MULTACOM CORPORATION"",""isp"": ""Multacom Corporation"",""organization"": ""Multacom Corporation""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.qy-zh.net"",""data_1"": ""www.qy-zh.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.fastloans.africa/bb27/"",""data_1"": {""url"": ""http://www.fastloans.africa/bb27/"",""domain"": ""fastloans.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.fastloans.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""209.141.38.71"",""lookupOn"": 1684173821366,""latitude"": 36.175,""longitude"": -115.1372,""metroCode"": 839,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Nevada"",""subdivisionIsoCode"": ""NV"",""postalCode"": ""89101"",""asn"": 53667,""asnOrganization"": ""FranTech Solutions"",""isp"": ""FranTech Solutions"",""organization"": ""FranTech Solutions""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.herbal-nutrition.uk"",""data_1"": ""www.herbal-nutrition.uk""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""198.54.117.211"",""lookupOn"": 1684173650796,""latitude"": 34.0355,""longitude"": -118.4298,""metroCode"": 803,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""90064"",""asn"": 22612,""asnOrganization"": ""Namecheap, Inc."",""isp"": ""Namecheap"",""organization"": ""Namecheap""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.lifestyleisrael.com/bb27/"",""data_1"": {""url"": ""http://www.lifestyleisrael.com/bb27/"",""domain"": ""lifestyleisrael.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.lifestyleisrael.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""192.254.234.51"",""lookupOn"": 1684173833281,""latitude"": 29.8301,""longitude"": -95.4739,""metroCode"": 618,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""77092"",""asn"": 46606,""asnOrganization"": ""Unified Layer"",""isp"": ""Websitewelcome.com"",""organization"": ""Unified Layer""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.kalidaddigifirm.com"",""data_1"": ""www.kalidaddigifirm.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.flezibuy.africa/bb27/"",""data_1"": {""url"": ""http://www.flezibuy.africa/bb27/"",""domain"": ""flezibuy.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.flezibuy.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""3.33.152.147"",""lookupOn"": 1684173855362,""latitude"": 41.1412,""longitude"": -73.2637,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Connecticut"",""subdivisionIsoCode"": ""CT"",""postalCode"": ""06828"",""isp"": ""General Electric Company"",""organization"": ""General Electric Company""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.theguttercleaningservice.com"",""data_1"": ""www.theguttercleaningservice.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.darkdefender.club"",""data_1"": ""www.darkdefender.club""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""23.227.38.74"",""lookupOn"": 1684173527995,""latitude"": 45.4166,""longitude"": -75.6904,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""postalCode"": ""K2P"",""asn"": 62679,""asnOrganization"": ""Shopify, Inc."",""isp"": ""Shopify"",""organization"": ""Shopify""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.humiflares.com"",""data_1"": ""www.humiflares.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""69.10.36.99"",""lookupOn"": 1684173758387,""latitude"": 40.7801,""longitude"": -74.0633,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""New Jersey"",""subdivisionIsoCode"": ""NJ"",""postalCode"": ""07094"",""asn"": 19318,""asnOrganization"": ""NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC"",""isp"": ""Interserver"",""organization"": ""Interserver""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.binarytradefx.com/bb27/"",""data_1"": {""url"": ""http://www.binarytradefx.com/bb27/"",""domain"": ""binarytradefx.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": 
""www.binarytradefx.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.ctjhcu8.vip"",""data_1"": ""www.ctjhcu8.vip""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""156.241.129.244"",""lookupOn"": 1684173747803,""latitude"": -26.2309,""longitude"": 28.0583,""timeZone"": ""Africa/Johannesburg"",""continentName"": ""Africa"",""continentCode"": ""AF"",""countryName"": ""South Africa"",""countryIsoCode"": ""ZA"",""subdivisionName"": ""Gauteng"",""subdivisionIsoCode"": ""GT"",""postalCode"": ""2000"",""asn"": 37353,""asnOrganization"": ""MacroLAN"",""isp"": ""MacroLAN"",""organization"": ""MacroLAN""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.longtengry.net/bb27/"",""data_1"": {""url"": ""http://www.longtengry.net/bb27/"",""domain"": ""longtengry.net"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.longtengry.net""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.yourtree.africa/bb27/"",""data_1"": {""url"": ""http://www.yourtree.africa/bb27/"",""domain"": ""yourtree.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.yourtree.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""104.21.18.131"",""lookupOn"": 1684173821154,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""asn"": 13335,""asnOrganization"": ""CloudFlare"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.pipeops.app"",""data_1"": ""www.pipeops.app""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.californiatribes.info/bb27/"",""data_1"": {""url"": ""http://www.californiatribes.info/bb27/"",""domain"": ""californiatribes.info"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.californiatribes.info""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.yourtree.africa"",""data_1"": ""www.yourtree.africa""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.illuminwellness.com"",""data_1"": ""www.illuminwellness.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.ebctec.net"",""data_1"": ""www.ebctec.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""117.50.172.191"",""lookupOn"": 1684173789376,""latitude"": 43.88,""longitude"": 125.3228,""timeZone"": ""Asia/Shanghai"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""China"",""countryIsoCode"": ""CN"",""subdivisionName"": ""Jilin"",""subdivisionIsoCode"": ""22"",""isp"": ""Jilin Gosun Technology Co."",""organization"": ""Jilin Gosun Technology Co.""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.fmgy.love/bb27/"",""data_1"": {""url"": ""http://www.fmgy.love/bb27/"",""domain"": ""fmgy.love"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.fmgy.love""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""142.251.33.115"",""lookupOn"": 1684173810300,""latitude"": 37.4192,""longitude"": -122.0574,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94043"",""asn"": 15169,""asnOrganization"": ""Google Inc."",""isp"": ""Google"",""organization"": ""Google""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.slatevehicles.net"",""data_1"": ""www.slatevehicles.net""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.wildhartbranding.africa"",""data_1"": ""www.wildhartbranding.africa""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""192.254.234.51"",""lookupOn"": 1684173833281,""latitude"": 29.8301,""longitude"": -95.4739,""metroCode"": 618,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""77092"",""asn"": 46606,""asnOrganization"": ""Unified Layer"",""isp"": ""Websitewelcome.com"",""organization"": ""Unified Layer""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.kalidaddigifirm.com/bb27/"",""data_1"": {""url"": ""http://www.kalidaddigifirm.com/bb27/"",""domain"": ""kalidaddigifirm.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.kalidaddigifirm.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""217.70.184.50"",""lookupOn"": 1684173747375,""latitude"": 48.8582,""longitude"": 2.3387,""timeZone"": ""Europe/Paris"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""France"",""countryIsoCode"": ""FR"",""asn"": 29169,""asnOrganization"": ""GANDI SAS"",""isp"": ""GANDI SAS"",""organization"": ""GANDI SAS""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.apr360.info/bb27/"",""data_1"": {""url"": ""http://www.apr360.info/bb27/"",""domain"": ""apr360.info"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.apr360.info""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""ipDetail"": {""ip"": ""154.39.239.118"",""lookupOn"": 1684173844897,""latitude"": 37.751,""longitude"": -97.822,""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""asn"": 174,""asnOrganization"": ""Cogent Communications"",""isp"": ""Cogent Communications"",""organization"": ""Cogent Communications""},""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.deer-bit.com"",""data_1"": ""www.deer-bit.com""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""199.59.243.223"",""lookupOn"": 1684173734137,""latitude"": 40.7391,""longitude"": -73.9826,""metroCode"": 501,""timeZone"": ""America/New_York"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""New York"",""subdivisionIsoCode"": ""NY"",""postalCode"": ""10010"",""asn"": 53665,""asnOrganization"": ""Bodis, LLC"",""isp"": ""Bodis, LLC"",""organization"": ""Bodis, LLC""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.californialivingbenifits.com/bb27/"",""data_1"": {""url"": ""http://www.californialivingbenifits.com/bb27/"",""domain"": ""californialivingbenifits.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.californialivingbenifits.com""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.ctjhcu8.vip/bb27/"",""data_1"": {""url"": ""http://www.ctjhcu8.vip/bb27/"",""domain"": ""ctjhcu8.vip"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.ctjhcu8.vip""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.igogo.africa/bb27/"",""data_1"": {""url"": ""http://www.igogo.africa/bb27/"",""domain"": ""igogo.africa"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.igogo.africa""}},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Moderate"",""confidence"": 100,""blockType"": ""Domain Name"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""www.juyjuy9.club"",""data_1"": ""www.juyjuy9.club""},{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""http://www.illuminwellness.com/bb27/"",""data_1"": {""url"": ""http://www.illuminwellness.com/bb27/"",""domain"": ""illuminwellness.com"",""path"": ""/bb27/"",""protocol"": ""http"",""host"": ""www.illuminwellness.com""}","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""},""vendorDetections"": [],""fileName"": ""fBdjlGMFMSWy49.bin"",""type"": ""Download"",""dateEntered"": 1684173530805,""severityLevel"": ""Major"",""md5Hex"": ""9db73b411c0fad6a6ab61cb9b54bf6f8"",""fileNameExtension"": ""bin""},{""deliveryMechanism"": {""mechanismName"": ""DotNET Loader"",""description"": ""An obfuscated DotNET (or .NET) executable used for downloading, unpacking, or decompressing and subsequently executing malware. DotNET Loaders may have the ability to call out to a C2.""},""vendorDetections"": [],""fileName"": ""LV-700317.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""0616aa1c76c5df2d2b8e53d966afc790"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""SWIFT NOTICE - LV700317""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684173550887,1684173548947,"Finance - DotNETLoader, FormBook",Finance-themed emails deliver FormBook via DotNETLoader.,TRUE,https://www.threathq.com/api/l/activethreatreport/322148/html,https://www.threathq.com/apiv1/t3/malware/322148/html,https://www.threathq.com/p42/search/default?m=322148,"[{""mechanismName"": ""DotNET Loader"",""description"": ""An obfuscated DotNET (or .NET) executable used for downloading, unpacking, or decompressing and subsequently executing malware. DotNET Loaders may have the ability to call out to a C2.""}]","[{""familyName"": ""FormBook"",""description"": ""FormBook is a browser focused keylogger coded in ASM/C. 
It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322148/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322148/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322151,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""104.26.2.25"",""lookupOn"": 1683906402659,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""asn"": 13335,""asnOrganization"": ""CloudFlare"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""URL embedded in the email or attached file.""},""data"": ""http://bio.link/faxnsinehs"",""data_1"": {""url"": ""http://bio.link/faxnsinehs"",""domain"": ""bio.link"",""path"": ""/faxnsinehs"",""protocol"": ""http"",""host"": ""bio.link""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""104.21.25.153"",""lookupOn"": 1684155762919,""latitude"": 37.7697,""longitude"": -122.3933,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North 
America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94107"",""asn"": 13335,""asnOrganization"": ""CloudFlare"",""isp"": ""CloudFlare"",""organization"": ""CloudFlare""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""Additional phishing URLs not found in the original email""},""data"": ""https://abgbuillders.com"",""data_1"": {""url"": ""https://abgbuillders.com"",""domain"": ""abgbuillders.com"",""path"": """",""protocol"": ""https"",""host"": ""abgbuillders.com""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""104.234.147.50"",""lookupOn"": 1683897462884,""latitude"": 44.3167,""longitude"": -79.8833,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""asn"": 30407,""asnOrganization"": ""Velcom"",""isp"": ""Velcom"",""organization"": ""Velcom""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""Additional phishing URLs not found in the original email""},""data"": ""https://starlktech.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?"",""data_1"": {""url"": ""https://starlktech.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?"",""domain"": ""starlktech.com"",""query"": """",""path"": ""/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg"",""protocol"": ""https"",""host"": ""starlktech.com""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": 
""104.234.147.50"",""lookupOn"": 1683897462884,""latitude"": 44.3167,""longitude"": -79.8833,""timeZone"": ""America/Toronto"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""Canada"",""countryIsoCode"": ""CA"",""subdivisionName"": ""Ontario"",""subdivisionIsoCode"": ""ON"",""asn"": 30407,""asnOrganization"": ""Velcom"",""isp"": ""Velcom"",""organization"": ""Velcom""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""Additional phishing URLs not found in the original email""},""data"": ""https://belfastscd.org/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?"",""data_1"": {""url"": ""https://belfastscd.org/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?"",""domain"": ""belfastscd.org"",""query"": """",""path"": ""/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg"",""protocol"": ""https"",""host"": ""belfastscd.org""}}]","[{""totalCount"": 3,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 3,""subject"": ""Completed Document Inv 47875-AM/NS/MG.pdf""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684155717609,1684155716401,Finance - Credential Phishing,Finance-themed emails deliver Credential Phishing via an embedded link.,TRUE,https://www.threathq.com/api/l/activethreatreport/322149/html,https://www.threathq.com/apiv1/t3/malware/322149/html,https://www.threathq.com/p42/search/default?m=322149,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322149/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322149/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 
AM",322152,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""50.87.153.168"",""lookupOn"": 1683898482759,""latitude"": 40.2181,""longitude"": -111.6133,""metroCode"": 770,""timeZone"": ""America/Denver"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Utah"",""subdivisionIsoCode"": ""UT"",""postalCode"": ""84606"",""asn"": 46606,""asnOrganization"": ""Unified Layer"",""isp"": ""Unified Layer"",""organization"": ""Unified Layer""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""Threat Actor controlled host or email address to which harvested credentials are exfiltrated.""},""data"": ""https://epanews.cl/.well-known/att/req.php"",""data_1"": {""url"": ""https://epanews.cl/.well-known/att/req.php"",""domain"": ""epanews.cl"",""path"": ""/.well-known/att/req.php"",""protocol"": ""https"",""host"": ""epanews.cl""}}]","[{""totalCount"": 3,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""deliveryMechanism"": {""mechanismName"": ""Malicious HTML"",""description"": ""HTML file that contains embedded malicious content including links that can be be clicked or that can redirect the browser to a different location.""},""vendorDetections"": [],""fileName"": "" Employees 2023 Pay Amendments.html"",""type"": ""Attachment"",""dateEntered"": 1684156086584,""severityLevel"": ""Major"",""md5Hex"": ""5a66c373153cf432bc541a5ca939c870"",""fileNameExtension"": ""html""}]",[],[],[],"[{""totalCount"": 1,""subject"": "" Payroll Financial Report On May 12, 2023 ; 18:29:33 PM""},{""totalCount"": 1,""subject"": "" Payroll Financtial 
Report On May 11, 2023 ; 21:02:10 PM""},{""totalCount"": 1,""subject"": "" Payroll Financtial Report On May 11, 2023 ; 21:16:42 PM""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684156250623,1684156249394,"Finance - HTML, Credential Phishing",Finance-themed emails deliver Credential Phishing via an HTML attachment.,TRUE,https://www.threathq.com/api/l/activethreatreport/322150/html,https://www.threathq.com/apiv1/t3/malware/322150/html,https://www.threathq.com/p42/search/default?m=322150,"[{""mechanismName"": ""Malicious HTML"",""description"": ""HTML file that contains embedded malicious content including links that can be be clicked or that can redirect the browser to a different location.""}]","[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322150/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322150/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322153,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""209.94.90.1"",""lookupOn"": 1683906282637,""latitude"": 37.5602,""longitude"": -106.1392,""metroCode"": 773,""timeZone"": ""America/Denver"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Colorado"",""subdivisionIsoCode"": ""CO"",""postalCode"": ""81144"",""asn"": 10446,""asnOrganization"": ""Zero Error Networks"",""isp"": ""Zero Error Networks"",""organization"": ""Zero Error 
Networks""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""Additional phishing URLs not found in the original email""},""data"": ""https://ipfs.io/ipfs/bafybeiaf5nmcrmrvw4o6yengckdg2ks6lxwkdb6d745cbftbic3kvfhgji/intelresu_onedriveo90.html"",""data_1"": {""url"": ""https://ipfs.io/ipfs/bafybeiaf5nmcrmrvw4o6yengckdg2ks6lxwkdb6d745cbftbic3kvfhgji/intelresu_onedriveo90.html"",""domain"": ""ipfs.io"",""path"": ""/ipfs/bafybeiaf5nmcrmrvw4o6yengckdg2ks6lxwkdb6d745cbftbic3kvfhgji/intelresu_onedriveo90.html"",""protocol"": ""https"",""host"": ""ipfs.io""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""URL embedded in the email or attached file.""},""data"": ""https://hhabitat.co.nz/"",""data_1"": {""url"": ""https://hhabitat.co.nz/"",""domain"": ""hhabitat.co.nz"",""path"": ""/"",""protocol"": ""https"",""host"": ""hhabitat.co.nz""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""ipDetail"": {""ip"": ""169.46.89.154"",""lookupOn"": 1684156782641,""latitude"": 32.9193,""longitude"": -96.982,""metroCode"": 623,""timeZone"": ""America/Chicago"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Texas"",""subdivisionIsoCode"": ""TX"",""postalCode"": ""75063"",""asn"": 36351,""asnOrganization"": ""SoftLayer Technologies Inc."",""isp"": ""SoftLayer Technologies"",""organization"": ""SoftLayer Technologies""},""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": 
""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""Additional phishing URLs not found in the original email""},""data"": ""https://yuomei000sp.us-south.cf.appdomain.cloud/?rbox=intelresu&email="",""data_1"": {""url"": ""https://yuomei000sp.us-south.cf.appdomain.cloud/?rbox=intelresu&email="",""domain"": ""appdomain.cloud"",""query"": ""rbox=intelresu&email="",""path"": ""/"",""protocol"": ""https"",""host"": ""yuomei000sp.us-south.cf.appdomain.cloud""}},{""malwareFamily"": {""familyName"": ""Credential Phishing"",""description"": ""An instance of credential phishing""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""Credential Phishing"",""roleDescription"": ""Credential Phishing"",""infrastructureTypeSubclass"": {""description"": ""URL embedded in the email or attached file.""},""data"": ""https://masresidency.in/"",""data_1"": {""url"": ""https://masresidency.in/"",""domain"": ""masresidency.in"",""path"": ""/"",""protocol"": ""https"",""host"": ""masresidency.in""}}]","[{""totalCount"": 3,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],[],[],[],[],"[{""totalCount"": 3,""subject"": ""You Received a secure file""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684156741768,1684156740578,Notification - Credential Phishing,Notification-themed emails deliver Credential Phishing via an embedded link.,TRUE,https://www.threathq.com/api/l/activethreatreport/322151/html,https://www.threathq.com/apiv1/t3/malware/322151/html,https://www.threathq.com/p42/search/default?m=322151,[],"[{""familyName"": ""Credential Phishing"",""description"": ""An instance of credential 
phishing""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322151/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322151/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322154,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""141.95.172.69"",""lookupOn"": 1684171602816,""latitude"": 50.7967,""longitude"": -1.0833,""timeZone"": ""Europe/London"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""United Kingdom"",""countryIsoCode"": ""GB"",""subdivisionName"": ""Portsmouth"",""subdivisionIsoCode"": ""POR"",""postalCode"": ""PO5"",""isp"": ""IBM EMEA value added network"",""organization"": ""AT&T EMEA value added network""},""confidence"": 100,""blockType"": ""Email"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""pejesoar.smtp@oiliskim.com"",""data_1"": ""pejesoar.smtp@oiliskim.com""},{""deliveryMechanism"": {""mechanismName"": ""CVE-2017-11882"",""description"": ""Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution""},""impact"": ""Major"",""confidence"": 100,""blockType"": ""URL"",""role"": ""Payload"",""roleDescription"": ""Location from which a payload is obtained"",""data"": ""http://103.155.81.71/Explorer/vbc.exe"",""data_1"": {""url"": ""http://103.155.81.71/Explorer/vbc.exe"",""path"": ""/Explorer/vbc.exe"",""protocol"": ""http"",""host"": 
""103.155.81.71""}}]","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""deliveryMechanism"": {""mechanismName"": ""CVE-2017-11882"",""description"": ""Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution""},""vendorDetections"": [],""fileName"": ""293729.xls"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""3d693e6dfb41df25907b1ad400ac43f4"",""fileNameExtension"": ""xls""},{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""vendorDetections"": [],""fileName"": ""vbc.exe"",""type"": ""Download"",""dateEntered"": 1684171578694,""severityLevel"": ""Major"",""md5Hex"": ""433b617e1991fb112c8aabfc41eb0b8d"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""order confirmation""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684171584760,1684171583418,"Finance - CVE-2017-11882, Agent Tesla Keylogger",Finance-themed emails deliver Agent Tesla Keylogger via CVE-2017-11882.,TRUE,https://www.threathq.com/api/l/activethreatreport/322152/html,https://www.threathq.com/apiv1/t3/malware/322152/html,https://www.threathq.com/p42/search/default?m=322152,"[{""mechanismName"": ""CVE-2017-11882"",""description"": ""Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution""}]","[{""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322152/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322152/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322155,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""149.154.167.220"",""lookupOn"": 1684166382699,""latitude"": 51.4964,""longitude"": -0.1224,""timeZone"": ""Europe/London"",""continentName"": ""Europe"",""continentCode"": ""EU"",""countryName"": ""United Kingdom"",""countryIsoCode"": ""GB"",""asn"": 62041,""asnOrganization"": ""Telegram Messenger LLP"",""isp"": ""LLC Globalnet"",""organization"": ""Telegram Messenger Network""},""confidence"": 100,""blockType"": ""URL"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""https://api.telegram.org/bot5843567515:AAEdtJWwcJKNn64U81CKVdG-li_Ejds8raM/"",""data_1"": {""url"": ""https://api.telegram.org/bot5843567515:AAEdtJWwcJKNn64U81CKVdG-li_Ejds8raM/"",""domain"": ""telegram.org"",""path"": ""/bot5843567515:AAEdtJWwcJKNn64U81CKVdG-li_Ejds8raM/"",""protocol"": ""https"",""host"": ""api.telegram.org""}}]","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""},""vendorDetections"": [],""fileName"": ""Dekont_2023050124093516589076505.doc.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": 
""5fada9cc420b6a9c86f55771b427d72b"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""SWIFT Giden mesaj bildirimi - 6028,80 USD - I103""}]","[{""languageDefinition"": {""isoCode"": ""tr"",""name"": ""Turkish"",""nativeName"": ""Türkçe"",""family"": ""Turkic""}}]",[],1684172380842,1684172379585,Finance - Snake Keylogger,Finance-themed emails deliver Snake Keylogger.,TRUE,https://www.threathq.com/api/l/activethreatreport/322153/html,https://www.threathq.com/apiv1/t3/malware/322153/html,https://www.threathq.com/p42/search/default?m=322153,[],"[{""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322153/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322153/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322162,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""195.142.133.156"",""lookupOn"": 1684172442894,""latitude"": 41.0214,""longitude"": 28.9684,""timeZone"": ""Europe/Istanbul"",""continentName"": ""Asia"",""continentCode"": ""AS"",""countryName"": ""Turkey"",""countryIsoCode"": ""TR"",""subdivisionName"": ""Istanbul"",""subdivisionIsoCode"": ""34"",""asn"": 199484,""asnOrganization"": ""SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. Ticaret Ltd. Sti."",""isp"": ""SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. Ticare"",""organization"": ""SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. 
Ticare""},""confidence"": 100,""blockType"": ""Email"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""turgut.altun@apareia.com.tr"",""data_1"": ""turgut.altun@apareia.com.tr""}]","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""},""vendorDetections"": [],""fileName"": ""86-YT9653568998.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""34a0008338f2edf8f5e06b73dd310027"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""SALES ORDER""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684172383736,1684172382484,Finance - Snake Keylogger,Finance-themed emails deliver Snake Keylogger.,TRUE,https://www.threathq.com/api/l/activethreatreport/322154/html,https://www.threathq.com/apiv1/t3/malware/322154/html,https://www.threathq.com/p42/search/default?m=322154,[],"[{""familyName"": ""Snake Keylogger"",""description"": ""Snake Keylogger is a keylogger that has many capabilities.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322154/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322154/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322163,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""67.225.192.144"",""lookupOn"": 1684172262778,""latitude"": 42.7257,""longitude"": -84.636,""metroCode"": 551,""timeZone"": ""America/Detroit"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Michigan"",""subdivisionIsoCode"": ""MI"",""postalCode"": ""48917"",""asn"": 32244,""asnOrganization"": ""Liquid Web, L.L.C"",""isp"": ""Liquid Web, L.L.C"",""organization"": ""Liquid Web, L.L.C""},""confidence"": 100,""blockType"": ""Email"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""accounts@mylaconsultancy.com"",""data_1"": ""accounts@mylaconsultancy.com""},{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""142.250.217.101"",""lookupOn"": 1684172262791,""latitude"": 37.4192,""longitude"": -122.0574,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94043"",""asn"": 15169,""asnOrganization"": ""Google Inc."",""isp"": ""Google"",""organization"": ""Google""},""confidence"": 100,""blockType"": ""Email"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""realifenergy@gmail.com"",""data_1"": ""realifenergy@gmail.com""}]","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""vendorDetections"": [],""fileName"": ""INV&PKL.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""c314cca5005e7dff7a4a1bd57ebbd274"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""Shipping Advice of IG190507601""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684172208193,1684172206848,Shipping - Agent Tesla Keylogger,Shipping-themed emails deliver Agent Tesla Keylogger.,TRUE,https://www.threathq.com/api/l/activethreatreport/322155/html,https://www.threathq.com/apiv1/t3/malware/322155/html,https://www.threathq.com/p42/search/default?m=322155,[],"[{""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322155/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322155/pdf,Malware_Data_CL +"5/29/2023, 8:28:05 AM",322163,"[{""id"": 23,""permissions"": {""WRITE"": false,""OWNER"": false,""READ"": true},""displayName"": ""Cofense""}]","[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""67.225.192.144"",""lookupOn"": 1684172262778,""latitude"": 42.7257,""longitude"": -84.636,""metroCode"": 551,""timeZone"": ""America/Detroit"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""Michigan"",""subdivisionIsoCode"": ""MI"",""postalCode"": ""48917"",""asn"": 32244,""asnOrganization"": ""Liquid Web, L.L.C"",""isp"": ""Liquid Web, L.L.C"",""organization"": ""Liquid Web, L.L.C""},""confidence"": 100,""blockType"": ""Email"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""accounts@mylaconsultancy.com"",""data_1"": ""accounts@mylaconsultancy.com""},{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""impact"": ""Major"",""ipDetail"": {""ip"": ""142.250.217.101"",""lookupOn"": 1684172262791,""latitude"": 37.4192,""longitude"": -122.0574,""metroCode"": 807,""timeZone"": ""America/Los_Angeles"",""continentName"": ""North America"",""continentCode"": ""NA"",""countryName"": ""United States"",""countryIsoCode"": ""US"",""subdivisionName"": ""California"",""subdivisionIsoCode"": ""CA"",""postalCode"": ""94043"",""asn"": 15169,""asnOrganization"": ""Google Inc."",""isp"": ""Google"",""organization"": ""Google""},""confidence"": 100,""blockType"": ""Email"",""role"": ""C2"",""roleDescription"": ""Command and control location used by malware"",""data"": ""realifenergy@gmail.com"",""data_1"": ""realifenergy@gmail.com""}]","[{""totalCount"": 1,""brand"": {""id"": 2051,""text"": ""None""}}]",[],[],[],"[{""malwareFamily"": {""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. 
Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""},""vendorDetections"": [],""fileName"": ""INV&PKL.exe"",""type"": ""Attachment"",""severityLevel"": ""Major"",""md5Hex"": ""c314cca5005e7dff7a4a1bd57ebbd274"",""fileNameExtension"": ""exe""}]",[],[],[],"[{""totalCount"": 1,""subject"": ""Shipping Advice of IG190507601""}]","[{""languageDefinition"": {""isoCode"": ""en"",""name"": ""English"",""nativeName"": ""English"",""family"": ""Indo-European""}}]",[],1684172208193,1684172206848,Shipping - Agent Tesla Keylogger,Shipping-themed emails deliver Agent Tesla Keylogger.,TRUE,https://www.threathq.com/api/l/activethreatreport/322155/html,https://www.threathq.com/apiv1/t3/malware/322155/html,https://www.threathq.com/p42/search/default?m=322155,[],"[{""familyName"": ""Agent Tesla"",""description"": ""Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.""}]",MALWARE,[],[],https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322155/html,https://cisiqa2905emood2nmyxy26.azurewebsites.net/api/DownloadThreatReports?url=https://www.threathq.com/apiv1/t3/malware/322155/pdf,Malware_Data_CL \ No newline at end of file diff --git a/Sample Data/Custom/CofenseIntelligence/ThreatIntelligenceIndicator.csv b/Sample Data/Custom/CofenseIntelligence/ThreatIntelligenceIndicator.csv new file mode 100644 index 00000000000..a1de3b91a15 --- /dev/null +++ b/Sample Data/Custom/CofenseIntelligence/ThreatIntelligenceIndicator.csv 
@@ -0,0 +1,21 @@ +TenantId,TimeGenerated [UTC],SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,ExpirationDateTime [UTC],IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,FileCompileDateTime [UTC],FileCreatedDateTime [UTC],FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type +2f6ff951-1800-43fd-b53b-00000000000,"6/27/2023, 7:31:16 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000000,100,Role: Credential Phishing,,indicator--7b991d89-3b96-ed5e-ec77-031e76c1bb41,"1/1/10000, 12:00:00 AM",288F43EF5CC92FB5AD3F5EE2F50BC355A4EEF93172C9FC00E5519AC0212186C4,URL,TRUE,,,,,,,,,,,"[""threatID-320873""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://moob.financial/email/verification/rsvsok/,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000001,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000001,50,Role: Location from which a payload is obtained,,indicator--ba032448-8e6f-7e8b-98d9-f058b41bc8d6,"1/1/10000, 12:00:00 AM",C2D93EF5D34ED4155F1C555D0FFB16323543AD883744316996D20D98BD601236,Domain Name,TRUE,,,,,,,,,,,"[""threatID-320863""]",unknown,,,,,,,,,,,,,,,,,,,,obasicofunciona.com.br,,,,,,,,,,,,,https://superduperince.ru/.ded/next.php,,,ThreatIntelligenceIndicator 
+2f6ff951-1800-43fd-b53b-00000000002,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000002,1,Role: Command and control location used by malware,,indicator--c1ef6919-43bd-01cf-65c1-2e140ebc81f6,"1/1/10000, 12:00:00 AM",B7C7E3798D05625A3DF62B33D70803ED2CC5E84F62A6E41BA6B48602DFB93EB9,File,TRUE,,,,,,,,,,,"[""threatID-320408""]",unknown,,,,,,,,,,,,,,,,,,,,solazone.com.au,,,,,,,,,,,,,https://puppylovespeech.com/css/hill.php,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000003,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000003,30,Role: URL provided in email as means for infection,,indicator--6fca43ad-74d7-c359-dc75-08ca94be9f9c,"1/1/10000, 12:00:00 AM",A99A06C620061BE55202B7251F21B877649B2BE0F70B6C992F87692771FABE7C,URL,TRUE,,,,,,,,,,,"[""threatID-320865""]",unknown,,,,,,,,,,,,,,,,,,,,dsauvsiv.top,,,,,,,,,,,,,https://about.metahelpcase.com/J6n17h,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000004,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000004,100,Role: Download,,indicator--3c9cb30c-6589-1843-e78a-ecdc1b4699a3,"1/1/10000, 12:00:00 AM",5F4568B4D99705A5E7A8064399AC2BEDEBE5591B905FEB59E521B4D0E9CBE248,Domain Name,TRUE,,,,,,,,,,,"[""threatID-320887""]",unknown,,,,,,,,,,,,,,,,,,,,uniformesjollpat.com,,,,,,,,,,,,,https://www.afrique-hydraulique.com/dhcw,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000005,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000005,50,Role: Attachment,,indicator--6bbc5ebd-78a2-1feb-d868-504fd1e1b909,"1/1/10000, 12:00:00 
AM",D541BF4C6B71CAD7F2DE014DF54D69E64E72C481BFE23B326E8F8A2322270C5C,File,TRUE,,,,,,,,,,,"[""threatID-320880""]",unknown,,,,,,,,,,,,,,,,,,,,shilhaandara.com,,,,,,,,,,,,,https://www.canva.com/design/DAFiTZjJVV8/RMJDHpqhsfIvqzclmALJuA/edit?utm_content=DAFiTZjJVV8&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000006,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000006,1,Role: Drop,,indicator--88fa1d65-f7ed-5419-98b8-e588d2af6eea,"1/1/10000, 12:00:00 AM",10EC2D1F6C06DFBF7AA02519895F6C77EFAA162776990C300A56C657DE1C09A9,URL,TRUE,,,,,,,,,,,"[""threatID-320399""]",unknown,,,,,,,,,,,,,,,,,,,,metalmaxms.com.br,,,,,,,,,,,,,https://login-microsooftteam.msnrdr02.com/,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000007,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000007,30,Role: Creds Phishing,,indicator--1cc50aa0-3d84-1a40-c80c-d9ccb30388ba,"1/1/10000, 12:00:00 AM",D9BF176934995EEF0390FB5D87AC8701B12C7045CB851DAD041111714892C9B4,Domain Name,TRUE,,,,,,,,,,,"[""threatID-320405""]",unknown,,,,,,,,,,,,,,,,,,,,erivhx.fun,,,,,,,,,,,,,https://sso.repository2.cfd/common/login,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000008,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000008,100,Role: 3rd party location used by malware to identify the IP address of the infected machine,,indicator--905c2635-3d33-b6d0-0a5e-d28bd9c8895b,"1/1/10000, 12:00:00 AM",8CC1B72E1363FF1C848E2C148E23B5D2075897A98046A67E9F2032BEE0F8360B,File,TRUE,,,,,,,,,,,"[""threatID-320423""]",unknown,,,,,,,,,,,,,,,,,,,,sanitidom.com,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000009,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000009,50,Role: Credential Phishing,,indicator--b0273edc-ed8a-1a84-d42b-21a7d0cb78e1,"1/1/10000, 12:00:00 
AM",93C079EC7EEC0EE848CE14989CF23C3D4FDC6C7EAA2001D000BF4A1089DCBEB9,URL,TRUE,,,,,,,,,,,"[""threatID-320423""]",unknown,,,,,,,,,,,,,,,,,,,,www.jonamicrolending.africa/322430,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000010,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000010,1,Role: Location from which a payload is obtained,,indicator--77854686-48b0-9a39-2e58-a5460cd77693,"1/1/10000, 12:00:00 AM",9843F3A11A45C3E8CC6097290880D94B15B5521B196B144B4D2F5F083FC8ECF1,Domain Name,TRUE,,,,,,,,,,,"[""threatID-324696""]",unknown,,,,,,,,,,,,,,,,,,,,www.mentospk.online,,,,,,,,,,,,,http://www.paintellensburg.com/he2a/,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000011,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000011,30,Role: Command and control location used by malware,,indicator--ad7796d3-9da3-afaf-1942-e06f0b7e44f7,"1/1/10000, 12:00:00 AM",68EA2EEC84AEC06CC91AD48D91679A039FF76A2C465D9C5FFA68FDAE74154745,File,TRUE,,,,,,,,,,,"[""threatID-320417""]",unknown,,,,,,,,,,,,,,,,,,,,www.earticlesdirect.com,,,,,,,,,,,,,https://783ecd0e.eb2ba1a4ef967759ebcfc8f4.workers.dev/,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000012,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000012,100,Role: URL provided in email as means for infection,,indicator--ffbc7939-dfd2-ff0e-b626-eae2e13523f7,"1/1/10000, 12:00:00 AM",3DDDBC51EE3E3A90127D641B8DC3F542A91AF08581F7DF4B51443D5F97302768,URL,TRUE,,,,,,,,,,,"[""threatID-320398""]",unknown,,,,,,,,,,,,,,,,,,,,www.kgconstrucoes.com,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000013,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000013,50,Role: Download,,indicator--16d955b1-828f-69f9-b9e4-092ae76871f3,"1/1/10000, 12:00:00 AM",06C71D4E9C8BFB178D1154B2D9AA21ECF291978375611D91AC6330C5BE9CD0D6,Domain 
Name,TRUE,,,,,,,,,,,"[""threatID-320864""]",unknown,,,,,,,,,,,,,,,,,,,,www.judiangka.boats/322430,,,,,,,,,,,,,https://api.getjusto.com/redirect?to=https://56754548765254787143098.excel-international.in/.danceingwithallyougat/withipoplive/allnawaiste/index.php?userid=,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000014,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000014,1,Role: Attachment,,indicator--5309cfda-16a2-0336-96d4-440fed754c14,"1/1/10000, 12:00:00 AM",13CBEE40CB0143B1B89B724322FE22D57EF9B027B5B802A07EDEADDA918C38A8,URL,TRUE,,,,,,,,,,,"[""threatID-320872""]",unknown,,,,,,,,,,,,,,,,,,,,www.samefood.co.uk/322429,,,,,,,,,,,,,https://broadwayadvisory.com/new/se/sf_rand_string_lowercase6,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000015,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000015,30,Role: Drop,,indicator--33c81b5f-30aa-9b5b-93f1-0b4578d2916e,"1/1/10000, 12:00:00 AM",41A1F2C609828F3DD184997B6444D7F647D562EEEABC0815B2790B11F09D7B67,Domain Name,TRUE,,,,,,,,,,,"[""threatID-320860""]",unknown,,,,,,,,,,,,,,,,,,,,www.94ebuy.com/322429,,,,,,,,,,,,,https://dnewsdaily.shop/fv/host%5B18%5D/admin/js/mp.php,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000016,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000016,100,Role: Creds Phishing,,indicator--39040a08-6b89-1e97-bb06-4e81201973c1,"1/1/10000, 12:00:00 AM",DDE91E792100C6F8A42A405667349D18A3C2EDEAF1D3866FF38B7E9ED531B516,File,TRUE,,,,,,,,,,,"[""threatID-320868""]",unknown,,,,,,,,,,,,,,,,,,,,www.kyosaiohruri.com/322434,,,,,,,,,,,,,https://gteck1.box.com/s/on4t6ax55n8vjpunwq2ht8jj974dd3z0,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000017,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000017,50,Role: 3rd party location used by malware to identify the IP address of the infected 
machine,,indicator--f2d0b2bd-32fc-aae4-62fd-5818f93a1602,"1/1/10000, 12:00:00 AM",60A71BADFBC619A00C67E4BF5BD86AD695F5493D8F627A1F6D5E6E59A91B8E0D,URL,TRUE,,,,,,,,,,,"[""threatID-320414""]",unknown,,,,,,,,,,,,,,,,,,,,www.comedyescape.show,,,,,,,,,,,,,https://dot-antique-wok.glitch.me,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000018,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000018,1,Role: Credential Phishing,,indicator--88f489a5-bca0-6080-c92c-2f50aa6890b0,"1/1/10000, 12:00:00 AM",B097B0B4F7BAA5FF15939E13713F85E03B1C1E86379AAC77FC39E67F88854F1B,Domain Name,TRUE,,,,,,,,,,,"[""threatID-320423""]",unknown,,,,,,,,,,,,,,,,,,,,www.henryerayenteaches.africa,,,,,,,,,,,,,https://sanitidom.com/tu/,,,ThreatIntelligenceIndicator +2f6ff951-1800-43fd-b53b-00000000019,"6/27/2023, 7:31:19 AM",Cofense Intelligence,alert,,,,2f6ff951-1800-43fd-b53b-00000000019,30,Role: Location from which a payload is obtained,,indicator--838e8b72-838a-2790-c0ff-60119ab7beb3,"1/1/10000, 12:00:00 AM",5D8DE1B303F135F62E167F6A731D8599E20DD8C6B0B73DF035551480C9FC8D54,File,TRUE,,,,,,,,,,,"[""threatID-324696""]",unknown,,,,,,,,,,,,,,,,,,,,www.sustainalistapothecary.com/322429,,,,,,,,,,,,,http://www.myjbtest.net/he2a/,,,ThreatIntelligenceIndicator \ No newline at end of file diff --git a/Sample Data/Egress Defend_RawLogs.json b/Sample Data/Egress Defend_RawLogs.json new file mode 100644 index 00000000000..2aa58c67730 --- /dev/null +++ b/Sample Data/Egress Defend_RawLogs.json 
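Review bot: The TenantId and AzureTenantId values on every row (for example `2f6ff951-1800-43fd-b53b-00000000000`) have only 11 hex digits in the final group, so they are not well-formed GUIDs and will fail or come back empty wherever this sample is ingested into a guid-typed column or compared with `toguid()`; a zero-padded placeholder such as `2f6ff951-1800-43fd-b53b-000000000000` keeps the same intent and parses. The `ExpirationDateTime [UTC]` column is `1/1/10000, 12:00:00 AM` on every row, which lies outside the range most datetime types can represent (year 9999 is the usual maximum), so parsers will reject or null it; a valid far-future value or an empty field would be a safer sample. The Url and DomainName columns carry what appear to be live phishing indicators copied verbatim from the feed; because this is sample data in a public repository, defanging them (`hxxps://`, `[.]`) would avoid URL scanners flagging the repo and accidental clicks while leaving the schema validation the sample exists for unaffected.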
@@ -0,0 +1,1130 @@ +[ + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:48.188Z", + "emailDetails": { + "to": [ + { + "domain": "sanitized.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "Message in Teams", + "receivedAt": "2023-08-01T06:00:48.101Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.51 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "links.sensitive.com", + "occurrences": 17, + "clicks": 0, + "inAttachment": false + } + ], + "attachments": [], + "senderIp": "209.85.128.51", + "msScl": -1, + "replyTo": null, + "phishType": [ + "technical", + "brandImpersonation", + "grayMail" + ], + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f900939b5bf10d6a37c" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:48.547Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "your new shipment", + "receivedAt": "2023-08-01T06:00:48.481Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + 
"auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.221.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "links.sensitive.com", + "occurrences": 2, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "sanitized.com", + "occurrences": 1, + "clicks": 0, + "inAttachment": false + } + ], + "attachments": [], + "senderIp": "209.85.221.46", + "msScl": -1, + "replyTo": null, + "phishType": [ + "technical", + "brandImpersonation", + "mailFraud" + ], + "payloadType": "links", + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sanitized=sanitized" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:48.769Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "Message in Teams", + "receivedAt": "2023-08-01T06:00:48.7Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.221.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "links.sensitive.com", + "occurrences": 17, + "clicks": 0, + 
"inAttachment": false + } + ], + "attachments": [], + "senderIp": "209.85.221.48", + "msScl": -1, + "replyTo": null, + "phishType": [ + "technical", + "brandImpersonation", + "grayMail" + ], + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sanitized=sanitized" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:48.926Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:48.864Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.54 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.54", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f90875b0691a4ce99be" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:49.369Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": 
"2023-08-01T06:00:49.257Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.46", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f91290869a242d69716" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:49.382Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:49.319Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.48", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": 
"https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f91c6621a4be2afce81" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:49.533Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:49.466Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.51 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.51", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f91875b0691a4ce99c2" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:50.231Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "attn: change to remittance details", + "receivedAt": "2023-08-01T06:00:50.161Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass 
smtp.mailfrom=sanitized.com smtp.ip=209.85.221.41 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "www.egress.com", + "occurrences": 17, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "twitter.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "www.linkedin.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "www.facebook.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "www.company.com", + "occurrences": 1, + "clicks": 0, + "inAttachment": false + } + ], + "attachments": [], + "senderIp": "209.85.221.41", + "msScl": -1, + "replyTo": null, + "phishType": [ + "technical", + "scam419" + ], + "payloadType": "links", + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f92ea42d27723e20209" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:50.392Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "attn: change to remittance details", + "receivedAt": "2023-08-01T06:00:50.288Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.47 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": 
"pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "www.egress.com", + "occurrences": 17, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "twitter.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "www.linkedin.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "www.facebook.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "www.company.com", + "occurrences": 1, + "clicks": 0, + "inAttachment": false + } + ], + "attachments": [], + "senderIp": "209.85.128.47", + "msScl": -1, + "replyTo": null, + "phishType": [ + "technical", + "scam419" + ], + "payloadType": "links", + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f92eb3d8b99554a9ce5" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:50.606Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:50.538Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.221.52 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.221.52", + "msScl": -1, + 
"replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f9208598b66277cfcfe" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:50.609Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:50.52Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.221.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.221.46", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f926479c17a33d47806" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:51.06Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:50.975Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": 
"london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.221.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.221.48", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f92d27c23754f4525b3" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:51.582Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:51.519Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.50 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.50", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f93020d1ea114e943f1" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:51.618Z", + "emailDetails": { + "to": [ + { + 
"domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:51.561Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.43 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.43", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f93875b0691a4ce99ca" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:52.388Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:52.309Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + 
"primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.48", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f94e14ff028cb87ee53" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:52.42Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:52.35Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.221.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.221.48", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f94a43ef17193f59e98" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:53.164Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": 
"suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:53.048Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.167.41 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.167.41", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f95f74259c36404f8ed" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:53.284Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:53.19Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.128.47 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.128.47", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": 
"https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f958815f2de7d66591d" + } + }, + { + "event": "inboundEmail", + "time": "2023-08-01T06:00:54.213Z", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "sanitized", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "suspicious", + "subject": "hi", + "receivedAt": "2023-08-01T06:00:54.155Z", + "fromAddressDomainCreatedDate": null, + "linksClicked": 0, + "trust": "medium", + "auth": { + "rawAuth": "london1.sensitive.com; spf=pass smtp.mailfrom=sanitized.com smtp.ip=209.85.208.170 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=sanitized.com", + "spf": "pass", + "dkim": "fail", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [], + "attachments": [], + "senderIp": "209.85.208.170", + "msScl": -1, + "replyTo": null, + "phishType": null, + "payloadType": null, + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64c89f96875b0691a4ce99d5" + } + }, + { + "event": "linkClick", + "time": "2023-08-01T20:09:57.094Z", + "linkClicked": "www.5z8.info", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "teams", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "New Message In Teams", + "receivedAt": "2021-11-03T14:36:18.515Z", + "fromAddressDomainCreatedDate": "1991-05-02T04:00:00Z", + "linksClicked": 157, + "trust": "low", + "auth": { + "rawAuth": "london1.sensitive.com; 
spf=fail smtp.mailfrom=sanitized.com smtp.ip=81.145.208.196 ajax.calculated=False; dkim=none header.d=none ajax.calculated=False; dmarc=fail header.from=sanitized.com", + "spf": "pass", + "dkim": "pass", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "www.sanitized.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "links.sensitive.com", + "occurrences": 13, + "clicks": 0, + "inAttachment": false + } + ], + "attachments": [], + "senderIp": "81.145.208.196", + "msScl": -1, + "replyTo": null, + "phishType": [ + "brandImpersonation", + "grayMail" + ], + "payloadType": "links", + "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=61829e626e54e3a6b62dbfad" + } + }, + { + "event": "linkClick", + "time": "2023-08-01T22:14:02.352Z", + "linkClicked": "www.5z8.info", + "emailDetails": { + "to": [ + { + "domain": "sensitive.com", + "localPart": "joe.bloggs", + "displayName": "" + } + ], + "from": [ + { + "domain": "sanitized.com", + "localPart": "teams", + "displayName": "" + } + ], + "rcptTo": [ + "sanitized@sanitized.com" + ], + "mailFrom": "sanitized@sanitized.com", + "threat": "dangerous", + "subject": "New Message In Teams", + "receivedAt": "2021-11-03T14:36:18.515Z", + "fromAddressDomainCreatedDate": "1991-05-02T04:00:00Z", + "linksClicked": 157, + "trust": "low", + "auth": { + "rawAuth": "london1.sensitive.com; spf=fail smtp.mailfrom=sanitized.com smtp.ip=81.145.208.196 ajax.calculated=False; dkim=none header.d=none ajax.calculated=False; dmarc=fail header.from=sanitized.com", + "spf": "pass", + "dkim": "pass", + "dmarc": "pass" + }, + "primaryDomain": "sensitive.com", + "messageId": "sanitized@sanitized.com", + "firstTimeSender": true, + "links": [ + { + "domain": "www.sanitized.com", + "occurrences": 4, + "clicks": 0, + "inAttachment": false + }, + { + "domain": "links.sensitive.com", + 
"occurrences": 13,
+ "clicks": 0,
+ "inAttachment": false
+ }
+ ],
+ "attachments": [],
+ "senderIp": "81.145.208.196",
+ "msScl": -1,
+ "replyTo": null,
+ "phishType": [
+ "brandImpersonation",
+ "grayMail"
+ ],
+ "payloadType": "links",
+ "emailSummaryLink": "https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=61829e626e54e3a6b62dbfad"
+ }
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/Egress Defend_Schema.csv b/Sample Data/Egress Defend_Schema.csv
new file mode 100644
index 00000000000..6c116e02243
--- /dev/null
+++ b/Sample Data/Egress Defend_Schema.csv
@@ -0,0 +1,37 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TenantId,0,"System.String",string
+SourceSystem,1,"System.String",string
+MG,2,"System.String",string
+ManagementGroupName,3,"System.String",string
+TimeGenerated,4,"System.DateTime",datetime
+Computer,5,"System.String",string
+RawData,6,"System.String",string
+"event_s",7,"System.String",string
+"time_t",8,"System.DateTime",datetime
+"email_to_s",9,"System.String",string
+"email_from_s",10,"System.String",string
+"email_rcptTo_s",11,"System.String",string
+"email_mailFrom_s",12,"System.String",string
+"email_threat_s",13,"System.String",string
+"email_subject_s",14,"System.String",string
+"email_receivedAt_t",15,"System.DateTime",datetime
+"email_fromAddressDomainCreatedDate_t",16,"System.DateTime",datetime
+"email_linksClicked_d",17,"System.Double",real
+"email_trust_s",18,"System.String",string
+"email_auth_rawAuth_s",19,"System.String",string
+"email_auth_spf_s",20,"System.String",string
+"email_auth_dkim_s",21,"System.String",string
+"email_auth_dmarc_s",22,"System.String",string
+"email_primaryDomain_s",23,"System.String",string
+"email_messageId_s",24,"System.String",string
+"email_firstTimeSender_b",25,"System.SByte",bool
+"email_links_s",26,"System.String",string
+"email_attachments_s",27,"System.String",string
+"email_senderIp_s",28,"System.String",string
+"email_msScl_d",29,"System.Double",real
+"email_phishType_s",30,"System.String",string
+"email_payloadType_s",31,"System.String",string
+"email_emailSummaryLink_s",32,"System.String",string
+"linkClicked_s",33,"System.String",string
+Type,34,"System.String",string
+"_ResourceId",35,"System.String",string
diff --git a/Sample Data/EgressDefendSampleData.csv b/Sample Data/EgressDefendSampleData.csv
new file mode 100644
index 00000000000..e542bb3c85e
--- /dev/null
+++ b/Sample Data/EgressDefendSampleData.csv
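Review bot: The schema exposes the authentication results twice — the raw header string in `email_auth_rawAuth_s` (ordinal 19) and the vendor-parsed verdicts in `email_auth_spf_s`, `email_auth_dkim_s`, `email_auth_dmarc_s` (ordinals 20–22) — without recording which one a detection should treat as authoritative, and the JSON sample data in this same change shows them disagreeing: both `linkClick` events carry a raw string with `spf=fail`, `dkim=none`, `dmarc=fail` while the parsed fields read `pass` for all three. A rule keyed on `email_auth_dmarc_s == "fail"` would therefore miss exactly the messages a `dangerous`/`low`-trust classification flags, whereas one that parses `email_auth_rawAuth_s` would catch them. Since a schema CSV has no comment syntax, I would document this next to the connector (README or table description) along the lines of `email_auth_*_s are the vendor's parsed verdicts; email_auth_rawAuth_s is the Authentication-Results header as received — prefer the raw header, or alert on disagreement, until the sample-data discrepancy is explained`. Worth a similar note that `email_to_s`, `email_from_s`, `email_rcptTo_s`, `email_links_s`, `email_attachments_s` and `email_phishType_s` are typed `System.String` but hold JSON arrays, so KQL consumers must `parse_json()` them before filtering on a domain or recipient.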
@@ -0,0 +1,39 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,event_s,time_t [UTC],email_to_s,email_from_s,email_rcptTo_s,email_mailFrom_s,email_threat_s,email_subject_s,email_receivedAt_t [UTC],email_fromAddressDomainCreatedDate_t [UTC],email_linksClicked_d,email_trust_s,email_auth_rawAuth_s,email_auth_spf_s,email_auth_dkim_s,email_auth_dmarc_s,email_primaryDomain_s,email_messageId_s,email_firstTimeSender_b,email_links_s,email_attachments_s,email_senderIp_s,email_msScl_d,email_phishType_s,email_payloadType_s,email_emailSummaryLink_s,linkClicked_s,Type,_ResourceId +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:48.045","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:47.952",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.43 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888c.df0a0220.85c70.59fb@mx.google.com,TRUE,[],[],209.85.221.43,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d0888f3a4fa1ca72708674,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:49.423","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,dangerous,attn: change to remittance details,"07/08/2023, 06:00:49.290",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.44 ajax.calculated=False; dkim=fail 
header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888b.df0a0220.3e519.5b0b@mx.google.com,TRUE,"[{""domain"":""www.egress.com"",""occurrences"":17,""clicks"":0,""inAttachment"":false},{""domain"":""twitter.com"",""occurrences"":4,""clicks"":0,""inAttachment"":false},{""domain"":""www.linkedin.com"",""occurrences"":4,""clicks"":0,""inAttachment"":false},{""domain"":""www.facebook.com"",""occurrences"":4,""clicks"":0,""inAttachment"":false},{""domain"":""www.company.com"",""occurrences"":1,""clicks"":0,""inAttachment"":false}]",[],209.85.221.44,-1,"[""technical"",""scam419""]",links,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088911f6c7a425a80f6bf,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:50.200","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:50.082",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.43 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888d.5d0a0220.e4d0e.5c0b@mx.google.com,TRUE,[],[],209.85.221.43,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d0889260636f9b431971e8,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:50.483","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 
06:00:50.374",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.42 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888d.df0a0220.75cdf.18f2@mx.google.com,TRUE,[],[],209.85.221.42,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08892654ef718cd98dcfa,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:51.159","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:51.069",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.167.54 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888e.7b0a0220.708db.6e33@mx.google.com,TRUE,[],[],209.85.167.54,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08893e66ce3fa2864856d,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:51.301","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:51.202",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.53 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass 
header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888f.df0a0220.f4669.d7d7@mx.google.com,TRUE,[],[],209.85.221.53,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08893be16ea3b564b6091,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:51.351","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:51.227",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.45 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888f.7b0a0220.c704e.5e3d@mx.google.com,TRUE,[],[],209.85.128.45,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08893431698aaf1a7b2f4,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:52.514","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:52.406",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888f.1c0a0220.2bec.9cc6@mx.google.com,TRUE,[],[],209.85.128.46,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08894b7362aa466006cdc,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 
06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:52.697","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:52.589",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.45 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.7b0a0220.d8e0f.6480@mx.google.com,TRUE,[],[],209.85.128.45,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088944729be417be49847,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:53.267","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:53.143",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.52 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.7b0a0220.866e1.a1e4@mx.google.com,TRUE,[],[],209.85.128.52,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088956d6e426ec3f77d6d,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:53.975","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 
06:00:53.871",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.050a0220.f0cae.6771@mx.google.com,TRUE,[],[],209.85.128.46,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08895f97519e2908aed1f,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:54.173","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:54.069",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.52 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.df0a0220.ef077.5d20@mx.google.com,TRUE,[],[],209.85.221.52,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088960100575bac8f48f6,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:00:55.925","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:55.828",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.49 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass 
header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888d.df0a0220.468bb.5662@mx.google.com,TRUE,[],[],209.85.128.49,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088970100575bac8f48ff,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:01:58.284","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:58.194",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d3.df0a0220.ef077.5d47@mx.google.com,TRUE,[],[],209.85.221.48,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d60100575bac8f49a5,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:01:59.013","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:58.923",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.50 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d3.7b0a0220.b99e3.a67b@mx.google.com,TRUE,[],[],209.85.128.50,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d6cf3745888fc526dc,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 
06:08:48.117",,,inboundEmail,"07/08/2023, 06:01:59.052","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:58.885",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.44 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d4.df0a0220.7732d.5763@mx.google.com,TRUE,[],[],209.85.128.44,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d6753f6168b765e44b,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:01:59.275","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:59.174",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.42 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d4.df0a0220.f4669.d7f2@mx.google.com,TRUE,[],[],209.85.221.42,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d78c3f58475c7b9635,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:01:59.325","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 
06:01:59.240",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.41 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d3.5d0a0220.fba21.5dfd@mx.google.com,TRUE,[],[],209.85.128.41,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d77f1c29dbf3a719db,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:08:48.117",,,inboundEmail,"07/08/2023, 06:01:59.897","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:59.816",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.50 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d4.050a0220.19726.6b7e@mx.google.com,TRUE,[],[],209.85.128.50,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d78230a746c938cdb0,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:48.045","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:47.952",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.43 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass 
header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888c.df0a0220.85c70.59fb@mx.google.com,TRUE,[],[],209.85.221.43,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d0888f3a4fa1ca72708674,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:49.423","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,dangerous,attn: change to remittance details,"07/08/2023, 06:00:49.290",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.44 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888b.df0a0220.3e519.5b0b@mx.google.com,TRUE,"[{""domain"":""www.egress.com"",""occurrences"":17,""clicks"":0,""inAttachment"":false},{""domain"":""twitter.com"",""occurrences"":4,""clicks"":0,""inAttachment"":false},{""domain"":""www.linkedin.com"",""occurrences"":4,""clicks"":0,""inAttachment"":false},{""domain"":""www.facebook.com"",""occurrences"":4,""clicks"":0,""inAttachment"":false},{""domain"":""www.company.com"",""occurrences"":1,""clicks"":0,""inAttachment"":false}]",[],209.85.221.44,-1,"[""technical"",""scam419""]",links,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088911f6c7a425a80f6bf,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:50.200","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:50.082",,0,medium,london1.sensitive.com; 
spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.43 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888d.5d0a0220.e4d0e.5c0b@mx.google.com,TRUE,[],[],209.85.221.43,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d0889260636f9b431971e8,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:50.483","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:50.374",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.42 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888d.df0a0220.75cdf.18f2@mx.google.com,TRUE,[],[],209.85.221.42,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08892654ef718cd98dcfa,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:51.159","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:51.069",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.167.54 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass 
header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888e.7b0a0220.708db.6e33@mx.google.com,TRUE,[],[],209.85.167.54,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08893e66ce3fa2864856d,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:51.301","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:51.202",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.53 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888f.df0a0220.f4669.d7d7@mx.google.com,TRUE,[],[],209.85.221.53,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08893be16ea3b564b6091,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:51.351","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:51.227",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.45 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888f.7b0a0220.c704e.5e3d@mx.google.com,TRUE,[],[],209.85.128.45,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08893431698aaf1a7b2f4,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 
06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:52.514","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:52.406",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888f.1c0a0220.2bec.9cc6@mx.google.com,TRUE,[],[],209.85.128.46,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08894b7362aa466006cdc,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:52.697","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:52.589",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.45 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.7b0a0220.d8e0f.6480@mx.google.com,TRUE,[],[],209.85.128.45,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088944729be417be49847,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:53.267","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 
06:00:53.143",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.52 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.7b0a0220.866e1.a1e4@mx.google.com,TRUE,[],[],209.85.128.52,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088956d6e426ec3f77d6d,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:53.975","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:53.871",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.46 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.050a0220.f0cae.6771@mx.google.com,TRUE,[],[],209.85.128.46,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d08895f97519e2908aed1f,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:54.173","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:54.069",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.52 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass 
header.from=gmail.com,pass,fail,pass,sensitive.com,64d08890.df0a0220.ef077.5d20@mx.google.com,TRUE,[],[],209.85.221.52,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088960100575bac8f48f6,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:00:55.925","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:00:55.828",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.49 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d0888d.df0a0220.468bb.5662@mx.google.com,TRUE,[],[],209.85.128.49,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088970100575bac8f48ff,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:01:58.284","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:58.194",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.48 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d3.df0a0220.ef077.5d47@mx.google.com,TRUE,[],[],209.85.221.48,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d60100575bac8f49a5,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 
06:05:45.334",,,inboundEmail,"07/08/2023, 06:01:59.013","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:58.923",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.50 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d3.7b0a0220.b99e3.a67b@mx.google.com,TRUE,[],[],209.85.128.50,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d6cf3745888fc526dc,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:01:59.052","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:58.885",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.44 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d4.df0a0220.7732d.5763@mx.google.com,TRUE,[],[],209.85.128.44,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d6753f6168b765e44b,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:01:59.275","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 
06:01:59.174",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.221.42 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d4.df0a0220.f4669.d7f2@mx.google.com,TRUE,[],[],209.85.221.42,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d78c3f58475c7b9635,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:01:59.325","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:59.240",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.41 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d3.5d0a0220.fba21.5dfd@mx.google.com,TRUE,[],[],209.85.128.41,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d77f1c29dbf3a719db,,sensitive_CL, +5bdb42e4-4fc8-46c0-af6d-41516e8390ee,OpsManager,,,"07/08/2023, 06:05:45.334",,,inboundEmail,"07/08/2023, 06:01:59.897","[{""domain"":""sensitive.com"",""localPart"":""joe.bloggs"",""displayName"":""""}]","[{""domain"":""gmail.com"",""localPart"":""egress.defend.sales"",""displayName"":""""}]","[""joe.bloggs@sensitive.com""]",egress.defend.sales@gmail.com,suspicious,hi,"07/08/2023, 06:01:59.816",,0,medium,london1.sensitive.com; spf=pass smtp.mailfrom=gmail.com smtp.ip=209.85.128.50 ajax.calculated=False; dkim=fail header.d=qjwqod9oqn916gcyqg0ya1e8x.sensitive.com ajax.calculated=False; dmarc=pass 
header.from=gmail.com,pass,fail,pass,sensitive.com,64d088d4.050a0220.19726.6b7e@mx.google.com,TRUE,[],[],209.85.128.50,-1,,,https://summary.uk.defend.egress.com/v3/summary?ref=api&sensitive=64d088d78230a746c938cdb0,,sensitive_CL, diff --git a/Solutions/Alibaba Cloud/Data/Solution_Alibaba Cloud.json b/Solutions/Alibaba Cloud/Data/Solution_Alibaba Cloud.json index bab6bf0ac12..5035d08f4ab 100644 --- a/Solutions/Alibaba Cloud/Data/Solution_Alibaba Cloud.json +++ b/Solutions/Alibaba Cloud/Data/Solution_Alibaba Cloud.json @@ -10,7 +10,7 @@ "DataConnectors/AliCloud_API_FunctionApp.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alibaba Cloud", - "Version": "2.0.1", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/Alibaba Cloud/SolutionMetadata.json b/Solutions/Alibaba Cloud/SolutionMetadata.json index 5ddbeabbe13..23820d0cf34 100644 --- a/Solutions/Alibaba Cloud/SolutionMetadata.json +++ b/Solutions/Alibaba Cloud/SolutionMetadata.json @@ -7,9 +7,9 @@ "domains" : ["Cloud Provider"] }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } } \ No newline at end of file diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml b/Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml index 26c06047489..44df9684358 100644 --- a/Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml +++ b/Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml 
@@ -30,36 +30,35 @@ relevantTechniques: - T1098 query: | let aadFunc = (tableName: string) { - table(tableName) + let failed_signins = table(tableName) | where ResultType == "50057" - | where ResultDescription == "User account is disabled. The account has been disabled by an administrator." + | where ResultDescription == "User account is disabled. The account has been disabled by an administrator."; + let disabled_users = failed_signins | summarize by UserPrincipalName; + table(tableName) + | where ResultType == 0 + | where isnotempty(UserPrincipalName) + | where UserPrincipalName !in (disabled_users) + | summarize + successfulAccountsTargettedCount = dcount(UserPrincipalName), + successfulAccountSigninSet = make_set(UserPrincipalName, 100), + successfulApplicationSet = make_set(AppDisplayName, 100) + by IPAddress, Type + // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe + | where successfulAccountsTargettedCount < 50 + | where isnotempty(successfulAccountsTargettedCount) + | join kind=inner (failed_signins | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - disabledAccountLoginAttempts = count(), - disabledAccountsTargeted = dcount(UserPrincipalName), + totalDisabledAccountLoginAttempts = count(), + disabledAccountsTargettedCount = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), - disabledAccountSet = make_set(UserPrincipalName), - applicationSet = make_set(AppDisplayName) + disabledAccountSet = make_set(UserPrincipalName, 100), + disabledApplicationSet = make_set(AppDisplayName, 100) by IPAddress, Type - | order by disabledAccountLoginAttempts desc - | join kind= leftouter ( - // Consider these IPs suspicious - and alert any related successful sign-ins - table(tableName) - | where ResultType == 0 - | summarize - successfulAccountSigninCount = dcount(UserPrincipalName), - successfulAccountSigninSet = make_set(UserPrincipalName, 15) - by IPAddress, Type - // Assume IPs associated with 
sign-ins from 100+ distinct user accounts are safe - | where successfulAccountSigninCount < 100 - ) on IPAddress - // IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account - | where isnotempty(successfulAccountSigninCount) - | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, successfulAccountSigninCount, successfulAccountSigninSet, Type - | order by disabledAccountLoginAttempts - | extend timestamp = StartTime, IPCustomEntity = IPAddress - }; + | order by totalDisabledAccountLoginAttempts desc) on IPAddress + | project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type + | order by totalDisabledAccountLoginAttempts}; let aadSignin = aadFunc("SigninLogs"); let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs"); union isfuzzy=true aadSignin, aadNonInt @@ -70,17 +69,19 @@ query: | | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName | project-rename IPAddress = SourceIPAddress | summarize - Users = make_set(UserPrincipalName, 1000), - UsersInsights = make_set(UsersInsights, 1000), - DevicesInsights = make_set(DevicesInsights, 1000), + Users = make_set(UserPrincipalName, 100), + UsersInsights = make_set(UsersInsights, 100), + DevicesInsights = make_set(DevicesInsights, 100), IPInvestigationPriority = sum(InvestigationPriority) by IPAddress ) on IPAddress + | extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount)) + | where SFRatio >= 0.5 | sort by IPInvestigationPriority desc entityMappings: - entityType: IP fieldMappings: - identifier: Address columnName: IPAddress -version: 2.1.2 +version: 2.1.3 kind: Scheduled 
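Review bot: The comment `// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe` now sits directly above `| where successfulAccountsTargettedCount < 50`, so it documents the old threshold rather than the new one; change it to `// Assume IPs with successful sign-ins from 50+ distinct user accounts are shared infrastructure and skip them`, or restore 100 if halving it was unintended, since that also halves how many high-volume benign sources get suppressed. `| where isnotempty(successfulAccountsTargettedCount)` is dead after `summarize ... dcount(...)`, which always yields a number, and the `join kind=inner` that follows already guarantees a success row exists, so that line can be dropped. Switching the join from `leftouter` to `inner` also means an IP that only probed disabled accounts and never succeeded anywhere is no longer reported at all; that narrowing is defensible for precision, but it should be stated in the rule description or release notes because it changes what analysts have been seeing. The `query:` block continues into the next hunk, where the disabled/successful ratio is applied.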
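Review bot: `| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))` wraps a quotient that is already real in a second `toreal()`; `| extend SFRatio = toreal(disabledAccountsTargettedCount) / toreal(successfulAccountsTargettedCount)` reads cleaner. The `| where SFRatio >= 0.5` cut-off carries no explanation of what it is meant to express; a one-liner such as `// Keep IPs whose disabled-account targets are at least half the number of accounts they signed into successfully` would help the next person tuning it, and the denominator cannot be zero here because the inner join in the previous hunk only keeps IPs with at least one successful sign-in. The new column names `disabledAccountsTargettedCount` and `successfulAccountsTargettedCount` misspell "targeted"; since they are introduced in this version and surface in alert output, renaming them now is far cheaper than later. The `join ... ) on IPAddress` this hunk closes begins above the hunk.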
diff --git a/Solutions/CiscoWSA/Data/Solution_CiscoWSA.json b/Solutions/CiscoWSA/Data/Solution_CiscoWSA.json index 4a730208e8f..9f608969122 100644 --- a/Solutions/CiscoWSA/Data/Solution_CiscoWSA.json +++ b/Solutions/CiscoWSA/Data/Solution_CiscoWSA.json 
@@ -1,10 +1,10 @@
 {
- "Name": "CiscoWSA",
- "Author": "Microsoft - support@microsoft.com",
- "Logo": "",
- "Description": "The [Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) solution provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n",
- "Workbooks": [
- "Workbooks/CiscoWSA.json"
+ "Name": "CiscoWSA",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) solution provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n",
+ "Workbooks": [
+ "Workbooks/CiscoWSA.json"
 ],
 "Parsers": [
 "Parsers/CiscoWSAEvent.txt"
@@ -24,7 +24,7 @@
 "Data Connectors": [
 "Data Connectors/Connector_WSA_Syslog.json"
 ],
- "Analytic Rules": [
+ "Analytic Rules": [
 "Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml",
 "Analytic Rules/CiscoWSADataExfiltration.yaml",
 "Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
@@ -37,9 +37,9 @@
 "Analytic Rules/CiscoWSAUnexpectedUrl.yaml",
 "Analytic Rules/CiscoWSAUnscannableFile.yaml"
 ],
- "BasePath": "C:\\GitHub\\azure\\Solutions\\CiscoWSA",
- "Version": "2.0.1",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoWSA",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
- }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/Solutions/CiscoWSA/Package/3.0.0.zip b/Solutions/CiscoWSA/Package/3.0.0.zip
new file mode 100644
index 00000000000..16e2d06700c
Binary files /dev/null and b/Solutions/CiscoWSA/Package/3.0.0.zip differ
diff --git a/Solutions/CiscoWSA/Package/createUiDefinition.json b/Solutions/CiscoWSA/Package/createUiDefinition.json
index a7feedce331..e81fbf8586a 100644
--- a/Solutions/CiscoWSA/Package/createUiDefinition.json
+++ b/Solutions/CiscoWSA/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) solution provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoWSA/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) solution provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Microsoft 
Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -107,6 +107,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CiscoWSA", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Sets the time name for analysis" + } + } + ] } ] }, @@ -301,7 +315,7 @@ "name": "huntingqueries-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view." + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " } }, { @@ -323,7 +337,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for blocked files. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for blocked files. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] 
@@ -337,7 +351,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for rare applications. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for rare applications. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -351,7 +365,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for top applications. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for top applications. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -365,7 +379,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for top URLs. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for top URLs. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -379,7 +393,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for uncategorized URLs. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for uncategorized URLs. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -393,7 +407,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for uploaded files. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for uploaded files. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] 
@@ -407,7 +421,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for rare URLs with errors. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for rare URLs with errors. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -421,7 +435,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches connections to Url shorteners resources. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches connections to Url shorteners resources. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -435,7 +449,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for potentially risky resources. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for potentially risky resources. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -449,7 +463,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for user errors during accessing resource. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + "text": "Query searches for user errors during accessing resource. This hunting query depends on CiscoWSA data connector (CiscoWSAEvent Parser or Table)" } } ] @@ -463,4 +477,4 @@ "workspace": "[basics('workspace')]" } } -} \ No newline at end of file +} diff --git a/Solutions/CiscoWSA/Package/mainTemplate.json b/Solutions/CiscoWSA/Package/mainTemplate.json index 62fc912b1bd..048ba21c0c9 100644 --- a/Solutions/CiscoWSA/Package/mainTemplate.json +++ b/Solutions/CiscoWSA/Package/mainTemplate.json 
@@ -38,167 +38,176 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-ciscowsa", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "CiscoWSA", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-ciscowsa", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "CiscoWSAWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "parserVersion1": "1.0.0", - "parserContentId1": "CiscoWSAEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "parserName1": "CiscoWSA Data Parser", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + 
"parserVersion1": "1.0.0", + "parserContentId1": "CiscoWSAEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", "huntingQueryVersion1": "1.0.0", "huntingQuerycontentId1": "ebbd2b87-44c6-481a-8e4f-eaf5aa76e017", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "686ec2d3-fdbb-4fa2-b834-ff1d0f2486fb", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "6d4d7689-5e1d-4687-b1fc-eb0b7340c9a3", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "aaf6ba04-7a00-401e-a650-06e213f3bfbc", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "deddf5e8-8fee-4ec5-9121-415eb954c34d", "_huntingQuerycontentId5": 
"[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", "huntingQuerycontentId6": "9d08418d-e21e-4fd6-b9bc-d80ce786d2da", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "88edb5d8-3ad9-4004-aefa-43c289483935", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", + 
"huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", "huntingQuerycontentId8": "04582ef2-42be-4371-9ecf-635337c92ddb", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "8c35faed-a8cf-4d8d-8c67-f14f2ff6e7e9", "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "77ec347d-db28-4556-8a5a-dbc2ec7c9461", "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", "uiConfigId1": "CiscoWSA", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "CiscoWSA", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "analyticRuleVersion1": "1.0.1", "analyticRulecontentId1": "38029e86-030c-46c4-8a91-a2be7c74d74c", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", "analyticRuleVersion2": "1.0.1", "analyticRulecontentId2": "32c460ad-2d40-43e9-8ead-5cdd1d7a3163", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "analyticRuleVersion3": "1.0.0", "analyticRulecontentId3": "ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9", "_analyticRulecontentId3": 
"[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", "analyticRuleVersion4": "1.0.0", "analyticRulecontentId4": "1db49647-435c-41ad-bf8c-7130ba75429d", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", "analyticRuleVersion5": "1.0.1", "analyticRulecontentId5": "93186e3d-5dc2-4a00-a993-fa1448db8734", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", "analyticRuleVersion6": "1.0.0", "analyticRulecontentId6": "46b6c6fc-2c1a-4270-be10-9d444d83f027", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", "analyticRuleVersion7": "1.0.0", "analyticRulecontentId7": "6f756792-4888-48a5-97cf-40d9430dc932", "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + 
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", "analyticRuleVersion8": "1.0.0", "analyticRulecontentId8": "4250b050-e1c6-4926-af04-9484bbd7e94f", "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", "analyticRuleVersion9": "1.0.0", "analyticRulecontentId9": "8e9d1f70-d529-4598-9d3e-5dd5164d1d02", "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", "analyticRuleVersion10": "1.0.0", 
"analyticRulecontentId10": "010644fd-2830-4451-9e0e-606cc192f2e7", "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "analyticRuleVersion11": "1.0.0", "analyticRulecontentId11": "9b61a945-ebcb-4245-b6e4-51f3addb5248", "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11')))]" + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - 
"apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "CiscoWSA Workbook with template", - "displayName": "CiscoWSA workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAWorkbook Workbook with template version 2.0.1", + "description": "CiscoWSAWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
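Review bot: The `workspaceResourceId` variable is kept in this hunk while its only visible consumers, the `hidden-sentinelWorkspaceId` tags on the removed `templateSpecs` resources, are deleted; if no remaining resource in the file references it, ARM-TTK's variables-must-be-referenced check will flag the template, so either drop the variable or confirm a later resource still uses it. The new `dependsOn` entry targets `Microsoft.SecurityInsights/contentPackages` for `_solutionId`, which only resolves if a `contentPackages` resource is declared in this same template; that resource is outside the hunk, so please verify it exists. The version string is also duplicated: `_solutionVersion` is `3.0.0` and the workbook description repeats the literal `template version 3.0.0`, so `"description": "[concat('CiscoWSAWorkbook Workbook with template version ', variables('_solutionVersion'))]"` would keep the two from drifting on the next bump. The enclosing `resources` array continues past the end of this hunk.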
@@ -246,41 +255,47 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Syslog", + "kind": "DataType" + }, + { + "contentId": "CiscoWSA", + "kind": "DataConnector" + } + ] } } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "CiscoWSAEvent Data Parser with template", - "displayName": "CiscoWSAEvent Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAEvent Data Parser with template version 2.0.1", + "description": "CiscoWSAEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -289,7 +304,7 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { 
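Review bot: The new `dependencies` block for the workbook declares only the `Syslog` DataType and the `CiscoWSA` DataConnector, although the UI text changed in this same commit states the solution content depends on the `CiscoWSAEvent` parser. If the workbook's queries call `CiscoWSAEvent` (the workbook body is outside this hunk), add a third criterion, `{ "contentId": "CiscoWSAEvent-Parser", "kind": "Parser" }`, using the `parserContentId1` value already defined in the variables, so the parser is installed before the workbook is usable. The `AND` operator already makes every listed criterion required, so nothing else needs to change. The enclosing workbook `metadata` object starts before this hunk.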
@@ -297,7 +312,8 @@ "displayName": "CiscoWSA Data Parser", "category": "Samples", "functionAlias": "CiscoWSAEvent", - "query": "\nlet cisco_wsa_access_logs =() {\r\nSyslog\r\n| where ProcessName in (\"cisco_wsa\")\r\n| extend LogType = iff(SyslogMessage matches regex @\"\\A\\d{10}\\.\\d{3}\\s\\d+\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\", \"Squid Logs\" , iif(SyslogMessage matches regex @\"\\A\\d{4}\\-\\d{2}\\-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}\\s\\d{10}\\.\\d{3}\", \"W3C Logs\",dynamic(\"\")))\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Web Security Appliance'\r\n| extend EventType = 'Access Log'\r\n| extend EventFields = split(SyslogMessage, ' ')\r\n| extend ScanningVerdictFields = iif(LogType == \"Squid Logs\", parse_csv(tostring(extract(@'<(.*?)>', 1, SyslogMessage))), dynamic(\"\"))\r\n| extend EventStartTime = case(LogType has \"Squid Logs\", unixtime_seconds_todatetime(todouble(EventFields[0])),\r\n\t\t\t\t\t\t LogType has \"W3C Logs\", todatetime(strcat(EventFields[0], ' ', EventFields[1])), datetime(null))\r\n| extend Latency = case(LogType has \"Squid Logs\", toint(EventFields[1]),\r\n LogType has \"W3C Logs\", toint(EventFields[3]), int(null))\r\n| extend SrcIpAddr = case(LogType has \"Squid Logs\", tostring(EventFields[2]),\r\n\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[5]), \"\")\r\n| extend EventResultDetails = case(LogType has \"Squid Logs\", extract(@'\\A(.*?)\\/[1-5]\\d{2}', 1, tostring(EventFields[3])),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[6]), \"\")\r\n| extend HttpStatusCode = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\/([1-5]\\d{2})', 1, tostring(EventFields[3])), dynamic(\"\"))\r\n| extend DstBytes = case(LogType has \"Squid Logs\", toint(EventFields[4]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", toint(EventFields[8]), int(null))\r\n| extend HttpRequestMethod = case(LogType has \"Squid Logs\", tostring(EventFields[5]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", 
tostring(EventFields[9]), \"\")\r\n| extend UrlOriginal = case(LogType has \"Squid Logs\", tostring(EventFields[6]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[10]), \"\")\r\n| extend SrcUserName = case(LogType has \"Squid Logs\", tostring(EventFields[7]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[13]), \"\")\r\n| extend ContactedServerCode = iif(LogType == \"Squid Logs\", extract(@'\\A(\\w+)\\/\\d{1,3}', 1, tostring(EventFields[8])), dynamic(\"\"))\r\n| extend DstIpAddr = case(LogType has \"Squid Logs\", extract(@'\\A\\w+\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, tostring(EventFields[8])),\r\n\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[11]), \"\")\r\n| extend DstDvcHostname = case(LogType has \"Squid Logs\", extract(@'\\A\\w+\\/(\\D+)', 1, tostring(EventFields[8])),\r\n\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[18]), \"\")\r\n| extend ResponseBodyMimeType = case(LogType has \"Squid Logs\", tostring(EventFields[9]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[14]), \"\")\r\n| extend DvcAction = case(LogType has \"Squid Logs\", extract(@'\\A(.*?)\\-', 1, tostring(EventFields[10])),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[15]), \"\")\r\n| extend PolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend IdentityPolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend OutboundMalwareScanningPolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend DataSecurityPolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend ExternalDplPolicyGroupName = iif(LogType == \"Squid Logs\", 
extract(@'\\A.*?\\-.*?\\-.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend RoutingPolicy = iif(LogType == \"Squid Logs\", extract(@'\\A(.*?\\-){6}(.*)', 2, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend SuspectedUserAgent = case(LogType has \"Squid Logs\", tostring(EventFields[-1]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[62]), \"\")\r\n| extend UrlCategory = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[0]),\r\n\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[21]), \"\")\r\n| extend WebReputationScore = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[1]), dynamic(\"\"))\r\n| extend MalwareScanningVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[2]), dynamic(\"\"))\r\n| extend ThreatName = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[3]), dynamic(\"\"))\r\n| extend ThreatRiskRatioValue = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[4]), dynamic(\"\"))\r\n| extend ThreatIdentifier = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[5]), dynamic(\"\"))\r\n| extend TraceIdentifier = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[6]), dynamic(\"\"))\r\n| extend McAfeeMalwareScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[7]),\r\n\t\t\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[28]), \"\")\r\n| extend McAfeeScannedFileName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[8]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[29]), \"\")\r\n| extend McAfeeScanError = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[9]),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[30]), \"\")\r\n| extend McAfeeDetectionType = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[10]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[31]), \"\")\r\n| 
extend McAfeeThreatCategory = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[11]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[32]), \"\")\r\n| extend McAfeeThreatName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[12]),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[33]), \"\")\r\n| extend SophosScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[13]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[34]), \"\")\r\n| extend SophosScanReturnCode = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[14]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[35]), \"\")\r\n| extend SophosScannedFileName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[15]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[36]), \"\")\r\n| extend SophosThreatName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[16]),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[37]), \"\")\r\n| extend CiscoDataSecurityScanningVerdict = case(LogType has \"Squid Logs\", case(tostring(ScanningVerdictFields[17]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[17]) == '1', 'Block',\r\n '-'),\r\n\t\t\t\t\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[38]), \"\")\r\n| extend ExternalDlpScannningVerdict = case(LogType has \"Squid Logs\", case(tostring(ScanningVerdictFields[18]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[18]) == '1', 'Block',\r\n '-'), LogType has \"W3C Logs\", tostring(EventFields[39]), \"\")\r\n| extend ResponseSideScanningUrlCategoryVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[19]),\r\n\t\t\t\t\t\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[41]), \"\")\r\n| extend DcaUrlCategoryVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[20]), dynamic(\"\"))\r\n| extend ResponseThreatCategory = 
iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[21]), dynamic(\"\"))\r\n| extend WebReputationThreatType = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[22]), dynamic(\"\"))\r\n| extend GteEncapsulatedUrl = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[23]), dynamic(\"\"))\r\n| extend AvcApplicationName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[24]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[43]), \"\")\r\n| extend AvcApplicationType = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[25]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[44]), \"\")\r\n| extend AvcApplicationBehavior = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[26]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[45]), \"\")\r\n| extend SafeBrowsingScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[27]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[46]), \"\")\r\n| extend ['AvgBandwidth(Kb/sec)'] = case(LogType has \"Squid Logs\", todouble(ScanningVerdictFields[28]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", todouble(EventFields[47]), double(null))\r\n| extend Throttled = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[29]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[48]), \"\")\r\n| extend UserType = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[30]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[49]), \"\")\r\n| extend RequestSideAntiMalwareScanningVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[31]), dynamic(\"\"))\r\n| extend ClientRequestThreatName = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[32]), dynamic(\"\"))\r\n| extend AmpScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[33]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", 
tostring(EventFields[56]), \"\")\r\n| extend AmpThreatName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[34]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[57]), \"\")\r\n| extend AmpReputationScore = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[35]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[58]), \"\")\r\n| extend AmpUploadIndicator = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[36]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[59]), \"\")\r\n| extend AmpFileName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[37]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[60]), \"\")\r\n| extend AmpFileHashSha256 = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[38]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[61]), \"\")\r\n| extend ArchiveScanningVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[39]), dynamic(\"\"))\r\n| extend ArchiveScanningVerdictDetail = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[40]), dynamic(\"\"))\r\n| extend ArchiveScannerFileVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[41]), dynamic(\"\"))\r\n| extend WebTapBehavior = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[42]), dynamic(\"\"))\r\n| extend YouTubeUrlCategory = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[43]), dynamic(\"\"))\r\n| extend BlockedFileTypeDetail = iif(LogType == \"Squid Logs\", extract_all(@\"(?P[a-zA-Z0-9- ]+):(?P[a-zA-Z0-9-_:/@.#{};= ]+)\", dynamic([\"key\",\"value\"]), tostring(ScanningVerdictFields[44])), dynamic(\"\"))\r\n| extend HttpReferrerOriginal = iif(LogType == \"W3C Logs\", tostring(EventFields[4]), dynamic(\"\"))\r\n| extend SrcBytes = iif(LogType == \"W3C Logs\", toint(EventFields[7]), dynamic(null))\r\n| extend RequestUri = iif(LogType == \"W3C Logs\", tostring(EventFields[12]), 
dynamic(\"\"))\r\n| extend HttpRequestXff = iif(LogType == \"W3C Logs\", tostring(EventFields[16]), dynamic(\"\"))\r\n| extend SrcPortNumber = iif(LogType == \"W3C Logs\", tostring(EventFields[17]), dynamic(\"\"))\r\n| extend DstPortNumber = iif(LogType == \"W3C Logs\", tostring(EventFields[19]), dynamic(\"\"))\r\n| extend NetworkApplicationProtocol = iif(LogType == \"W3C Logs\", tostring(EventFields[20]), dynamic(\"\"))\r\n| extend WbrsScore = iif(LogType == \"W3C Logs\", tostring(EventFields[22]), dynamic(\"\"))\r\n| extend WebrootScanningVerdict = iif(LogType == \"W3C Logs\", tostring(EventFields[23]), dynamic(\"\"))\r\n| extend WebrootThreatName = iif(LogType == \"W3C Logs\", tostring(EventFields[24]), dynamic(\"\"))\r\n| extend WebrootThreatRiskRatio = iif(LogType == \"W3C Logs\", tostring(EventFields[25]), dynamic(\"\"))\r\n| extend WebrootSpyId = iif(LogType == \"W3C Logs\", tostring(EventFields[26]), dynamic(\"\"))\r\n| extend WebrootTraceId = iif(LogType == \"W3C Logs\", tostring(EventFields[27]), dynamic(\"\"))\r\n| extend RequestSideScanningUrlCategoryVerdict = iif(LogType == \"W3C Logs\", tostring(EventFields[40]), dynamic(\"\"))\r\n| extend WebReputationThreatCategory = iif(LogType == \"W3C Logs\", tostring(EventFields[42]), dynamic(\"\"))\r\n| extend ResponseSideThreatName = iif(LogType == \"W3C Logs\", tostring(EventFields[50]), dynamic(\"\"))\r\n| extend ResponseSideThreatCategoryCode = iif(LogType == \"W3C Logs\", tostring(EventFields[51]), dynamic(\"\"))\r\n| extend ResponseSideThreatCategory = iif(LogType == \"W3C Logs\", tostring(EventFields[52]), dynamic(\"\"))\r\n| extend RequestSideDvsThreatName = iif(LogType == \"W3C Logs\", tostring(EventFields[53]), dynamic(\"\"))\r\n| extend RequestSideDvsScanningVerdict = iif(LogType == \"W3C Logs\", tostring(EventFields[54]), dynamic(\"\"))\r\n| extend RequestSideDvsVerdictName = iif(LogType == \"W3C Logs\", tostring(EventFields[55]), dynamic(\"\"))\r\n| extend NetworkBytes = 
toint(EventFields[63])\r\n};\r\ncisco_wsa_access_logs\r\n| project-away SyslogMessage\r\n , EventFields\r\n , ScanningVerdictFields\r\n\t\t\t , LogType\r\n", + "query": "\n\r\nlet AllData = Syslog\r\n| where ProcessName =~ \"sentinel\"\r\n| extend LogType = iff(SyslogMessage matches regex @\"\\d{10}\\.\\d{3}\\s\\d+\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\", \"Squid Logs\" , iif(SyslogMessage matches regex @\"\\d{4}\\-\\d{2}\\-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}\\s\\d{10}\\.\\d{3}\", \"W3C Logs\",dynamic(\"\")))\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Web Security Appliance'\r\n| extend EventType = 'Access Log';\r\nlet SquidLogData = AllData\r\n| where LogType == \"Squid Logs\"\r\n| parse SyslogMessage with * \" \" EventStartTimeEpoch:real \" \" Latency:int \" \" SrcIpAddr \" \" EventResultDetails \"/\" HttpStatusCode:int \" \" DstBytes:int \" \" HttpRequestMethod:string \" \" UrlOriginal:string \" \" SrcUserName:string \" \" ContactedServerCode:string \"/\" DstDvcHostname:string \" \" ResponseBodyMimeType \" \" DvcAction:string \"-\" PolicyGroupName \"-\" IdentityPolicyGroupName:string \"-\" OutboundMalwareScanningPolicyGroupName:string \"-\" DataSecurityPolicyGroupName:string \"-\" ExternalDplPolicyGroupName:string \"-\" RoutingPolicy:string \"<\" ScanningVerdictFields \">\" * \" \" * \" \" RemainingMessage\r\n| extend ScanningVerdictFields = split(ScanningVerdictFields,',')\r\n| parse-kv RemainingMessage as (Date:string, [\"Dst-IP\"]:string, UserAgent: string, ADGroup:string, AuthMethod:string, TransID:long, TotalBytes:int, RequestBytes:int, ResponseBytes:int, ElapseTime:int) with (pair_delimiter=' ', kv_delimiter=':', quote='\"')\r\n| extend EventStartTime = unixtime_seconds_todatetime(todouble(EventStartTimeEpoch))\r\n, SuspectedUserAgent = UserAgent\r\n, UrlCategory = trim('\"',tostring(ScanningVerdictFields[0]))\r\n, WebReputationScore = tostring(ScanningVerdictFields[1])\r\n, MalwareScanningVerdict = 
tostring(ScanningVerdictFields[2])\r\n, ThreatName = trim('\"',tostring(ScanningVerdictFields[3]))\r\n, ThreatRiskRatioValue = tostring(ScanningVerdictFields[4])\r\n, ThreatIdentifier = tostring(ScanningVerdictFields[5])\r\n, TraceIdentifier = tostring(ScanningVerdictFields[6])\r\n, McAfeeMalwareScanningVerdict = tostring(ScanningVerdictFields[7])\r\n, McAfeeScannedFileName = trim('\"',tostring(ScanningVerdictFields[8]))\r\n, McAfeeScanError = tostring(ScanningVerdictFields[9])\r\n, McAfeeDetectionType = tostring(ScanningVerdictFields[10])\r\n, McAfeeThreatCategory = tostring(ScanningVerdictFields[11])\r\n, McAfeeThreatName = trim('\"',tostring(ScanningVerdictFields[12]))\r\n, SophosScanningVerdict = tostring(ScanningVerdictFields[13])\r\n, SophosScanReturnCode = tostring(ScanningVerdictFields[14])\r\n, SophosScannedFileName = trim('\"',tostring(ScanningVerdictFields[15]))\r\n, SophosThreatName = trim('\"',tostring(ScanningVerdictFields[16]))\r\n, CiscoDataSecurityScanningVerdict = case(tostring(ScanningVerdictFields[17]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[17]) == '1', 'Block',\r\n '-')\r\n, ExternalDlpScannningVerdict = case(tostring(ScanningVerdictFields[18]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[18]) == '1', 'Block',\r\n '-')\r\n, ResponseSideScanningUrlCategoryVerdict = trim('\"',tostring(ScanningVerdictFields[19]))\r\n, DcaUrlCategoryVerdict = tostring(ScanningVerdictFields[20])\r\n, ResponseThreatCategory = trim('\"',tostring(ScanningVerdictFields[21]))\r\n, WebReputationThreatType = trim('\"',tostring(ScanningVerdictFields[22]))\r\n, GteEncapsulatedUrl = trim('\"',tostring(ScanningVerdictFields[23]))\r\n, AvcApplicationName = trim('\"',tostring(ScanningVerdictFields[24]))\r\n, AvcApplicationType = trim('\"',tostring(ScanningVerdictFields[25]))\r\n, AvcApplicationBehavior = trim('\"',tostring(ScanningVerdictFields[26]))\r\n, SafeBrowsingScanningVerdict = trim('\"',tostring(ScanningVerdictFields[27]))\r\n, 
['AvgBandwidth(Kb/sec)'] = tostring(ScanningVerdictFields[28])\r\n, Throttled = tostring(ScanningVerdictFields[29])\r\n, UserType = tostring(ScanningVerdictFields[30])\r\n, RequestSideAntiMalwareScanningVerdict = trim('\"',tostring(ScanningVerdictFields[31]))\r\n, ClientRequestThreatName = trim('\"',tostring(ScanningVerdictFields[32]))\r\n, AmpScanningVerdict = tostring(ScanningVerdictFields[33])\r\n, AmpThreatName = trim('\"',tostring(ScanningVerdictFields[34]))\r\n, AmpReputationScore = tostring(ScanningVerdictFields[35])\r\n, AmpUploadIndicator = tostring(ScanningVerdictFields[36])\r\n, AmpFileName = trim('\"',tostring(ScanningVerdictFields[37]))\r\n, AmpFileHashSha256 = trim('\"',tostring(ScanningVerdictFields[38]))\r\n, ArchiveScanningVerdict = tostring(ScanningVerdictFields[39])\r\n, ArchiveScanningVerdictDetail = tostring(ScanningVerdictFields[40])\r\n, ArchiveScannerFileVerdict = trim('\"',tostring(ScanningVerdictFields[41]))\r\n, WebTapBehavior = tostring(ScanningVerdictFields[42])\r\n, YouTubeUrlCategory = tostring(ScanningVerdictFields[43])\r\n, BlockedFileTypeDetail = tostring(ScanningVerdictFields[44]);\r\nlet W3CLogData = AllData\r\n| where LogType == \"W3C Logs\"\r\n| extend EventFields = split(SyslogMessage, ' ')\r\n| extend EventStartTime = strcat(EventFields[0], ' ', EventFields[1])\r\n, Latency = toint(EventFields[3])\r\n, SrcIpAddr = tostring(EventFields[5])\r\n, EventResultDetails = tostring(EventFields[6])\r\n, DstBytes = toint(EventFields[8])\r\n, HttpRequestMethod = tostring(EventFields[9])\r\n, UrlOriginal = tostring(EventFields[10])\r\n, SrcUserName = tostring(EventFields[13])\r\n, DstIpAddr = tostring(EventFields[11])\r\n, DstDvcHostname = tostring(EventFields[18])\r\n, ResponseBodyMimeType = tostring(EventFields[14])\r\n, DvcAction = tostring(EventFields[15])\r\n, SuspectedUserAgent = tostring(EventFields[62])\r\n, UrlCategory = tostring(EventFields[21])\r\n, McAfeeMalwareScanningVerdict = tostring(EventFields[28])\r\n, 
McAfeeScannedFileName = (EventFields[29])\r\n, McAfeeScanError = tostring(EventFields[30])\r\n, McAfeeDetectionType = tostring(EventFields[31])\r\n, McAfeeThreatCategory = tostring(EventFields[32])\r\n, McAfeeThreatName = tostring(EventFields[33])\r\n, SophosScanningVerdict = tostring(EventFields[34])\r\n, SophosScanReturnCode = tostring(EventFields[35])\r\n, SophosScannedFileName = tostring(EventFields[36])\r\n, SophosThreatName = tostring(EventFields[37])\r\n, CiscoDataSecurityScanningVerdict = tostring(EventFields[38])\r\n, ExternalDlpScannningVerdict = tostring(EventFields[39])\r\n, ResponseSideScanningUrlCategoryVerdict = tostring(EventFields[41])\r\n, AvcApplicationName = tostring(EventFields[43])\r\n, AvcApplicationType = tostring(EventFields[44])\r\n, AvcApplicationBehavior = tostring(EventFields[45])\r\n, SafeBrowsingScanningVerdict = tostring(EventFields[46])\r\n, ['AvgBandwidth(Kb/sec)'] = todouble(EventFields[47])\r\n, Throttled = tostring(EventFields[48])\r\n, UserType = tostring(EventFields[49])\r\n, AmpScanningVerdict = tostring(EventFields[56])\r\n, AmpThreatName = tostring(EventFields[57])\r\n, AmpReputationScore = tostring(EventFields[58])\r\n, AmpUploadIndicator = tostring(EventFields[59])\r\n, AmpFileName = tostring(EventFields[60])\r\n, AmpFileHashSha256 = tostring(EventFields[61])\r\n, HttpReferrerOriginal = tostring(EventFields[4])\r\n, SrcBytes = toint(EventFields[7])\r\n, RequestUri = tostring(EventFields[12])\r\n, HttpRequestXff = tostring(EventFields[16])\r\n, SrcPortNumber = tostring(EventFields[17])\r\n, DstPortNumber = tostring(EventFields[19])\r\n, NetworkApplicationProtocol = tostring(EventFields[20])\r\n, WbrsScore = tostring(EventFields[22])\r\n, WebrootScanningVerdict = tostring(EventFields[23])\r\n, WebrootThreatName = tostring(EventFields[24])\r\n, WebrootThreatRiskRatio = tostring(EventFields[25])\r\n, WebrootSpyId = tostring(EventFields[26])\r\n, WebrootTraceId = tostring(EventFields[27])\r\n, 
RequestSideScanningUrlCategoryVerdict = tostring(EventFields[40])\r\n, WebReputationThreatCategory = tostring(EventFields[42])\r\n, ResponseSideThreatName = tostring(EventFields[50])\r\n, ResponseSideThreatCategoryCode = tostring(EventFields[51])\r\n, ResponseSideThreatCategory = tostring(EventFields[52])\r\n, RequestSideDvsThreatName = tostring(EventFields[53])\r\n, RequestSideDvsScanningVerdict = tostring(EventFields[54])\r\n, RequestSideDvsVerdictName = tostring(EventFields[55])\r\n, NetworkBytes = toint(EventFields[63]);\r\nunion SquidLogData, W3CLogData", + "functionParameters": "", "version": 1, "tags": [ { @@ -337,12 +353,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "CiscoWSA Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", + "apiVersion": "2022-10-01", "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", "properties": { 
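Review bot: The new parser filters `Syslog | where ProcessName =~ "sentinel"` where the old one filtered `ProcessName in ("cisco_wsa")`; unless the WSA forwarder really tags its syslog with that process name, this looks like a value from a lab/sample setup, and in production the `CiscoWSAEvent` function (and every analytic rule built on it) would silently return nothing — a coverage regression that is harder to notice than a parse error, so the filter should be restored or at least made a documented parameter (`functionParameters` is now set to `""`). Two smaller inconsistencies in the same query: the W3C branch sets `EventStartTime = strcat(EventFields[0], ' ', EventFields[1])` (a string) while the Squid branch produces a datetime, and `McAfeeScannedFileName = (EventFields[29])` lacks `tostring` (likewise `['AvgBandwidth(Kb/sec)']` is `tostring` on one side and `todouble` on the other); when the final `union SquidLogData, W3CLogData` runs, same-named columns of different types are split or widened rather than merged, so consumers will see a different shape depending on log type. I would use `, EventStartTime = todatetime(strcat(EventFields[0], ' ', EventFields[1]))` and `, McAfeeScannedFileName = tostring(EventFields[29])` and align the bandwidth column to one type. Note also that the `\A` anchor was dropped from both LogType regexes, so a message is classified by a pattern appearing anywhere in it; if the leading `*` in the `parse` was added to tolerate a prefix, a comment saying so would help. The enclosing `savedSearches` resource starts before this hunk.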
@@ -350,8 +377,15 @@ "displayName": "CiscoWSA Data Parser", "category": "Samples", "functionAlias": "CiscoWSAEvent", - "query": "\nlet cisco_wsa_access_logs =() {\r\nSyslog\r\n| where ProcessName in (\"cisco_wsa\")\r\n| extend LogType = iff(SyslogMessage matches regex @\"\\A\\d{10}\\.\\d{3}\\s\\d+\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\", \"Squid Logs\" , iif(SyslogMessage matches regex @\"\\A\\d{4}\\-\\d{2}\\-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}\\s\\d{10}\\.\\d{3}\", \"W3C Logs\",dynamic(\"\")))\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Web Security Appliance'\r\n| extend EventType = 'Access Log'\r\n| extend EventFields = split(SyslogMessage, ' ')\r\n| extend ScanningVerdictFields = iif(LogType == \"Squid Logs\", parse_csv(tostring(extract(@'<(.*?)>', 1, SyslogMessage))), dynamic(\"\"))\r\n| extend EventStartTime = case(LogType has \"Squid Logs\", unixtime_seconds_todatetime(todouble(EventFields[0])),\r\n\t\t\t\t\t\t LogType has \"W3C Logs\", todatetime(strcat(EventFields[0], ' ', EventFields[1])), datetime(null))\r\n| extend Latency = case(LogType has \"Squid Logs\", toint(EventFields[1]),\r\n LogType has \"W3C Logs\", toint(EventFields[3]), int(null))\r\n| extend SrcIpAddr = case(LogType has \"Squid Logs\", tostring(EventFields[2]),\r\n\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[5]), \"\")\r\n| extend EventResultDetails = case(LogType has \"Squid Logs\", extract(@'\\A(.*?)\\/[1-5]\\d{2}', 1, tostring(EventFields[3])),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[6]), \"\")\r\n| extend HttpStatusCode = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\/([1-5]\\d{2})', 1, tostring(EventFields[3])), dynamic(\"\"))\r\n| extend DstBytes = case(LogType has \"Squid Logs\", toint(EventFields[4]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", toint(EventFields[8]), int(null))\r\n| extend HttpRequestMethod = case(LogType has \"Squid Logs\", tostring(EventFields[5]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", 
tostring(EventFields[9]), \"\")\r\n| extend UrlOriginal = case(LogType has \"Squid Logs\", tostring(EventFields[6]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[10]), \"\")\r\n| extend SrcUserName = case(LogType has \"Squid Logs\", tostring(EventFields[7]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[13]), \"\")\r\n| extend ContactedServerCode = iif(LogType == \"Squid Logs\", extract(@'\\A(\\w+)\\/\\d{1,3}', 1, tostring(EventFields[8])), dynamic(\"\"))\r\n| extend DstIpAddr = case(LogType has \"Squid Logs\", extract(@'\\A\\w+\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, tostring(EventFields[8])),\r\n\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[11]), \"\")\r\n| extend DstDvcHostname = case(LogType has \"Squid Logs\", extract(@'\\A\\w+\\/(\\D+)', 1, tostring(EventFields[8])),\r\n\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[18]), \"\")\r\n| extend ResponseBodyMimeType = case(LogType has \"Squid Logs\", tostring(EventFields[9]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[14]), \"\")\r\n| extend DvcAction = case(LogType has \"Squid Logs\", extract(@'\\A(.*?)\\-', 1, tostring(EventFields[10])),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[15]), \"\")\r\n| extend PolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend IdentityPolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend OutboundMalwareScanningPolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend DataSecurityPolicyGroupName = iif(LogType == \"Squid Logs\", extract(@'\\A.*?\\-.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend ExternalDplPolicyGroupName = iif(LogType == \"Squid Logs\", 
extract(@'\\A.*?\\-.*?\\-.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend RoutingPolicy = iif(LogType == \"Squid Logs\", extract(@'\\A(.*?\\-){6}(.*)', 2, tostring(EventFields[10])), dynamic(\"\"))\r\n| extend SuspectedUserAgent = case(LogType has \"Squid Logs\", tostring(EventFields[-1]),\r\n\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[62]), \"\")\r\n| extend UrlCategory = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[0]),\r\n\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[21]), \"\")\r\n| extend WebReputationScore = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[1]), dynamic(\"\"))\r\n| extend MalwareScanningVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[2]), dynamic(\"\"))\r\n| extend ThreatName = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[3]), dynamic(\"\"))\r\n| extend ThreatRiskRatioValue = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[4]), dynamic(\"\"))\r\n| extend ThreatIdentifier = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[5]), dynamic(\"\"))\r\n| extend TraceIdentifier = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[6]), dynamic(\"\"))\r\n| extend McAfeeMalwareScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[7]),\r\n\t\t\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[28]), \"\")\r\n| extend McAfeeScannedFileName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[8]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[29]), \"\")\r\n| extend McAfeeScanError = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[9]),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[30]), \"\")\r\n| extend McAfeeDetectionType = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[10]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[31]), \"\")\r\n| 
extend McAfeeThreatCategory = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[11]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[32]), \"\")\r\n| extend McAfeeThreatName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[12]),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[33]), \"\")\r\n| extend SophosScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[13]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[34]), \"\")\r\n| extend SophosScanReturnCode = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[14]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[35]), \"\")\r\n| extend SophosScannedFileName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[15]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[36]), \"\")\r\n| extend SophosThreatName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[16]),\r\n\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[37]), \"\")\r\n| extend CiscoDataSecurityScanningVerdict = case(LogType has \"Squid Logs\", case(tostring(ScanningVerdictFields[17]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[17]) == '1', 'Block',\r\n '-'),\r\n\t\t\t\t\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[38]), \"\")\r\n| extend ExternalDlpScannningVerdict = case(LogType has \"Squid Logs\", case(tostring(ScanningVerdictFields[18]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[18]) == '1', 'Block',\r\n '-'), LogType has \"W3C Logs\", tostring(EventFields[39]), \"\")\r\n| extend ResponseSideScanningUrlCategoryVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[19]),\r\n\t\t\t\t\t\t\t\t\t\t\t\t LogType has \"W3C Logs\", tostring(EventFields[41]), \"\")\r\n| extend DcaUrlCategoryVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[20]), dynamic(\"\"))\r\n| extend ResponseThreatCategory = 
iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[21]), dynamic(\"\"))\r\n| extend WebReputationThreatType = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[22]), dynamic(\"\"))\r\n| extend GteEncapsulatedUrl = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[23]), dynamic(\"\"))\r\n| extend AvcApplicationName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[24]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[43]), \"\")\r\n| extend AvcApplicationType = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[25]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[44]), \"\")\r\n| extend AvcApplicationBehavior = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[26]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[45]), \"\")\r\n| extend SafeBrowsingScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[27]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[46]), \"\")\r\n| extend ['AvgBandwidth(Kb/sec)'] = case(LogType has \"Squid Logs\", todouble(ScanningVerdictFields[28]),\r\n\t\t\t\t\t\t\t\tLogType has \"W3C Logs\", todouble(EventFields[47]), double(null))\r\n| extend Throttled = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[29]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[48]), \"\")\r\n| extend UserType = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[30]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[49]), \"\")\r\n| extend RequestSideAntiMalwareScanningVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[31]), dynamic(\"\"))\r\n| extend ClientRequestThreatName = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[32]), dynamic(\"\"))\r\n| extend AmpScanningVerdict = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[33]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", 
tostring(EventFields[56]), \"\")\r\n| extend AmpThreatName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[34]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[57]), \"\")\r\n| extend AmpReputationScore = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[35]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[58]), \"\")\r\n| extend AmpUploadIndicator = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[36]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[59]), \"\")\r\n| extend AmpFileName = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[37]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[60]), \"\")\r\n| extend AmpFileHashSha256 = case(LogType has \"Squid Logs\", tostring(ScanningVerdictFields[38]),\r\n\t\t\t\t\tLogType has \"W3C Logs\", tostring(EventFields[61]), \"\")\r\n| extend ArchiveScanningVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[39]), dynamic(\"\"))\r\n| extend ArchiveScanningVerdictDetail = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[40]), dynamic(\"\"))\r\n| extend ArchiveScannerFileVerdict = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[41]), dynamic(\"\"))\r\n| extend WebTapBehavior = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[42]), dynamic(\"\"))\r\n| extend YouTubeUrlCategory = iif(LogType == \"Squid Logs\", tostring(ScanningVerdictFields[43]), dynamic(\"\"))\r\n| extend BlockedFileTypeDetail = iif(LogType == \"Squid Logs\", extract_all(@\"(?P[a-zA-Z0-9- ]+):(?P[a-zA-Z0-9-_:/@.#{};= ]+)\", dynamic([\"key\",\"value\"]), tostring(ScanningVerdictFields[44])), dynamic(\"\"))\r\n| extend HttpReferrerOriginal = iif(LogType == \"W3C Logs\", tostring(EventFields[4]), dynamic(\"\"))\r\n| extend SrcBytes = iif(LogType == \"W3C Logs\", toint(EventFields[7]), dynamic(null))\r\n| extend RequestUri = iif(LogType == \"W3C Logs\", tostring(EventFields[12]), 
dynamic(\"\"))\r\n| extend HttpRequestXff = iif(LogType == \"W3C Logs\", tostring(EventFields[16]), dynamic(\"\"))\r\n| extend SrcPortNumber = iif(LogType == \"W3C Logs\", tostring(EventFields[17]), dynamic(\"\"))\r\n| extend DstPortNumber = iif(LogType == \"W3C Logs\", tostring(EventFields[19]), dynamic(\"\"))\r\n| extend NetworkApplicationProtocol = iif(LogType == \"W3C Logs\", tostring(EventFields[20]), dynamic(\"\"))\r\n| extend WbrsScore = iif(LogType == \"W3C Logs\", tostring(EventFields[22]), dynamic(\"\"))\r\n| extend WebrootScanningVerdict = iif(LogType == \"W3C Logs\", tostring(EventFields[23]), dynamic(\"\"))\r\n| extend WebrootThreatName = iif(LogType == \"W3C Logs\", tostring(EventFields[24]), dynamic(\"\"))\r\n| extend WebrootThreatRiskRatio = iif(LogType == \"W3C Logs\", tostring(EventFields[25]), dynamic(\"\"))\r\n| extend WebrootSpyId = iif(LogType == \"W3C Logs\", tostring(EventFields[26]), dynamic(\"\"))\r\n| extend WebrootTraceId = iif(LogType == \"W3C Logs\", tostring(EventFields[27]), dynamic(\"\"))\r\n| extend RequestSideScanningUrlCategoryVerdict = iif(LogType == \"W3C Logs\", tostring(EventFields[40]), dynamic(\"\"))\r\n| extend WebReputationThreatCategory = iif(LogType == \"W3C Logs\", tostring(EventFields[42]), dynamic(\"\"))\r\n| extend ResponseSideThreatName = iif(LogType == \"W3C Logs\", tostring(EventFields[50]), dynamic(\"\"))\r\n| extend ResponseSideThreatCategoryCode = iif(LogType == \"W3C Logs\", tostring(EventFields[51]), dynamic(\"\"))\r\n| extend ResponseSideThreatCategory = iif(LogType == \"W3C Logs\", tostring(EventFields[52]), dynamic(\"\"))\r\n| extend RequestSideDvsThreatName = iif(LogType == \"W3C Logs\", tostring(EventFields[53]), dynamic(\"\"))\r\n| extend RequestSideDvsScanningVerdict = iif(LogType == \"W3C Logs\", tostring(EventFields[54]), dynamic(\"\"))\r\n| extend RequestSideDvsVerdictName = iif(LogType == \"W3C Logs\", tostring(EventFields[55]), dynamic(\"\"))\r\n| extend NetworkBytes = 
toint(EventFields[63])\r\n};\r\ncisco_wsa_access_logs\r\n| project-away SyslogMessage\r\n , EventFields\r\n , ScanningVerdictFields\r\n\t\t\t , LogType\r\n", - "version": 1 + "query": "\n\r\nlet AllData = Syslog\r\n| where ProcessName =~ \"sentinel\"\r\n| extend LogType = iff(SyslogMessage matches regex @\"\\d{10}\\.\\d{3}\\s\\d+\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\", \"Squid Logs\" , iif(SyslogMessage matches regex @\"\\d{4}\\-\\d{2}\\-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}\\s\\d{10}\\.\\d{3}\", \"W3C Logs\",dynamic(\"\")))\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Web Security Appliance'\r\n| extend EventType = 'Access Log';\r\nlet SquidLogData = AllData\r\n| where LogType == \"Squid Logs\"\r\n| parse SyslogMessage with * \" \" EventStartTimeEpoch:real \" \" Latency:int \" \" SrcIpAddr \" \" EventResultDetails \"/\" HttpStatusCode:int \" \" DstBytes:int \" \" HttpRequestMethod:string \" \" UrlOriginal:string \" \" SrcUserName:string \" \" ContactedServerCode:string \"/\" DstDvcHostname:string \" \" ResponseBodyMimeType \" \" DvcAction:string \"-\" PolicyGroupName \"-\" IdentityPolicyGroupName:string \"-\" OutboundMalwareScanningPolicyGroupName:string \"-\" DataSecurityPolicyGroupName:string \"-\" ExternalDplPolicyGroupName:string \"-\" RoutingPolicy:string \"<\" ScanningVerdictFields \">\" * \" \" * \" \" RemainingMessage\r\n| extend ScanningVerdictFields = split(ScanningVerdictFields,',')\r\n| parse-kv RemainingMessage as (Date:string, [\"Dst-IP\"]:string, UserAgent: string, ADGroup:string, AuthMethod:string, TransID:long, TotalBytes:int, RequestBytes:int, ResponseBytes:int, ElapseTime:int) with (pair_delimiter=' ', kv_delimiter=':', quote='\"')\r\n| extend EventStartTime = unixtime_seconds_todatetime(todouble(EventStartTimeEpoch))\r\n, SuspectedUserAgent = UserAgent\r\n, UrlCategory = trim('\"',tostring(ScanningVerdictFields[0]))\r\n, WebReputationScore = tostring(ScanningVerdictFields[1])\r\n, MalwareScanningVerdict = 
tostring(ScanningVerdictFields[2])\r\n, ThreatName = trim('\"',tostring(ScanningVerdictFields[3]))\r\n, ThreatRiskRatioValue = tostring(ScanningVerdictFields[4])\r\n, ThreatIdentifier = tostring(ScanningVerdictFields[5])\r\n, TraceIdentifier = tostring(ScanningVerdictFields[6])\r\n, McAfeeMalwareScanningVerdict = tostring(ScanningVerdictFields[7])\r\n, McAfeeScannedFileName = trim('\"',tostring(ScanningVerdictFields[8]))\r\n, McAfeeScanError = tostring(ScanningVerdictFields[9])\r\n, McAfeeDetectionType = tostring(ScanningVerdictFields[10])\r\n, McAfeeThreatCategory = tostring(ScanningVerdictFields[11])\r\n, McAfeeThreatName = trim('\"',tostring(ScanningVerdictFields[12]))\r\n, SophosScanningVerdict = tostring(ScanningVerdictFields[13])\r\n, SophosScanReturnCode = tostring(ScanningVerdictFields[14])\r\n, SophosScannedFileName = trim('\"',tostring(ScanningVerdictFields[15]))\r\n, SophosThreatName = trim('\"',tostring(ScanningVerdictFields[16]))\r\n, CiscoDataSecurityScanningVerdict = case(tostring(ScanningVerdictFields[17]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[17]) == '1', 'Block',\r\n '-')\r\n, ExternalDlpScannningVerdict = case(tostring(ScanningVerdictFields[18]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[18]) == '1', 'Block',\r\n '-')\r\n, ResponseSideScanningUrlCategoryVerdict = trim('\"',tostring(ScanningVerdictFields[19]))\r\n, DcaUrlCategoryVerdict = tostring(ScanningVerdictFields[20])\r\n, ResponseThreatCategory = trim('\"',tostring(ScanningVerdictFields[21]))\r\n, WebReputationThreatType = trim('\"',tostring(ScanningVerdictFields[22]))\r\n, GteEncapsulatedUrl = trim('\"',tostring(ScanningVerdictFields[23]))\r\n, AvcApplicationName = trim('\"',tostring(ScanningVerdictFields[24]))\r\n, AvcApplicationType = trim('\"',tostring(ScanningVerdictFields[25]))\r\n, AvcApplicationBehavior = trim('\"',tostring(ScanningVerdictFields[26]))\r\n, SafeBrowsingScanningVerdict = trim('\"',tostring(ScanningVerdictFields[27]))\r\n, 
['AvgBandwidth(Kb/sec)'] = tostring(ScanningVerdictFields[28])\r\n, Throttled = tostring(ScanningVerdictFields[29])\r\n, UserType = tostring(ScanningVerdictFields[30])\r\n, RequestSideAntiMalwareScanningVerdict = trim('\"',tostring(ScanningVerdictFields[31]))\r\n, ClientRequestThreatName = trim('\"',tostring(ScanningVerdictFields[32]))\r\n, AmpScanningVerdict = tostring(ScanningVerdictFields[33])\r\n, AmpThreatName = trim('\"',tostring(ScanningVerdictFields[34]))\r\n, AmpReputationScore = tostring(ScanningVerdictFields[35])\r\n, AmpUploadIndicator = tostring(ScanningVerdictFields[36])\r\n, AmpFileName = trim('\"',tostring(ScanningVerdictFields[37]))\r\n, AmpFileHashSha256 = trim('\"',tostring(ScanningVerdictFields[38]))\r\n, ArchiveScanningVerdict = tostring(ScanningVerdictFields[39])\r\n, ArchiveScanningVerdictDetail = tostring(ScanningVerdictFields[40])\r\n, ArchiveScannerFileVerdict = trim('\"',tostring(ScanningVerdictFields[41]))\r\n, WebTapBehavior = tostring(ScanningVerdictFields[42])\r\n, YouTubeUrlCategory = tostring(ScanningVerdictFields[43])\r\n, BlockedFileTypeDetail = tostring(ScanningVerdictFields[44]);\r\nlet W3CLogData = AllData\r\n| where LogType == \"W3C Logs\"\r\n| extend EventFields = split(SyslogMessage, ' ')\r\n| extend EventStartTime = strcat(EventFields[0], ' ', EventFields[1])\r\n, Latency = toint(EventFields[3])\r\n, SrcIpAddr = tostring(EventFields[5])\r\n, EventResultDetails = tostring(EventFields[6])\r\n, DstBytes = toint(EventFields[8])\r\n, HttpRequestMethod = tostring(EventFields[9])\r\n, UrlOriginal = tostring(EventFields[10])\r\n, SrcUserName = tostring(EventFields[13])\r\n, DstIpAddr = tostring(EventFields[11])\r\n, DstDvcHostname = tostring(EventFields[18])\r\n, ResponseBodyMimeType = tostring(EventFields[14])\r\n, DvcAction = tostring(EventFields[15])\r\n, SuspectedUserAgent = tostring(EventFields[62])\r\n, UrlCategory = tostring(EventFields[21])\r\n, McAfeeMalwareScanningVerdict = tostring(EventFields[28])\r\n, 
McAfeeScannedFileName = (EventFields[29])\r\n, McAfeeScanError = tostring(EventFields[30])\r\n, McAfeeDetectionType = tostring(EventFields[31])\r\n, McAfeeThreatCategory = tostring(EventFields[32])\r\n, McAfeeThreatName = tostring(EventFields[33])\r\n, SophosScanningVerdict = tostring(EventFields[34])\r\n, SophosScanReturnCode = tostring(EventFields[35])\r\n, SophosScannedFileName = tostring(EventFields[36])\r\n, SophosThreatName = tostring(EventFields[37])\r\n, CiscoDataSecurityScanningVerdict = tostring(EventFields[38])\r\n, ExternalDlpScannningVerdict = tostring(EventFields[39])\r\n, ResponseSideScanningUrlCategoryVerdict = tostring(EventFields[41])\r\n, AvcApplicationName = tostring(EventFields[43])\r\n, AvcApplicationType = tostring(EventFields[44])\r\n, AvcApplicationBehavior = tostring(EventFields[45])\r\n, SafeBrowsingScanningVerdict = tostring(EventFields[46])\r\n, ['AvgBandwidth(Kb/sec)'] = todouble(EventFields[47])\r\n, Throttled = tostring(EventFields[48])\r\n, UserType = tostring(EventFields[49])\r\n, AmpScanningVerdict = tostring(EventFields[56])\r\n, AmpThreatName = tostring(EventFields[57])\r\n, AmpReputationScore = tostring(EventFields[58])\r\n, AmpUploadIndicator = tostring(EventFields[59])\r\n, AmpFileName = tostring(EventFields[60])\r\n, AmpFileHashSha256 = tostring(EventFields[61])\r\n, HttpReferrerOriginal = tostring(EventFields[4])\r\n, SrcBytes = toint(EventFields[7])\r\n, RequestUri = tostring(EventFields[12])\r\n, HttpRequestXff = tostring(EventFields[16])\r\n, SrcPortNumber = tostring(EventFields[17])\r\n, DstPortNumber = tostring(EventFields[19])\r\n, NetworkApplicationProtocol = tostring(EventFields[20])\r\n, WbrsScore = tostring(EventFields[22])\r\n, WebrootScanningVerdict = tostring(EventFields[23])\r\n, WebrootThreatName = tostring(EventFields[24])\r\n, WebrootThreatRiskRatio = tostring(EventFields[25])\r\n, WebrootSpyId = tostring(EventFields[26])\r\n, WebrootTraceId = tostring(EventFields[27])\r\n, 
RequestSideScanningUrlCategoryVerdict = tostring(EventFields[40])\r\n, WebReputationThreatCategory = tostring(EventFields[42])\r\n, ResponseSideThreatName = tostring(EventFields[50])\r\n, ResponseSideThreatCategoryCode = tostring(EventFields[51])\r\n, ResponseSideThreatCategory = tostring(EventFields[52])\r\n, RequestSideDvsThreatName = tostring(EventFields[53])\r\n, RequestSideDvsScanningVerdict = tostring(EventFields[54])\r\n, RequestSideDvsVerdictName = tostring(EventFields[55])\r\n, NetworkBytes = toint(EventFields[63]);\r\nunion SquidLogData, W3CLogData", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "CiscoWSA Data Parser" + } + ] } }, { 
@@ -385,33 +419,15 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 1 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSABlockedFiles_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSABlockedFiles_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion1')]",
@@ -420,7 +436,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_1",
 "location": "[parameters('workspace-location')]",
 "properties": {
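Review bot: The resource type becomes the three-segment `Microsoft.OperationalInsights/workspaces/providers/contentTemplates`, but `name` is still `[variables('huntingQueryTemplateSpecName1')]`, whose definition is outside this hunk; for this type the value must now resolve to `<workspace>/Microsoft.SecurityInsights/<contentId>` rather than the old flat template-spec name, so confirm that variable was rewritten in the same commit or the deployment will fail at validation. The new `dependsOn` entry only resolves if a `Microsoft.SecurityInsights/contentPackages` resource named `variables('_solutionId')` is declared earlier in this template, which is also not visible here. `"apiVersion": "2023-04-01-preview"` pins a preview API surface; strict JSON cannot carry an inline comment, so the solution README or package description should state that the hunting-query templates depend on a preview version that may change without notice.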
@@ -473,37 +489,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Blocked files",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 2 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSARareApplications_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSARareApplications_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion2')]",
@@ -512,7 +521,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_2",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -565,37 +574,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Rare aplications",
+ "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
+ "id": "[variables('_huntingQuerycontentProductId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName3')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 3 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSATopApplications_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSATopApplications_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion3')]",
@@ -604,7 +606,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_3",
 "location": "[parameters('workspace-location')]",
 "properties": {
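Review bot: The new `displayName` for hunting query 2 misspells "applications": `"displayName": "Cisco WSA - Rare aplications",` should read `"displayName": "Cisco WSA - Rare applications",`. This string is what analysts see in the Hunting blade and what the content hub indexes, so the typo ships to every installer of the 3.0.0 package. If this mainTemplate.json is produced by the solution packaging tool, the fix belongs in the hunting query's source YAML (outside this diff) followed by a repackage, otherwise it will be regenerated on the next build.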
@@ -657,37 +659,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Top aplications",
+ "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
+ "id": "[variables('_huntingQuerycontentProductId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName4')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 4 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSATopResources_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSATopResources_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion4')]",
@@ -696,7 +691,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_4",
 "location": "[parameters('workspace-location')]",
 "properties": {
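Review bot: The new `displayName` for hunting query 3 has the same misspelling as query 2: `"displayName": "Cisco WSA - Top aplications",` should read `"displayName": "Cisco WSA - Top applications",`. Because `displayName` is part of the content-hub metadata added by this migration, the typo is user-visible in the Hunting blade and in content search for everyone who installs 3.0.0. If this file is generated from the solution's hunting-query YAML, correct the `name` there and repackage rather than editing the template by hand.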
@@ -749,37 +744,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Top URLs",
+ "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
+ "id": "[variables('_huntingQuerycontentProductId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 5 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSAUncategorizedResources_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSAUncategorizedResources_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion5')]",
@@ -788,7 +776,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_5",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -841,37 +829,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Uncategorized URLs",
+ "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
+ "id": "[variables('_huntingQuerycontentProductId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 6 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSAUploadedFiles_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSAUploadedFiles_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion6')]",
@@ -880,7 +861,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_6",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -933,37 +914,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Uploaded files",
+ "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
+ "id": "[variables('_huntingQuerycontentProductId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName7')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 7 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSAUrlRareErrorUrl_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSAUrlRareErrorUrl_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion7')]",
@@ -972,7 +946,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_7",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1025,37 +999,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco WSA - Rare URL with error",
+ "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
+ "id": "[variables('_huntingQuerycontentProductId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName8')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "CiscoWSA Hunting Query 8 with template",
- "displayName": "CiscoWSA Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoWSAUrlShortenerLinks_HuntingQueries Hunting Query with template version 2.0.1",
+ "description": "CiscoWSAUrlShortenerLinks_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion8')]",
@@ -1064,7 +1031,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "CiscoWSA_Hunting_Query_8",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1117,37 +1084,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "Cisco WSA - URL shorteners", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "CiscoWSA Hunting Query 9 with template", - "displayName": "CiscoWSA Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAUrlSuspiciousResources_HuntingQueries Hunting Query with template version 2.0.1", + "description": 
"CiscoWSAUrlSuspiciousResources_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion9')]", @@ -1156,7 +1116,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "CiscoWSA_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1209,37 +1169,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Cisco WSA - Potentially risky resources", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "CiscoWSA Hunting Query 10 with template", - "displayName": "CiscoWSA Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAUrlUsersWithErrors_HuntingQueries Hunting Query with template version 2.0.1", + "description": 
"CiscoWSAUrlUsersWithErrors_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion10')]", @@ -1248,7 +1201,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "CiscoWSA_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1301,37 +1254,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId10')]", + "contentKind": "HuntingQuery", + "displayName": "Cisco WSA - User errors", + "contentProductId": "[variables('_huntingQuerycontentProductId10')]", + "id": "[variables('_huntingQuerycontentProductId10')]", + "version": "[variables('huntingQueryVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "CiscoWSA data connector with template", - "displayName": "CiscoWSA template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSA data connector with template version 2.0.1", + "description": "CiscoWSA data connector with template version 3.0.0", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1501,7 +1447,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -1526,12 +1472,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Cisco Web Security Appliance", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" 
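Review bot: The added metadata block at -1526 mixes two spellings of one naming scheme: `contentId` reads `variables('_dataConnectorContentId1')` while `contentProductId` and `id` read `variables('_dataConnectorcontentProductId1')`, whereas the hunting-query blocks in this diff use the lowercase form throughout (`_huntingQuerycontentId7`, `_huntingQuerycontentProductId7`). ARM resolves `variables()` case-insensitively, so this deploys either way, but two casings for the same prefix invite a later edit to reference a name that was never defined. Picking one spelling for both lines, e.g. `"contentId": "[variables('_dataConnectorcontentId1')]"` with a matching entry in the variables block, removes the ambiguity; the variables block that defines these names is outside the hunk, so whichever form is kept should be checked against it.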
@@ -1721,33 +1678,15 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 1 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAAccessToUnwantedSite_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "CiscoWSAAccessToUnwantedSite_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -1756,7 +1695,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1775,21 +1714,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1566" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
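Review bot: The swaps of `connectorId`/`dataTypes` and `identifier`/`columnName` in this hunk change only JSON key order, which carries no meaning for the deployed rule, so six of the changed lines are diff noise around the one substantive addition, `"techniques": ["T1566"]`; the same reorder repeats in the hunks at -1883, -1991, -2109, -2226, -2343, -2460, -2577 and -2685. If this file is regenerated by a tool, pinning the tool's key order keeps future diffs down to the real changes. The added technique is consistent with the `InitialAccess` tactic declared in the same block (T1566 is an Initial Access technique in ATT&CK), and that tactic/technique agreement is the check worth repeating for each rule as techniques are added. The enclosing AlertRuleTemplates resource starts and ends outside the hunk.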
@@ -1825,37 +1767,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Access to unwanted site", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 2 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSADataExfiltration_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSADataExfiltration_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -1864,7 +1799,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1883,21 +1818,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "Exfiltration" ], + "techniques": [ + "T1567" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -1933,37 +1871,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Unexpected uploads", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 3 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion3')]", @@ -1972,7 +1903,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1991,22 +1922,26 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess", "CommandAndControl" ], + "techniques": [ + "T1189", + "T1102" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "URLCustomEntity" + "columnName": "URLCustomEntity", + "identifier": "Url" } ], "entityType": "URL" @@ -2014,8 +1949,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2051,37 +1986,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Multiple errors to resource from risky category", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 4 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAMultipleErrorsToUrl_AnalyticalRules Analytics Rule with template version 2.0.1", + 
"description": "CiscoWSAMultipleErrorsToUrl_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion4')]", @@ -2090,7 +2018,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRulecontentId4')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2109,21 +2037,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "CommandAndControl" ], + "techniques": [ + "T1102" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "URLCustomEntity" + "columnName": "URLCustomEntity", + "identifier": "Url" } ], "entityType": "URL" @@ -2131,8 +2062,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2168,37 +2099,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Multiple errors to URL", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 5 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAMultipleInfectedFiles_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAMultipleInfectedFiles_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion5')]", @@ -2207,7 +2131,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", + "name": "[variables('analyticRulecontentId5')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2226,21 +2150,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1189" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -2248,8 +2175,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2285,37 +2212,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Multiple infected files", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 6 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion6')]", @@ -2324,7 +2244,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", + "name": "[variables('analyticRulecontentId6')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2343,21 +2263,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1189" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -2365,8 +2288,8 @@ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlCustomEntity" + "columnName": "UrlCustomEntity", + "identifier": "Url" } ], "entityType": "URL" 
@@ -2402,37 +2325,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Multiple attempts to download unwanted file", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 7 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAProtocolAbuse_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAProtocolAbuse_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion7')]", @@ -2441,7 +2357,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", + "name": "[variables('analyticRulecontentId7')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2460,21 +2376,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -2482,8 +2401,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2519,37 +2438,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Suspected protocol abuse", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 8 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAPublicIPSource_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAPublicIPSource_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion8')]", @@ -2558,7 +2470,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", + "name": "[variables('analyticRulecontentId8')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2577,21 +2489,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1189" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" 
@@ -2627,37 +2542,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Internet access from public IP", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 9 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAUnexpectedFileType_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAUnexpectedFileType_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion9')]", @@ -2666,7 +2574,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2685,21 +2593,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1189" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -2707,8 +2618,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2744,37 +2655,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId9')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Unexpected file type", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 10 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAUnexpectedUrl_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAUnexpectedUrl_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion10')]", @@ -2783,7 +2687,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2802,21 +2706,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "CommandAndControl" ], + "techniques": [ + "T1102" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Url", - "columnName": "URLCustomEntity" + "columnName": "URLCustomEntity", + "identifier": "Url" } ], "entityType": "URL" @@ -2824,8 +2731,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2861,37 +2768,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId10')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Unexpected URL", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName11')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "CiscoWSA Analytics Rule 11 with template", - "displayName": "CiscoWSA Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName11'),'/',variables('analyticRuleVersion11'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName11'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoWSAUnscannableFile_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": 
"CiscoWSAUnscannableFile_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion11')]", @@ -2900,7 +2800,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId11')]", + "name": "[variables('analyticRulecontentId11')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2919,21 +2819,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "CiscoWSA", "dataTypes": [ "CiscoWSAEvent" - ], - "connectorId": "CiscoWSA" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1189" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ], "entityType": "IP" @@ -2941,8 +2844,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileCustomEntity" + "columnName": "FileCustomEntity", + "identifier": "Name" } ], "entityType": "File" @@ -2950,8 +2853,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2987,17 +2890,35 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId11')]", + "contentKind": "AnalyticsRule", + "displayName": "Cisco WSA - Unscannable file or scan error", + "contentProductId": "[variables('_analyticRulecontentProductId11')]", + "id": "[variables('_analyticRulecontentProductId11')]", + "version": "[variables('analyticRuleVersion11')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "CiscoWSA", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Web Security Appliance (WSA) solution provides the capability to ingest Cisco WSA Access Logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -3146,7 +3067,7 @@ ], "categories": { "domains": [ - "Security – Network" + "Security - Network" ] } }, diff --git a/Solutions/CiscoWSA/Parsers/CiscoWSAEvent.txt b/Solutions/CiscoWSA/Parsers/CiscoWSAEvent.txt index c5e24e6f41c..0007c5a9ed8 100644 --- a/Solutions/CiscoWSA/Parsers/CiscoWSAEvent.txt +++ b/Solutions/CiscoWSA/Parsers/CiscoWSAEvent.txt @@ -1,5 +1,5 @@ // USAGE: -// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window. +// 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. // 2. In the query window, on the second line of the query, enter the hostname(s) of your Cisco WSA device(s) and any other unique identifiers for the logstream. // For example: | where Computer in ("server1", "server2") // 3. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name. 
@@ -13,149 +13,132 @@ // This Kusto function expects the following fiels order for CiscoWSA logs in w3c format: // date time timestamp x-elapsed-time referer c-ip sc-result-code cs-bytes sc-body-size cs-method cs-url s-hostname cs-uri cs-username "cs-mime-type" x-acltag X-Forwarded-For c-port s-computerName s-port cs-version x-webcat-code-abbr x-wbrs-score x-webroot-scanverdict x-webroot-threat-name x-webroot-trr x-webroot-spyid x-webroot-trace-id x-mcafee-scanverdict x-mcafee-filename x-mcafee-av-scanerror x-mcafee-av-detecttype x-mcafee-av-virustype x-mcafee-virus-name x-sophos-scanverdict x-sophos-scanerror x-sophos-file-name x-sophos-virus-name x-ids-verdict x-icap-verdict x-webcat-req-code-abbr x-webcat-resp-code-abbr x-wbrs-threat-type x-avc-app x-avc-type x-avc-behavior x-request-rewrite x-avg-bw x-bw-throttled user-type x-resp-dvs-threat-name x-resp-dvs-scanverdict x-resp-dvs-verdictname x-req-dvs-threat-name x-req-dvs-scanverdict x-req-dvs-verdictname x-amp-verdict x-amp-malware-name x-amp-score x-amp-upload x-amp-filename x-amp-sha x-suspect-user-agent bytes // Description of log fields for different formats can be found here: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html#con_1621159 -let cisco_wsa_access_logs =() { -Syslog -| where ProcessName in ("cisco_wsa") -| extend LogType = iff(SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs" , iif(SyslogMessage matches regex @"\A\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs",dynamic(""))) + +let AllData = Syslog +| where ProcessName =~ "sentinel" +| extend LogType = iff(SyslogMessage matches regex @"\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs" , iif(SyslogMessage matches regex @"\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs",dynamic(""))) | extend EventVendor = 'Cisco' | extend EventProduct = 'Web Security 
Appliance' -| extend EventType = 'Access Log' +| extend EventType = 'Access Log'; +let SquidLogData = AllData +| where LogType == "Squid Logs" +| parse SyslogMessage with * " " EventStartTimeEpoch:real " " Latency:int " " SrcIpAddr " " EventResultDetails "/" HttpStatusCode:int " " DstBytes:int " " HttpRequestMethod:string " " UrlOriginal:string " " SrcUserName:string " " ContactedServerCode:string "/" DstDvcHostname:string " " ResponseBodyMimeType " " DvcAction:string "-" PolicyGroupName "-" IdentityPolicyGroupName:string "-" OutboundMalwareScanningPolicyGroupName:string "-" DataSecurityPolicyGroupName:string "-" ExternalDplPolicyGroupName:string "-" RoutingPolicy:string "<" ScanningVerdictFields ">" * " " * " " RemainingMessage +| extend ScanningVerdictFields = split(ScanningVerdictFields,',') +| parse-kv RemainingMessage as (Date:string, ["Dst-IP"]:string, UserAgent: string, ADGroup:string, AuthMethod:string, TransID:long, TotalBytes:int, RequestBytes:int, ResponseBytes:int, ElapseTime:int) with (pair_delimiter=' ', kv_delimiter=':', quote='"') +| extend EventStartTime = unixtime_seconds_todatetime(todouble(EventStartTimeEpoch)) +, SuspectedUserAgent = UserAgent +, UrlCategory = trim('"',tostring(ScanningVerdictFields[0])) +, WebReputationScore = tostring(ScanningVerdictFields[1]) +, MalwareScanningVerdict = tostring(ScanningVerdictFields[2]) +, ThreatName = trim('"',tostring(ScanningVerdictFields[3])) +, ThreatRiskRatioValue = tostring(ScanningVerdictFields[4]) +, ThreatIdentifier = tostring(ScanningVerdictFields[5]) +, TraceIdentifier = tostring(ScanningVerdictFields[6]) +, McAfeeMalwareScanningVerdict = tostring(ScanningVerdictFields[7]) +, McAfeeScannedFileName = trim('"',tostring(ScanningVerdictFields[8])) +, McAfeeScanError = tostring(ScanningVerdictFields[9]) +, McAfeeDetectionType = tostring(ScanningVerdictFields[10]) +, McAfeeThreatCategory = tostring(ScanningVerdictFields[11]) +, McAfeeThreatName = trim('"',tostring(ScanningVerdictFields[12])) +, 
SophosScanningVerdict = tostring(ScanningVerdictFields[13]) +, SophosScanReturnCode = tostring(ScanningVerdictFields[14]) +, SophosScannedFileName = trim('"',tostring(ScanningVerdictFields[15])) +, SophosThreatName = trim('"',tostring(ScanningVerdictFields[16])) +, CiscoDataSecurityScanningVerdict = case(tostring(ScanningVerdictFields[17]) == '0', 'Allow', + tostring(ScanningVerdictFields[17]) == '1', 'Block', + '-') +, ExternalDlpScannningVerdict = case(tostring(ScanningVerdictFields[18]) == '0', 'Allow', + tostring(ScanningVerdictFields[18]) == '1', 'Block', + '-') +, ResponseSideScanningUrlCategoryVerdict = trim('"',tostring(ScanningVerdictFields[19])) +, DcaUrlCategoryVerdict = tostring(ScanningVerdictFields[20]) +, ResponseThreatCategory = trim('"',tostring(ScanningVerdictFields[21])) +, WebReputationThreatType = trim('"',tostring(ScanningVerdictFields[22])) +, GteEncapsulatedUrl = trim('"',tostring(ScanningVerdictFields[23])) +, AvcApplicationName = trim('"',tostring(ScanningVerdictFields[24])) +, AvcApplicationType = trim('"',tostring(ScanningVerdictFields[25])) +, AvcApplicationBehavior = trim('"',tostring(ScanningVerdictFields[26])) +, SafeBrowsingScanningVerdict = trim('"',tostring(ScanningVerdictFields[27])) +, ['AvgBandwidth(Kb/sec)'] = tostring(ScanningVerdictFields[28]) +, Throttled = tostring(ScanningVerdictFields[29]) +, UserType = tostring(ScanningVerdictFields[30]) +, RequestSideAntiMalwareScanningVerdict = trim('"',tostring(ScanningVerdictFields[31])) +, ClientRequestThreatName = trim('"',tostring(ScanningVerdictFields[32])) +, AmpScanningVerdict = tostring(ScanningVerdictFields[33]) +, AmpThreatName = trim('"',tostring(ScanningVerdictFields[34])) +, AmpReputationScore = tostring(ScanningVerdictFields[35]) +, AmpUploadIndicator = tostring(ScanningVerdictFields[36]) +, AmpFileName = trim('"',tostring(ScanningVerdictFields[37])) +, AmpFileHashSha256 = trim('"',tostring(ScanningVerdictFields[38])) +, ArchiveScanningVerdict = 
tostring(ScanningVerdictFields[39]) +, ArchiveScanningVerdictDetail = tostring(ScanningVerdictFields[40]) +, ArchiveScannerFileVerdict = trim('"',tostring(ScanningVerdictFields[41])) +, WebTapBehavior = tostring(ScanningVerdictFields[42]) +, YouTubeUrlCategory = tostring(ScanningVerdictFields[43]) +, BlockedFileTypeDetail = tostring(ScanningVerdictFields[44]); +let W3CLogData = AllData +| where LogType == "W3C Logs" | extend EventFields = split(SyslogMessage, ' ') -| extend ScanningVerdictFields = iif(LogType == "Squid Logs", parse_csv(tostring(extract(@'<(.*?)>', 1, SyslogMessage))), dynamic("")) -| extend EventStartTime = case(LogType has "Squid Logs", unixtime_seconds_todatetime(todouble(EventFields[0])), - LogType has "W3C Logs", todatetime(strcat(EventFields[0], ' ', EventFields[1])), datetime(null)) -| extend Latency = case(LogType has "Squid Logs", toint(EventFields[1]), - LogType has "W3C Logs", toint(EventFields[3]), int(null)) -| extend SrcIpAddr = case(LogType has "Squid Logs", tostring(EventFields[2]), - LogType has "W3C Logs", tostring(EventFields[5]), "") -| extend EventResultDetails = case(LogType has "Squid Logs", extract(@'\A(.*?)\/[1-5]\d{2}', 1, tostring(EventFields[3])), - LogType has "W3C Logs", tostring(EventFields[6]), "") -| extend HttpStatusCode = iif(LogType == "Squid Logs", extract(@'\A.*?\/([1-5]\d{2})', 1, tostring(EventFields[3])), dynamic("")) -| extend DstBytes = case(LogType has "Squid Logs", toint(EventFields[4]), - LogType has "W3C Logs", toint(EventFields[8]), int(null)) -| extend HttpRequestMethod = case(LogType has "Squid Logs", tostring(EventFields[5]), - LogType has "W3C Logs", tostring(EventFields[9]), "") -| extend UrlOriginal = case(LogType has "Squid Logs", tostring(EventFields[6]), - LogType has "W3C Logs", tostring(EventFields[10]), "") -| extend SrcUserName = case(LogType has "Squid Logs", tostring(EventFields[7]), - LogType has "W3C Logs", tostring(EventFields[13]), "") -| extend ContactedServerCode = iif(LogType == 
"Squid Logs", extract(@'\A(\w+)\/\d{1,3}', 1, tostring(EventFields[8])), dynamic("")) -| extend DstIpAddr = case(LogType has "Squid Logs", extract(@'\A\w+\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, tostring(EventFields[8])), - LogType has "W3C Logs", tostring(EventFields[11]), "") -| extend DstDvcHostname = case(LogType has "Squid Logs", extract(@'\A\w+\/(\D+)', 1, tostring(EventFields[8])), - LogType has "W3C Logs", tostring(EventFields[18]), "") -| extend ResponseBodyMimeType = case(LogType has "Squid Logs", tostring(EventFields[9]), - LogType has "W3C Logs", tostring(EventFields[14]), "") -| extend DvcAction = case(LogType has "Squid Logs", extract(@'\A(.*?)\-', 1, tostring(EventFields[10])), - LogType has "W3C Logs", tostring(EventFields[15]), "") -| extend PolicyGroupName = iif(LogType == "Squid Logs", extract(@'\A.*?\-(.*?)\-', 1, tostring(EventFields[10])), dynamic("")) -| extend IdentityPolicyGroupName = iif(LogType == "Squid Logs", extract(@'\A.*?\-.*?\-(.*?)\-', 1, tostring(EventFields[10])), dynamic("")) -| extend OutboundMalwareScanningPolicyGroupName = iif(LogType == "Squid Logs", extract(@'\A.*?\-.*?\-.*?\-(.*?)\-', 1, tostring(EventFields[10])), dynamic("")) -| extend DataSecurityPolicyGroupName = iif(LogType == "Squid Logs", extract(@'\A.*?\-.*?\-.*?\-.*?\-(.*?)\-', 1, tostring(EventFields[10])), dynamic("")) -| extend ExternalDplPolicyGroupName = iif(LogType == "Squid Logs", extract(@'\A.*?\-.*?\-.*?\-.*?\-.*?\-(.*?)\-', 1, tostring(EventFields[10])), dynamic("")) -| extend RoutingPolicy = iif(LogType == "Squid Logs", extract(@'\A(.*?\-){6}(.*)', 2, tostring(EventFields[10])), dynamic("")) -| extend SuspectedUserAgent = case(LogType has "Squid Logs", tostring(EventFields[-1]), - LogType has "W3C Logs", tostring(EventFields[62]), "") -| extend UrlCategory = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[0]), - LogType has "W3C Logs", tostring(EventFields[21]), "") -| extend WebReputationScore = iif(LogType == "Squid Logs", 
tostring(ScanningVerdictFields[1]), dynamic("")) -| extend MalwareScanningVerdict = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[2]), dynamic("")) -| extend ThreatName = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[3]), dynamic("")) -| extend ThreatRiskRatioValue = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[4]), dynamic("")) -| extend ThreatIdentifier = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[5]), dynamic("")) -| extend TraceIdentifier = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[6]), dynamic("")) -| extend McAfeeMalwareScanningVerdict = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[7]), - LogType has "W3C Logs", tostring(EventFields[28]), "") -| extend McAfeeScannedFileName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[8]), - LogType has "W3C Logs", tostring(EventFields[29]), "") -| extend McAfeeScanError = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[9]), - LogType has "W3C Logs", tostring(EventFields[30]), "") -| extend McAfeeDetectionType = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[10]), - LogType has "W3C Logs", tostring(EventFields[31]), "") -| extend McAfeeThreatCategory = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[11]), - LogType has "W3C Logs", tostring(EventFields[32]), "") -| extend McAfeeThreatName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[12]), - LogType has "W3C Logs", tostring(EventFields[33]), "") -| extend SophosScanningVerdict = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[13]), - LogType has "W3C Logs", tostring(EventFields[34]), "") -| extend SophosScanReturnCode = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[14]), - LogType has "W3C Logs", tostring(EventFields[35]), "") -| extend SophosScannedFileName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[15]), - LogType has "W3C Logs", 
tostring(EventFields[36]), "") -| extend SophosThreatName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[16]), - LogType has "W3C Logs", tostring(EventFields[37]), "") -| extend CiscoDataSecurityScanningVerdict = case(LogType has "Squid Logs", case(tostring(ScanningVerdictFields[17]) == '0', 'Allow', - tostring(ScanningVerdictFields[17]) == '1', 'Block', - '-'), - LogType has "W3C Logs", tostring(EventFields[38]), "") -| extend ExternalDlpScannningVerdict = case(LogType has "Squid Logs", case(tostring(ScanningVerdictFields[18]) == '0', 'Allow', - tostring(ScanningVerdictFields[18]) == '1', 'Block', - '-'), LogType has "W3C Logs", tostring(EventFields[39]), "") -| extend ResponseSideScanningUrlCategoryVerdict = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[19]), - LogType has "W3C Logs", tostring(EventFields[41]), "") -| extend DcaUrlCategoryVerdict = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[20]), dynamic("")) -| extend ResponseThreatCategory = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[21]), dynamic("")) -| extend WebReputationThreatType = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[22]), dynamic("")) -| extend GteEncapsulatedUrl = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[23]), dynamic("")) -| extend AvcApplicationName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[24]), - LogType has "W3C Logs", tostring(EventFields[43]), "") -| extend AvcApplicationType = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[25]), - LogType has "W3C Logs", tostring(EventFields[44]), "") -| extend AvcApplicationBehavior = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[26]), - LogType has "W3C Logs", tostring(EventFields[45]), "") -| extend SafeBrowsingScanningVerdict = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[27]), - LogType has "W3C Logs", tostring(EventFields[46]), "") -| extend ['AvgBandwidth(Kb/sec)'] = 
case(LogType has "Squid Logs", todouble(ScanningVerdictFields[28]), - LogType has "W3C Logs", todouble(EventFields[47]), double(null)) -| extend Throttled = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[29]), - LogType has "W3C Logs", tostring(EventFields[48]), "") -| extend UserType = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[30]), - LogType has "W3C Logs", tostring(EventFields[49]), "") -| extend RequestSideAntiMalwareScanningVerdict = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[31]), dynamic("")) -| extend ClientRequestThreatName = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[32]), dynamic("")) -| extend AmpScanningVerdict = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[33]), - LogType has "W3C Logs", tostring(EventFields[56]), "") -| extend AmpThreatName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[34]), - LogType has "W3C Logs", tostring(EventFields[57]), "") -| extend AmpReputationScore = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[35]), - LogType has "W3C Logs", tostring(EventFields[58]), "") -| extend AmpUploadIndicator = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[36]), - LogType has "W3C Logs", tostring(EventFields[59]), "") -| extend AmpFileName = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[37]), - LogType has "W3C Logs", tostring(EventFields[60]), "") -| extend AmpFileHashSha256 = case(LogType has "Squid Logs", tostring(ScanningVerdictFields[38]), - LogType has "W3C Logs", tostring(EventFields[61]), "") -| extend ArchiveScanningVerdict = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[39]), dynamic("")) -| extend ArchiveScanningVerdictDetail = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[40]), dynamic("")) -| extend ArchiveScannerFileVerdict = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[41]), dynamic("")) -| extend WebTapBehavior = iif(LogType == "Squid 
Logs", tostring(ScanningVerdictFields[42]), dynamic("")) -| extend YouTubeUrlCategory = iif(LogType == "Squid Logs", tostring(ScanningVerdictFields[43]), dynamic("")) -| extend BlockedFileTypeDetail = iif(LogType == "Squid Logs", extract_all(@"(?P[a-zA-Z0-9- ]+):(?P[a-zA-Z0-9-_:/@.#{};= ]+)", dynamic(["key","value"]), tostring(ScanningVerdictFields[44])), dynamic("")) -| extend HttpReferrerOriginal = iif(LogType == "W3C Logs", tostring(EventFields[4]), dynamic("")) -| extend SrcBytes = iif(LogType == "W3C Logs", toint(EventFields[7]), dynamic(null)) -| extend RequestUri = iif(LogType == "W3C Logs", tostring(EventFields[12]), dynamic("")) -| extend HttpRequestXff = iif(LogType == "W3C Logs", tostring(EventFields[16]), dynamic("")) -| extend SrcPortNumber = iif(LogType == "W3C Logs", tostring(EventFields[17]), dynamic("")) -| extend DstPortNumber = iif(LogType == "W3C Logs", tostring(EventFields[19]), dynamic("")) -| extend NetworkApplicationProtocol = iif(LogType == "W3C Logs", tostring(EventFields[20]), dynamic("")) -| extend WbrsScore = iif(LogType == "W3C Logs", tostring(EventFields[22]), dynamic("")) -| extend WebrootScanningVerdict = iif(LogType == "W3C Logs", tostring(EventFields[23]), dynamic("")) -| extend WebrootThreatName = iif(LogType == "W3C Logs", tostring(EventFields[24]), dynamic("")) -| extend WebrootThreatRiskRatio = iif(LogType == "W3C Logs", tostring(EventFields[25]), dynamic("")) -| extend WebrootSpyId = iif(LogType == "W3C Logs", tostring(EventFields[26]), dynamic("")) -| extend WebrootTraceId = iif(LogType == "W3C Logs", tostring(EventFields[27]), dynamic("")) -| extend RequestSideScanningUrlCategoryVerdict = iif(LogType == "W3C Logs", tostring(EventFields[40]), dynamic("")) -| extend WebReputationThreatCategory = iif(LogType == "W3C Logs", tostring(EventFields[42]), dynamic("")) -| extend ResponseSideThreatName = iif(LogType == "W3C Logs", tostring(EventFields[50]), dynamic("")) -| extend ResponseSideThreatCategoryCode = iif(LogType == "W3C 
Logs", tostring(EventFields[51]), dynamic("")) -| extend ResponseSideThreatCategory = iif(LogType == "W3C Logs", tostring(EventFields[52]), dynamic("")) -| extend RequestSideDvsThreatName = iif(LogType == "W3C Logs", tostring(EventFields[53]), dynamic("")) -| extend RequestSideDvsScanningVerdict = iif(LogType == "W3C Logs", tostring(EventFields[54]), dynamic("")) -| extend RequestSideDvsVerdictName = iif(LogType == "W3C Logs", tostring(EventFields[55]), dynamic("")) -| extend NetworkBytes = toint(EventFields[63]) -}; -cisco_wsa_access_logs -| project-away SyslogMessage - , EventFields - , ScanningVerdictFields - , LogType +| extend EventStartTime = strcat(EventFields[0], ' ', EventFields[1]) +, Latency = toint(EventFields[3]) +, SrcIpAddr = tostring(EventFields[5]) +, EventResultDetails = tostring(EventFields[6]) +, DstBytes = toint(EventFields[8]) +, HttpRequestMethod = tostring(EventFields[9]) +, UrlOriginal = tostring(EventFields[10]) +, SrcUserName = tostring(EventFields[13]) +, DstIpAddr = tostring(EventFields[11]) +, DstDvcHostname = tostring(EventFields[18]) +, ResponseBodyMimeType = tostring(EventFields[14]) +, DvcAction = tostring(EventFields[15]) +, SuspectedUserAgent = tostring(EventFields[62]) +, UrlCategory = tostring(EventFields[21]) +, McAfeeMalwareScanningVerdict = tostring(EventFields[28]) +, McAfeeScannedFileName = (EventFields[29]) +, McAfeeScanError = tostring(EventFields[30]) +, McAfeeDetectionType = tostring(EventFields[31]) +, McAfeeThreatCategory = tostring(EventFields[32]) +, McAfeeThreatName = tostring(EventFields[33]) +, SophosScanningVerdict = tostring(EventFields[34]) +, SophosScanReturnCode = tostring(EventFields[35]) +, SophosScannedFileName = tostring(EventFields[36]) +, SophosThreatName = tostring(EventFields[37]) +, CiscoDataSecurityScanningVerdict = tostring(EventFields[38]) +, ExternalDlpScannningVerdict = tostring(EventFields[39]) +, ResponseSideScanningUrlCategoryVerdict = tostring(EventFields[41]) +, AvcApplicationName = 
tostring(EventFields[43]) +, AvcApplicationType = tostring(EventFields[44]) +, AvcApplicationBehavior = tostring(EventFields[45]) +, SafeBrowsingScanningVerdict = tostring(EventFields[46]) +, ['AvgBandwidth(Kb/sec)'] = todouble(EventFields[47]) +, Throttled = tostring(EventFields[48]) +, UserType = tostring(EventFields[49]) +, AmpScanningVerdict = tostring(EventFields[56]) +, AmpThreatName = tostring(EventFields[57]) +, AmpReputationScore = tostring(EventFields[58]) +, AmpUploadIndicator = tostring(EventFields[59]) +, AmpFileName = tostring(EventFields[60]) +, AmpFileHashSha256 = tostring(EventFields[61]) +, HttpReferrerOriginal = tostring(EventFields[4]) +, SrcBytes = toint(EventFields[7]) +, RequestUri = tostring(EventFields[12]) +, HttpRequestXff = tostring(EventFields[16]) +, SrcPortNumber = tostring(EventFields[17]) +, DstPortNumber = tostring(EventFields[19]) +, NetworkApplicationProtocol = tostring(EventFields[20]) +, WbrsScore = tostring(EventFields[22]) +, WebrootScanningVerdict = tostring(EventFields[23]) +, WebrootThreatName = tostring(EventFields[24]) +, WebrootThreatRiskRatio = tostring(EventFields[25]) +, WebrootSpyId = tostring(EventFields[26]) +, WebrootTraceId = tostring(EventFields[27]) +, RequestSideScanningUrlCategoryVerdict = tostring(EventFields[40]) +, WebReputationThreatCategory = tostring(EventFields[42]) +, ResponseSideThreatName = tostring(EventFields[50]) +, ResponseSideThreatCategoryCode = tostring(EventFields[51]) +, ResponseSideThreatCategory = tostring(EventFields[52]) +, RequestSideDvsThreatName = tostring(EventFields[53]) +, RequestSideDvsScanningVerdict = tostring(EventFields[54]) +, RequestSideDvsVerdictName = tostring(EventFields[55]) +, NetworkBytes = toint(EventFields[63]); +union SquidLogData, W3CLogData \ No newline at end of file diff --git a/Solutions/CiscoWSA/ReleaseNotes.md b/Solutions/CiscoWSA/ReleaseNotes.md new file mode 100644 index 00000000000..19a6a8b7859 --- /dev/null +++ b/Solutions/CiscoWSA/ReleaseNotes.md 
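Review bot: The two branches combined by `union SquidLogData, W3CLogData` disagree on column types, so the union will presumably carry type-suffixed duplicates of those columns instead of one merged column: `EventStartTime` is a datetime on the Squid side (`unixtime_seconds_todatetime`) but a string on the W3C side (`strcat(EventFields[0], ' ', EventFields[1])`), `['AvgBandwidth(Kb/sec)']` is `tostring` in the Squid branch and `todouble` in the W3C branch, and `McAfeeScannedFileName = (EventFields[29])` stays dynamic while its Squid counterpart is a trimmed string. Changing the W3C lines to `, EventStartTime = todatetime(strcat(EventFields[0], ' ', EventFields[1]))` and `, McAfeeScannedFileName = tostring(EventFields[29])`, and the Squid line to `, ['AvgBandwidth(Kb/sec)'] = todouble(ScanningVerdictFields[28])`, keeps the output schema the analytic rules and workbooks consumed under the old parser. Separately, the source filter moved from `ProcessName in ("cisco_wsa")` to `ProcessName =~ "sentinel"`, which silently drops every event whose syslog tag is anything else; if that tag is intentional it deserves a sentence in the USAGE header, which still tells users to narrow by device hostname only. The old `project-away SyslogMessage, EventFields, ScanningVerdictFields, LogType` was dropped as well, so the raw message, the intermediate parse columns and `RemainingMessage` now appear in every result row.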
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 16-08-2023 | Optimize the **Parser** by replacing the legacy code that uses regex with a more efficient algorithm to reduce the time taken to parse data. |
diff --git a/Solutions/CiscoWSA/SolutionMetadata.json b/Solutions/CiscoWSA/SolutionMetadata.json
index c90a07aede8..3292b3a6b5b 100644
--- a/Solutions/CiscoWSA/SolutionMetadata.json
+++ b/Solutions/CiscoWSA/SolutionMetadata.json
@@ -4,7 +4,7 @@
 "firstPublishDate": "2021-06-29",
 "providers": ["Cisco"],
 "categories": {
- "domains" : ["Security – Network"],
+ "domains" : ["Security - Network"],
 "verticals": []
 },
 "support": {
diff --git a/Solutions/Claroty/Data/Solution_Claroty.json b/Solutions/Claroty/Data/Solution_Claroty.json
index c656dc2effd..03a77df2ce7 100644
--- a/Solutions/Claroty/Data/Solution_Claroty.json
+++ b/Solutions/Claroty/Data/Solution_Claroty.json
@@ -39,7 +39,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty",
- "Version": "2.0.2",
+ "Version": "3.0.0",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
diff --git a/Solutions/Claroty/Package/3.0.0.zip b/Solutions/Claroty/Package/3.0.0.zip
new file mode 100644
index 00000000000..7d6c1349013
Binary files /dev/null and b/Solutions/Claroty/Package/3.0.0.zip differ
diff --git a/Solutions/Claroty/Package/createUiDefinition.json b/Solutions/Claroty/Package/createUiDefinition.json
index cec363c91ed..8190a7ec3e0 100644
--- a/Solutions/Claroty/Package/createUiDefinition.json
+++ b/Solutions/Claroty/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This 
solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -107,6 +107,20 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
 }
 }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Claroty",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Sets the time name for analysis"
+ }
+ }
+ ]
 }
 ]
 },
@@ -309,7 +323,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for baseline deviation events. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for baseline deviation events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -323,7 +337,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for conflicting assets. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for conflicting assets. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
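Review bot: The text block in the new `workbook1` section, `"text": "Sets the time name for analysis"`, reads like the description of a time-range parameter rather than of the Claroty workbook, so the install wizard will show a misleading summary for that item. If this string is copied from the workbook's metadata description by the packaging tool, the fix belongs in that metadata; otherwise replace it with a one-line summary of what the workbook presents, for example `"text": "Overview of Claroty Continuous Threat Detection and Secure Remote Access events."` (constructed from the solution description above). The surrounding `"elements"` array and section wrapper are fine as written.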
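Review bot: The replacement sentence `This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)` drops the article and the terminal period, so it reads as a fragment next to the first sentence of the same text block; `This hunting query depends on the Claroty data connector (ClarotyEvent parser or table).` keeps the style of the rest of the file. The identical string is introduced for huntingquery2 through huntingquery10 in the hunks `@@ -323` through `@@ -435` below, so the wording should be changed at whatever generates these descriptions rather than in each hunk.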
@@ -337,7 +351,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for critical severity events. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for critical severity events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -351,7 +365,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for PLC login security alerts. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -365,7 +379,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for login failure events. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for login failure events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -379,7 +393,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for sources of network scans. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for sources of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -393,7 +407,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for targets of network scans. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for targets of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -407,7 +421,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for unapproved access events. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for unapproved access events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -421,7 +435,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for alerts with unresolved status. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -435,7 +449,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for operations with Write and Execute accesses. It depends on the Claroty data connector and ClarotyEvent data type and Claroty parser."
+ "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json
index 89dd62d1973..01ce919134f 100644
--- a/Solutions/Claroty/Package/mainTemplate.json
+++ b/Solutions/Claroty/Package/mainTemplate.json
@@ -38,162 +38,170 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-claroty", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "Claroty", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-claroty", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "ClarotyWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "parserVersion1": "1.0.0", - "parserContentId1": "ClarotyEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "parserName1": "Claroty Data Parser", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", + "parserTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))),variables('parserVersion1')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "ClarotyEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", "huntingQueryVersion1": "1.0.0", "huntingQuerycontentId1": "6b24f3aa-01db-4d26-9d60-538dd9a56391", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))),variables('huntingQueryVersion1')))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "8038c683-f4dc-481e-94c6-f906d880b0ec", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", + "huntingQueryTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))),variables('huntingQueryVersion2')))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "a81f3a44-049c-409d-8b98-b78aa256dacf", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))),variables('huntingQueryVersion3')))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "15569b45-4c34-4693-bf99-841e76b5da65", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))),variables('huntingQueryVersion4')))]", + 
"_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "917364b7-2925-4c5d-a27c-64137a3b75b5", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))),variables('huntingQueryVersion5')))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", "huntingQuerycontentId6": "6c43a50e-2e59-48d9-848b-825f50927bbf", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))),variables('huntingQueryVersion6')))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', 
variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "8e70ddf9-32c3-4acd-9cb9-59570344335e", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))),variables('huntingQueryVersion7')))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", "huntingQuerycontentId8": "de0fca32-85f3-45df-872e-41e980e5d8d3", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))),variables('huntingQueryVersion8')))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "fad6cb81-9a05-4acb-9c5b-a7c62af28034", "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", 
"huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))),variables('huntingQueryVersion9')))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb", "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))),variables('huntingQueryVersion10')))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", "uiConfigId1": "Claroty", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "Claroty", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 
variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]", "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "analyticRuleVersion1": "1.0.0", "analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))),variables('analyticRuleVersion1')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", "analyticRuleVersion2": "1.0.0", "analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))),variables('analyticRuleVersion2')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "analyticRuleVersion3": "1.0.0", "analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1", "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))),variables('analyticRuleVersion3')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", "analyticRuleVersion4": "1.0.0", "analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", + "analyticRuleTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))),variables('analyticRuleVersion4')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", "analyticRuleVersion5": "1.0.0", "analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))),variables('analyticRuleVersion5')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", "analyticRuleVersion6": "1.0.0", "analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))),variables('analyticRuleVersion6')))]", + 
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", "analyticRuleVersion7": "1.0.0", "analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be", "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))),variables('analyticRuleVersion7')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", "analyticRuleVersion8": "1.0.0", "analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218", "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))),variables('analyticRuleVersion8')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', 
variables('analyticRuleVersion8'))))]", "analyticRuleVersion9": "1.0.0", "analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28", "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))),variables('analyticRuleVersion9')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", "analyticRuleVersion10": "1.0.0", "analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3", "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]" + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))),variables('analyticRuleVersion10')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('workbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "Claroty Workbook with template",
- "displayName": "Claroty workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ClarotyOverviewWorkbook Workbook with template version 2.0.2",
+ "description": "ClarotyOverviewWorkbook Workbook with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
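Review bot: `workspaceResourceId` stays declared in the variables block, but every reference to it within this hunk — the `hidden-sentinelWorkspaceId` tags on the removed `templateSpecs` and `templateSpecs/versions` resources — is deleted, so it is likely an unused variable now unless a resource further down the template still reads it; ARM template validation reports unused variables, so either drop it or confirm a remaining use. The new-side description embeds the release number as a literal, `"description": "ClarotyOverviewWorkbook Workbook with template version 3.0.0"`, while `packageVersion` in the next hunk is taken from `variables('_solutionVersion')`; writing it as `"[concat('ClarotyOverviewWorkbook Workbook with template version ', variables('_solutionVersion'))]"` keeps the two from drifting on the next bump, and the parser description in the `@@ -241` hunk has the same literal. The `dependsOn` now targets a `Microsoft.SecurityInsights/contentPackages` resource keyed by `_solutionId` that is not visible in this hunk; presumably it is declared later in the template.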
@@ -241,41 +249,47 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "CommonSecurityLog", + "kind": "DataType" + }, + { + "contentId": "Claroty", + "kind": "DataConnector" + } + ] } } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "ClarotyEvent Data Parser with template", - "displayName": "ClarotyEvent Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyEvent Data Parser with template version 2.0.2", + "description": "ClarotyEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -284,7 +298,7 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { 
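Review bot: The solution version is hard-coded into every content description on the new side (`"ClarotyEvent Data Parser with template version 3.0.0"` here, and the matching `... Hunting Query with template version 3.0.0` strings in the `@@ -380,33 +413,15 @@`, `@@ -468,37 +483,30 @@`, `@@ -560,37 +568,30 @@`, `@@ -652,37 +653,30 @@`, `@@ -744,37 +738,30 @@`, `@@ -836,37 +823,30 @@`, `@@ -928,37 +908,30 @@`, `@@ -1020,37 +993,30 @@`, `@@ -1112,37 +1078,30 @@` and `@@ -1204,37 +1163,30 @@` hunks), while the same resources take `packageVersion` from `variables('_solutionVersion')`. The next bump has to touch every one of these strings, and any copy that is missed will silently advertise a stale version next to a correct `packageVersion`. If `_solutionVersion` is in fact `3.0.0` (the jump from 2.0.2 coincides with the move to `packageVersion`, but the variable's value is outside this hunk), each description can be derived from it instead: `"description": "[concat('ClarotyEvent Data Parser with template version ', variables('_solutionVersion'))]"`. If this file is regenerated by the packaging tool rather than edited by hand, the change belongs in the generator.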
@@ -293,6 +307,7 @@ "category": "Samples", "functionAlias": "ClarotyEvent", "query": "\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Claroty'\r\n| extend EventVendor = 'Claroty'\r\n| extend EventProduct = 'Claroty'\r\n| extend EventSchemaVersion = 0.2\r\n| extend EventCount = 1\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\r\n , DeviceCustomNumber2Label, DeviceCustomNumber2\r\n , DeviceCustomNumber3Label, DeviceCustomNumber3\r\n , DeviceCustomString1Label, DeviceCustomString1\r\n , DeviceCustomString2Label, DeviceCustomString2\r\n , DeviceCustomString3Label, DeviceCustomString3\r\n , DeviceCustomString4Label, DeviceCustomString4\r\n , DeviceCustomString5Label, DeviceCustomString5\r\n , DeviceCustomString6Label, DeviceCustomString6\r\n , DeviceCustomDate1Label, DeviceCustomDate1\r\n , DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend packed2 = pack(cs7Label, cs7\r\n , cs8Label, cs8\r\n , cs9Label, cs9\r\n , cs10Label, cs10)\r\n| evaluate bag_unpack(packed2)\r\n| extend EventEndTime = todatetime(ReceiptTime),\r\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\r\n| project-rename EventProductVersion=DeviceVersion\r\n , EventSubType=cat\r\n , EventOriginalType=DeviceEventClassID\r\n , EventSeverity=LogSeverity\r\n , EventMessage=Message\r\n , 
DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstDvcHostname=DestinationHostName\r\n , DstUserName=DestinationUserName\r\n , DvcIpAddr=DeviceAddress\r\n , DvcHostname=DeviceName\r\n , DstMacAddr=DestinationMACAddress\r\n , NetworkApplicationProtocol=Protocol\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , EventId=ExternalID\r\n , SrcDvcHostname=SourceHostName\r\n| extend EventType=Activity\r\n| project-away AdditionalExtensions\r\n , Activity\r\n , ReceiptTime\r\n , DeviceVendor\r\n , DeviceProduct\r\n , DeviceCustomNumber1\r\n , DeviceCustomNumber1Label\r\n , DeviceCustomNumber2\r\n , DeviceCustomNumber2Label\r\n , DeviceCustomNumber3\r\n , DeviceCustomNumber3Label\r\n , DeviceCustomString1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3\r\n , DeviceCustomString3Label\r\n , DeviceCustomString4\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6\r\n , DeviceCustomString6Label\r\n , cs7Label\r\n , cs7\r\n , cs8Label\r\n , cs8\r\n , cs9Label\r\n , cs9\r\n , cs10Label\r\n , cs10", + "functionParameters": "", "version": 1, "tags": [ { 
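Review bot: The parser's KQL body is carried verbatim twice on the new side — in this `mainTemplate` and again in the standalone `Microsoft.OperationalInsights/workspaces/savedSearches` resource in the `@@ -346,7 +372,14 @@` hunk — with only `functionParameters` and `tags` differing between the two copies. Since `ClarotyEvent` is presumably the function the solution's hunting queries and analytic rules build on, a later fix applied to one copy but not the other would leave installed detections running against a different normalization than the packaged template. If this file is hand-maintained, holding the query in a single new variable (for example `_parserQuery1`) and referencing it from both resources as `"query": "[variables('_parserQuery1')]"` removes the drift; if it is generated, the point applies to the generator. The enclosing `properties` object starts and ends outside this hunk.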
@@ -332,12 +347,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "Claroty Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", + "apiVersion": "2022-10-01", "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", "properties": { 
@@ -346,7 +372,14 @@ "category": "Samples", "functionAlias": "ClarotyEvent", "query": "\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Claroty'\r\n| extend EventVendor = 'Claroty'\r\n| extend EventProduct = 'Claroty'\r\n| extend EventSchemaVersion = 0.2\r\n| extend EventCount = 1\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\r\n , DeviceCustomNumber2Label, DeviceCustomNumber2\r\n , DeviceCustomNumber3Label, DeviceCustomNumber3\r\n , DeviceCustomString1Label, DeviceCustomString1\r\n , DeviceCustomString2Label, DeviceCustomString2\r\n , DeviceCustomString3Label, DeviceCustomString3\r\n , DeviceCustomString4Label, DeviceCustomString4\r\n , DeviceCustomString5Label, DeviceCustomString5\r\n , DeviceCustomString6Label, DeviceCustomString6\r\n , DeviceCustomDate1Label, DeviceCustomDate1\r\n , DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend packed2 = pack(cs7Label, cs7\r\n , cs8Label, cs8\r\n , cs9Label, cs9\r\n , cs10Label, cs10)\r\n| evaluate bag_unpack(packed2)\r\n| extend EventEndTime = todatetime(ReceiptTime),\r\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\r\n| project-rename EventProductVersion=DeviceVersion\r\n , EventSubType=cat\r\n , EventOriginalType=DeviceEventClassID\r\n , EventSeverity=LogSeverity\r\n , EventMessage=Message\r\n , 
DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstDvcHostname=DestinationHostName\r\n , DstUserName=DestinationUserName\r\n , DvcIpAddr=DeviceAddress\r\n , DvcHostname=DeviceName\r\n , DstMacAddr=DestinationMACAddress\r\n , NetworkApplicationProtocol=Protocol\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , EventId=ExternalID\r\n , SrcDvcHostname=SourceHostName\r\n| extend EventType=Activity\r\n| project-away AdditionalExtensions\r\n , Activity\r\n , ReceiptTime\r\n , DeviceVendor\r\n , DeviceProduct\r\n , DeviceCustomNumber1\r\n , DeviceCustomNumber1Label\r\n , DeviceCustomNumber2\r\n , DeviceCustomNumber2Label\r\n , DeviceCustomNumber3\r\n , DeviceCustomNumber3Label\r\n , DeviceCustomString1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3\r\n , DeviceCustomString3Label\r\n , DeviceCustomString4\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6\r\n , DeviceCustomString6Label\r\n , cs7Label\r\n , cs7\r\n , cs8Label\r\n , cs8\r\n , cs9Label\r\n , cs9\r\n , cs10Label\r\n , cs10", - "version": 1 + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Claroty Data Parser" + } + ] } }, { 
@@ -380,33 +413,15 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 1 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion1')]", @@ -415,7 +430,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { 
@@ -468,37 +483,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Baseline deviation", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 2 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyConflictAssets_HuntingQueries Hunting 
Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion2')]", @@ -507,7 +515,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { 
@@ -560,37 +568,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Conflict assets", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 3 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyCriticalEvents_HuntingQueries Hunting 
Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion3')]", @@ -599,7 +600,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { 
@@ -652,37 +653,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Critical Events", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 4 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with 
template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion4')]", @@ -691,7 +685,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { 
@@ -744,37 +738,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - PLC logins", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 5 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query 
with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion5')]", @@ -783,7 +770,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { 
@@ -836,37 +823,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - User failed logins", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 6 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyScanSources_HuntingQueries Hunting Query 
with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion6')]", @@ -875,7 +855,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { 
@@ -928,37 +908,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Network scan sources", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 7 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyScantargets_HuntingQueries Hunting 
Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion7')]", @@ -967,7 +940,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1020,37 +993,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Network scan targets", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 8 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyUnapprovedAccess_HuntingQueries 
Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion8')]", @@ -1059,7 +1025,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1112,37 +1078,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Unapproved access", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 9 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 2.0.2", + "description": "ClarotyUnresolvedAlerts_HuntingQueries 
Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion9')]", @@ -1151,7 +1110,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1204,37 +1163,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Unresolved alerts", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Claroty Hunting Query 10 with template", - "displayName": "Claroty Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 2.0.2", + "description": 
"ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion10')]", @@ -1243,7 +1195,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Claroty_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1296,37 +1248,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId10')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Write and Execute operations", + "contentProductId": "[variables('_huntingQuerycontentProductId10')]", + "id": "[variables('_huntingQuerycontentProductId10')]", + "version": "[variables('huntingQueryVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Claroty data connector with template", - "displayName": "Claroty template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Claroty data connector with template version 2.0.2", + "description": "Claroty data connector with template version 3.0.0", 
"mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1344,7 +1289,7 @@ "id": "[variables('_uiConfigId1')]", "title": "Claroty", "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/continuous-threat-detection/) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { @@ -1462,7 +1407,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -1487,12 +1432,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Claroty", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -1530,7 +1486,7 @@ "connectorUiConfig": { "title": "Claroty", "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/continuous-threat-detection/) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", "graphQueries": [ { "metricName": "Total data received", 
@@ -1648,33 +1604,15 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 1 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -1683,7 +1621,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1702,24 +1640,27 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "Impact" ], + "techniques": [ + "T1529" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1752,37 +1693,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Asset Down", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 2 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -1791,7 +1725,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1810,24 +1744,27 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "Impact" ], + "techniques": [ + "T1529" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1860,37 +1797,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Critical baseline deviation", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 3 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion3')]", @@ -1899,7 +1829,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1918,24 +1848,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1190", + "T1133" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "SrcIpAddr", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
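Review bot: The `techniques` added for the "Login to uncommon location" rule are `T1190` and `T1133`; `T1133` (External Remote Services) fits a remote-access login, but `T1190` (Exploit Public-Facing Application) describes exploitation of a vulnerability, which a successful login from an unusual site does not indicate. If the detection is about a legitimate account authenticating from an unexpected location, `T1078` (Valid Accounts, also an Initial Access technique) is the closer match, so `"techniques": ["T1133", "T1078"]` would keep the existing `InitialAccess` tactic valid. The KQL that decides this is outside the hunk, so confirm against the rule body before changing the mapping.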
@@ -1968,37 +1902,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Login to uncommon location", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 4 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion4')]", @@ -2007,7 +1934,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRulecontentId4')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2026,24 +1953,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1190", + "T1133" + ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } 
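Review bot: The `techniques` added for the "Multiple failed logins by user" rule are `T1190` and `T1133` (exploitation of a public-facing application and external remote services), but a failed-login threshold is the textbook `T1110` (Brute Force) case under the `CredentialAccess` tactic, so the incident's MITRE view and any coverage reporting would misattribute this alert. Sentinel expects each technique to belong to a listed tactic, so the change is `"tactics": ["CredentialAccess"]` with `"techniques": ["T1110"]`, keeping `InitialAccess`/`T1133` only if the query also keys on remote-access sessions. The KQL is not in this hunk, so verify against the rule's query before adjusting. The same `T1190`/`T1133` mapping is repeated for the "same destinations" variant later in this diff and should move with it.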
@@ -2076,37 +2007,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Multiple failed logins by user", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 5 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion5')]", @@ -2115,7 +2039,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", + "name": "[variables('analyticRulecontentId5')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2134,24 +2058,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1190", + "T1133" + ], "entityMappings": [ { - "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "SGCustomEntity", "identifier": "DistinguishedName" } - ] + ], + "entityType": "SecurityGroup" } ] } 
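Review bot: The "Multiple failed logins to same destinations" rule gets `T1190`/`T1133` under `InitialAccess`, whereas repeated authentication failures against one target are normally mapped to `T1110` (Brute Force) under `CredentialAccess`; the concrete edit is `"tactics": ["CredentialAccess"]` and `"techniques": ["T1110"]`. Separately, the entity mapping binds `SGCustomEntity` to a `SecurityGroup` entity with the `DistinguishedName` identifier, which is unusual for a detection keyed on a destination; if that column actually carries a host name or IP, the entity will not resolve and the alert loses its pivot, and a `Host` or `IP` mapping would be the expected shape. I cannot see the query that populates `SGCustomEntity`, so treat both as items to confirm against the rule YAML.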
@@ -2184,37 +2112,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Multiple failed logins to same destinations", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 6 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion6')]", @@ -2223,7 +2144,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", + "name": "[variables('analyticRulecontentId6')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2242,24 +2163,28 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1190", + "T1133" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
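Review bot: The "New Asset" rule is tagged `InitialAccess` with `T1190` and `T1133`, which describe exploitation of an exposed service and use of external remote services; a previously unseen device appearing on an OT network is closer to `T1200` (Hardware Additions), which is also an Initial Access technique, so `"techniques": ["T1200"]` would keep the tactic unchanged while describing what the alert actually observes. If the rule instead reports a new asset seen through remote-access sessions, `T1133` is defensible and only `T1190` should go. The query is outside this hunk, so confirm which behaviour it detects.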
@@ -2292,37 +2217,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - New Asset", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 7 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "ClarotyPolicyViolation_AnalyticalRules 
Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion7')]", @@ -2331,7 +2249,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", + "name": "[variables('analyticRulecontentId7')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2350,24 +2268,27 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "Discovery" ], + "techniques": [ + "T1018" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2400,37 +2321,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Policy violation", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 8 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion8')]", @@ -2439,7 +2353,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", + "name": "[variables('analyticRulecontentId8')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2458,24 +2372,27 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "Discovery" ], + "techniques": [ + "T1018" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2508,37 +2425,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Suspicious activity", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 9 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": 
"ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion9')]", @@ -2547,7 +2457,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2566,24 +2476,27 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "Discovery" ], + "techniques": [ + "T1018" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2616,37 +2529,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId9')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Suspicious file transfer", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Claroty Analytics Rule 10 with template", - "displayName": "Claroty Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "ClarotyTreat_AnalyticalRules 
Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion10')]", @@ -2655,7 +2561,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2674,24 +2580,27 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] } ], "tactics": [ "Discovery" ], + "techniques": [ + "T1018" + ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2724,17 +2633,35 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId10')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Treat detected", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.2", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Claroty", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (CEF over Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { diff --git a/Solutions/Claroty/ReleaseNotes.md b/Solutions/Claroty/ReleaseNotes.md new file mode 100644 index 00000000000..fe42770159c --- /dev/null +++ b/Solutions/Claroty/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|-------------------------------------| +| 3.0.0 | 27-07-2023 | Corrected the links in the solution.| diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip new file mode 100644 index 00000000000..54e7ec2b8b8 Binary files /dev/null and b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip differ diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/__init__.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/__init__.py new file mode 100644 index 00000000000..f9ce8c21473 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/__init__.py 
@@ -0,0 +1,18 @@
+"""init file for CofenseIntelligenceMalware."""
+import datetime
+import logging
+import azure.functions as func
+from ..CofenseIntelligenceMalware import cofense_malware_data_to_sentinel
+
+
+async def main(mytimer: func.TimerRequest) -> None:
+    """Driver method for Cofense Malware to sentinel."""
+    utc_timestamp = (
+        datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+    )
+    cofense_malware_data_to_sentinel_obj = cofense_malware_data_to_sentinel.CofenseIntelligenceMalware()
+    await cofense_malware_data_to_sentinel_obj.fetch_cofense_indicators_and_ingest_malware_data()
+    if mytimer.past_due:
+        logging.info("The timer is past due!")
+
+    logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/cofense_malware_data_to_sentinel.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/cofense_malware_data_to_sentinel.py
new file mode 100644
index 00000000000..95e50c5400c
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/cofense_malware_data_to_sentinel.py
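Review bot: `datetime.datetime.utcnow()` on the `utc_timestamp` line is deprecated from Python 3.12 and produces a naive value that then has tzinfo attached after the fact; `datetime.datetime.now(datetime.timezone.utc).isoformat()` gives the same aware timestamp directly. The `mytimer.past_due` check only runs after the whole ingest has completed, so a delayed trigger is never logged when `fetch_cofense_indicators_and_ingest_malware_data` raises; moving the `if mytimer.past_due:` block above the `await` keeps that signal in the logs on every invocation.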
@@ -0,0 +1,428 @@ +"""File for driver code of CofenseIntelligenceMalware.""" +import inspect +import time +import asyncio +import aiohttp +import json +from datetime import datetime, timezone +from ..SharedCode.sentinel import post_data +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode.utils import Utils +from ..SharedCode.manage_checkpoints import ManageCheckpoints + + +class CofenseIntelligenceMalware(Utils, ManageCheckpoints): + """Get malware data from cofenseintelligence and post in log analytics.""" + + def __init__(self) -> None: + """Initialize instance variable for class.""" + Utils.__init__(self, consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS) + ManageCheckpoints.__init__( + self, + "malware_checkpoint_data", + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + self.validate_params() + self.proxy = self.create_proxy() + + def malware_proxy(self): + """To create proxy. 
+ + Raises: + CofenseIntelligenceException: custom cofense exception + + Returns: + dict: proxies + """ + __method_name = inspect.currentframe().f_code.co_name + try: + proxy_url = None + proxy_auth = None + if consts.IS_PROXY_REQUIRED == "Yes": + if consts.PROXY_URL and consts.PROXY_PORT: + if consts.PROXY_USERNAME and consts.PROXY_PASSWORD: + proxy_url = "{}://{}:{}".format( + consts.PROXY_REQUEST, + consts.PROXY_URL, + consts.PROXY_PORT, + ) + proxy_auth = aiohttp.BasicAuth( + consts.PROXY_USERNAME, consts.PROXY_PASSWORD + ) + applogger.info( + "{}(method={}) : {} : Proxy created successfully and \ + the integration uses proxy for further execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + elif consts.PROXY_USERNAME or consts.PROXY_PASSWORD: + applogger.error( + "{}(method={}) : {} : Proxy username or password is missing.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + raise CofenseIntelligenceException() + else: + proxy_url = "{}://{}:{}".format( + consts.PROXY_REQUEST, + consts.PROXY_URL, + consts.PROXY_PORT, + ) + applogger.info( + "{}(method={}) : {} : Proxy created successfully and \ + the integration uses proxy for further execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + else: + applogger.error( + "{}(method={}) : {} : Proxy Url or Port is missing.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + raise CofenseIntelligenceException() + else: + applogger.info( + "{}(method={}) : {} : Proxy not required. 
Execution gets started without using proxy.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + return {"proxy_url": proxy_url, "proxy_auth": proxy_auth} + except CofenseIntelligenceException: + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Error while creating proxy :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + error, + ) + ) + raise CofenseIntelligenceException() + + async def get_malware_data( + self, threat_id, malware_url, session: aiohttp.ClientSession, proxy_data + ): + """Get malware data from cofense and add download urls. + + Args: + threat_id (str): threat_id + malware_url (str): get malware data url to fetch the data from cofense + session (aiohttp.ClientSession): aiohttp session object to make api calls. + + Returns: + dict: malware data + """ + __method_name = inspect.currentframe().f_code.co_name + try: + final_url = malware_url.format(threat_id=threat_id) + retry_count_429 = 0 + retry_count_401 = 0 + while retry_count_429 <= 1 and retry_count_401 <= 1: + response = await session.get( + url=final_url, + auth=aiohttp.BasicAuth( + consts.COFENSE_USERNAME, consts.COFENSE_PASSWORD + ), + proxy=proxy_data["proxy_url"], + proxy_auth=proxy_data["proxy_auth"], + ) + get_malware_status_code = response.status + if get_malware_status_code >= 200 and get_malware_status_code <= 299: + applogger.info( + "{}(method={}) : {} : Fetched malware successfully for :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + threat_id, + ) + ) + json_response = await response.json() + malware_data = json_response.get("data", {}) + html_report_url = malware_data.get("apiReportURL", "") + url = html_report_url.rsplit("/", 1) + malware_data[ + "ReportDownload(HTML)" + ] = "https://{}.azurewebsites.net/api/DownloadThreatReports?url={}/html".format( 
+ consts.FUNCTION_APP_NAME, url[0] + ) + malware_data[ + "ReportDownload(PDF)" + ] = "https://{}.azurewebsites.net/api/DownloadThreatReports?url={}/pdf".format( + consts.FUNCTION_APP_NAME, url[0] + ) + return malware_data + elif get_malware_status_code == 401: + applogger.error( + "{}(method={}) : {} : Authentication Error, Status:401, trying again.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + + retry_count_401 += 1 + elif get_malware_status_code == 429: + applogger.error( + "{}(method={}) : {} : Rate Limit Error, Status_Code:429,trying again.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + retry_count_429 += 1 + time.sleep(consts.COFENSE_429_SLEEP) + else: + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {}." + " while pulling Malware data.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + url, + get_malware_status_code, + ) + ) + raise CofenseIntelligenceException() + raise CofenseIntelligenceException() + except CofenseIntelligenceException as cofense_error: + applogger.error( + "{}(method={}) : {} : error occured while fetching malware data : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + cofense_error, + ) + ) + raise CofenseIntelligenceException() + + except Exception as error: + applogger.error( + "{}(method={}) : {} : error occured while fetching malware data : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + error, + ) + ) + raise CofenseIntelligenceException() + + async def fetch_malware_data_and_ingest_to_log_analytics(self, indicators_data): + """Create async tasks and fetch the malware data asynchronously. 
+ + Args: + indicators_data (dict): Indicators data from cofense + """ + __method_name = inspect.currentframe().f_code.co_name + try: + proxy_data = self.malware_proxy() + get_malware_url = "{}{}".format( + consts.COFENSE_BASE_URL, consts.ENDPOINTS["get_malware"] + ) + threat_ids = set() + for indicator in indicators_data.get("data", {}).get("indicators", []): + threat_ids.add(indicator.get("threat_id", "")) + applogger.info(threat_ids) + tasks = [] + async with aiohttp.ClientSession() as session: + for threat in threat_ids: + tasks.append( + asyncio.create_task( + self.get_malware_data( + threat_id=threat, + malware_url=get_malware_url, + session=session, + proxy_data=proxy_data, + ) + ) + ) + results = await asyncio.gather(*tasks, return_exceptions=True) + success_count = 0 + failed_count = 0 + success_malware_data = [] + for i in results: + if not isinstance(i, CofenseIntelligenceException): + success_count += 1 + success_malware_data.append(i) + else: + failed_count += 1 + applogger.info( + "{}(method={}) : {} : Total_Invocations: {}, Successful Malware Fetching: {}, \ + Failed Malware Fetching: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + len(results), + success_count, + failed_count, + ) + ) + if len(success_malware_data) > 0: + post_data( + body=json.dumps(success_malware_data), + log_type=consts.MALWARE_DATA_TABLE_NAME, + ) + applogger.info( + "{}(method={}) : {} : Posted Malware Data to Log Analytics Successfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + else: + applogger.info( + "{}(method={}) : {} : No Malware Data found.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : error occured : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + 
consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + error, + ) + ) + raise CofenseIntelligenceException() + + async def fetch_cofense_indicators_and_ingest_malware_data(self): + """Get Malware Ids from Cofense Indicators, Fetch Malware Data and Post to Sentinel.""" + __method_name = inspect.currentframe().f_code.co_name + try: + get_indicator_url = "{}{}".format( + consts.COFENSE_BASE_URL, consts.ENDPOINTS["search_indicators"] + ) + params = {"resultsPerPage": consts.COFENSE_PAGE_SIZE} + checkpoint_since_last_published = self.get_checkpoint_data( + "malware_sinceLastPublished" + ) + checkpoint_page = self.get_checkpoint_data("malware_page") + if checkpoint_since_last_published: + applogger.info( + "{}(method={}) : {} : SincelastPublished Checkpoint found : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + checkpoint_since_last_published, + ) + ) + params["sinceLastPublished"] = checkpoint_since_last_published + else: + applogger.info( + "{}(method={}) : {} : SincelastPublished Checkpoint not found,\ + Fetching data of last 15 days.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + now = datetime.now(timezone.utc) + midnight = now.replace(hour=0, minute=0, second=0, microsecond=0) + params["sinceLastPublished"] = ( + int(midnight.timestamp()) - consts.FIFTEEN_DAYS + ) + applogger.info( + "{}(method={}) : {} : Updating Initial SincelastPublished Checkpoint {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + params["sinceLastPublished"], + ) + ) + self.post_data_to_checkpoint( + "malware_sinceLastPublished", params["sinceLastPublished"] + ) + if checkpoint_page is not None: + applogger.info( + "{}(method={}) : {} : Page Checkpoint found : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + checkpoint_page, + ) + ) + params["page"] = checkpoint_page 
+ while True: + indicators_data = self.get_cofense_data( + url=get_indicator_url, + params=params, + endpoint_name="get indicators", + proxies=self.proxy, + ) + applogger.info( + "{}(method={}) : {} : Indicators fetched successfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + if len(indicators_data.get("data", {}).get("indicators", [])) == 0: + applogger.info( + "{}(method={}) : {} : No indicators found.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + break + await self.fetch_malware_data_and_ingest_to_log_analytics( + indicators_data + ) + next_page = ( + indicators_data.get("data", {}) + .get("page", {}) + .get("currentPage", 0) + + 1 + ) + if next_page == indicators_data.get("data", {}).get("page", {}).get( + "totalPages", 0 + ): + break + params["page"] = next_page + applogger.info( + "{}(method={}) : {} : Updating page checkpoint : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + next_page, + ) + ) + self.post_data_to_checkpoint("malware_page", next_page) + self.post_data_to_checkpoint("malware_sinceLastPublished", int(time.time())) + self.post_data_to_checkpoint("malware_page", 0) + applogger.info( + "{}(method={}) : {} : Updated page and LastPublished checkpoint Successfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + ) + ) + except CofenseIntelligenceException: + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : error occured : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + error, + ) + ) + raise CofenseIntelligenceException() 
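Review bot: `time.sleep(consts.COFENSE_429_SLEEP)` in the 429 branch of `get_malware_data` blocks the event loop, so every other task started by `asyncio.gather` in `fetch_malware_data_and_ingest_to_log_analytics` stalls for the whole back-off instead of only this one; use `await asyncio.sleep(consts.COFENSE_429_SLEEP)`. In the final `else` branch of the same loop the log message formats `url`, which is only assigned in the 2xx branch, so any status other than 2xx/401/429 raises UnboundLocalError before the intended message is written and the real status code is never logged; `final_url` is the value meant there. The `session.get` response is also never released on the 401/429/error paths (only the success path reads the body); `async with session.get(...) as response:` closes the connection on every path. Lastly, `url[0]` taken from the API's `apiReportURL` is interpolated into the DownloadThreatReports query string unencoded; `urllib.parse.quote(url[0], safe="")` keeps a `?`, `&` or `#` in that value from altering the generated link.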
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/function.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/function.json
new file mode 100644
index 00000000000..34c9c78d63b
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceMalware/function.json
@@ -0,0 +1,11 @@
+{
+  "scriptFile": "__init__.py",
+  "bindings": [
+    {
+      "name": "mytimer",
+      "type": "timerTrigger",
+      "direction": "in",
+      "schedule": "%Schedule%"
+    }
+  ]
+}
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json
new file mode 100644
index 00000000000..5963f895e4a
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json
@@ -0,0 +1,168 @@ +{ + "id": "CofenseIntelligence", + "title": "Cofense Intelligence Threat Indicators Ingestion", + "publisher": "Cofense", + "descriptionMarkdown": "The [Cofense-Intelligence](https://cofense.com/product-services/phishing-intelligence/) data connector provides the following capabilities: \n 1. CofenseToSentinel : \n >* Get Threat Indicators from the Cofense Intelligence platform and create Threat Intelligence Indicators in Microsoft Sentinel. \n 2. SentinelToDefender : \n >* Get Malware from Cofense Intelligence and post to custom logs table. \n 3. CofenseIntelligenceMalware : \n >* Get Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence and create/update Indicators in Microsoft Defender for Endpoints.\n 4. DownloadThreatReports : \n >* This data connector will fetch the malware data and create the Link from which we can download Threat Reports. \n 5. RetryFailedIndicators : \n >* This data connector will fetch failed indicators from failed indicators file and retry creating/updating Threat Intelligence indicators in Microsoft Sentinel. \n\n\n For more details of REST APIs refer to the below documentations: \n 1. Cofense Intelligence API documentation: \n> https://www.threathq.com/docs/rest_api_reference.html \n 2. Microsoft Threat Intelligence Indicator documentation: \n> https://learn.microsoft.com/rest/api/securityinsights/preview/threat-intelligence-indicator \n 3. 
Microsoft Defender for Endpoints Indicator documentation: \n> https://learn.microsoft.com/microsoft-365/security/defender-endpoint/ti-indicator?view=o365-worldwide", + "graphQueries": [ + { + "metricName": "Cofense Intelligence Threat Indicators data received", + "legend": "ThreatIntelligenceIndicator | where SourceSystem startswith 'Cofense Intelligence : '", + "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem startswith 'Cofense Intelligence : '" + }, + { + "metricName": "Cofense Intelligence Malware data and report links data received", + "legend": "Malware_Data_CL", + "baseQuery": "Malware_Data_CL" + } + ], + "sampleQueries": [ + { + "description": "Cofense Based Indicators Events - All Cofense indicators in Microsoft Sentinel Threat Intelligence.", + "query": "ThreatIntelligenceIndicator\n | where SourceSystem startswith 'Cofense Intelligence : '\n | sort by TimeGenerated desc" + }, + { + "description": "Cofense Intelligence malware data and all Cofense indicators report links data.", + "query": "Malware_Data_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Malware_Data_CL", + "lastDataReceivedQuery": "Malware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ThreatIntelligenceIndicator\n | where SourceSystem startswith 'Cofense Intelligence : '\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Malware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ 
+ { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Cofense Username** and **Password** is required. See the documentation to learn more about API on the [Rest API reference](https://www.threathq.com/docs/rest_api_reference.html)" + }, + { + "name": "Microsoft Defender for Endpoints", + "description": "**Microsoft Defender for Endpoints License** is required for SentinelToDefender function." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Cofense Intelligence APIs to pull its Threat Indicators and create Threat Intelligence Indicators into Microsoft Sentinel Threat Intelligence and create/update Threat Indicators in Cofense. 
Likewise, it also creates/updates Cofense Based Threat Indicators in Microsoft Defender for Endpoints. All this might result in additional indicator and data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - App Registration steps for the Microsoft Azure Active Directory Application**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new Azure Active Directory application:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Azure Active Directory**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of CofenseIntelligence Data Connector. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "title": "", + "description": "**STEP 2 - Add a client secret for Microsoft Azure Active Directory Application**\n\n Sometimes called an application password, a client secret is a string value required for the execution of CofenseIntelligence Data Connector. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of CofenseIntelligence Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "title": "", + "description": "**STEP 3 - Assign role of Contributor to Microsoft Azure Active Directory Application**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. 
Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "title": "", + "description": "**STEP 4 - Assign Defender Threat Indicator permissions to Microsoft Azure Active Directory Application**\n\n Follow the steps in this section to assign the permissions:\n 1. In the Azure portal, in **App registrations**, select **your application**.\n 2. To enable an app to access Defender for Endpoint indicators, assign it **'Ti.ReadWrite.All'** permission, on your application page, select **API Permissions > Add permission > APIs my organization uses >, type WindowsDefenderATP, and then select WindowsDefenderATP**.\n 3. Select **Application permissions > Ti.ReadWrite.All**, and then select **Add permissions**.\n 4. Select **Grant consent**. \n\n> **Reference link:** [https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide)" + }, + { + "title": "", + "description": "**STEP 5 - Steps to create/get Credentials for the Cofense Intelligence account** \n\n Follow the steps in this section to create/get **Cofense Username** and **Password**:\n 1. Login to https://threathq.com and go to the **Settings menu** on the left navigation bar.\n 2. Choose the API Tokens tab and select **Add a New Token**\n 3. Make sure to save the **password**, as it will not be accessible again." 
+ }, + { + "title": "", + "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Cofense Intelligence Threat Indicators data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Cofense API Authorization Key(s).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Cofense connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CofenseIntelligence-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Cofense Intelligence Threat Indicators data connector manually with Azure Functions (Deployment via Visual Studio Code)." + }, + { + "title": "", + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "title": "", + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." + } + ] +} \ No newline at end of file diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/__init__.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/__init__.py new file mode 100644 index 00000000000..13ec83511ea --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/__init__.py 
@@ -0,0 +1,18 @@
+"""init file for Cofense to sentinel."""
+import datetime
+import logging
+import azure.functions as func
+from ..CofenseToSentinel import cofense_to_sentinel
+
+
+async def main(mytimer: func.TimerRequest) -> None:
+ """Driver method for Cofense to sentinel."""
+ utc_timestamp = (
+ datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ )
+ cofense_to_sentinel_obj = cofense_to_sentinel.CofenseIntelligence()
+ await cofense_to_sentinel_obj.get_cofense_data_post_to_sentinel()
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/cofense_to_sentinel.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/cofense_to_sentinel.py
new file mode 100644
index 00000000000..17942221ba1
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/cofense_to_sentinel.py
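Review bot: `datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc)` can be the single aware call `datetime.datetime.now(datetime.timezone.utc).isoformat()`; `utcnow()` is deprecated from Python 3.12 and the replace-with-tzinfo idiom is exactly what the deprecation steers away from. The `mytimer.past_due` check sits after the `await`, so when `get_cofense_data_post_to_sentinel()` raises neither log line is emitted; logging the past-due state before the call keeps that diagnostic on the runs that fail. Both points apply equally to the RetryFailedIndicators/__init__.py hunk further down.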
@@ -0,0 +1,297 @@ +"""File for driver code cofense to sentinel.""" +import inspect +import time +from datetime import datetime, timezone +import asyncio +import aiohttp +import json +from .sentinel import MicrosoftSentinel +from .cofense_to_sentinel_mapping import map_indicator_fields +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode.utils import Utils +from ..SharedCode.manage_checkpoints import ManageCheckpoints +from ..SharedCode.state_manager import StateManager + + +class CofenseIntelligence(Utils, ManageCheckpoints): + """Class for pulls data from cofenseintelligence and create indicator on sentinel.""" + + def __init__(self) -> None: + """Initialize instance variable for class.""" + Utils.__init__(self, consts.COFENSE_TO_SENTINEL) + ManageCheckpoints.__init__( + self, "cofense_to_sentinel", consts.COFENSE_TO_SENTINEL + ) + self.validate_params() + self.proxy = self.create_proxy() + + def save_failed_indicators_data_to_checkpoint(self, indicators_data, file_name): + """Save failed indicators data to checkpoint. + + Args: + indicators_data (list): Failed indicators data. 
+ """ + try: + __method_name = inspect.currentframe().f_code.co_name + state_manager_obj = StateManager( + consts.CONNECTION_STRING, file_path=file_name + ) + checkpoint_data = state_manager_obj.get(consts.COFENSE_TO_SENTINEL) + if checkpoint_data is None or checkpoint_data == "": + state_manager_obj.post(json.dumps(indicators_data)) + applogger.info( + "{}(method={}) : {} : checkpoint file created and {} failed indicators posted sucessfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + len(indicators_data), + ) + ) + else: + json_checkpoint = json.loads(checkpoint_data) + json_checkpoint.extend(indicators_data) + state_manager_obj.post(json.dumps(json_checkpoint)) + applogger.info( + "{}(method={}) : {} : Updated checkpoint with {} failed indicators sucessfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + len(indicators_data), + ) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} : error while posting checkpoint data for failed indicators :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + + async def post_data_to_threat_intelligence(self, indicators_data): + """Create the asynchronous tasks for indicators ingestion to Microsoft Sentinel Threat Intelligence. 
+ + Args: + indicators_data (dict): Indicators Data + + Returns: + dict: Dictionary containing the success_count and failure_count + """ + __method_name = inspect.currentframe().f_code.co_name + try: + failed_indicators = [] + microsoft_sentinel_obj = MicrosoftSentinel() + tasks = [] + async with aiohttp.ClientSession() as session: + for indicator in indicators_data.get("data", {}).get("indicators", []): + mapped_data = map_indicator_fields(indicator) + tasks.append( + asyncio.create_task( + microsoft_sentinel_obj.create_indicator( + mapped_data, session + ) + ) + ) + results = await asyncio.gather(*tasks, return_exceptions=True) + success_count = 0 + failed_count = 0 + for i in results: + if i is None: + success_count += 1 + else: + failed_count += 1 + failed_indicators.append(i) + applogger.info( + "{}(method={}) : {} : Total_Invocations: {}, Successful Indicators Posting: {},\ + Failed Indicators Posting: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + len(results), + success_count, + failed_count, + ) + ) + return { + "success_count": success_count, + "failure_count": failed_count, + "failed_indicators": failed_indicators, + } + except CofenseIntelligenceException: + applogger.error( + "{}(method={}) : {} : Indicator Creation Failed.".format( + consts.LOGS_STARTS_WITH, __method_name, consts.COFENSE_TO_SENTINEL + ) + ) + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Indicator Creation Failed, Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + error, + ) + ) + raise CofenseIntelligenceException() + + async def get_cofense_data_post_to_sentinel(self): + """Fetch data and Indicators mapping.""" + __method_name = inspect.currentframe().f_code.co_name + try: + total_indicators = 0 + total_success_indicators = 0 + total_fail_indicators = 0 + get_indicator_url = "{}{}".format( + consts.COFENSE_BASE_URL, 
consts.ENDPOINTS["search_indicators"] + ) + params = {"resultsPerPage": consts.COFENSE_PAGE_SIZE} + checkpoint_since_last_published = self.get_checkpoint_data( + "sinceLastPublished" + ) + checkpoint_page = self.get_checkpoint_data("page") + if checkpoint_since_last_published: + applogger.info( + "{}(method={}) : {} :SincelastPublished Checkpoint found:{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + checkpoint_since_last_published, + ) + ) + params["sinceLastPublished"] = checkpoint_since_last_published + else: + applogger.info( + "{}(method={}) : {} :SincelastPublished Checkpoint not found,\ + Fetching data of last 15 days.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + now = datetime.now(timezone.utc) + midnight = now.replace(hour=0, minute=0, second=0, microsecond=0) + params["sinceLastPublished"] = ( + int(midnight.timestamp()) - consts.FIFTEEN_DAYS + ) + applogger.info( + "{}(method={}) : {} :Updating Initial SincelastPublished Checkpoint {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + params["sinceLastPublished"], + ) + ) + self.post_data_to_checkpoint( + "sinceLastPublished", params["sinceLastPublished"] + ) + if checkpoint_page is not None: + applogger.info( + "{}(method={}) : {} :Page Checkpoint found:{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + checkpoint_page, + ) + ) + params["page"] = checkpoint_page + failed_indicators_file_name = str( + int(datetime.now(timezone.utc).timestamp()) + ) + while True: + indicators_data = self.get_cofense_data( + url=get_indicator_url, + params=params, + endpoint_name="get indicators", + proxies=self.proxy, + ) + applogger.info( + "{}(method={}) : {} : Indicators fetched successfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + if len(indicators_data.get("data", {}).get("indicators", [])) == 0: + 
applogger.info( + "{}(method={}) : {} : No indicators found.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + break + + total_indicators += len( + indicators_data.get("data", {}).get("indicators", []) + ) + response = await self.post_data_to_threat_intelligence(indicators_data) + total_success_indicators += response["success_count"] + total_fail_indicators += response["failure_count"] + if response["failure_count"] > 0: + applogger.info( + "{}(method={}) : {} : {} indicators failed, adding the indicators to retry_queue.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + response["failure_count"], + ) + ) + self.save_failed_indicators_data_to_checkpoint( + response["failed_indicators"], failed_indicators_file_name + ) + next_page = ( + indicators_data.get("data", {}) + .get("page", {}) + .get("currentPage", 0) + + 1 + ) + if next_page == indicators_data.get("data", {}).get("page", {}).get( + "totalPages", 0 + ): + break + params["page"] = next_page + applogger.info( + "{}(method={}) : {} : Updating page checkpoint: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + next_page, + ) + ) + self.post_data_to_checkpoint("page", next_page) + applogger.info( + "{}(method={}) : {} : Total collected indicators from cofense : {}, " + "successfully posted indicators into sentinel: {}, " + "failed indicators while posting : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + total_indicators, + total_success_indicators, + total_fail_indicators, + ) + ) + self.post_data_to_checkpoint("sinceLastPublished", int(time.time())) + self.post_data_to_checkpoint("page", 0) + applogger.info( + "{}(method={}) : {} : Updated page and LastPublished checkpoint Successfully.".format( + consts.LOGS_STARTS_WITH, __method_name, consts.COFENSE_TO_SENTINEL + ) + ) + except CofenseIntelligenceException: + raise CofenseIntelligenceException() + except 
Exception as error: + applogger.error( + "{}(method={}) : {} : error occured :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/cofense_to_sentinel_mapping.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/cofense_to_sentinel_mapping.py new file mode 100644 index 00000000000..f793da7f803 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/cofense_to_sentinel_mapping.py 
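Review bot: `asyncio.gather(*tasks, return_exceptions=True)` in post_data_to_threat_intelligence places any exception instance that escapes `create_indicator` into `failed_indicators`, and save_failed_indicators_data_to_checkpoint then passes that list to `json.dumps`, which raises TypeError for exception objects and turns one failed post into a run-aborting CofenseIntelligenceException. Skipping such entries before queuing, e.g. `if isinstance(i, BaseException): failed_count += 1; continue` with an error log of `i`, keeps the retry file serialisable. The closing `self.post_data_to_checkpoint("sinceLastPublished", int(time.time()))` takes its timestamp after every page has been posted, so an indicator published during the run but after its page was fetched would presumably fall outside both this run and the next one's window; capturing `int(time.time())` once before the `while True:` loop and posting that value closes the gap, assuming `sinceLastPublished` is inclusive on the Cofense side. The docstring of save_failed_indicators_data_to_checkpoint documents `indicators_data` but not the second parameter; add `file_name (str): Name of the checkpoint file that receives the failed indicators.`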
@@ -0,0 +1,73 @@ +"""This file contains methods for mapping between cofense and sentinel.""" +import inspect +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException + + +def map_indicator_fields(indicator): + """Map indicator fields for sentinel indicator. + + Args: + indicator (dict): Indicator fetched from Cofense Intelligence + azure_function_name (str): Azure Function Name + + Returns: + dict: mapped indicator + """ + try: + __method_name = inspect.currentframe().f_code.co_name + confidence = "" + if indicator.get("impact", "") == "Major": + confidence = 100 + elif indicator.get("impact", "") == "Medium": + confidence = 70 + elif indicator.get("impact", "") == "Moderate": + confidence = 50 + elif indicator.get("impact", "") == "Minor": + confidence = 30 + elif indicator.get("impact", "") == "None": + confidence = 1 + pattern = "" + if indicator.get("indicator_type", "") == "URL": + pattern = "url:value =" + elif indicator.get("indicator_type", "") == "File": + pattern = "file:hashes.'MD5' =" + elif indicator.get("indicator_type", "") == "Domain Name": + pattern = "domain-name:value =" + + sentinel_indicator = { + "kind": "indicator", + "properties": { + "source": "Cofense Intelligence", + "displayName": "Cofense intelligence: {}".format( + indicator.get("threat_id", "") + ), + "confidence": confidence, + "description": "Role: {}".format(indicator.get("role", "")), + "threatTypes": [indicator.get("indicator_type", "")], + "indicatorTypes": [indicator.get("indicator_type", "")], + "pattern": "[{} '{}']".format((pattern), indicator.get("ioc", "")), + "patternType": indicator.get("indicator_type", ""), + "labels": ["threatID-{}".format(indicator.get("threat_id", ""))], + }, + } + applogger.info( + "{}(method={}) : {} : Indicator Field Mapping is done for threat {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + 
indicator.get("threat_id", ""), + ) + ) + return sentinel_indicator + except Exception as error: + applogger.error( + "{}(method={}) : {} : Error occured :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + error + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/function.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/function.json new file mode 100644 index 00000000000..34c9c78d63b --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/sentinel.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/sentinel.py new file mode 100644 index 00000000000..938468e353c --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseToSentinel/sentinel.py 
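Review bot: The STIX pattern is built by interpolating the raw IOC into `"[{} '{}']".format((pattern), indicator.get("ioc", ""))`, so an IOC containing `'` or `\` (plausible for URL indicators) yields a syntactically different pattern and a 400 from the indicator API; escape the value first, `ioc = str(indicator.get("ioc", "")).replace("\\", "\\\\").replace("'", "\\'")`, and interpolate `ioc`. When `indicator_type` is none of URL, File or Domain Name, `pattern` stays `""` and the result is `[ 'value']`, which is never valid; raising CofenseIntelligenceException (or returning None and skipping) for unknown types is preferable to posting a known-bad indicator that then lands in the retry queue. `confidence` defaults to `""` while every branch assigns an int, so an unrecognised `impact` changes the field's type; use an int default such as `0`, or omit the key. The docstring lists an `azure_function_name` argument the function does not take.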
@@ -0,0 +1,143 @@ +"""This file contains methods for creating microsoft indicator and custom log table.""" +import time +import json +import inspect +from ..SharedCode.utils import Utils +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode import consts + + +class MicrosoftSentinel(Utils): + """This class contains methods to create indicator into Microsoft Sentinel.""" + + def __init__(self): + """Initialize instance variable for class.""" + super().__init__(consts.COFENSE_TO_SENTINEL) + self.bearer_token = self.auth_sentinel() + + async def create_indicator(self, indicator_data, session): + """To create indicator into Microsoft Sentinel. + + Args: + indicator_data (dict): Indicator data + session (session object): aiohttp session object + + Raises: + CofenseIntelligenceException: Cofense Exception + """ + __method_name = inspect.currentframe().f_code.co_name + try: + threat_id = "" + indicator_labels = indicator_data.get("properties", "").get("labels", "") + if indicator_labels != "": + threat_id = indicator_labels[0].split("-")[-1] + retry_count_429 = 0 + retry_count_401 = 0 + while retry_count_429 <= 3 and retry_count_401 <= 1: + create_indicator_url = consts.CREATE_SENTINEL_INDICATORS_URL.format( + subscriptionId=consts.AZURE_SUBSCRIPTION_ID, + resourceGroupName=consts.AZURE_RESOURCE_GROUP, + workspaceName=consts.AZURE_WORKSPACE_NAME, + ) + headers = { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(self.bearer_token), + } + response = await session.post( + url=create_indicator_url, + headers=headers, + data=json.dumps(indicator_data), + ) + if response.status >= 200 and response.status <= 299: + applogger.info( + "{}(method={}) : {} : Created the indicator with threatId- {}, status_code: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + response.status, + ) + ) + return None + elif 
response.status == 400: + json_response = await response.json() + applogger.warning( + "{}(method={}) : {} : url: {}, Status Code : {}: Error while\ + creating Indicator, threatId-{}, Error:{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + create_indicator_url, + response.status, + threat_id, + json_response, + ) + ) + return indicator_data + elif response.status == 429: + applogger.error( + "{}(method={}) : {} : trying again error 429.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + retry_count_429 += 1 + time.sleep(consts.SENTINEL_429_SLEEP) + elif response.status == 401: + applogger.error( + "{}(method={}) : {} : Unauthorized, Invalid Credentials, trying again error-401.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + self.bearer_token = self.auth_sentinel(consts.COFENSE_TO_SENTINEL) + headers["Authorization"] = "Bearer {}".format(self.bearer_token) + retry_count_401 += 1 + else: + json_response = await response.json() + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {}: Error while\ + creating Indicator, threatId-{}, Error:{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + create_indicator_url, + response.status, + threat_id, + json_response, + ) + ) + raise CofenseIntelligenceException() + applogger.error( + "{}(method={}) : {} : Max retries exceeded for microsoft sentinel, threatId-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + ) + ) + raise CofenseIntelligenceException() + except CofenseIntelligenceException: + applogger.error( + "{}(method={}) : {} : Error generated while Creating Indicator, threatId-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + ) + ) + return indicator_data + + except Exception: + applogger.error( + "{}(method={}) : {} : Error generated while 
Creating Indicator, threatId-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + ) + ) + return indicator_data diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/__init__.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/__init__.py new file mode 100644 index 00000000000..76e94f9b387 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/__init__.py 
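Review bot: `time.sleep(consts.SENTINEL_429_SLEEP)` in the 429 branch of `create_indicator` is a blocking sleep inside a coroutine, so it stalls the event loop and every sibling task that post_data_to_threat_intelligence launched through gather; replace it with `await asyncio.sleep(consts.SENTINEL_429_SLEEP)` and add `import asyncio` to the module imports. The token refresh calls `self.auth_sentinel(consts.COFENSE_TO_SENTINEL)` whereas `__init__` calls `self.auth_sentinel()` with no argument; Utils is outside this hunk, but one of the two call shapes is presumably wrong, and the 401 path is the one that only executes under failure. A 400 response returns `indicator_data`, which the caller queues for retry, yet a bad request is not transient and fails identically on every retry; logging and dropping it keeps the retry queue to recoverable failures. `response = await session.post(...)` is never read or released on the 2xx path; `async with session.post(...) as response:` returns the connection to the pool deterministically.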
@@ -0,0 +1,161 @@ +"""Download Report Module.""" +import logging +import inspect +import requests +import azure.functions as func +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.utils import Utils +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException + + +def main(req: func.HttpRequest) -> func.HttpResponse: + """Download the file and return as http response. + + Args: + req (func.HttpRequest): _description_ + + Returns: + func.HttpResponse: _description_ + """ + __method_name = inspect.currentframe().f_code.co_name + try: + logging.info("Python HTTP trigger function recieved a request.") + utils_obj = Utils(consts.DOWNLOAD_THREAT_REPORTS) + utils_obj.validate_params() + proxy = utils_obj.create_proxy() + url = req.params.get("url") + splitted_url = url.rsplit("/", 1) + file_format = splitted_url[1] + level_two_split = splitted_url[0].rsplit("/", 1) + file_name = level_two_split[1] + response = requests.get( + url=url, + auth=(consts.COFENSE_USERNAME, consts.COFENSE_PASSWORD), + timeout=10, + proxies=proxy, + ) + if response.status_code == 200: + applogger.info( + "{}(method={}) : {} : Request Success : threat id - {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + file_name, + ) + ) + download_file_name = "{}.{}".format(file_name, file_format) + if file_format == "html": + return func.HttpResponse( + response.content, + mimetype="text/html", + headers={ + "Content-Disposition": f'attachment; filename="{download_file_name}"' + }, + ) + elif file_format == "pdf": + return func.HttpResponse( + response.content, + mimetype="application/pdf", + headers={ + "Content-Disposition": f'attachment; filename="{download_file_name}"' + }, + ) + return func.HttpResponse("Wrong File Format.") + elif response.status_code == 401: + applogger.error( + "{}(method={}) : {} : Error occured : Authentication Failure. 
" + "Provide valid Cofense Username and Cofense Password in Function App:{}'s " + "configuration and try again.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + consts.FUNCTION_APP_NAME, + ) + ) + return func.HttpResponse( + "Authentication Error: Wrong Credentials. " + "Provide valid Cofense Username and Cofense Password in Function App:{}'s " + "configuration and try again.".format(consts.FUNCTION_APP_NAME) + ) + elif response.status_code == 429: + applogger.error( + "{}(method={}) : {} : Error occured : Rate Limit Exceeded.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + ) + ) + return func.HttpResponse( + "Rate Limit Exceeded, Please Try again after some Time." + ) + applogger.error( + "{}(method={}) : {} : Unknown Error, Response from API-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + response.text, + ) + ) + return func.HttpResponse(response.text, mimetype="text/html") + except requests.exceptions.RequestException as connect_error: + if consts.IS_PROXY_REQUIRED == "Yes": + applogger.error( + "{}(method={}) : {} : Proxy parameters are invalid or Proxy is unreachable," + " Please verify in Function App:{}'s configuration and try again, Error-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + consts.FUNCTION_APP_NAME, + connect_error, + ) + ) + return func.HttpResponse( + "Proxy parameters are invalid or Proxy is unreachable. 
" + "Please verify in Function App:{}'s configuration and try again.".format( + consts.FUNCTION_APP_NAME + ) + ) + applogger.error( + "{}(method={}) : {} : HTTP Request Error, Error-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + connect_error, + ) + ) + return func.HttpResponse("HTTP Request Error, Error-{}.".format(connect_error)) + except CofenseIntelligenceException as cofense_error: + param_type = "Proxy " + if ( + str(cofense_error) + == "Error Occurred while validating params. Required fields missing." + ): + param_type = "Required " + applogger.error( + "{}(method={}) : {} : {}Parameters are missing," + " Please verify in Function App:{}'s configuration and try again.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + param_type, + consts.FUNCTION_APP_NAME, + ) + ) + return func.HttpResponse( + "{}Parameters are missing, " + "Please verify in Function App:{}'s configuration and try again.".format( + param_type, consts.FUNCTION_APP_NAME + ) + ) + + except Exception as error: + applogger.error( + "{}(method={}) : {} : Error occured : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOWNLOAD_THREAT_REPORTS, + error, + ) + ) + return func.HttpResponse("Error : {}".format(error)) diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/function.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/function.json new file mode 100644 index 00000000000..bee58b3f924 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/DownloadThreatReports/function.json 
@@ -0,0 +1,20 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "authLevel": "anonymous",
+ "type": "httpTrigger",
+ "direction": "in",
+ "name": "req",
+ "methods": [
+ "get",
+ "post"
+ ]
+ },
+ {
+ "type": "http",
+ "direction": "out",
+ "name": "$return"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/README.md b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/README.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/__init__.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/__init__.py
new file mode 100644
index 00000000000..c2bceac3bdc
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/__init__.py
@@ -0,0 +1,17 @@
+"""init file for Retrying Failed Indicators."""
+import datetime
+import logging
+import azure.functions as func
+from .retry_failed_indicators import get_failed_indicators_and_retry
+
+
+async def main(mytimer: func.TimerRequest) -> None:
+ """Driver method for RetryFailedIndicators."""
+ utc_timestamp = (
+ datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ )
+ await get_failed_indicators_and_retry()
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/function.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/function.json
new file mode 100644
index 00000000000..36c1449c9e1
--- /dev/null
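Review bot: The httpTrigger binding is declared with `"authLevel": "anonymous"`, so the DownloadThreatReports endpoint — which, judging by the `__init__.py` hunk immediately above, calls the Cofense API with the credentials stored in the Function App configuration — can be invoked by anyone who knows its URL. Unless the endpoint is intentionally public, it should require a function key: `"authLevel": "function"`. Allowing both `"get"` and `"post"` also widens the unauthenticated surface; restricting `methods` to the verb the caller actually uses keeps the binding minimal.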
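Review bot: `datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc)` in `main` is the naive-then-attach pattern that Python deprecates from 3.12; `datetime.datetime.now(datetime.timezone.utc).isoformat()` produces the same aware timestamp in one call. The same line appears in the SentinelToDefender/__init__.py hunk further down. This driver also logs through the stdlib `logging` module while the SentinelToDefender driver logs through `applogger`; using `applogger` here too would keep the `LOGS_STARTS_WITH` prefix consistent across the function app.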
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/function.json
@@ -0,0 +1,11 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/retry_failed_indicators.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/retry_failed_indicators.py
new file mode 100644
index 00000000000..cc88ef016d9
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/retry_failed_indicators.py
@@ -0,0 +1,317 @@ +"""Retry Failed Indicators.""" +import asyncio +import inspect +import json +import aiohttp +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode import consts +from ..SharedCode.state_manager import StateManager +from ..SharedCode.logger import applogger +from .sentinel import MicrosoftSentinel +from ..SharedCode.sentinel import post_data +from azure.storage.fileshare import ShareDirectoryClient +from azure.core.exceptions import ResourceNotFoundError +from datetime import datetime, timezone, timedelta + + +def return_file_names_to_query_in_the_current_execution(file_names_list): + """Return the file names except the ones from the current invocation's date. + + Args: + file_names_list (list): list of file names + + Returns: + list: list of file names till midnight of that day. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + now = datetime.now(timezone.utc) + one_hour_ago = now - timedelta(hours=1) + files_to_query_in_current_execution = [] + for file in file_names_list: + if file.isnumeric() and int(file) < int(one_hour_ago.timestamp()): + files_to_query_in_current_execution.append(file) + applogger.info( + "{}(method={}) : {} : Found {} failed Indicators' File.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + len(files_to_query_in_current_execution), + ) + ) + return files_to_query_in_current_execution + except Exception as error: + applogger.error( + "{}(method={}) : {} : Error in returning which files to process, Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + error, + ) + ) + raise CofenseIntelligenceException() + + +def list_checkpoint_files(parent_dir): + """Get failed indicator's file names. + + Args: + parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations + on file share. 
+ + Returns: + list: list of file names of failed indicators + """ + __method_name = inspect.currentframe().f_code.co_name + try: + files_list = list(parent_dir.list_directories_and_files()) + file_names = [] + if (len(files_list)) > 0: + for file in files_list: + file_names.append(file["name"]) + return file_names + else: + return None + except ResourceNotFoundError: + applogger.error( + "{}(method={}) : {} : No Failed Indicators File Found.".format( + consts.LOGS_STARTS_WITH, __method_name, consts.RETRY_FAILED_INDICATORS + ) + ) + return None + except Exception as error: + applogger.error( + "{}(method={}) : {} : error while getting list of checkpoint files, Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + error, + ) + ) + raise CofenseIntelligenceException() + + +def delete_file_from_file_share(file_name, parent_dir): + """Delete the file from azure file share. + + Args: + file_name (str): name of the file to delete + parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations + on file share. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + parent_dir.delete_file(file_name) + except ResourceNotFoundError: + applogger.info( + "{}(method={}) : {} : No Failed Indicators File Found, filename-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + file_name, + ) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} : error while deleting checkpoint file, Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + error, + ) + ) + raise CofenseIntelligenceException() + + +def get_failed_indicators(file_name): + """Get Failed indicators list from checkpoint.""" + __method_name = inspect.currentframe().f_code.co_name + try: + state_manager_obj = StateManager(consts.CONNECTION_STRING, file_path=file_name) + checkpoint_data = state_manager_obj.get(consts.RETRY_FAILED_INDICATORS) + if checkpoint_data is None or checkpoint_data == "": + return None + else: + json_checkpoint = json.loads(checkpoint_data) + return json_checkpoint + except Exception as error: + applogger.error( + "{}(method={}) : {} : error while getting checkpoint data for failed indicators, Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + error, + ) + ) + raise CofenseIntelligenceException() + + +async def post_failed_indicators(indicators_data): + """Create the asynchronous tasks for failed indicators ingestion to Microsoft Sentinel Threat Intelligence. 
+ + Args: + indicators_data (dict): Failed Indicators Data + + Returns: + dict: Dictionary containing the success_count and failure_count + """ + __method_name = inspect.currentframe().f_code.co_name + try: + failed_indicators = [] + microsoft_sentinel_obj = MicrosoftSentinel() + tasks = [] + async with aiohttp.ClientSession() as session: + for indicator in indicators_data: + tasks.append( + asyncio.create_task( + microsoft_sentinel_obj.create_indicator(indicator, session) + ) + ) + results = await asyncio.gather(*tasks, return_exceptions=True) + success_count = 0 + failed_count = 0 + for i in results: + if i is None: + success_count += 1 + else: + failed_count += 1 + failed_indicators.append(i) + applogger.info( + "{}(method={}) : {} : Total_Invocations: {}, Successful Indicators Posting: {},\ + Failed Indicators Posting: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + len(results), + success_count, + failed_count, + ) + ) + return { + "success_count": success_count, + "failure_count": failed_count, + "failed_indicators": failed_indicators, + } + except CofenseIntelligenceException: + applogger.error( + "{}(method={}) : {} : Indicator Creation Failed after retrying.".format( + consts.LOGS_STARTS_WITH, __method_name, consts.RETRY_FAILED_INDICATORS + ) + ) + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Indicator Creation Failed after retrying, Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + error, + ) + ) + raise CofenseIntelligenceException() + + +async def get_failed_indicators_and_retry(): + """Get failed indicators data from checkpoint and try creating them again.""" + __method_name = inspect.currentframe().f_code.co_name + try: + total_retry_indicators = 0 + retry_success = 0 + retry_failure = 0 + parent_dir = ShareDirectoryClient.from_connection_string( + conn_str=consts.CONNECTION_STRING, + 
share_name=consts.MS_SHARE_NAME, + directory_path="", + ) + failed_files = list_checkpoint_files(parent_dir) + if not failed_files: + applogger.info( + "{}(method={}) : {} : No files found.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + ) + ) + return + file_names_to_query = return_file_names_to_query_in_the_current_execution( + failed_files + ) + if not file_names_to_query: + applogger.info( + "{}(method={}) : {} : No previously failed indicators found.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + ) + ) + return + for file in file_names_to_query: + failed_indicators = get_failed_indicators(file) + if not failed_indicators: + applogger.info( + "{}(method={}) : {} : No Failed indicators found in the file-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + file, + ) + ) + continue + + result = await post_failed_indicators(failed_indicators) + if result["failure_count"] > 0: + post_data( + body=json.dumps(result["failed_indicators"]), + log_type=consts.FAILED_INDICATORS_TABLE_NAME, + ) + applogger.info( + "{}(method={}) : {} : Posted {} failed indicators to log analytics.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + len(result["failed_indicators"]), + ) + ) + total_retry_indicators += len(failed_indicators) + retry_success += result["success_count"] + retry_failure += result["failure_count"] + delete_file_from_file_share(file, parent_dir) + applogger.info( + "{}(method={}) : {} : Succesfully deleted the file, filename : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + file, + ) + ) + applogger.info( + "{}(method={}) : {} : Total collected Failed Indicators : {}, " + "posted indicators into sentinel: {}, " + "failed indicators while posting : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + total_retry_indicators, 
+ retry_success, + retry_failure, + ) + ) + except CofenseIntelligenceException: + applogger.error( + "{}(method={}) : {} : Retrying Failed Indicators incurred an error.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + ) + ) + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Retrying Failed Indicators incurred an error, Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.RETRY_FAILED_INDICATORS, + error, + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/sentinel.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/sentinel.py new file mode 100644 index 00000000000..2d68612299c --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/RetryFailedIndicators/sentinel.py 
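Review bot: The docstring of `return_file_names_to_query_in_the_current_execution` says it returns file names "till midnight of that day", but the filter keeps names whose numeric value is below `one_hour_ago.timestamp()`, i.e. files older than one hour; the Returns line should read `list: file names (epoch-second strings) older than one hour, so the current invocation's own checkpoint is skipped.` In the same loop, `file.isnumeric()` accepts characters such as fractions and superscripts that `int()` rejects, so one unexpected file name in the share aborts the whole run through the broad `except`; `file.isdecimal()` matches exactly what `int()` parses. `list_checkpoint_files` returns `None` for an empty directory and a list otherwise; returning `[]` in both cases gives the function a single return type while the caller's `if not failed_files:` keeps working unchanged.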
@@ -0,0 +1,128 @@ +"""This file contains methods for creating microsoft indicator and custom log table.""" +import time +import json +import inspect +from ..SharedCode.utils import Utils +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode import consts + + +class MicrosoftSentinel(Utils): + """This class contains methods to create indicator into Microsoft Sentinel.""" + + def __init__(self): + """Initialize instance variable for class.""" + super().__init__(consts.COFENSE_TO_SENTINEL) + self.bearer_token = self.auth_sentinel() + + async def create_indicator(self, indicator_data, session): + """To create indicator into Microsoft Sentinel. + + Args: + indicator_data (dict): Indicator data + session (session object): aiohttp session object + + Raises: + CofenseIntelligenceException: Cofense Exception + """ + __method_name = inspect.currentframe().f_code.co_name + try: + threat_id = "" + indicator_labels = indicator_data.get("properties", "").get("labels", "") + if indicator_labels != "": + threat_id = indicator_labels[0].split("-")[-1] + retry_count_429 = 0 + retry_count_401 = 0 + while retry_count_429 <= 3 and retry_count_401 <= 1: + create_indicator_url = consts.CREATE_SENTINEL_INDICATORS_URL.format( + subscriptionId=consts.AZURE_SUBSCRIPTION_ID, + resourceGroupName=consts.AZURE_RESOURCE_GROUP, + workspaceName=consts.AZURE_WORKSPACE_NAME, + ) + headers = { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(self.bearer_token), + } + response = await session.post( + url=create_indicator_url, + headers=headers, + data=json.dumps(indicator_data), + ) + if response.status >= 200 and response.status <= 299: + applogger.info( + "{}(method={}) : {} : Created the indicator with threatId- {}, status_code: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + response.status, + ) + ) + return None + elif 
response.status == 429: + applogger.error( + "{}(method={}) : {} : trying again error 429.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + retry_count_429 += 1 + time.sleep(consts.SENTINEL_429_SLEEP) + elif response.status == 401: + applogger.error( + "{}(method={}) : {} : Unauthorized, Invalid Credentials, trying again error-401.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + self.bearer_token = self.auth_sentinel(consts.COFENSE_TO_SENTINEL) + headers["Authorization"] = "Bearer {}".format(self.bearer_token) + retry_count_401 += 1 + else: + json_response = await response.json() + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {}: Error while\ + creating Indicator, threatId-{}, Error:{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + create_indicator_url, + response.status, + threat_id, + json_response, + ) + ) + raise CofenseIntelligenceException() + applogger.error( + "{}(method={}) : {} : Max retries exceeded for microsoft sentinel, threatId-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + ) + ) + raise CofenseIntelligenceException() + except CofenseIntelligenceException: + applogger.error( + "{}(method={}) : {} : Error generated while Creating Indicator, threatId-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + ) + ) + return indicator_data + + except Exception: + applogger.error( + "{}(method={}) : {} : Error generated while Creating Indicator, threatId-{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + threat_id, + ) + ) + return indicator_data 
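Review bot: `time.sleep(consts.SENTINEL_429_SLEEP)` in the 429 branch of the async `create_indicator` blocks the event loop, so every other task gathered by `post_failed_indicators` stalls for the whole back-off and the throttling that the branch is meant to apply per indicator is instead applied to the entire batch. Replace it with `await asyncio.sleep(consts.SENTINEL_429_SLEEP)` and add `import asyncio` to the module imports. Separately, `indicator_data.get("properties", "").get("labels", "")` raises AttributeError rather than skipping when `properties` is absent, because the default is a string; `indicator_labels = indicator_data.get("properties", {}).get("labels") or []` followed by `if indicator_labels:` preserves the intent. The 401 branch also calls `self.auth_sentinel(consts.COFENSE_TO_SENTINEL)` while `__init__` calls `self.auth_sentinel()` with no argument — worth confirming the Utils signature accepts both forms.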
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/__init__.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/__init__.py new file mode 100644 index 00000000000..1c77589353a --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/__init__.py @@ -0,0 +1,43 @@ +"""This __init__ file will be called once triggered is generated.""" +import datetime +import time +import inspect +from .sentinel import MicrosoftSentinel +from ..SharedCode.logger import applogger +import azure.functions as func +from ..SharedCode import consts + + +def main(mytimer: func.TimerRequest) -> None: + """Start the execution. + + Args: + mytimer (func.TimerRequest): timer trigger + """ + if consts.IS_DEFENDER_USER == "Yes": + __method_name = inspect.currentframe().f_code.co_name + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + applogger.info( + "{}(method={}) : {} : Started execution of Cofense MS Sentinel Integration.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + start = time.time() + sentinel_obj = MicrosoftSentinel() + sentinel_obj.get_indicators_from_sentinel() + end = time.time() + applogger.info( + "{}total time taken for this trigger is {} sec".format( + consts.LOGS_STARTS_WITH, int(end - start) + ) + ) + if mytimer.past_due: + applogger.info("The timer is past due!") + + applogger.info("Python timer trigger function ran at %s", utc_timestamp) + else: + applogger.info("Not a defender user.") diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/defender.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/defender.py new file mode 100644 index 00000000000..8f574ef2be7 --- /dev/null 
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/defender.py 
@@ -0,0 +1,296 @@ +"""This module contains Microsoft Defender class for authentication.""" +import inspect +from ..SharedCode.logger import applogger +from ..SharedCode import consts +from ..SharedCode.utils import Utils +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +import json +import time + + +class MicrosoftDefender: + """This class is for MS Defender authentication and posting indicator to defender.""" + + def __init__(self) -> None: + """Initialize instance variable for class.""" + self.bearer_token = self.auth_defender( + azure_function_name=consts.SENTINEL_TO_DEFENDER + ) + + def auth_defender(self, azure_function_name): + """To authenticate with microsoft defender.""" + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + "{}(method={}) : {}: generating MS Defender access token.".format( + consts.LOGS_STARTS_WITH, __method_name, azure_function_name + ) + ) + azure_auth_url = consts.AZURE_AUTHENTICATION_URL.format( + consts.AZURE_TENANT_ID + ) + # Creating body for Microsoft Defender authentication API + body = { + "client_id": consts.AZURE_CLIENT_ID, + "client_secret": consts.AZURE_CLIENT_SECRET, + "grant_type": "client_credentials", + "resource": "https://api.securitycenter.microsoft.com/", + } + utils_obj = Utils(azure_function_name=consts.SENTINEL_TO_DEFENDER) + response = utils_obj.make_http_request( + url=azure_auth_url, + method="POST", + body=body, + ) + if response.status_code >= 200 and response.status_code <= 299: + json_response = response.json() + if "access_token" not in json_response: + applogger.error( + "{}(method={}) : {}: Access token not found in MS Defender api call.".format( + consts.LOGS_STARTS_WITH, __method_name, azure_function_name + ) + ) + applogger.debug( + "{}(method={}) : {}: url: {}, Status Code : {}, Response reason: {}, Response: {} : " + "Access token not found in MS Defender authentication api call.".format( + consts.LOGS_STARTS_WITH, + __method_name, + 
azure_function_name, + azure_auth_url, + response.status_code, + response.reason, + response.text, + ) + ) + raise CofenseIntelligenceException() + else: + bearer_token = json_response.get("access_token") + applogger.info( + "{}(method={}) : {}: MS Defender access token generated successfully.".format( + consts.LOGS_STARTS_WITH, __method_name, azure_function_name + ) + ) + applogger.debug( + "{}(method={}) : {}: url: {}, Status Code : {}: Microsoft Defender access " + "token generated.".format( + consts.LOGS_STARTS_WITH, + __method_name, + azure_function_name, + azure_auth_url, + response.status_code, + ) + ) + return bearer_token + else: + applogger.error( + "{}(method={}) : {}: url: {}, Status Code : {}: Error while creating MS " + "Defender access_token. Error Reason: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + azure_function_name, + azure_auth_url, + response.status_code, + response.reason, + ) + ) + applogger.debug( + "{}(method={}) : {}: url: {}, Status Code : {}, Response: {} : " + "Error while creating MS Defender access token. 
Error Reason: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + azure_function_name, + azure_auth_url, + response.status_code, + response.text, + response.reason, + ) + ) + raise CofenseIntelligenceException() + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : Error generated while getting MS Defender access token : {}".format( + consts.LOGS_STARTS_WITH, __method_name, error + ) + ) + raise CofenseIntelligenceException() + + def create_defender_indicator(self, indicator_data): + """To create indicator into Microsoft Sentinel.""" + __method_name = inspect.currentframe().f_code.co_name + try: + retry_count_429 = 0 + retry_count_401 = 0 + while retry_count_429 <= 3 and retry_count_401 <= 1: + create_indicator_url = consts.DEFENDER_POST_INDICATOR_URL + headers = { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(self.bearer_token), + } + payload = json.dumps(indicator_data) + utils_obj = Utils(azure_function_name=consts.SENTINEL_TO_DEFENDER) + response = utils_obj.make_http_request( + url=create_indicator_url, + method="POST", + body=payload, + headers=headers, + ) + if response.status_code >= 200 and response.status_code <= 299: + response_json = response.json() + applogger.debug( + "{}(method={}) : {} : Created the indicator into the MS Defender with status code {} " + "and got the response {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + response.status_code, + response_json, + ) + ) + return response.status_code + elif response.status_code == 429: + retry_count_429 += 1 + applogger.error( + "{}(method={}) : {}: url: {}, Status Code : {} : " + "Getting 429 from defender api call. 
Retrying again after {} seconds.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + consts.DEFENDER_429_SLEEP, + ) + ) + applogger.debug( + "{}(method={}) : {}: url: {}, Status Code : {}, Response reason: {}, Response: {} : " + "Getting 429 from MS Defender api call. Retry count: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.reason, + response.text, + retry_count_429, + ) + ) + time.sleep(consts.DEFENDER_429_SLEEP) + elif response.status_code == 401: + retry_count_401 += 1 + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {}: Error Reason: {}: " + "MS Defender access token expired, generating new access token. Retry count: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.reason, + retry_count_401, + ) + ) + applogger.debug( + "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} : " + "Defender access token expired, generating new access token. Retry count: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.reason, + response.text, + retry_count_401, + ) + ) + self.bearer_token = self.auth_defender(consts.SENTINEL_TO_DEFENDER) + headers["Authorization"] = ("Bearer {}".format(self.bearer_token),) + + elif response.status_code == 400: + applogger.error( + "{}(method={}) : {}: url: {}, Status Code : {} : " + "Getting 400 from MS Defender api call. 
Sentinel Indicator Title: {}, " + "Reason : {}, Response : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + indicator_data.get("title", "None"), + response.reason, + response.text, + ) + ) + applogger.debug( + "{}(method={}) : {}: url: {}, Status Code : {} : " + "Getting 400 from MS Defender api call. Error Reason : {}, Response : {}," + " Payload : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.reason, + response.text, + payload, + ) + ) + return response.status_code + elif response.status_code == 403: + # If permissions is not provided to AAD application. + applogger.error( + "{}(method={}) : {}: url: {}, Status Code : {} : " + "May be necessary roles are not provided to Azure Active directory " + "application to create indicator into MS Defender. " + "Response: {}, Error Reason: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.text, + response.reason, + ) + ) + raise CofenseIntelligenceException() + else: + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {}: Error generated while creating " + "indicator in MS Defender. Error Reason: {}, Response : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.reason, + response.text, + ) + ) + applogger.debug( + "{}(method={}) : {} : url: {}, Status Code : {}: Error generated while creating " + "indicator in MS Defender. 
Error Reason: {}, Response : {}, Payload: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + create_indicator_url, + response.status_code, + response.reason, + response.text, + payload, + ) + ) + raise CofenseIntelligenceException() + applogger.error( + "{}(method={}) : {} : Max retries exceeded for microsoft defender.".format( + consts.LOGS_STARTS_WITH, __method_name, consts.SENTINEL_TO_DEFENDER + ) + ) + raise CofenseIntelligenceException() + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error generated while creating indicator in MS Defender : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/function.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} \ No newline at end of file diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel.py new file mode 100644 index 00000000000..13a61e21310 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel.py 
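Review bot: In the 401 branch of `create_defender_indicator`, `headers["Authorization"] = ("Bearer {}".format(self.bearer_token),)` has a trailing comma and therefore stores a one-element tuple rather than a string; it goes unnoticed only because `headers` is rebuilt at the top of the next loop iteration, which makes the line dead as well as wrong. Either remove it or write `headers["Authorization"] = "Bearer {}".format(self.bearer_token)`. In `auth_defender`, the `try` only catches `CofenseIntelligenceException`, so a 2xx response with a non-JSON body makes `response.json()` propagate a raw decoder error out of the constructor instead of the wrapped exception callers expect; guarding the parse the way the missing-`access_token` case is guarded would keep that contract uniform.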
@@ -0,0 +1,809 @@ +"""This file contains implementation of fetching sentinel TI indicator and creating defender indicator.""" +import time +import json +import re +import inspect +from datetime import datetime, timedelta +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +from .defender import MicrosoftDefender +from .sentinel_to_defender_mapping import SentinelToDefenderMapping + + +class MicrosoftSentinel: + """This class contains methods to get threat intelligence indicator from Microsoft Sentinel.""" + + def __init__(self) -> None: + """Initialize instance variable for class.""" + __method_name = inspect.currentframe().f_code.co_name + # To check the environment variable. + self.utils_obj = Utils(azure_function_name=consts.SENTINEL_TO_DEFENDER) + self.utils_obj.validate_params() + applogger.info( + "{}(method={}) : {} : " + "Started execution of posting cofense indicators into MS Defender from " + "Microsoft Sentinel Threat Intelligence.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + self.bearer_token = self.utils_obj.auth_sentinel() + self.defender_object = MicrosoftDefender() + self.sentinel_defender_mapping_obj = SentinelToDefenderMapping() + self.get_sentinel_checkpoint_data() + self.indicator_count = 0 + self.failed_indicator_count = 0 + self.failed_indicator_list = [] + self.total_indicator_count = 0 + self.total_failed_indicator_count = 0 + self.total_failed_indicator_list = [] + self.threat_id_regex = '[0-9]+' + + def convert_datetime_format(self, datetime_string): + """To convert datetime string to datetime type for comparison of dates.""" + __method_name = inspect.currentframe().f_code.co_name + try: + if datetime_string is None or datetime_string == "": + return datetime_string + else: + return 
datetime.strptime( + (datetime_string).strip()[:26].rstrip("Z"), + consts.SENTINEL_DATETIME_FORMAT, + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Expecting datetime in %Y-%m-%dT%H:%M:%S.%f format, getting datetime in {} format.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + datetime_string, + ) + ) + raise error + + def convert_sentinel_datetime_format(self, indicator): + """To convert sentinel indicator lastUpdatedTimeUtc format.""" + __method_name = inspect.currentframe().f_code.co_name + try: + return self.convert_datetime_format( + indicator.get("properties", {}).get("lastUpdatedTimeUtc") + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Error occurred in Sentinel Threat Indicator with name: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + indicator.get("name", ""), + ) + ) + raise error + + def complete_current_execution(self, __method_name): + """To update the checkpoint fields in sentinel defender checkpoint state manager.""" + self.sentinel_checkpoint_json_data["new_execution_flag"] = "True" + self.sentinel_checkpoint_json_data["last_execution_skip_token"] = "" + self.sentinel_checkpoint_json_data[ + "current_checkpoint_indicator_date" + ] = self.sentinel_checkpoint_json_data.get("next_checkpoint_indicator_date") + self.sentinel_checkpoint_json_data["next_checkpoint_indicator_date"] = "" + # Saving flag into the sentinel defender checkpoint state manager. 
+ try: + self.sentinel_checkpoint_state.post( + json.dumps(self.sentinel_checkpoint_json_data) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Error occurred while posting current checkpoint data to " + "sentinel defender checkpoint state manager.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise error + # Updating the flag value. + self.new_execution_flag = self.sentinel_checkpoint_json_data.get( + "new_execution_flag" + ) + # Reset the checkpoint(skipToken) for next execution. + self.sentinel_skiptoken = self.sentinel_checkpoint_json_data.get( + "last_execution_skip_token" + ) + self.current_checkpoint_indicator_date = self.convert_datetime_format( + self.sentinel_checkpoint_json_data.get("current_checkpoint_indicator_date") + ) + self.next_checkpoint_indicator_date = self.sentinel_checkpoint_json_data[ + "next_checkpoint_indicator_date" + ] + applogger.debug( + "{}(method={}) : {}: " + "Completed posting and updating current execution indicators from Microsoft Sentinel " + "into MS Defender. 
Starting Next execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + + applogger.info( + "{}(method={}) : {}: " + "Checkpoint date stored : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.current_checkpoint_indicator_date, + ) + ) + + def check_cofense_indicator(self, indicator): + """To check if the sentinel indicator is from cofense intelligence.""" + try: + __method_name = inspect.currentframe().f_code.co_name + source = indicator.get("properties", {}).get("source", None) + if ( + source is not None + and source.strip() != "" + and source.startswith(consts.COFENSE_SOURCE_PREFIX) + ): + return True + else: + applogger.debug( + "{}(method={}) : {} : {} is not cofense indicator from Sentinel TI.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator.get("properties", {}).get("displayName", None), + ) + ) + return False + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error occurred while checking cofense indicator from Sentinel TI. " + "Sentinel indicator name : {}. Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator.get("properties", {}).get("displayName", None), + error, + ) + ) + raise CofenseIntelligenceException() + + def create_indicator_data(self, indicator): + """To create python dictionary for posting indicator into defender.""" + __method_name = inspect.currentframe().f_code.co_name + sentinel_indicator_display_name = None + try: + sentinel_indicator_display_name = indicator.get("properties", {}).get( + "displayName", None + ) + indicator_data = {} + # convert sentinel indicator type to defender indicator type. + indicator_data[ + "indicatorType" + ] = self.sentinel_defender_mapping_obj.get_defender_indicator_type( + indicator + ) + + # Convert confidence integer to action and severity. 
+ ( + indicator_data["action"], + indicator_data["severity"], + ) = self.sentinel_defender_mapping_obj.get_defender_action_and_severity( + indicator + ) + + # get the indicator value from the sentinel indicator data. + indicator_data[ + "indicatorValue" + ] = self.sentinel_defender_mapping_obj.get_defender_indicator_value( + indicator + ) + + indicator_data[ + "title" + ] = self.sentinel_defender_mapping_obj.get_defender_title(indicator) + + indicator_data[ + "description" + ] = self.sentinel_defender_mapping_obj.get_defender_description(indicator) + + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error occurred while generating MS Defender indicator payload. " + "Sentinel indicator name : {}. Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + sentinel_indicator_display_name, + error, + ) + ) + self.total_failed_indicator_count += 1 + self.failed_indicator_count += 1 + threat_id = re.findall(self.threat_id_regex, sentinel_indicator_display_name) + self.total_failed_indicator_list.append(threat_id[0]) + self.failed_indicator_list.append(threat_id[0]) + return indicator_data + + def new_execution_flag_is_true(self, current_indicator_updated_date, indicator): + """Check if new execution flag is true. Created a method to reduce cognitive Complexity.""" + __method_name = inspect.currentframe().f_code.co_name + if self.new_execution_flag == "True": + if current_indicator_updated_date <= self.current_checkpoint_indicator_date: + # exit the class. execution is completed. 
+ return False + + self.sentinel_checkpoint_json_data[ + "next_checkpoint_indicator_date" + ] = indicator.get("properties", {}).get("lastUpdatedTimeUtc") + self.sentinel_checkpoint_json_data["new_execution_flag"] = "False" + try: + self.sentinel_checkpoint_state.post( + json.dumps(self.sentinel_checkpoint_json_data) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Error occurred while posting checkpoint data to " + "sentinel defender checkpoint state manager.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise error + self.next_checkpoint_indicator_date = ( + self.sentinel_checkpoint_json_data.get("next_checkpoint_indicator_date") + ) + applogger.debug( + "{}(method={}) : {}: " + "Next execution checkpoint date stored : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.next_checkpoint_indicator_date, + ) + ) + self.new_execution_flag = self.sentinel_checkpoint_json_data.get( + "new_execution_flag" + ) + return None + def post_indicators(self, sentinel_json_indicator_list, defender_object): + """To post and update the indicators into MS Defender.""" + try: + __method_name = inspect.currentframe().f_code.co_name + + applogger.debug( + "{}(method={}) : {} : " + "Posting and updating indicators into MS Defender.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + # posting and updating indicators + for indicator in sentinel_json_indicator_list: + current_indicator_updated_date = self.convert_sentinel_datetime_format( + indicator=indicator + ) + + if ( + self.new_execution_flag_is_true( + current_indicator_updated_date, indicator + ) + is False + ): + return False + + # Completed current execution. + if ( + current_indicator_updated_date + <= self.current_checkpoint_indicator_date + ): + self.complete_current_execution(__method_name) + return True + + # Creating indicator into defender. 
+ try: + # bool to find cofense indicator. + cofense_indicator = self.check_cofense_indicator(indicator) + + # Create indicator data for defender. + indicator_data = self.create_indicator_data(indicator) + + if ( + cofense_indicator + and indicator_data.get("indicatorValue", None) + and indicator_data.get("indicatorType", None) + and indicator_data.get("title", None) + and indicator_data.get("action", None) + and indicator_data.get("description", None) + ): + self.create_indicator( + defender_object=defender_object, + indicator_data=indicator_data, + ) + + # Update the total executed indicators count. + self.total_indicator_count += 1 + self.indicator_count += 1 + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error occurred while posting indicator into MS Defender. " + "Sentinel indicator name : {}. Error : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator_data.get("title"), + error, + ) + ) + self.total_failed_indicator_count += 1 + self.failed_indicator_count += 1 + threat_id = re.findall(self.threat_id_regex, indicator_data.get("title")) + self.total_failed_indicator_list.append(threat_id[0]) + self.failed_indicator_list.append(threat_id[0]) + # Completed current execution. + return True + + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error occurred while posting indicator into MS Defender : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise CofenseIntelligenceException() + + def create_indicator( + self, + defender_object, + indicator_data, + ): + """To create indicators into defender.""" + __method_name = inspect.currentframe().f_code.co_name + try: + # Posting indicator into defender. 
+ create_indicator_status_code = defender_object.create_defender_indicator( + indicator_data=indicator_data + ) + + if create_indicator_status_code == 400: + self.total_failed_indicator_count += 1 + self.failed_indicator_count += 1 + threat_id = re.findall(self.threat_id_regex, indicator_data.get("title")) + self.total_failed_indicator_list.append(threat_id[0]) + self.failed_indicator_list.append(threat_id[0]) + + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error occurred while creating indicator in MS Defender : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise CofenseIntelligenceException() + + def get_sentinel_checkpoint_data(self): + """To get the sentinel defender checkpoint data from state manager.""" + __method_name = inspect.currentframe().f_code.co_name + # Initializing state manager for sentinel and defender indicator id table. + self.sentinel_checkpoint_state = StateManager( + connection_string=consts.CONNECTION_STRING, + file_path=consts.DEFENDER_CHECKPOINT_FILE_PATH, + ) + try: + sentinel_checkpoint_data = self.sentinel_checkpoint_state.get( + consts.SENTINEL_TO_DEFENDER + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Error occurred while getting sentinel defender checkpoint data from " + "sentinel defender checkpoint state manager.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise error + + # If checkpoint data is not none, then fetch the checkpoint fields. 
+ if sentinel_checkpoint_data is not None: + self.sentinel_checkpoint_json_data = json.loads(sentinel_checkpoint_data) + self.new_execution_flag = self.sentinel_checkpoint_json_data.get( + "new_execution_flag" + ) + self.current_checkpoint_indicator_date = ( + self.sentinel_checkpoint_json_data.get( + "current_checkpoint_indicator_date" + ) + ) + self.next_checkpoint_indicator_date = ( + self.sentinel_checkpoint_json_data.get("next_checkpoint_indicator_date") + ) + if self.new_execution_flag == "False": + self.sentinel_skiptoken = self.sentinel_checkpoint_json_data.get( + "last_execution_skip_token" + ) + applogger.debug( + "{}(method={}) : {}: " + "Last checkpoint skip token is : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.sentinel_skiptoken, + ) + ) + else: + self.sentinel_skiptoken = "" + applogger.debug( + "{}(method={}) : {} : " + "Sentinel defender checkpoint state manager data fetch successfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + + # Convert string date to datetime object. + self.current_checkpoint_indicator_date = self.convert_datetime_format( + self.sentinel_checkpoint_json_data.get( + "current_checkpoint_indicator_date" + ) + ) + applogger.info( + "{}(method={}) : {} : " + "Last checkpoint date is : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.current_checkpoint_indicator_date, + ) + ) + + else: + # If checkpoint is none then initialize from starting. + # If checkpoint file is not found then, it is first run. + self.sentinel_checkpoint_json_data = {} + self.sentinel_checkpoint_json_data["new_execution_flag"] = "True" + self.sentinel_checkpoint_json_data["last_execution_skip_token"] = "" + # In first run we need to fetch last 15 days of indicators from sentinel TI. 
+ current_date = datetime.now() + current_date_utc = current_date.utcnow() + self.sentinel_checkpoint_json_data["current_checkpoint_indicator_date"] = ( + current_date_utc + - timedelta( + days=15, + seconds=current_date_utc.second, + microseconds=(current_date_utc.microsecond - 1), + minutes=current_date_utc.minute, + hours=current_date_utc.hour, + ) + ).isoformat() + self.sentinel_checkpoint_json_data["next_checkpoint_indicator_date"] = "" + try: + self.sentinel_checkpoint_state.post( + json.dumps(self.sentinel_checkpoint_json_data) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Error occurred while posting checkpoint data to " + "sentinel defender checkpoint state manager.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise error + self.new_execution_flag = self.sentinel_checkpoint_json_data.get( + "new_execution_flag" + ) + self.sentinel_skiptoken = self.sentinel_checkpoint_json_data.get( + "last_execution_skip_token" + ) + self.next_checkpoint_indicator_date = ( + self.sentinel_checkpoint_json_data.get("next_checkpoint_indicator_date") + ) + + applogger.info( + "{}(method={}) : {} : " + "Sentinel defender checkpoint state manager data not found. Creating it.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + + # Convert string date to datetime object. 
+ self.current_checkpoint_indicator_date = self.convert_datetime_format( + self.sentinel_checkpoint_json_data.get( + "current_checkpoint_indicator_date" + ) + ) + applogger.info( + "{}(method={}) : {} : " + "Getting indicators data of last 15 days from : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.current_checkpoint_indicator_date, + ) + ) + + def update_checkpoint(self, sentinel_indicator_nextlink): + """To update the checkpoint in state manager.""" + __method_name = inspect.currentframe().f_code.co_name + + if ( + sentinel_indicator_nextlink is not None + and sentinel_indicator_nextlink != "" + ): + # Checkpoint is managed by skipToken fetched in nextLink in sentinel response. + self.sentinel_skiptoken = sentinel_indicator_nextlink.split("$skipToken=")[ + 1 + ] + + self.sentinel_checkpoint_json_data[ + "last_execution_skip_token" + ] = self.sentinel_skiptoken + try: + self.sentinel_checkpoint_state.post( + json.dumps(self.sentinel_checkpoint_json_data) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} Error: {} : " + "Error occurred while posting current checkpoint data to " + "sentinel defender checkpoint state manager.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + ) + ) + raise error + applogger.debug( + "{}(method={}) : {} : " + "Skip Token stored as checkpoint : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.sentinel_skiptoken, + ) + ) + + else: + # If there is no further indicators from sentinel TI. 
+ self.complete_current_execution(__method_name) + + def get_indicators_from_sentinel(self): + """To get indicators from Microsoft Sentinel threat intelligence.""" + try: + __method_name = inspect.currentframe().f_code.co_name + applogger.info( + "{}(method={}) : {} : " + "Started fetching cofense indicators from Microsoft Sentinel Threat Intelligence.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + retry_count_429 = 0 + retry_count_401 = 0 + while retry_count_429 <= 3 and retry_count_401 <= 1: + query_indicator_url = consts.QUERY_SENTINEL_INDICATORS_URL.format( + subscriptionId=consts.AZURE_SUBSCRIPTION_ID, + resourceGroupName=consts.AZURE_RESOURCE_GROUP, + workspaceName=consts.AZURE_WORKSPACE_NAME, + ) + headers = { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(self.bearer_token), + } + body = { + "pageSize": consts.QUERY_SENTINEL_PAGESIZE, + "keywords": "Cofense", + "sortBy": [ + {"itemKey": "lastUpdatedTimeUtc", "sortOrder": "descending"} + ], + "skipToken": self.sentinel_skiptoken, + } + utils_obj = Utils(azure_function_name=consts.SENTINEL_TO_DEFENDER) + get_indicator_response = utils_obj.make_http_request( + url=query_indicator_url, + method="POST", + body=json.dumps(body), + headers=headers, + ) + + # If response status code is 200 to 299. + if ( + get_indicator_response.status_code >= 200 + and get_indicator_response.status_code <= 299 + ): + sentinel_indicator_json = json.loads(get_indicator_response.text) + sentinel_indicator_json_list = sentinel_indicator_json.get( + "value", [] + ) + # Posting indicators into defender. + post_indicators_return = self.post_indicators( + sentinel_json_indicator_list=sentinel_indicator_json_list, + defender_object=self.defender_object, + ) + + applogger.info( + "{}(method={}) : {}. " + "In current page, Processed total Cofense Indicators - {}, Successfully created indicator(s) - {}, Failed indicator(s) - {}." 
+ " Failed indicator list: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.indicator_count, + (self.indicator_count - self.failed_indicator_count), + self.failed_indicator_count, + self.failed_indicator_list, + ) + ) + self.indicator_count = 0 + self.failed_indicator_count = 0 + self.failed_indicator_list = [] + applogger.info( + "{}(method={}) : {}. " + "In current function execution, Processed total Cofense Indicators - {}, Successfully created indicator(s) - {}, Failed indicator(s) - {}." + " Failed indicator list: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + self.total_indicator_count, + ( + self.total_indicator_count + - self.total_failed_indicator_count + ), + self.total_failed_indicator_count, + self.total_failed_indicator_list, + ) + ) + + # If return is False, it means no more indicator to fetch. So exit the python file. + if post_indicators_return is False: + applogger.warning( + "{}(method={}) : {}: url: {}, Status Code : {} : " + "No more indicators to fetch from Microsoft Sentinel. Exiting the function app.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + ) + ) + # Exit from function app. + return True + + # Updating the checkpoint. + if self.new_execution_flag == "False": + sentinel_indicator_nextlink = sentinel_indicator_json.get( + "nextLink", "" + ) + self.update_checkpoint(sentinel_indicator_nextlink) + + # response status code is 429. + elif get_indicator_response.status_code == 429: + retry_count_429 += 1 + applogger.error( + "{}(method={}) : {}: url: {}, Status Code : {} : " + "Getting 429 from sentinel get indicators api call. 
Retrying again after {} seconds.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + consts.SENTINEL_429_SLEEP, + ) + ) + applogger.debug( + "{}(method={}) : {}: url: {}, Status Code : {}, Response reason: {}, Response: {} : " + "Getting 429 from sentinel get indicators api call. Retry count: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + get_indicator_response.reason, + get_indicator_response.text, + retry_count_429, + ) + ) + # sleep for 60 seconds. + time.sleep(consts.SENTINEL_429_SLEEP) + + # response is 401, access token is expired. + elif get_indicator_response.status_code == 401: + retry_count_401 = retry_count_401 + 1 + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {}: Error Reason: {} : " + "Sentinel access token expired, generating new access token.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + get_indicator_response.reason, + ) + ) + applogger.debug( + "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} : Sentinel" + " access token expired, generating new access token. Retry count: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + get_indicator_response.reason, + get_indicator_response.text, + retry_count_401, + ) + ) + self.bearer_token = self.utils_obj.auth_sentinel() + + # response status code is not 200 to 299, 429 and 401. + else: + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {} : Error while fetching indicators" + " from sentinel threat intelligence. 
Error Reason: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + get_indicator_response.reason, + ) + ) + applogger.debug( + "{}(method={}) : {} : url: {}, Status Code : {}, Error Reason: {}, Response: {} :" + " Error while fetching indicators from sentinel threat intelligence.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + query_indicator_url, + get_indicator_response.status_code, + get_indicator_response.reason, + get_indicator_response.text, + ) + ) + # raise the exception to exit the function app. + raise CofenseIntelligenceException() + + # retry count exceeded. + applogger.error( + "{}(method={}) : {} : Max retries exceeded for fetching indicators from sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + ) + ) + # raising the exception to exit the function app. + raise CofenseIntelligenceException() + + except CofenseIntelligenceException: + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel_to_defender_mapping.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel_to_defender_mapping.py new file mode 100644 index 00000000000..72741a5a02f --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SentinelToDefender/sentinel_to_defender_mapping.py 
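Review bot: The failure bookkeeping in `post_indicators`, `create_indicator_data` and `create_indicator` does `re.findall(self.threat_id_regex, <name>)` followed by `threat_id[0]`, which raises TypeError when the name is None (in `create_indicator_data` this is exactly the case that reaches the except branch, since `get_defender_title` raises when `displayName` is missing and `sentinel_indicator_display_name` is then None) and IndexError when the name carries no digits, so a malformed indicator aborts the whole run instead of being counted as failed; `indicator_data` in the inner except of `post_indicators` would also be unbound if either call before its assignment raised. A guarded helper used by all three sites, with `indicator_data = {}` initialised before the inner `try`, removes those crash paths. Separately, when Sentinel returns an empty `value` list on a fresh run (`new_execution_flag == "True"`), `post_indicators` returns True without touching the checkpoint and the `while` loop in `get_indicators_from_sentinel` appears to re-issue the identical query until throttling ends it; returning when `sentinel_indicator_json_list` is empty would close that. In `get_sentinel_checkpoint_data`, `microseconds=(current_date_utc.microsecond - 1)` yields a datetime with microsecond 0 whenever the current microsecond is exactly 1, and `isoformat()` then omits the fraction that `convert_datetime_format` requires through `%f`.
```python
    def _record_failed_indicator(self, display_name):
        """Bump the failure counters and remember the numeric threat id embedded in display_name, if any."""
        self.total_failed_indicator_count += 1
        self.failed_indicator_count += 1
        threat_id = re.findall(self.threat_id_regex, display_name or "")
        if threat_id:
            self.total_failed_indicator_list.append(threat_id[0])
            self.failed_indicator_list.append(threat_id[0])

    # … unchanged: create_indicator_data and create_indicator, each failure branch now calling
    #   self._record_failed_indicator(<display name or title>) instead of the inline counter block …

    # … unchanged: post_indicators up to the per-indicator try …
                indicator_data = {}
                try:
                    # … unchanged: check_cofense_indicator / create_indicator_data / create_indicator …
                except CofenseIntelligenceException as error:
                    # … unchanged: applogger.error(...) …
                    self._record_failed_indicator(indicator_data.get("title"))
```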
@@ -0,0 +1,172 @@ +"""This file contains function for mapping of sentinel and defender indicators.""" +import inspect +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException + + +class SentinelToDefenderMapping: + """To map field values of Sentinel and defender indicators.""" + + def get_defender_indicator_value(self, indicator): + """To convert sentinel indicator pattern to threat value.""" + __method_name = inspect.currentframe().f_code.co_name + try: + sentinel_pattern = indicator.get("properties", {}).get( + "parsedPattern", None + ) + if sentinel_pattern: + sentinel_parsed_pattern_value = sentinel_pattern[0].get( + "patternTypeValues", None + ) + if sentinel_parsed_pattern_value: + defender_indicator_value = sentinel_parsed_pattern_value[0].get( + "value", None + ) + if defender_indicator_value: + return defender_indicator_value + else: + raise CofenseIntelligenceException() + else: + raise CofenseIntelligenceException() + else: + raise CofenseIntelligenceException() + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Unknown indicator value from sentinel. " + "Sentinel Indicator name : {}. Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator.get("properties", {}).get("displayName", None), + error, + ) + ) + raise CofenseIntelligenceException() + + def get_defender_indicator_type(self, indicator): + """To convert sentinel indicator type to defender accepted indicator type.""" + # getting indicator type. + __method_name = inspect.currentframe().f_code.co_name + try: + sentinel_indicator_pattern_type = indicator.get("properties", {}).get( + "patternType", None + ) + defender_indicator_pattern_type = None + # if indicator type is url in sentinel then Url in defender. 
+ if sentinel_indicator_pattern_type == "URL": + defender_indicator_pattern_type = "Url" + + # if indicator type is domain-name in sentinel then DomainName in defender. + elif sentinel_indicator_pattern_type == "Domain Name": + defender_indicator_pattern_type = "DomainName" + + # if indicator type is file in sentinel then FileMD5 in defender. + elif sentinel_indicator_pattern_type.lower() == "file": + defender_indicator_pattern_type = "FileMd5" + + else: + raise CofenseIntelligenceException() + return defender_indicator_pattern_type + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Unknown indicator type from sentinel. " + "Sentinel Indicator name : {}. Error : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator.get("properties", {}).get("displayName", None), + error, + ) + ) + raise CofenseIntelligenceException() + + def get_defender_action_and_severity(self, indicator): + """To convert sentinel confidence value to defender action.""" + __method_name = inspect.currentframe().f_code.co_name + try: + confidence = indicator.get("properties", {}).get("confidence", "") + actions = None + severity = None + if ( + confidence is None + or confidence == "" + or int(confidence) == consts.IMPACT_NONE + ): + actions = "Allowed" + severity = "Informational" + elif int(confidence) == consts.IMPACT_MINOR: + actions = "Alert" + severity = "Informational" + elif ( + int(confidence) == consts.IMPACT_MODERATE + or int(confidence) == consts.IMPACT_MEDIUM + ): + actions = "Warn" + severity = "Medium" + elif int(confidence) == consts.IMPACT_MAJOR: + actions = "Block" + severity = "High" + else: + raise CofenseIntelligenceException() + return actions, severity + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Unknown confidence value from sentinel. " + "Sentinel Indicator name. 
Error : {}{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + error, + confidence, + ) + ) + raise CofenseIntelligenceException() + + def get_defender_title(self, indicator): + """To parse indicator title.""" + __method_name = inspect.currentframe().f_code.co_name + try: + sentinel_indicator_display_name = indicator.get("properties", {}).get( + "displayName", None + ) + if sentinel_indicator_display_name: + return sentinel_indicator_display_name + else: + raise CofenseIntelligenceException() + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Unknown title from sentinel. " + "Sentinel Indicator name : {}. Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator.get("properties", {}).get("displayName", None), + error, + ) + ) + raise CofenseIntelligenceException() + + def get_defender_description(self, indicator): + """To parse defender indicator description.""" + __method_name = inspect.currentframe().f_code.co_name + try: + sentinel_indicator_description = indicator.get("properties", {}).get( + "description", None + ) + if sentinel_indicator_description: + return sentinel_indicator_description + else: + raise CofenseIntelligenceException() + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Unknown description from sentinel. " + "Sentinel Indicator description : {}. Error : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.SENTINEL_TO_DEFENDER, + indicator.get("properties", {}).get("displayName", None), + error, + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/__init__.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/__init__.py new file mode 100644 index 00000000000..a38c5df36a1 --- /dev/null 
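Review bot: `get_defender_indicator_type` calls `sentinel_indicator_pattern_type.lower()` on the file branch, so a missing `patternType` (the `.get` default is None) raises AttributeError instead of the logged CofenseIntelligenceException, because only the latter is caught; `elif sentinel_indicator_pattern_type and sentinel_indicator_pattern_type.lower() == "file":` closes that, and the URL and Domain Name comparisons could use the same normalised value so all three branches match case the same way. Every file pattern is mapped to `"FileMd5"` without inspecting which hash algorithm the parsed pattern carries, so a SHA-1 or SHA-256 value would be submitted under the wrong type and never match; either check the pattern's value type or state the MD5-only assumption in the docstring. In `get_defender_action_and_severity`, `int(confidence)` raises ValueError for a non-numeric value and is likewise uncaught, and the error log's format string `"Error : {}{}."` joins the error and the confidence with no separator, so `"Error : {}, Confidence : {}."` would read correctly.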
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/__init__.py @@ -0,0 +1 @@ +"""This is init file to consider Shared_code as package.""" diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/cofense_intelligence_exception.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/cofense_intelligence_exception.py new file mode 100644 index 00000000000..751b7018bb8 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/cofense_intelligence_exception.py @@ -0,0 +1,13 @@ +"""This File contains custom Exception class for Cofense.""" + + +class CofenseIntelligenceException(Exception): + """Exception class to handle Cofense exception. + + Args: + Exception (string): will print exception message. + """ + + def __init__(self, message=None) -> None: + """Initialize custom CofenseIntelligenceException with custom message.""" + super().__init__(message) diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/consts.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/consts.py new file mode 100644 index 00000000000..7be7a3af459 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/consts.py 
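Review bot: The class docstring for `CofenseIntelligenceException` documents an argument named `Exception (string)`, but the constructor's parameter is `message`; rewording the Args entry to `message (str, optional): text passed to Exception; defaults to None.` keeps the docstring accurate. The `__init__` override only forwards to `super().__init__(message)`, which `Exception` already does, so it could be dropped, though that is a matter of taste.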
@@ -0,0 +1,75 @@ +"""This file contains all constants.""" +import os + +COFENSE_BASE_URL = os.environ.get("BaseURL", "https://www.threathq.com/apiv1") +ENDPOINTS = { + "search_indicators": "/indicator/search", + "get_malware": "/threat/malware/{threat_id}", +} +LOGS_STARTS_WITH = "COFENSE Intelligence : " +LOG_LEVEL = os.environ.get("LogLevel", "") +API_TIMEOUT = 20 +COFENSE_TO_SENTINEL = "CofenseIntelligenceToSentinel" +COFENSE_USERNAME = os.environ.get("Cofense_Username", "") +COFENSE_PASSWORD = os.environ.get("Cofense_Password", "") +AZURE_CLIENT_ID = os.environ.get("Azure_Client_Id", "") +AZURE_CLIENT_SECRET = os.environ.get("Azure_Client_Secret", "") +AZURE_TENANT_ID = os.environ.get("Azure_Tenant_Id", "") +AZURE_AUTHENTICATION_URL = "https://login.microsoftonline.com/{}/oauth2/token" +SENTINEL_TO_DEFENDER = "SentinelToDefender" +COFENSE_429_SLEEP = 300 +COFENSE_PAGE_SIZE = 100 +CONNECTION_STRING = os.environ.get("AzureWebJobsStorage", "") +DEFENDER_CHECKPOINT_FILE_PATH = "Defender_checkpoint" +MS_SHARE_NAME = "cofense-intelligence" + + +QUERY_SENTINEL_INDICATORS_URL = ( + "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers" + "/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence" + "/main/queryIndicators?api-version=2022-12-01-preview" +) +CREATE_SENTINEL_INDICATORS_URL = ( + "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups" + "/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" + "/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2023-03-01-preview" +) +AZURE_RESOURCE_GROUP = os.environ.get("Azure_Resource_Group_Name", "") +AZURE_WORKSPACE_NAME = os.environ.get("Azure_Workspace_Name", "") +AZURE_SUBSCRIPTION_ID = os.environ.get("Azure_Subscription_Id", "") +SENTINEL_429_SLEEP = 60 +IS_DEFENDER_USER = 
os.environ.get("SendCofenseIndicatorToDefender", "") +SCHEDULE = os.environ.get("Schedule", "") +QUERY_SENTINEL_PAGESIZE = 100 +IMPACT_NONE = 1 +IMPACT_MINOR = 30 +IMPACT_MODERATE = 50 +IMPACT_MEDIUM = 70 +IMPACT_MAJOR = 100 +FIFTEEN_DAYS = 1209600 + +DEFENDER_429_SLEEP = 60 +SENTINEL_DATETIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f" +DEFENDER_POST_INDICATOR_URL = "https://api.securitycenter.microsoft.com/api/indicators" +COFENSE_SOURCE_PREFIX = "Cofense Intelligence" + + +IS_PROXY_REQUIRED = os.environ.get("RequireProxy", "") +PROXY_REQUEST = "http" +PROXY_USERNAME = os.environ.get("Proxy_Username", "") +PROXY_PASSWORD = os.environ.get("Proxy_Password", "") +PROXY_URL = os.environ.get("Proxy_URL", "") +PROXY_PORT = os.environ.get("Proxy_Port", "") + +# Malware Data Connector Specific Constants +WORKSPACE_ID = os.environ.get("WorkspaceID") +WORKSPACE_KEY = os.environ.get("WorkspaceKey") +MALWARE_DATA_TABLE_NAME = os.environ.get("Malware_Data_Table_name", "Malware_Data") +COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS = "Malware DataConnector" +FUNCTION_APP_NAME = os.environ.get("Function_App_Name") + +RETRY_FAILED_INDICATORS = "Retry Failed Indicators" +FAILED_INDICATORS_TABLE_NAME = "Failed_Indicators" + +#Download Threat Reports function name +DOWNLOAD_THREAT_REPORTS = 'DownloadThreatReports' diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/logger.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/logger.py new file mode 100644 index 00000000000..56f0f51c33f --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/logger.py 
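Review bot: `FIFTEEN_DAYS = 1209600` is 14 days of seconds (14 × 86400), not 15 (1296000); either the name or the value is wrong, and whichever lookback the callers expect, the mismatch silently shifts the window by a day. Fix one side and make the arithmetic visible so it is self-checking, e.g. `FIFTEEN_DAYS = 15 * 24 * 60 * 60` or rename to `FOURTEEN_DAYS = 14 * 24 * 60 * 60`. `IS_DEFENDER_USER` and `IS_PROXY_REQUIRED` hold raw environment strings that the deployment template restricts to `"Yes"`/`"No"`; a one-line comment on each noting the expected values (`# "Yes" or "No", see azuredeploy template`) would save the next reader a trip to the template.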
@@ -0,0 +1,30 @@ +"""Handle the logger.""" +import logging +import sys +from ..SharedCode import consts + +log_level = consts.LOG_LEVEL +try: + applogger = logging.getLogger("azure") + log_level = log_level.upper() + if log_level == "DEBUG": + applogger.setLevel(logging.DEBUG) + + elif log_level == "INFO": + applogger.setLevel(logging.INFO) + + elif log_level == "WARNING": + applogger.setLevel(logging.WARNING) + + elif log_level == "ERROR": + applogger.setLevel(logging.ERROR) +except Exception: + applogger.info( + "{} : no log level selected hance setting log level as info.".format( + consts.LOGS_STARTS_WITH + ) + ) + applogger.setLevel(logging.INFO) +finally: + handler = logging.StreamHandler(stream=sys.stdout) + applogger.addHandler(handler) diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/manage_checkpoints.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/manage_checkpoints.py new file mode 100644 index 00000000000..e2064cb472a --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/manage_checkpoints.py 
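Review bot: When `LogLevel` is unset, `consts.LOG_LEVEL` is `""` (its `os.environ.get` default), `.upper()` succeeds, and none of the four branches match, so the logger is left at NOTSET and inherits the root logger's WARNING; the `except` that is meant to default to INFO only runs on an exception, never on a no-match. Add an `else:` to the chain: `else:` / `applogger.setLevel(logging.INFO)`, at which point the `try/except` no longer does anything for a string value and can go. Minor: "hance" in the fallback message should be "hence", and the `StreamHandler` added in `finally` is attached even when no level was set, so the wrong default is what actually reaches stdout.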
@@ -0,0 +1,104 @@ +"""File for managing checkpoints.""" +import json +import inspect +from .state_manager import StateManager +from .logger import applogger +from ..SharedCode import consts +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException + + +class ManageCheckpoints: + """Class containing the checkpoint operations.""" + + def __init__(self, file_name, azure_function_name) -> None: + """Initiate connection string.""" + self.state_manager_object = StateManager( + connection_string=consts.CONNECTION_STRING, file_path=file_name + ) + self.azure_function_name = azure_function_name + + def get_checkpoint_data(self, key): + """Get checkpoint data from azure file share. + + Args: + key (str): The key to find in the checkpoint file. + Returns: + string: Checkpoint data + """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = self.state_manager_object.get(self.azure_function_name) + if checkpoint_data is None or checkpoint_data == "": + applogger.info( + "{}(method={}) : {} : No checkpoint data found.".format( + consts.LOGS_STARTS_WITH, __method_name, self.azure_function_name + ) + ) + return None + else: + check_point_json = json.loads(checkpoint_data) + applogger.info( + "{}(method={}) : {} : checkpoint data found : {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + check_point_json, + ) + ) + data = check_point_json.get(key, None) + return data + + except Exception as error: + applogger.error( + "{}(method={}) : {} : error while getting checkpoint :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + + def post_data_to_checkpoint(self, key, value): + """Post the checkpoint data to the Azure File share. + + Args: + key (str): Key to store, + value (str): Value of the key to store. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = self.state_manager_object.get(self.azure_function_name) + if checkpoint_data == "" or checkpoint_data is None: + data_to_send = {key: value} + self.state_manager_object.post(json.dumps(data_to_send)) + applogger.info( + "{}(method={}) : {} : checkpoint file created and data posted successfully: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + data_to_send, + ) + ) + else: + json_checkpoint = json.loads(checkpoint_data) + json_checkpoint[key] = value + self.state_manager_object.post(json.dumps(json_checkpoint)) + applogger.info( + "{}(method={}) : {} : Updated checkpoint successfully: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + json_checkpoint, + ) + ) + except Exception as error: + applogger.error( + "{}(method={}) : {} : error while posting checkpoint :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/sentinel.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/sentinel.py new file mode 100644 index 00000000000..d9325e639b0 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/sentinel.py 
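Review bot: Both methods collapse every failure into `raise CofenseIntelligenceException()` with no message and no cause, so a caller only ever sees an empty exception and the root cause survives only in the log line; the two `except Exception as error:` blocks should end with `raise CofenseIntelligenceException() from error` (the same applies to `sentinel.py` and `utils.py` in this change). `get_checkpoint_data` documents `Returns: string: Checkpoint data`, but it returns `None` when the file is empty or the key is absent and otherwise whatever JSON value was stored under `key`; `Returns: Any | None: value stored under key, or None if no checkpoint or key exists.` `post_data_to_checkpoint` is a read-modify-write of the whole file with no lock, so if more than one function instance shares a checkpoint file a concurrent update can drop a key — presumably each function uses its own file, which the class docstring should state.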
@@ -0,0 +1,133 @@ +"""This file contains methods for creating microsoft indicator and custom log table.""" +import inspect +import base64 +import hashlib +import hmac +import datetime +import requests +from ..SharedCode.logger import applogger +from ..SharedCode.cofense_intelligence_exception import CofenseIntelligenceException +from ..SharedCode import consts + + +def build_signature( + date, + content_length, + method, + content_type, + resource, +): + """To build signature which is required in header.""" + x_headers = "x-ms-date:" + date + string_to_hash = ( + method + + "\n" + + str(content_length) + + "\n" + + content_type + + "\n" + + x_headers + + "\n" + + resource + ) + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(consts.WORKSPACE_KEY) + encoded_hash = base64.b64encode( + hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest() + ).decode() + authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash) + return authorization + + +def post_data(body, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : {} : Error occurred: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + err, + ) + ) + raise CofenseIntelligenceException( + "Error while generating signature for posting data into log analytics." + ) + uri = ( + "https://" + + consts.WORKSPACE_ID + + ".ods.opinsights.azure.com" + + resource + + "?api-version=2016-04-01" + ) + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + try: + response = requests.post(uri, data=body, headers=headers) + if response.status_code >= 200 and response.status_code <= 299: + applogger.debug( + "{}(method={}) : {} : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + response.status_code, + ) + ) + return response.status_code + else: + raise CofenseIntelligenceException( + "Response code: {} from posting data to log analytics.\nError: {}".format( + response.status_code, response.content + ) + ) + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : {} : Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + error, + ) + ) + raise CofenseIntelligenceException( + "CofenseIntelligenceException: Error while posting data to sentinel." 
+ ) + except Exception as error: + applogger.error( + "{}(method={}) : {} : Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_MALWARE_DATA_TO_LOG_ANALYTICS, + error, + ) + ) + raise CofenseIntelligenceException( + "Exception: Error while posting data to sentinel." + ) diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/state_manager.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/state_manager.py new file mode 100644 index 00000000000..42a1e50393c --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/state_manager.py 
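Review bot: `content_length = len(body)` counts characters when `body` is a `str` (as the docstring says), but the `Content-Length` on the wire is the encoded byte count, so any non-ASCII character in the posted records makes the HMAC cover a different length than the request header and the Data Collector API rejects the call (with older `http.client` defaults the encoding may fail outright instead). Encode once and sign and send the same bytes: `body_bytes = body.encode("utf-8") if isinstance(body, str) else body`, `content_length = len(body_bytes)`, and `response = requests.post(uri, data=body_bytes, headers=headers, timeout=consts.API_TIMEOUT)`. The missing `timeout` on that `requests.post` is a separate defect — a stalled connection blocks the function indefinitely, and `consts.API_TIMEOUT` already exists for this. `datetime.datetime.utcnow()` is deprecated from Python 3.12; `datetime.datetime.now(datetime.timezone.utc)` produces the same RFC 1123 string with the existing `strftime` call.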
@@ -0,0 +1,47 @@ +"""This module will help to save file to statemanager.""" +from azure.storage.fileshare import ShareClient +from azure.storage.fileshare import ShareFileClient +from azure.core.exceptions import ResourceNotFoundError +from .logger import applogger +import inspect +from ..SharedCode.consts import LOGS_STARTS_WITH, MS_SHARE_NAME + + +class StateManager: + """State manager class for specific operation.""" + + def __init__( + self, + connection_string, + file_path, + share_name=MS_SHARE_NAME, + ): + """Initialize the share_cli and file_client.""" + self.share_cli = ShareClient.from_connection_string( + conn_str=connection_string, share_name=share_name + ) + self.file_cli = ShareFileClient.from_connection_string( + conn_str=connection_string, share_name=share_name, file_path=file_path + ) + self.log_starts_with = LOGS_STARTS_WITH + + def post(self, marker_text: str): + """Post method for posting the data to azure storage.""" + try: + self.file_cli.upload_file(marker_text) + except ResourceNotFoundError: + self.share_cli.create_share() + self.file_cli.upload_file(marker_text) + + def get(self, azure_function_name): + """Get method for getting the data from azure storage.""" + __method_name = inspect.currentframe().f_code.co_name + try: + return self.file_cli.download_file().readall().decode() + except ResourceNotFoundError: + applogger.info( + "{}(method={}) : {} : last checkpoint is not available.".format( + self.log_starts_with, __method_name, azure_function_name + ) + ) + return None diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/utils.py b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/utils.py new file mode 100644 index 00000000000..ffc408bde39 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/SharedCode/utils.py 
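Review bot: `post` treats any `ResourceNotFoundError` from `upload_file` as "share missing" and calls `create_share()` unconditionally; if the share already exists by the time that runs (a second function instance created it between the failed upload and this call, or the not-found came from the path rather than the share), `create_share()` raises `ResourceExistsError` and the checkpoint write is lost behind an unrelated error. Guard it: `try: self.share_cli.create_share()` / `except ResourceExistsError: pass` (imported from `azure.core.exceptions` next to `ResourceNotFoundError`), then retry the upload as now. The docstrings also omit the contract a caller needs: `get` returns `None` when the file does not exist yet, and `post` overwrites the entire file with `marker_text`.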
@@ -0,0 +1,497 @@ +"""This file contains helper methods.""" +import inspect +import requests +from .cofense_intelligence_exception import CofenseIntelligenceException +from .logger import applogger +from ..SharedCode import consts +import time +from requests.compat import quote_plus +from cryptography.fernet import Fernet + + +class Utils: + """This class contains helper methods.""" + + key = Fernet.generate_key() + f = Fernet(key) + + def __init__(self, azure_function_name) -> None: + """Initialize instance variable for class. + + Args: + azure_function_name (String): Azure function name + """ + self.session = requests.Session() + self.session.headers["User-Agent"] = "Cofense Intelligence" + self.azure_function_name = azure_function_name + self.auth = (consts.COFENSE_USERNAME, consts.COFENSE_PASSWORD) + + def create_proxy(self): + """To create proxy. + + Raises: + CofenseIntelligenceException: custom cofense exception + + Returns: + dict: proxies + """ + __method_name = inspect.currentframe().f_code.co_name + try: + proxies = None + if consts.IS_PROXY_REQUIRED == "Yes": + if consts.PROXY_URL and consts.PROXY_PORT: + if consts.PROXY_USERNAME and consts.PROXY_PASSWORD: + proxy_url = "{}://{}:{}@{}:{}".format( + consts.PROXY_REQUEST, + quote_plus(consts.PROXY_USERNAME), + quote_plus(consts.PROXY_PASSWORD), + consts.PROXY_URL, + consts.PROXY_PORT, + ) + proxies = {"http": proxy_url, "https": proxy_url} + applogger.info( + "{}(method={}) : {} : Proxy created successfully and the integration" + " uses proxy for further execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + elif consts.PROXY_USERNAME or consts.PROXY_PASSWORD: + applogger.error( + "{}(method={}) : {} : Proxy username or password is missing.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + ) + ) + raise CofenseIntelligenceException() + else: + proxy_url = "{}://{}:{}".format( + consts.PROXY_REQUEST, + consts.PROXY_URL, + 
consts.PROXY_PORT, + ) + proxies = {"http": proxy_url, "https": proxy_url} + applogger.info( + "{}(method={}) : {} : Proxy created successfully and the integration" + " uses proxy for further execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + else: + applogger.error( + "{}(method={}) : {} : Proxy Url or Port is missing.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + ) + ) + raise CofenseIntelligenceException() + else: + applogger.info( + "{}(method={}) : {} : Proxy not required. Execution gets started without using proxy.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + return proxies + except CofenseIntelligenceException: + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Error while creating proxy :{}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + + def validate_params(self): + """To validate parameters of function app.""" + __method_name = inspect.currentframe().f_code.co_name + required_params = { + "BaseURL": consts.COFENSE_BASE_URL, + "AzureClientId": consts.AZURE_CLIENT_ID, + "AzureClientSecret": "" if consts.AZURE_CLIENT_SECRET is None or consts.AZURE_CLIENT_SECRET == "" else self.f.encrypt(bytes(consts.AZURE_CLIENT_SECRET, 'utf-8')), + "AzureTenantId": consts.AZURE_TENANT_ID, + "AzureResourceGroup": consts.AZURE_RESOURCE_GROUP, + "AzureWorkspaceName": consts.AZURE_WORKSPACE_NAME, + "AzureSubscriptionId": consts.AZURE_SUBSCRIPTION_ID, + "ConnectionString": consts.CONNECTION_STRING, + "Schedule": consts.SCHEDULE, + "Cofense_username": consts.COFENSE_USERNAME, + "Cofense_password": "" if consts.COFENSE_PASSWORD is None or consts.COFENSE_PASSWORD == "" else self.f.encrypt(bytes(consts.COFENSE_PASSWORD, 'utf-8')), + "LogLevel": consts.LOG_LEVEL, + "WorkspaceID": 
consts.WORKSPACE_ID, + "WorkspaceKey": consts.WORKSPACE_KEY, + "Malware_Table_Name": consts.MALWARE_DATA_TABLE_NAME, + "Function_App_Name": consts.FUNCTION_APP_NAME, + } + applogger.debug( + "{}(method={}) : Checking if all the environment variables exist or not.".format( + consts.LOGS_STARTS_WITH, __method_name + ) + ) + missing_required_field = False + for label, params in required_params.items(): + if not params or params == "": + missing_required_field = True + applogger.error( + '{}(method={}) : {} : "{}" field is not set in the environment please set ' + "the environment variable and run the app.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + label, + ) + ) + if missing_required_field: + raise CofenseIntelligenceException( + "Error Occurred while validating params. Required fields missing." + ) + if not consts.COFENSE_BASE_URL.startswith("https://"): + applogger.error( + '{}(method={}) : {} : "BaseURL" must start with "https://" schema followed ' + 'by hostname. BaseURL="{}"'.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.COFENSE_BASE_URL, + ) + ) + raise CofenseIntelligenceException( + "Error Occurred while validating params. Invalid format for BaseURL." + ) + + def make_http_request( + self, + url, + method, + auth=None, + headers=None, + parameters=None, + body=None, + proxies=None, + ): + """To make rest api calls to rest api. + + Args: + url (String): URL of the rest call. + method (String): HTTP method of rest call. Eg. "GET", etc. + auth(Tuple,optional):auth tuple which contains username and password.Defaults to None + headers (Dict, optional): headers. Defaults to None. + parameters (Dict, optional): parameters. Defaults to None. + body (Dict , optional): body. Defaults to None. + proxies (Dict, optional): proxies. Defaults to None. + + Returns: + response : response of the rest call. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + error_log = "{}(method={}) : {}: {}" + response_error_log = "{}(method={}) : {}: url: {}, Status Code : {}: {}" + try: + applogger.debug( + "{}(method={}) : {}: Calling url: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + url, + ) + ) + if method == "POST": + response = self.session.post( + url=url, + headers=headers, + params=parameters, + data=body, + auth=auth, + proxies=proxies, + timeout=consts.API_TIMEOUT, + ) + else: + response = self.session.get( + url=url, + headers=headers, + params=parameters, + data=body, + auth=auth, + proxies=proxies, + timeout=consts.API_TIMEOUT, + ) + + if response.status_code >= 200 and response.status_code <= 299: + applogger.debug( + "{}(method={}) : {}: Got the response from url : {} : Status code : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + url, + response.status_code, + ) + ) + elif response.status_code >= 400 and response.status_code <= 499: + log_message = "error occurred while calling url." + applogger.error( + response_error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + url, + response.status_code, + log_message, + ) + ) + elif response.status_code == 500: + log_message = "Internal Server Error" + applogger.error( + response_error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + url, + response.status_code, + log_message, + ) + ) + else: + log_message = "Unexpected error occurred." 
+ applogger.error( + response_error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + url, + response.status_code, + log_message, + ) + ) + return response + except requests.ConnectionError as error: + applogger.error( + error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + except requests.HTTPError as error: + applogger.error( + error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + except requests.RequestException as error: + applogger.error( + error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + error_log.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error, + ) + ) + raise CofenseIntelligenceException() + + def auth_sentinel(self): + """ + Authenticate with microsoft sentinel. 
+ + Raises: + CofenseIntelligenceException: Custom cofense Exception + + Returns: + String: Bearer token + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + "{}(method={}) : {}: generating microsoft sentinel access token.".format( + consts.LOGS_STARTS_WITH, __method_name, self.azure_function_name + ) + ) + azure_auth_url = consts.AZURE_AUTHENTICATION_URL.format( + consts.AZURE_TENANT_ID + ) + body = { + "client_id": consts.AZURE_CLIENT_ID, + "client_secret": consts.AZURE_CLIENT_SECRET, + "grant_type": "client_credentials", + "resource": "https://management.azure.com", + } + response = self.make_http_request( + url=azure_auth_url, + method="POST", + body=body, + ) + if response.status_code >= 200 and response.status_code <= 299: + json_response = response.json() + if "access_token" not in json_response: + applogger.error( + "{}(method={}) : {}: Access token not found in sentinel api call.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + ) + ) + raise CofenseIntelligenceException() + else: + bearer_token = json_response.get("access_token") + applogger.info( + "{}(method={}) : {}: Microsoft sentinel access token generated successfully.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + ) + ) + applogger.debug( + "{}(method={}) :{}: url:{}, Status Code :{}: Microsoft Sentinel access token generated.".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + azure_auth_url, + response.status_code, + ) + ) + return bearer_token + else: + applogger.error( + "{}(method={}) :{}: url:{}, Status Code :{}: Error while creating microsoft sentinel access_token." 
+ " Error Reason: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + azure_auth_url, + response.status_code, + response.reason, + ) + ) + raise CofenseIntelligenceException() + except CofenseIntelligenceException as error: + applogger.error( + "{}(method={}) : Error generated while getting sentinel access token :{}".format( + consts.LOGS_STARTS_WITH, __method_name, error + ) + ) + raise CofenseIntelligenceException() + + def get_cofense_data(self, url, params=None, endpoint_name="", proxies=None): + """Get the Cofense Intelligence Indicators data. + + Args: + url (String): url for fetch cofense data. + params (dict, optional): parameter for request. Defaults to None. + endpoint_name (String, optional):endpoint name. Defaults to ''. + proxies(dict,optional):proxy, Defaults to None. + + Raises: + CofenseIntelligenceException: Custom cofense Exception + + Returns: + json: Cofense data. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + retry_count_429 = 0 + while retry_count_429 <= 1: + cofense_intelligence_data = self.make_http_request( + url=url, + method="GET", + parameters=params, + auth=self.auth, + proxies=proxies, + ) + cofense_intelligence_data_status_code = ( + cofense_intelligence_data.status_code + ) + if ( + cofense_intelligence_data_status_code >= 200 + and cofense_intelligence_data_status_code <= 299 + ): + indicator_json = cofense_intelligence_data.json() + return indicator_json + elif cofense_intelligence_data_status_code == 401: + applogger.error( + "{}(method={}) : {} : Unauthorized, Invalid Cofense Username or Cofense Password.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + ) + ) + + raise CofenseIntelligenceException() + elif cofense_intelligence_data_status_code == 429: + applogger.error( + "{}(method={}) : {} : trying again error 429 in {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + endpoint_name, + ) + ) + 
retry_count_429 += 1 + time.sleep(consts.COFENSE_429_SLEEP) + else: + applogger.error( + "{}(method={}) : {} : url: {}, Status Code : {} : error in {}." + " while pulling indicator data.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + url, + cofense_intelligence_data_status_code, + endpoint_name, + ) + ) + raise CofenseIntelligenceException() + applogger.error( + "{}(method={}) : {} : Max retries exceeded in {} while fetching data.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + endpoint_name, + ) + ) + raise CofenseIntelligenceException() + except CofenseIntelligenceException: + applogger.error( + "{}(method={}) : {} : error in {} while pulling data of indicator.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + endpoint_name, + ) + ) + raise CofenseIntelligenceException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : error in {} while pulling data of indicator: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.COFENSE_TO_SENTINEL, + endpoint_name, + error, + ) + ) + raise CofenseIntelligenceException() diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json new file mode 100644 index 00000000000..50e409ede70 --- /dev/null +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json 
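Review bot: In `validate_params` the `AzureClientSecret` and `Cofense_password` entries are run through `self.f.encrypt(...)`, yet the only thing done with a value is the truthiness check `if not params or params == ""` and the only thing logged is `label`, so the ciphertext is never used; the class-level `key = Fernet.generate_key()` / `f = Fernet(key)` and the `cryptography` import are dead weight that reads as if secrets were being protected. Replace the two entries with a presence flag that keeps the secret out of the dict entirely, `"AzureClientSecret": bool(consts.AZURE_CLIENT_SECRET),` and `"Cofense_password": bool(consts.COFENSE_PASSWORD),` — the check behaves the same and the logging stays label-only. Elsewhere in the hunk, `get_cofense_data` sleeps `consts.COFENSE_429_SLEEP` (300 s) inside the function on a 429 and retries once; that may exceed the function's execution timeout, so honoring the response's `Retry-After` header with a cap would be more robust. `make_http_request` has three `except` branches (`ConnectionError`, `HTTPError`, `RequestException`) with identical bodies; a single `except requests.RequestException as error:` covers all three.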
@@ -0,0 +1,351 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionName": { + "defaultValue": "Cofense", + "minLength": 1, + "maxLength": 11, + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics workspace" + } + }, + "WorkspaceKey": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Workspace Key of Log Analytics workspace" + } + }, + "BaseURL": { + "defaultValue": "https://www.threathq.com/apiv1", + "type": "string", + "metadata": { + "description": "Enter Base URL of Cofense Intelligence API (e.g. https://www.threathq.com/apiv1)" + } + }, + "Cofense_Username": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Cofense Intelligence User Token for authentication" + } + }, + "Cofense_Password": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Cofense Intelligence Password for authentication" + } + }, + "Azure_Client_Id": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Azure Client Id that you have created during app registration" + } + }, + "Azure_Client_Secret": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Azure Client Secret that you have created during creating the client secret" + } + }, + "Azure_Tenant_Id": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Azure Tenant Id of your Azure Active Directory" + } + }, + "Azure_Resource_Group_Name": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Azure Resource Group Name in which you want deploy the data connector" + } + }, + "Azure_Workspace_Name": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Microsoft Sentinel Workspace Name of Log Analytics 
workspace" + } + }, + "Azure_Subscription_Id": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Azure Subscription Id which is present in the subscription tab in Microsoft Sentinel" + } + }, + "RequireProxy": { + "type": "string", + "metadata": { + "description": "Select Yes, if you want to use Proxy to send Cofense indicators into Threat Intelligence. Default No is selected" + }, + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "Proxy_Username": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "This is an optional parameter if required enter the proxy username" + } + }, + "Proxy_Password": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "This is an optional parameter if required enter the proxy password" + } + }, + "Proxy_URL": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "This is an optional parameter if required enter the proxy url" + } + }, + "Proxy_Port": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "This is an optional parameter if required enter the proxy port" + } + }, + "SendCofenseIndicatorToDefender": { + "type": "string", + "metadata": { + "description": "Select Yes, if you want to send Cofense Indicators to Defender" + }, + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "LogLevel": { + "type": "string", + "metadata": { + "description": "Please add log level or log severity value. By default it is set to INFO" + }, + "allowedValues": [ + "Debug", + "Info", + "Error", + "Warning" + ], + "defaultValue": "Info" + }, + "Malware_Data_Table_name": { + "type": "string", + "defaultValue": "Malware_Data" + }, + "Schedule": { + "type": "string", + "minLength": 11, + "metadata": { + "description": "Please enter a valid Quartz cron-expression. 
(Example: 0 0 0 * * *)" + } + } + }, + "variables": { + "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]", + "StorageSuffix": "[environment().suffixes.storage]", + "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]" + }, + "resources": [ + { + "type": "Microsoft.Insights/components", + "apiVersion": "2015-05-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionName')]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionName'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', 
tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionName')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.8" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionName'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", + "Function_App_Name": "[variables('FunctionName')]", + "WorkspaceID": "[parameters('WorkspaceID')]", + "WorkspaceKey": "[parameters('WorkspaceKey')]", + "BaseURL": "[parameters('BaseURL')]", + "Cofense_Username": 
"[parameters('Cofense_Username')]", + "Cofense_Password": "[parameters('Cofense_Password')]", + "Azure_Client_Id": "[parameters('Azure_Client_Id')]", + "Azure_Client_Secret": "[parameters('Azure_Client_Secret')]", + "Azure_Tenant_Id": "[parameters('Azure_Tenant_Id')]", + "Azure_Resource_Group_Name": "[parameters('Azure_Resource_Group_Name')]", + "Azure_Workspace_Name": "[parameters('Azure_Workspace_Name')]", + "Azure_Subscription_Id": "[parameters('Azure_Subscription_Id')]", + "RequireProxy": "[parameters('RequireProxy')]", + "Proxy_Username": "[parameters('Proxy_Username')]", + "Proxy_Password": "[parameters('Proxy_Password')]", + "Proxy_URL": "[parameters('Proxy_URL')]", + "Proxy_Port": "[parameters('Proxy_Port')]", + "SendCofenseIndicatorToDefender": "[parameters('SendCofenseIndicatorToDefender')]", + "Malware_Data_Table_name": "[parameters('Malware_Data_Table_name')]", + "Schedule": "[parameters('Schedule')]", + "LogLevel": "[parameters('LogLevel')]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CofenseIntelligence-functionapp" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": 
"Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/host.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/host.json
new file mode 100644
index 00000000000..1685e9d5af3
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/host.json
@@ -0,0 +1,23 @@
+{
+ "version": "2.0",
+ "functionTimeout": "00:10:00",
+ "logging": {
+ "logLevel": {
+ "default": "Trace",
+ "Host.Results": "Trace",
+ "Function": "Trace",
+ "Host.Aggregator": "Trace"
+ },
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[3.*, 4.0.0)"
+ }
+ }
+ 
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/requirements.txt b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/requirements.txt
new file mode 100644
index 00000000000..a02f985dfe8
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/requirements.txt
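Review bot: The `Microsoft.Storage/storageAccounts` resource in this hunk sets `networkAcls.defaultAction` to `"Allow"` with empty `ipRules`/`virtualNetworkRules` and omits `minimumTlsVersion` and `allowBlobPublicAccess`, so the account that holds the function host's `azure-webjobs-secrets` container accepts TLS 1.0/1.1 and is reachable from any network, gated only by the account key that the template also writes into `AzureWebJobsStorage`. The `2019-06-01` API already supports both settings; add `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` under the storage account `properties` (tightening `defaultAction` to `Deny` presumably needs the function app to get a network rule first, so confirm before changing it). Separately, `WorkspaceKey`, `Cofense_Password`, `Azure_Client_Secret` and `Proxy_Password` are passed straight into `appsettings` as plaintext, readable by anyone who can list the site's configuration; a Key Vault reference (`@Microsoft.KeyVault(SecretUri=...)`) would keep them out of the site config. The site declares a `SystemAssigned` identity yet still takes an `Azure_Client_Id`/`Azure_Client_Secret` pair for Azure auth — the function code that consumes these is outside this hunk, but if it only calls Azure APIs, managed identity would remove one long-lived secret entirely.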
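Review bot: `logging.logLevel` sets `default`, `Host.Results`, `Function` and `Host.Aggregator` all to `"Trace"`, which turns the host-side filter off and forwards every line the function logs to Application Insights, so the `LogLevel` app setting in the deployment template becomes the only thing bounding what is recorded. The connector code in this PR already logs request URLs at error level, and with Trace at the host layer any future `applogger.debug` of a request or response body would land, credentials included, in a telemetry store that usually has wider read access than the function itself. Unless Trace is deliberate, `"default": "Information"` with the four per-category overrides removed is the usual production setting; host.json is strict JSON, so if Trace is kept the reason belongs in the connector's README rather than inline.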
@@ -0,0 +1,13 @@
+# DO NOT include azure-functions-worker in this file
+# The Python Worker is managed by Azure Functions platform
+# Manually managing azure-functions-worker may cause unexpected issues
+
+azure-functions
+azure-storage-file-share==12.10.1
+requests
+asyncio
+aiohttp
+multidict
+attr
+yarl
+cryptography
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Data/Solution_CofenseIntelligence.json b/Solutions/CofenseIntelligence/Data/Solution_CofenseIntelligence.json
new file mode 100644
index 00000000000..29cd44e5947
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Data/Solution_CofenseIntelligence.json
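Review bot: `asyncio` and `attr` should not be in this requirements file: `asyncio` is part of the Python 3.8 standard library the template pins (`python|3.8`), and the PyPI package of that name is an old, unmaintained backport that can conflict with the stdlib module, while `attr` on PyPI is an unrelated single-module project — the package `aiohttp` actually depends on is `attrs`, which pip resolves on its own. Every entry except `azure-storage-file-share==12.10.1` is unpinned, so each build of the function package resolves `requests`, `aiohttp`, `cryptography`, `multidict` and `yarl` to whatever is current on PyPI, which makes deployments non-reproducible and exposes the connector to a bad or hijacked release; pin each with `==` (and ideally `--hash`) the way `azure-storage-file-share` already is. `multidict` and `yarl` are transitive dependencies of `aiohttp` and can be dropped unless the connector imports them directly, which the visible code does not show.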
@@ -0,0 +1,17 @@
+{
+ "Name": "CofenseIntelligence",
+ "Author": "Cofense - support@cofense.com",
+ "Logo": "",
+ "Description": "The Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na.[Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb.[Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc.[Microsoft Threat Intelligence Indicator API](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator)",
+ "Workbooks": [
+ "Workbooks/CofenseIntelligenceThreatIndicators.json"
+ ],
+ "Data Connectors": [
+ "Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json"
+ ],
+ "BasePath": "C:\\Azure-Sentinel\\Solutions\\CofenseIntelligence",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Package/3.0.0.zip b/Solutions/CofenseIntelligence/Package/3.0.0.zip
new file mode 100644
index 00000000000..157bdb03d41
Binary files /dev/null and b/Solutions/CofenseIntelligence/Package/3.0.0.zip differ
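Review bot: The `Description` string repeats itself — the text `**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in ` occurs twice, the first copy cut off mid-sentence, and because this manifest feeds the packager the same duplicate is carried into the generated `createUiDefinition.json` in this PR. Remove the first, truncated copy so the heading and sentence appear once; while there, `Microsoft Defender for Endpoints` reads `Microsoft Defender for Endpoint` in Microsoft's own naming. `BasePath` is a developer-machine absolute path (`C:\\Azure-Sentinel\\Solutions\\CofenseIntelligence`); if the packaging tool accepts a repo-relative path, using one avoids committing a local layout that will not exist on any other contributor's machine.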
diff --git a/Solutions/CofenseIntelligence/Package/createUiDefinition.json b/Solutions/CofenseIntelligence/Package/createUiDefinition.json
new file mode 100644
index 00000000000..8f5c0c9abcf
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Package/createUiDefinition.json
@@ -0,0 +1,127 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CofenseIntelligence/ReleaseNotes.md)\r \n • _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc. 
[Microsoft Threat Intelligence Indicator API](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CofenseIntelligence. 
You can get CofenseIntelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CofenseIntelligenceThreatIndicators", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} 
diff --git a/Solutions/CofenseIntelligence/Package/mainTemplate.json b/Solutions/CofenseIntelligence/Package/mainTemplate.json
new file mode 100644
index 00000000000..84d8c265e6a
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Package/mainTemplate.json
@@ -0,0 +1,643 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Cofense - support@cofense.com", + "comments": "Solution template for CofenseIntelligence" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CofenseIntelligenceThreatIndicators", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@cofense.com", + "_email": "[variables('email')]", + "_solutionName": "CofenseIntelligence", + "_solutionVersion": "3.0.0", + "solutionId": "cofense.cofense-intelligence-sentinel", + "_solutionId": "[variables('solutionId')]", + "workbookVersion1": "1.0", + "workbookContentId1": "CofenseIntelligenceWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + 
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "uiConfigId1": "CofenseIntelligence", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "CofenseIntelligence", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CofenseIntelligenceThreatIndicatorsWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Intelligence Threat Indicators](https://www.threathq.com)\\n---\\n\\nCofense Intelligence is a human-vetted phishing-threat intelligence service that provides accurate and timely alerts and in-depth analysis to strengthen your enterprise's 
ability to quickly identify and respond to phishing attacks in progress.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Cofense Intelligence Logo](https://cdn.splunkbase.splunk.com/media/public/icons/da85629e-b54b-11ec-90ee-aa325d5405c9.svg?width=200&height=100)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Type and 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = 
iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator 
Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| where ConfidenceScore != \\\"\\\"\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, 
EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize 
arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | 
project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n| where Tags != \\\"\\\"\\r\\n| parse Tags with * \\\"[\\\\\\\"threatID-\\\" threat_id \\\"\\\\\\\"]\\\"\\r\\n| extend threat_id = toreal(threat_id)\\r\\n| join kind=inner Malware_Data_CL on 
$left.threat_id == $right.id_d\\r\\n// latest data of cofense indicator to avoid duplicates \\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| extend Ioc = case(ThreatType == \\\"File\\\", FileHashValue, \\r\\n ThreatType == \\\"URL\\\", Url,\\r\\n DomainName)\\r\\n| order by TimeGenerated desc\\r\\n| project [\\\"Threat ID\\\"]=threat_id, [\\\"Confidence Score\\\"]=ConfidenceScore, [\\\"Threat Type\\\"]=ThreatType, [\\\"IOC\\\"]=Ioc, Label=label_s, [\\\"Last Published\\\"]=unixtime_microseconds_todatetime(lastPublished_d*1000), [\\\"First Published\\\"]=unixtime_microseconds_todatetime(firstPublished_d*1000), [\\\"Threat Detail URL\\\"]=threatDetailURL_s, [\\\"Download Report (HTML)\\\"]=ReportDownload_HTML__s, [\\\"Download Report (PDF)\\\"]=ReportDownload_PDF__s, [\\\"Executive Summary\\\"]=executiveSummary_s\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Intelligence Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Confidence Score\",\"formatter\":1},{\"columnMatch\":\"Threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Download Report (HTML)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download HTML Report\"}},{\"columnMatch\":\"Download Report (PDF)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download PDF Report\"}},{\"columnMatch\":\"threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Report URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 6\"}]},\"name\":\"Indicators 
Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseIntelligenceThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=CofenseIntelligenceWorkbook; logoFileName=CofenseTriage.svg; description=This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0; title=CofenseIntelligenceThreatIndicators; templateRelativePath=CofenseIntelligenceThreatIndicators.json; subtitle=; provider=Cofense}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "CofenseIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Cofense", + "email": "[variables('_email')]" + }, + "support": { + "name": "Cofense Support", + "email": "support@cofense.com", + "tier": "Partner", + "link": "https://cofense.com/contact-support/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + }, + { + "contentId": "Malware_Data", + "kind": "DataType" + }, + { + "contentId": "CofenseIntelligenceDataConnector", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CofenseIntelligence data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Cofense Intelligence Threat Indicators Ingestion (using Azure Functions)", + "publisher": "Cofense", + "descriptionMarkdown": "The [Cofense-Intelligence](https://cofense.com/product-services/phishing-intelligence/) data connector provides the following capabilities: \n 1. 
CofenseToSentinel : \n >* Get Threat Indicators from the Cofense Intelligence platform and create Threat Intelligence Indicators in Microsoft Sentinel. \n 2. SentinelToDefender : \n >* Get Malware from Cofense Intelligence and post to custom logs table. \n 3. CofenseIntelligenceMalware : \n >* Get Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence and create/update Indicators in Microsoft Defender for Endpoints.\n 4. DownloadThreatReports : \n >* This data connector will fetch the malware data and create the Link from which we can download Threat Reports. \n 5. RetryFailedIndicators : \n >* This data connector will fetch failed indicators from failed indicators file and retry creating/updating Threat Intelligence indicators in Microsoft Sentinel. \n\n\n For more details of REST APIs refer to the below documentations: \n 1. Cofense Intelligence API documentation: \n> https://www.threathq.com/docs/rest_api_reference.html \n 2. Microsoft Threat Intelligence Indicator documentation: \n> https://learn.microsoft.com/rest/api/securityinsights/preview/threat-intelligence-indicator \n 3. 
Microsoft Defender for Endpoints Indicator documentation: \n> https://learn.microsoft.com/microsoft-365/security/defender-endpoint/ti-indicator?view=o365-worldwide", + "graphQueries": [ + { + "metricName": "Cofense Intelligence Threat Indicators data received", + "legend": "ThreatIntelligenceIndicator | where SourceSystem startswith 'Cofense Intelligence : '", + "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem startswith 'Cofense Intelligence : '" + }, + { + "metricName": "Cofense Intelligence Malware data and report links data received", + "legend": "Malware_Data_CL", + "baseQuery": "Malware_Data_CL" + } + ], + "sampleQueries": [ + { + "description": "Cofense Based Indicators Events - All Cofense indicators in Microsoft Sentinel Threat Intelligence.", + "query": "ThreatIntelligenceIndicator\n | where SourceSystem startswith 'Cofense Intelligence : '\n | sort by TimeGenerated desc" + }, + { + "description": "Cofense Intelligence malware data and all Cofense indicators report links data.", + "query": "Malware_Data_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Malware_Data_CL", + "lastDataReceivedQuery": "Malware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ThreatIntelligenceIndicator\n | where SourceSystem startswith 'Cofense Intelligence : '\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Malware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": 
[ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Cofense Username** and **Password** is required. See the documentation to learn more about API on the [Rest API reference](https://www.threathq.com/docs/rest_api_reference.html)" + }, + { + "name": "Microsoft Defender for Endpoints", + "description": "**Microsoft Defender for Endpoints License** is required for SentinelToDefender function." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Cofense Intelligence APIs to pull its Threat Indicators and create Threat Intelligence Indicators into Microsoft Sentinel Threat Intelligence and create/update Threat Indicators in Cofense. 
Likewise, it also creates/updates Cofense Based Threat Indicators in Microsoft Defender for Endpoints. All this might result in additional indicator and data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - App Registration steps for the Microsoft Azure Active Directory Application**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new Azure Active Directory application:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Azure Active Directory**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of CofenseIntelligence Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "description": "**STEP 2 - Add a client secret for Microsoft Azure Active Directory Application**\n\n Sometimes called an application password, a client secret is a string value required for the execution of CofenseIntelligence Data Connector. 
Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of CofenseIntelligence Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "description": "**STEP 3 - Assign role of Contributor to Microsoft Azure Active Directory Application**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "description": "**STEP 4 - Assign Defender Threat Indicator permissions to Microsoft Azure Active Directory Application**\n\n Follow the steps in this section to assign the permissions:\n 1. 
In the Azure portal, in **App registrations**, select **your application**.\n 2. To enable an app to access Defender for Endpoint indicators, assign it **'Ti.ReadWrite.All'** permission, on your application page, select **API Permissions > Add permission > APIs my organization uses >, type WindowsDefenderATP, and then select WindowsDefenderATP**.\n 3. Select **Application permissions > Ti.ReadWrite.All**, and then select **Add permissions**.\n 4. Select **Grant consent**. \n\n> **Reference link:** [https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide)" + }, + { + "description": "**STEP 5 - Steps to create/get Credentials for the Cofense Intelligence account** \n\n Follow the steps in this section to create/get **Cofense Username** and **Password**:\n 1. Login to https://threathq.com and go to the **Settings menu** on the left navigation bar.\n 2. Choose the API Tokens tab and select **Add a New Token**\n 3. Make sure to save the **password**, as it will not be accessible again." + }, + { + "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Cofense Intelligence Threat Indicators data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Cofense API Authorization Key(s).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Cofense connector.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CofenseIntelligence-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Cofense Intelligence Threat Indicators data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CofenseIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Cofense", + "email": "[variables('_email')]" + }, + "support": { + "name": "Cofense Support", + "email": "support@cofense.com", + "tier": "Partner", + "link": "https://cofense.com/contact-support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Cofense Intelligence Threat Indicators Ingestion (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CofenseIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Cofense", + "email": "[variables('_email')]" + }, + "support": { + "name": "Cofense Support", + "email": "support@cofense.com", + "tier": "Partner", + "link": "https://cofense.com/contact-support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Cofense Intelligence Threat Indicators Ingestion (using Azure Functions)", + "publisher": "Cofense", + "descriptionMarkdown": "The 
[Cofense-Intelligence](https://cofense.com/product-services/phishing-intelligence/) data connector provides the following capabilities: \n 1. CofenseToSentinel : \n >* Get Threat Indicators from the Cofense Intelligence platform and create Threat Intelligence Indicators in Microsoft Sentinel. \n 2. SentinelToDefender : \n >* Get Malware from Cofense Intelligence and post to custom logs table. \n 3. CofenseIntelligenceMalware : \n >* Get Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence and create/update Indicators in Microsoft Defender for Endpoints.\n 4. DownloadThreatReports : \n >* This data connector will fetch the malware data and create the Link from which we can download Threat Reports. \n 5. RetryFailedIndicators : \n >* This data connector will fetch failed indicators from failed indicators file and retry creating/updating Threat Intelligence indicators in Microsoft Sentinel. \n\n\n For more details of REST APIs refer to the below documentations: \n 1. Cofense Intelligence API documentation: \n> https://www.threathq.com/docs/rest_api_reference.html \n 2. Microsoft Threat Intelligence Indicator documentation: \n> https://learn.microsoft.com/rest/api/securityinsights/preview/threat-intelligence-indicator \n 3. 
Microsoft Defender for Endpoints Indicator documentation: \n> https://learn.microsoft.com/microsoft-365/security/defender-endpoint/ti-indicator?view=o365-worldwide", + "graphQueries": [ + { + "metricName": "Cofense Intelligence Threat Indicators data received", + "legend": "ThreatIntelligenceIndicator | where SourceSystem startswith 'Cofense Intelligence : '", + "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem startswith 'Cofense Intelligence : '" + }, + { + "metricName": "Cofense Intelligence Malware data and report links data received", + "legend": "Malware_Data_CL", + "baseQuery": "Malware_Data_CL" + } + ], + "dataTypes": [ + { + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Malware_Data_CL", + "lastDataReceivedQuery": "Malware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ThreatIntelligenceIndicator\n | where SourceSystem startswith 'Cofense Intelligence : '\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Malware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Cofense Based Indicators Events - All Cofense indicators in Microsoft Sentinel Threat Intelligence.", + "query": "ThreatIntelligenceIndicator\n | where SourceSystem startswith 'Cofense Intelligence : '\n | sort by TimeGenerated desc" + }, + { + "description": "Cofense Intelligence malware data and all Cofense indicators report links data.", + "query": "Malware_Data_CL\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": 
[ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Cofense Username** and **Password** is required. See the documentation to learn more about API on the [Rest API reference](https://www.threathq.com/docs/rest_api_reference.html)" + }, + { + "name": "Microsoft Defender for Endpoints", + "description": "**Microsoft Defender for Endpoints License** is required for SentinelToDefender function." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Cofense Intelligence APIs to pull its Threat Indicators and create Threat Intelligence Indicators into Microsoft Sentinel Threat Intelligence and create/update Threat Indicators in Cofense. 
Likewise, it also creates/updates Cofense Based Threat Indicators in Microsoft Defender for Endpoints. All this might result in additional indicator and data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - App Registration steps for the Microsoft Azure Active Directory Application**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new Azure Active Directory application:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Azure Active Directory**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of CofenseIntelligence Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "description": "**STEP 2 - Add a client secret for Microsoft Azure Active Directory Application**\n\n Sometimes called an application password, a client secret is a string value required for the execution of CofenseIntelligence Data Connector. 
Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of CofenseIntelligence Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "description": "**STEP 3 - Assign role of Contributor to Microsoft Azure Active Directory Application**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "description": "**STEP 4 - Assign Defender Threat Indicator permissions to Microsoft Azure Active Directory Application**\n\n Follow the steps in this section to assign the permissions:\n 1. 
In the Azure portal, in **App registrations**, select **your application**.\n 2. To enable an app to access Defender for Endpoint indicators, assign it **'Ti.ReadWrite.All'** permission, on your application page, select **API Permissions > Add permission > APIs my organization uses >, type WindowsDefenderATP, and then select WindowsDefenderATP**.\n 3. Select **Application permissions > Ti.ReadWrite.All**, and then select **Add permissions**.\n 4. Select **Grant consent**. \n\n> **Reference link:** [https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide)" + }, + { + "description": "**STEP 5 - Steps to create/get Credentials for the Cofense Intelligence account** \n\n Follow the steps in this section to create/get **Cofense Username** and **Password**:\n 1. Login to https://threathq.com and go to the **Settings menu** on the left navigation bar.\n 2. Choose the API Tokens tab and select **Add a New Token**\n 3. Make sure to save the **password**, as it will not be accessible again." + }, + { + "description": "**STEP 6 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Cofense Intelligence Threat Indicators data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Cofense API Authorization Key(s).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Cofense connector.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CofenseIntelligence-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Cofense Intelligence Threat Indicators data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "CofenseIntelligence", + "publisherDisplayName": "Cofense Support", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n

a.Azure Monitor HTTP Data Collector API

\n

b.Azure Functions

\n

c.Microsoft Threat Intelligence Indicator API

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CofenseIntelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Cofense",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Cofense Support",
+ "email": "support@cofense.com",
+ "tier": "Partner",
+ "link": "https://cofense.com/contact-support/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-05-26",
+ "lastPublishDate": "2024-05-26",
+ "providers": [
+ "Cofense"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence",
+ "Security - Threat Protection",
+ "Security - Automation (SOAR)"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/CofenseIntelligence/ReleaseNotes.md b/Solutions/CofenseIntelligence/ReleaseNotes.md
new file mode 100644
index 00000000000..7d1f3d0ce64
--- /dev/null
+++ b/Solutions/CofenseIntelligence/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 10-12-2022 | Initial solution release |
diff --git a/Solutions/CofenseIntelligence/SolutionMetadata.json b/Solutions/CofenseIntelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..a19bc65af54
--- /dev/null
+++ b/Solutions/CofenseIntelligence/SolutionMetadata.json
@@ -0,0 +1,21 @@
+{
+ "publisherId": "cofense",
+ "offerId": "cofense-intelligence-sentinel",
+ "firstPublishDate": "2023-05-26",
+ "lastPublishDate": "2024-05-26",
+ "providers": ["Cofense"],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence",
+ "Security - Threat Protection",
+ "Security - Automation (SOAR)"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Cofense Support",
+ "email": "support@cofense.com",
+ "tier": "Partner",
+ "link": "https://cofense.com/contact-support/"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/CofenseIntelligence/Workbooks/CofenseIntelligenceThreatIndicators.json b/Solutions/CofenseIntelligence/Workbooks/CofenseIntelligenceThreatIndicators.json
new file mode 100644
index 00000000000..483ce2bef36
--- /dev/null
+++ b/Solutions/CofenseIntelligence/Workbooks/CofenseIntelligenceThreatIndicators.json
@@ -0,0 +1,316 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "value::selected" + ], + "parameters": [ + { + "id": "a4b4e975-fa7c-46a3-b669-850aacc88134", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "🔎 Guide", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]" + }, + { + "id": "15b2c181-7397-43c1-900a-28e175ae8a6f", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + } + ], + "allowCustom": true + }, + "timeContextFromParameter": "TimeRange" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "Parameter Selectors" + }, + { + "type": 1, + "content": { + "json": "# [Cofense Intelligence Threat Indicators](https://www.threathq.com)\n---\n\nCofense Intelligence is a human-vetted phishing-threat intelligence service that provides accurate and timely alerts and in-depth analysis to strengthen your enterprise's ability to quickly identify and respond to phishing attacks in progress." 
+ }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "customWidth": "79", + "name": "Workbook Overview" + }, + { + "type": 1, + "content": { + "json": "![Cofense Intelligence Logo](https://cdn.splunkbase.splunk.com/media/public/icons/da85629e-b54b-11ec-90ee-aa325d5405c9.svg?width=200&height=100)" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "customWidth": "20", + "name": "Microsoft Sentinel Logo" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select cofense indicators from the table\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", + "size": 0, + "showAnalytics": true, + "title": "Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Type and Date", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "SourceSystem", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "SourceSystem", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", + "size": 0, + "showAnalytics": true, + "title": "Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Provider and Date", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "showAnalytics": true, + "title": "Number of Active Cofense Intelligence Indicators by Indicator Type", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "showAnalytics": true, + "title": "Number of Active Cofense Intelligence Indicators by Indicator Source", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 7" + 
}, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| where ConfidenceScore != \"\"\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", + "size": 3, + "showAnalytics": true, + "title": "Number of Active Cofense Intelligence Indicators by Confidence Score", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by 
ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where 
SourceSystem == \"Cofense Intelligence\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n | where SourceSystem == \"Cofense Intelligence\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = 
round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Uniqueness of Cofense Threat Intelligence Sources", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Source", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "View", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ActiveIndicators", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_thresholds_Source_0", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_thresholds_Source_0", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == \"Cofense Intelligence\"\r\n| where Tags != \"\"\r\n| parse Tags with * \"[\\\"threatID-\" threat_id \"\\\"]\"\r\n| extend threat_id = toreal(threat_id)\r\n| join kind=inner Malware_Data_CL on $left.threat_id == $right.id_d\r\n// latest data of cofense indicator to avoid duplicates \r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\r\n| extend Ioc = case(ThreatType == \"File\", FileHashValue, \r\n ThreatType == \"URL\", Url,\r\n DomainName)\r\n| order by TimeGenerated desc\r\n| project [\"Threat ID\"]=threat_id, [\"Confidence Score\"]=ConfidenceScore, [\"Threat 
Type\"]=ThreatType, [\"IOC\"]=Ioc, Label=label_s, [\"Last Published\"]=unixtime_microseconds_todatetime(lastPublished_d*1000), [\"First Published\"]=unixtime_microseconds_todatetime(firstPublished_d*1000), [\"Threat Detail URL\"]=threatDetailURL_s, [\"Download Report (HTML)\"]=ReportDownload_HTML__s, [\"Download Report (PDF)\"]=ReportDownload_PDF__s, [\"Executive Summary\"]=executiveSummary_s", + "size": 0, + "showAnalytics": true, + "title": "Cofense Intelligence Threat Indicators Data", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Confidence Score", + "formatter": 1 + }, + { + "columnMatch": "Threat Detail URL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "Download Report (HTML)", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Download HTML Report" + } + }, + { + "columnMatch": "Download Report (PDF)", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Download PDF Report" + } + }, + { + "columnMatch": "threat Detail URL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "Report URL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "Threat Indicator Link", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + } + ], + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "name": "query - 6" + } + ] + }, + "name": "Indicators Ingestion" + } + ], + "fromTemplateId": "sentinel-CofenseIntelligenceThreatIndicators", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file 
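Review bot: Every tile in this workbook filters with `| where SourceSystem == "Cofense Intelligence"`, while the connector definition earlier on this page (its graphQueries and IsConnectedQuery) matches indicators with `SourceSystem startswith 'Cofense Intelligence : '`; if the function app writes the suffixed form the connector expects, every workbook query returns no rows, so one side or the other needs to change, e.g. `| where SourceSystem startswith "Cofense Intelligence"` in the workbook. In the last tile, `threatDetailURL_s`, `ReportDownload_HTML__s` and `ReportDownload_PDF__s` are taken straight from ingested `Malware_Data_CL` rows and rendered as clickable links (formatter 7, linkTarget Url), so an analyst is sent to whatever URL the feed carried; a guard such as `| where threatDetailURL_s startswith "https://"` (and likewise for the two report columns) or at least a note on the tile would make that trust boundary explicit. The logo is hot-linked from `cdn.splunkbase.splunk.com`, a third-party CDN unrelated to Cofense or Microsoft, which is a brittle and unnecessary external dependency for a Sentinel workbook; a vendor- or repo-hosted asset would be preferable.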
diff --git a/Solutions/CofenseIntelligence/Workbooks/Images/Preview/CofenseIntelligenceBlack1.png b/Solutions/CofenseIntelligence/Workbooks/Images/Preview/CofenseIntelligenceBlack1.png new file mode 100644 index 00000000000..06aa7390b89 Binary files /dev/null and b/Solutions/CofenseIntelligence/Workbooks/Images/Preview/CofenseIntelligenceBlack1.png differ diff --git a/Solutions/CofenseIntelligence/Workbooks/Images/Preview/CofenseIntelligenceWhite1.png b/Solutions/CofenseIntelligence/Workbooks/Images/Preview/CofenseIntelligenceWhite1.png new file mode 100644 index 00000000000..9acbdbacd38 Binary files /dev/null and b/Solutions/CofenseIntelligence/Workbooks/Images/Preview/CofenseIntelligenceWhite1.png differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json index e2ac0299a22..823cfbfed7f 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json @@ -81,7 +81,7 @@ } }, "Expected_EPS_volume": { - "defaultValue": 40000, + "defaultValue": 25000, "type": "Int" }, "function-name": { 
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip index 0255adbe0ce..328aacf05ce 100644 Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py index f42006e36a6..b64542d341e 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py @@ -57,8 +57,8 @@ async def main(mytimer: func.TimerRequest): mainQueueCount = mainQueueHelper.get_queue_current_count() logging.info("Main queue size is {}".format(mainQueueCount)) while mainQueueCount >= MAX_QUEUE_MESSAGES_MAIN_QUEUE: - time.sleep(5) - if check_if_script_runs_too_long(0.9, script_start_time): + time.sleep(15) + if check_if_script_runs_too_long(0.7, script_start_time): logging.warn("Main queue already have enough messages to process. Not clearing any backlog or reading a new SQS message in this iteration.") return mainQueueCount = mainQueueHelper.get_queue_current_count() 
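Review bot: `time.sleep(15)` inside the `while mainQueueCount >= MAX_QUEUE_MESSAGES_MAIN_QUEUE` loop blocks the event loop of this `async def main` for the full 15 s per iteration, and tripling it from 5 s makes every other coroutine on the worker stall three times longer; the same applies to the sleep in the hunk at `@@ -69,7 +69,7 @@`. If the module already imports asyncio, `await asyncio.sleep(15)` keeps the back-off but yields while waiting. The literals 15, 0.7 and 0.5 are now repeated across this hunk and the two that follow it; defining them once next to MAX_QUEUE_MESSAGES_MAIN_QUEUE, e.g. `QUEUE_FULL_BACKOFF_SECONDS = 15` and `RUNTIME_BUDGET_FRACTION = 0.7`, keeps the tuning in one place. main() begins before this hunk and continues after it.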
@@ -69,7 +69,7 @@ async def main(mytimer: func.TimerRequest): mainQueueCount = mainQueueHelper.get_queue_current_count() while backlogQueueCount > 0: while mainQueueCount >= MAX_QUEUE_MESSAGES_MAIN_QUEUE: - time.sleep(5) + time.sleep(15) mainQueueCount = mainQueueHelper.get_queue_current_count() messageFromBacklog = backlogQueueHelper.deque_from_queue() if messageFromBacklog != None: @@ -77,11 +77,11 @@ async def main(mytimer: func.TimerRequest): backlogQueueHelper.delete_queue_message(messageFromBacklog.id, messageFromBacklog.pop_receipt) backlogQueueCount = backlogQueueHelper.get_queue_current_count() mainQueueCount = mainQueueHelper.get_queue_current_count() - if check_if_script_runs_too_long(0.9, script_start_time): + if check_if_script_runs_too_long(0.7, script_start_time): logging.warn("Main queue already have enough messages to process. Read messages from backlog queue but not reading a new SQS message in this iteration.") return - if check_if_script_runs_too_long(0.75, script_start_time): + if check_if_script_runs_too_long(0.5, script_start_time): logging.warn("Queue already have enough messages to process. Read all messages from backlog queue but not reading a new SQS message in this iteration.") return diff --git a/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml b/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml new file mode 100644 index 00000000000..6b2937ec3d5 --- /dev/null +++ b/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml 
@@ -0,0 +1,55 @@ +id: a0e55dd4-8454-4396-91e6-f28fec3d2cab +name: Egress Defend - Dangerous Attachment Detected +description: | + 'Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: EgressDefend + dataTypes: + - EgressDefend_CL +queryFrequency: 30m +queryPeriod: 30m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Execution + - InitialAccess + - Persistence + - PrivilegeEscalation +relevantTechniques: + - T1204 + - T0853 + - T0863 + - T1566 + - T1546 + - T1546 +tags: + - Defend +query: | + DefendAuditData + | where ThreatLevel == "suspicious" or ThreatLevel == "dangerous" + | mv-expand todynamic(Attachments) + | where Attachments.name matches regex @"(?i)^.*\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)" + | summarize attachmentCount=count() by TimeGenerated, tostring(Attachments.name), Subject, From, Account_0_FullName = trim(@"[^@.\w]+",Recipients), timesClicked = LinksClicked, SenderIP +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: Account_0_FullName + - entityType: File + fieldMappings: + - identifier: Name + columnName: Attachments_name + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: Account_0_FullName + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SenderIP +alertDetailsOverride: + alertDisplayNameFormat: Alert - {{Account_0_FullName}} has suspicious attachment. +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml b/Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml new file mode 100644 index 00000000000..41c74c61e2b --- /dev/null +++ b/Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml 
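Review bot: `relevantTechniques` lists `T1546` twice; drop the duplicate. `T0853` and `T0863` look like ICS-matrix technique IDs rather than Enterprise ones, which seems unintended for an email-attachment rule — `T1204` and `T1566`, both already listed, cover user execution of a phishing attachment, so confirm the validator accepts ICS IDs before keeping them. The `summarize attachmentCount=count() by TimeGenerated, ...` groups on the exact event timestamp, so the count will almost always be 1; if aggregation is intended, bucket the time, e.g. `by bin(TimeGenerated, 30m), tostring(Attachments.name), ...`.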
@@ -0,0 +1,51 @@ +id: a896123e-03a5-4a4d-a7e3-fd814846dfb2 +name: Egress Defend - Dangerous Link Click +description: | + 'Defend has detected a user has clicked a dangerous link in their mailbox.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: EgressDefend + dataTypes: + - EgressDefend_CL +queryFrequency: 30m +queryPeriod: 30m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Execution +relevantTechniques: + - T1204 + - T0853 +tags: + - Defend +query: | + DefendAuditData + | where LinksClicked > 0 + | where ThreatLevel == "dangerous" or ThreatLevel == "suspicious" + | extend Account_0_FullName = trim(@"[^@.\w]+",Recipients) +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: Account_0_FullName + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SenderIP + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: Account_0_FullName +customDetails: + DefendSenderIP: SenderIP + DefendSender: From + timesClicked: LinksClicked +alertDetailsOverride: + alertDisplayNameFormat: Alert - {{Account_0_FullName}} as clicked a suspicious link. +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json b/Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json new file mode 100644 index 00000000000..2f0dfea8b97 --- /dev/null +++ b/Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json 
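Review bot: `alertDisplayNameFormat` has a typo in the analyst-facing title, "as clicked"; it should read `alertDisplayNameFormat: Alert - {{Account_0_FullName}} has clicked a suspicious link.`. The query also matches `ThreatLevel == "suspicious"` while the name and description say "dangerous link", so either narrow the filter or say "dangerous or suspicious" in the description. As in the attachment rule, `T0853` appears to be an ICS technique ID; `T1204` alone (or with `T1566`) would be the consistent Enterprise mapping, to be confirmed.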
@@ -0,0 +1,141 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "defaultValue": "Sentinel-Dev", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "resources": [ + { + "id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',guid(subscription().subscriptionId))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',guid(subscription().subscriptionId))]", + "apiVersion": "2023-06-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "id": "EgressDefendPolling", + "title": "Egress Defend", + "publisher": "Egress Software Technologies", + "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.", + "graphQueriesTableName": "EgressDefend_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Egress Defend Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "DefendAuditData" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [ + "APIPolling" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions 
on the Log Analytics workspace are required to enable the data connector.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "action": true, + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Egress API Token", + "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Egress Defend with Microsoft Sentinel", + "description": "Enter your Egress Defend API URl, Egress Domain and API token.", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "API URL", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{apiUrl}}" + }, + { + "displayText": "Domain name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{domain}}" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "APIKeyName": "X-Api-Key", + "IsAPIKeyInPostPayload": false + }, + "request": { + "apiEndpoint": "https://{{apiUrl}}/V1/events/?pagingMode=offset&domain={{domain}}", + "httpMethod": "Get", + "startTimeAttributeName": "startTime", + "endTimeAttributeName":"endTime", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.fffZ", + "retryCount": 2, + "queryWindowInMin": 5, + "timeoutInSeconds": 120, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "offset", + "pageSizeParaName": "limit", + "pageSize": 100 + }, + "response": { + "eventsJsonPaths": [ + "$..items" + ] + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Egress Defend/Data/Solution_EgressDefend.json b/Solutions/Egress Defend/Data/Solution_EgressDefend.json new file mode 100644 index 00000000000..3da9491b0da --- /dev/null +++ b/Solutions/Egress Defend/Data/Solution_EgressDefend.json 
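Review bot: The `workspace` parameter defaults to `"Sentinel-Dev"`, which looks like a leftover development workspace name and will be used silently whenever the template is deployed without that parameter; the other templates in this change default it to `""`. `requiredPermissions` sets `"delete": true` although the accompanying `permissionsDisplayText` says only read and write are required — set `"delete": false` unless the connector genuinely deletes workspace resources, so the least privilege shown to the user matches what is requested. Minor: the instruction step description reads "API URl"; `"Enter your Egress Defend API URL, Egress Domain and API token."` fixes the capitalisation.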
@@ -0,0 +1,23 @@ +{ + "Name": "Egress Defend", + "Author": "Egress - support@egress.com", + "Logo": "", + "Description": "Egress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.", + "WorkbookDescription": "Egress Defend Workbooks provides insight into Egress Defend audit logs", + "Workbooks": [ + "Workbooks/DefendMetrics.json" + ], + "Analytic Rules": [ + "Analytic Rules/DangerousAttachmentReceived.yaml", + "Analytic Rules/DangerousLinksClicked.yaml" + ], + "Parsers": [ "Parsers/DefendAuditData.txt"], + "Hunting Queries": [ + "Hunting Queries/DangerousLinksClicked.yaml" + ], + "Data Connectors": ["Data Connectors/DefendAPIConnector.json"], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Egress Defend", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true +} diff --git a/Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml b/Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml new file mode 100644 index 00000000000..6fc7513b329 --- /dev/null +++ b/Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml @@ -0,0 +1,19 @@ +id: 57ada8d5-7a26-4440-97fd-32c5c3fd0421 +name: Dangerous emails with links clicked +description: | + 'This will check for emails that Defend has identified as dangerous and a user has clicked a link.' +requiredDataConnectors: + - connectorId: EgressDefend + dataTypes: + - EgressDefend_CL + +tactics: + - Collection + +relevantTechniques: + - T1039 + +query: | + EgressDefend_CL + | where event_s == "linkClick" + | where email_threat_s == "dangerous" 
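Review bot: The hunting query reads the raw `EgressDefend_CL` table while both analytic rules in this change go through the `DefendAuditData` parser; querying the parser here as well (`DefendAuditData | where Event == "linkClick" | where ThreatLevel == "dangerous"`, assuming the parser exposes those names) keeps column naming consistent and isolates the query from raw-schema changes. `T1039` under `Collection` (Data from Network Shared Drive) does not describe a clicked email link; `T1204` and `T1566`, as used by the analytic rules, would be the consistent mapping. No `entityMappings` are declared, so results will not surface the recipient or sender IP as entities; an `Account` mapping like the analytic rules' `Account_0_FullName` would help investigation.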
diff --git a/Solutions/Egress Defend/Package/3.0.0.zip b/Solutions/Egress Defend/Package/3.0.0.zip new file mode 100644 index 00000000000..72904191ff5 Binary files /dev/null and b/Solutions/Egress Defend/Package/3.0.0.zip differ diff --git a/Solutions/Egress Defend/Package/createUiDefinition.json b/Solutions/Egress Defend/Package/createUiDefinition.json new file mode 100644 index 00000000000..104a3a8bc27 --- /dev/null +++ b/Solutions/Egress Defend/Package/createUiDefinition.json 
@@ -0,0 +1,228 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Egress%20Defend/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nEgress Defend for Microsoft Sentinel \n\n provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner. \n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": 
"[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Egress Defend. You can get Egress Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." 
+ } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Egress Defend Insights", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into the data ingested from Egress Defend." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Egress Defend - Dangerous Attachment Detected", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Egress Defend - Dangerous Link Click", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Defend has detected a user has clicked a dangerous link in their mailbox." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Dangerous emails with links clicked", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. 
This hunting query depends on EgressDefend data connector (EgressDefend_CL Parser or Table)" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Egress Defend/Package/mainTemplate.json b/Solutions/Egress Defend/Package/mainTemplate.json new file mode 100644 index 00000000000..912fd478568 --- /dev/null +++ b/Solutions/Egress Defend/Package/mainTemplate.json 
@@ -0,0 +1,1097 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Egress - support@egress.com", + "comments": "Solution template for Egress Defend" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Egress Defend Insights", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@egress.com", + "_email": "[variables('email')]", + "_solutionName": "Egress Defend", + "_solutionVersion": "3.0.0", + "solutionId": "egress1589289169584.azure-sentinel-solution-egress-defend", + "_solutionId": "[variables('solutionId')]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "EgressDefendMetricWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "a0e55dd4-8454-4396-91e6-f28fec3d2cab", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "a896123e-03a5-4a4d-a7e3-fd814846dfb2", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "parserName1": "DefendAuditData", + "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", + "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "_parserId1": "[variables('parserId1')]", + "parserTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "DefendAuditData-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "huntingQueryVersion1": "1.0.0", + "huntingQuerycontentId1": "57ada8d5-7a26-4440-97fd-32c5c3fd0421", + "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", + "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", + "uiConfigId1": "EgressDefendPolling", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "EgressDefendPolling", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DefendMetricsWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Egress Defend." 
+ }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Phishing Insights\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DefendAuditData\\r\\n| where isnotempty(PhishType)\\r\\n| mv-expand todynamic(PhishType)\\r\\n| summarize EmailCount=count() by tostring(PhishType), LinksClicked\\r\\n| render columnchart\",\"size\":0,\"title\":\"Number of Detected Phish Types in 48 hours\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"chartSettings\":{\"xAxis\":\"PhishType\",\"seriesLabelSettings\":[{\"seriesName\":\"LinksClicked\",\"color\":\"redDark\"},{\"seriesName\":\"EmailCount\",\"color\":\"blue\"}]}},\"name\":\"query-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DefendAuditData\\r\\n| where ThreatLevel == \\\"suspicious\\\" or ThreatLevel == \\\"dangerous\\\"\\r\\n| mv-expand todynamic(Attachments)\\r\\n| where Attachments.name matches regex @\\\"(?i)^.*\\\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\\\"\\r\\n| extend path_parts = parse_path(tostring(Attachments.name))\\r\\n| where isnotempty(path_parts.Extension)\\r\\n| summarize attachmentCount=count() by tostring(path_parts.Extension)\\r\\n| render piechart\",\"size\":0,\"title\":\"Number of suspicious files detected in 48 hours\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"yAxis\":[\"attachmentCount\"]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-EgressDefendMetricWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=EgressDefendMetricWorkbook; logoFileName=; description=A workbook providing insights into Egress Defend.; dataTypesDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Egress Defend Insights; templateRelativePath=DefendMetrics.json; subtitle=Defend Metrics; provider=Egress Software Technologies}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "EgressDefend_CL", + "kind": "DataType" + } + ] + } + }, + "description": "Egress Defend Workbooks provides insight into Egress Defend audit logs" + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + 
"apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DangerousAttachmentReceived_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.", + "displayName": "Egress Defend - Dangerous Attachment Detected", + "enabled": false, + "query": "DefendAuditData\n| where ThreatLevel == \"suspicious\" or ThreatLevel == \"dangerous\"\n| mv-expand todynamic(Attachments)\n| where Attachments.name matches regex @\"(?i)^.*\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\"\n| summarize attachmentCount=count() by TimeGenerated, tostring(Attachments.name), Subject, From, Account_0_FullName = trim(@\"[^@.\\w]+\",Recipients), timesClicked = LinksClicked, SenderIP\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "EgressDefend", + "dataTypes": [ + "EgressDefend_CL" + ] + } + ], + "tactics": [ + "Execution", + "InitialAccess", + "Persistence", + 
"PrivilegeEscalation" + ], + "techniques": [ + "T1204", + "T0853", + "T0863", + "T1566", + "T1546", + "T1546" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Account_0_FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Attachments_name" + } + ], + "entityType": "File" + }, + { + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "Account_0_FullName" + } + ], + "entityType": "Mailbox" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SenderIP" + } + ], + "entityType": "IP" + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert - {{Account_0_FullName}} has suspicious attachment." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "Egress Defend Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Egress Defend - 
Dangerous Attachment Detected", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DangerousLinksClicked_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Defend has detected a user has clicked a dangerous link in their mailbox.", + "displayName": "Egress Defend - Dangerous Link Click", + "enabled": false, + "query": "DefendAuditData\n| where LinksClicked > 0\n| where ThreatLevel == \"dangerous\" or ThreatLevel == \"suspicious\"\n| extend Account_0_FullName = trim(@\"[^@.\\w]+\",Recipients)\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "EgressDefend", + "dataTypes": [ + "EgressDefend_CL" + ] + } + ], + "tactics": [ + "Execution" + ], + 
"techniques": [ + "T1204", + "T0853" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Account_0_FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SenderIP" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "Account_0_FullName" + } + ], + "entityType": "Mailbox" + } + ], + "customDetails": { + "DefendSender": "From", + "timesClicked": "LinksClicked", + "DefendSenderIP": "SenderIP" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert - {{Account_0_FullName}} as clicked a suspicious link." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "Egress Defend Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + 
"displayName": "Egress Defend - Dangerous Link Click", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DefendAuditData Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "DefendAuditData", + "category": "Samples", + "functionAlias": "DefendAuditData", + "query": "\nEgressDefend_CL\r\n| project \r\n TimeGenerated=time_t,\r\n Event=event_s,\r\n Recipients=email_rcptTo_s,\r\n From=email_mailFrom_s,\r\n Subject=columnifexists('email_subject_s', \"\"),\r\n Attachments=email_attachments_s,\r\n MessageId=email_messageId_s,\r\n ThreatLevel=email_threat_s,\r\n TrustLevel=email_trust_s,\r\n FirstTimeSender=email_firstTimeSender_b,\r\n PayLoad=columnifexists('email_payload_Type_s', \"\"),\r\n LinksClicked=email_linksClicked_d,\r\n SenderIP=email_senderIp_s,\r\n Url=linkClicked_s,\r\n PhishType=email_phishType_s\r\n ", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "DefendAuditData" + 
} + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserName1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "name": "Egress Defend", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "DefendAuditData", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "DefendAuditData", + "category": "Samples", + "functionAlias": "DefendAuditData", + "query": "\nEgressDefend_CL\r\n| project \r\n TimeGenerated=time_t,\r\n Event=event_s,\r\n Recipients=email_rcptTo_s,\r\n From=email_mailFrom_s,\r\n Subject=columnifexists('email_subject_s', \"\"),\r\n 
Attachments=email_attachments_s,\r\n MessageId=email_messageId_s,\r\n ThreatLevel=email_threat_s,\r\n TrustLevel=email_trust_s,\r\n FirstTimeSender=email_firstTimeSender_b,\r\n PayLoad=columnifexists('email_payload_Type_s', \"\"),\r\n LinksClicked=email_linksClicked_d,\r\n SenderIP=email_senderIp_s,\r\n Url=linkClicked_s,\r\n PhishType=email_phishType_s\r\n ", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "DefendAuditData" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DangerousLinksClicked_HuntingQueries Hunting Query with 
template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Egress_Defend_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dangerous emails with links clicked", + "category": "Hunting Queries", + "query": "EgressDefend_CL \n| where event_s == \"linkClick\" \n| where email_threat_s == \"dangerous\"\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This will check for emails that Defend has identified as dangerous and a user has clicked a link." + }, + { + "name": "tactics", + "value": "Collection" + }, + { + "name": "techniques", + "value": "T1039" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "properties": { + "description": "Egress Defend Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion1')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": 
"[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Dangerous emails with links clicked", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Egress Defend data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Egress Defend", + "publisher": "Egress Software Technologies", + "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.", + "graphQueriesTableName": "EgressDefend_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Egress Defend Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + 
"description": "All logs", + "query": "DefendAuditData" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [ + "APIPolling" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions on the Log Analytics workspace are required to enable the data connector.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "action": true, + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Egress API Token", + "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel." + } + ] + }, + "instructionSteps": [ + { + "description": "Enter your Egress Defend API URl, Egress Domain and API token.", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "API URL", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{apiUrl}}" + }, + { + "displayText": "Domain name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{domain}}" + } + ] + }, + "type": "APIKey" + } + ], + "title": "Connect Egress Defend with Microsoft Sentinel" + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "APIKeyName": "X-Api-Key", + "IsAPIKeyInPostPayload": false + }, + "request": { + "apiEndpoint": "https://{{apiUrl}}/V1/events/?pagingMode=offset&domain={{domain}}", + "httpMethod": "Get", + "startTimeAttributeName": "startTime", + "endTimeAttributeName": "endTime", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.fffZ", + "retryCount": 2, + "queryWindowInMin": 5, + "timeoutInSeconds": 120, + "headers": { + "Accept": 
"application/json" + } + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "offset", + "pageSizeParaName": "limit", + "pageSize": 100 + }, + "response": { + "eventsJsonPaths": [ + "$..items" + ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Egress Defend", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", 
+ "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Egress Defend", + "publisher": "Egress Software Technologies", + "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.", + "graphQueriesTableName": "EgressDefend_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Egress Defend Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "DefendAuditData" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [ + "APIPolling" + ] + } + 
], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions on the Log Analytics workspace are required to enable the data connector.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "action": true, + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Egress API Token", + "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel." + } + ] + }, + "instructionSteps": [ + { + "description": "Enter your Egress Defend API URl, Egress Domain and API token.", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "API URL", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{apiUrl}}" + }, + { + "displayText": "Domain name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{domain}}" + } + ] + }, + "type": "APIKey" + } + ], + "title": "Connect Egress Defend with Microsoft Sentinel" + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "APIKeyName": "X-Api-Key", + "IsAPIKeyInPostPayload": false + }, + "request": { + "apiEndpoint": "https://{{apiUrl}}/V1/events/?pagingMode=offset&domain={{domain}}", + "httpMethod": "Get", + "startTimeAttributeName": "startTime", + "endTimeAttributeName": "endTime", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.fffZ", + "retryCount": 2, + "queryWindowInMin": 5, + "timeoutInSeconds": 120, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "offset", + "pageSizeParaName": "limit", + "pageSize": 100 + }, + "response": { + "eventsJsonPaths": [ + "$..items" + ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + 
"location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Egress Defend", + "publisherDisplayName": "egress1589289169584", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Egress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2, Hunting Queries: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Egress Defend", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Egress", + "email": "[variables('_email')]" + }, + "support": { + "name": "egress1589289169584", + "email": "support@egress.com", + "tier": "Partner", + "link": "https://support.egress.com/s/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId1')]", + "version": "[variables('parserVersion1')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId1')]", + "version": "[variables('huntingQueryVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2023-07-27", + "providers": [ + "Egress" + ], + "categories": { + "domains": [ + "Application" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Egress Defend/Parsers/DefendAuditData.txt b/Solutions/Egress Defend/Parsers/DefendAuditData.txt new file mode 100644 index 00000000000..f506c691004 --- /dev/null +++ b/Solutions/Egress Defend/Parsers/DefendAuditData.txt 
@@ -0,0 +1,18 @@
+EgressDefend_CL
+| project
+ TimeGenerated=time_t,
+ Event=event_s,
+ Recipients=email_rcptTo_s,
+ From=email_mailFrom_s,
+ Subject=columnifexists('email_subject_s', ""),
+ Attachments=email_attachments_s,
+ MessageId=email_messageId_s,
+ ThreatLevel=email_threat_s,
+ TrustLevel=email_trust_s,
+ FirstTimeSender=email_firstTimeSender_b,
+ PayLoad=columnifexists('email_payload_Type_s', ""),
+ LinksClicked=email_linksClicked_d,
+ SenderIP=email_senderIp_s,
+ Url=linkClicked_s,
+ PhishType=email_phishType_s
+ 
\ No newline at end of file
diff --git a/Solutions/Egress Defend/ReleaseNotes.md b/Solutions/Egress Defend/ReleaseNotes.md
new file mode 100644
index 00000000000..f1c25a75d1c
--- /dev/null
+++ b/Solutions/Egress Defend/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 02-08-2023 | Initial solution release. |
diff --git a/Solutions/Egress Defend/SolutionMetadata.json b/Solutions/Egress Defend/SolutionMetadata.json
new file mode 100644
index 00000000000..4fe79ab0262
--- /dev/null
+++ b/Solutions/Egress Defend/SolutionMetadata.json
@@ -0,0 +1,19 @@
+{
+ "publisherId": "egress1589289169584",
+ "offerId": "azure-sentinel-solution-egress-defend",
+ "firstPublishDate": "2023-07-27",
+ "providers": [
+ "Egress"
+ ],
+ "categories": {
+ "domains": [
+ "Application"
+ ]
+ },
+ "support": {
+ "name": "egress1589289169584",
+ "email": "support@egress.com",
+ "tier": "Partner",
+ "link": "https://support.egress.com/s/"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Egress Defend/Workbooks/DefendMetrics.json b/Solutions/Egress Defend/Workbooks/DefendMetrics.json
new file mode 100644
index 00000000000..6be5abcf5f4
--- /dev/null
+++ b/Solutions/Egress Defend/Workbooks/DefendMetrics.json
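Review bot: `PayLoad=columnifexists('email_payload_Type_s', "")` breaks the PascalCase every other projected column follows (`TimeGenerated`, `MessageId`, `ThreatLevel`, `SenderIP`), and because KQL column names are case-sensitive a consumer that types the natural `Payload` gets a missing-column error rather than the value. Renaming it to `Payload=columnifexists('email_payload_Type_s', "")` is safe in this commit as far as the hunks visible here show: none of the workbook, analytic-rule or hunting queries reference the column. The same query text is embedded twice more in the Egress Defend mainTemplate.json hunk (the two savedSearches `query` values), so all three copies have to be changed together. `TimeGenerated=time_t` is also the only projection without a `columnifexists` guard, so it is the first line to fail if the raw table is missing that column; a short header comment listing the raw EgressDefend_CL columns the parser expects would make that dependency visible to the next maintainer.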
@@ -0,0 +1,63 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Phishing Insights"
+ },
+ "name": "text - 6"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DefendAuditData\r\n| where isnotempty(PhishType)\r\n| mv-expand todynamic(PhishType)\r\n| summarize EmailCount=count() by tostring(PhishType), LinksClicked\r\n| render columnchart",
+ "size": 0,
+ "title": "Number of Detected Phish Types in 48 hours",
+ "timeContext": {
+ "durationMs": 172800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "unstackedbar",
+ "chartSettings": {
+ "xAxis": "PhishType",
+ "seriesLabelSettings": [
+ {
+ "seriesName": "LinksClicked",
+ "color": "redDark"
+ },
+ {
+ "seriesName": "EmailCount",
+ "color": "blue"
+ }
+ ]
+ }
+ },
+ "name": "query-2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DefendAuditData\r\n| where ThreatLevel == \"suspicious\" or ThreatLevel == \"dangerous\"\r\n| mv-expand todynamic(Attachments)\r\n| where Attachments.name matches regex @\"(?i)^.*\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\"\r\n| extend path_parts = parse_path(tostring(Attachments.name))\r\n| where isnotempty(path_parts.Extension)\r\n| summarize attachmentCount=count() by tostring(path_parts.Extension)\r\n| render piechart",
+ "size": 0,
+ "title": "Number of suspicious files detected in 48 hours",
+ "timeContext": {
+ "durationMs": 172800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "chartSettings": {
+ "yAxis": [
+ "attachmentCount"
+ ]
+ }
+ },
+ "name": "query - 1"
+ }
+ ],
+ "fromTemplateId": "sentinel-EgressDefendMetricWorkbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+ }
\ No newline at end of file
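Review bot: The "suspicious files" query restricts attachment names to an allowlist of document extensions (`doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip`) after already selecting only `suspicious`/`dangerous` messages, so the attachment types an analyst most needs to see on that chart, executables, scripts, shortcuts and disk images such as `.exe`, `.js`, `.lnk` or `.iso`, and double-extension names like `invoice.pdf.exe` that fail the `$`-anchored match, are silently dropped from the count. Since the next two lines already derive and filter on `path_parts.Extension`, the regex line adds nothing but the blind spot; replace it with `| where isnotempty(Attachments.name)` and let the pie chart show every extension, or invert it into a denylist if noise is the concern (the trailing `(?-i)` after `$` is a no-op either way). In the first query, `summarize EmailCount=count() by tostring(PhishType), LinksClicked` groups the email count by the click-count value rather than producing a `LinksClicked` series, which the `seriesLabelSettings` entry for `LinksClicked` suggests was the intent; `summarize EmailCount=count(), LinksClicked=sum(LinksClicked) by tostring(PhishType)` would match the chart configuration.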
diff --git a/Solutions/Egress Defend/Workbooks/Images/Preview/EgressDefendMetricWorkbookBlack01.png b/Solutions/Egress Defend/Workbooks/Images/Preview/EgressDefendMetricWorkbookBlack01.png new file mode 100644 index 00000000000..089ff698091 Binary files /dev/null and b/Solutions/Egress Defend/Workbooks/Images/Preview/EgressDefendMetricWorkbookBlack01.png differ diff --git a/Solutions/Egress Defend/Workbooks/Images/Preview/EgressDefendMetricWorkbookWhite01.png b/Solutions/Egress Defend/Workbooks/Images/Preview/EgressDefendMetricWorkbookWhite01.png new file mode 100644 index 00000000000..08dfe4e1d83 Binary files /dev/null and b/Solutions/Egress Defend/Workbooks/Images/Preview/EgressDefendMetricWorkbookWhite01.png differ diff --git a/Solutions/Infoblox NIOS/Package/3.0.2.zip b/Solutions/Infoblox NIOS/Package/3.0.2.zip new file mode 100644 index 00000000000..a1b4a4f2db3 Binary files /dev/null and b/Solutions/Infoblox NIOS/Package/3.0.2.zip differ diff --git a/Solutions/Infoblox NIOS/Package/mainTemplate.json b/Solutions/Infoblox NIOS/Package/mainTemplate.json index 7c5c4eca402..e3c2ce19436 100644 --- a/Solutions/Infoblox NIOS/Package/mainTemplate.json +++ b/Solutions/Infoblox NIOS/Package/mainTemplate.json @@ -38,7 +38,7 @@ }, "watchlist1-id": { "type": "string", - "defaultValue": "", + "defaultValue": "Sources_by_SourceType", "minLength": 1, "metadata": { "description": "Unique id for the watchlist" @@ -47,7 +47,7 @@ }, "variables": { "_solutionName": "Infoblox NIOS", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-infobloxnios", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "InfobloxNIOS", 
@@ -56,13 +56,13 @@ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "workbookVersion1": "1.1.0", "workbookContentId1": "InfobloxNIOSWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', 
uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", @@ -70,7 +70,7 @@ "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))),variables('parserVersion1')))]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", "parserVersion1": "1.0.0", "parserContentId1": "Infoblox-Parser", "_parserContentId1": "[variables('parserContentId1')]", @@ -79,7 +79,7 @@ "_parserName2": "[concat(parameters('workspace'),'/',variables('parserName2'))]", "parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", "_parserId2": "[variables('parserId2')]", - "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId2'))),variables('parserVersion2')))]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId2'))))]", "parserVersion2": "1.0.0", "parserContentId2": "Infoblox_allotherdhcpdTypes-Parser", "_parserContentId2": "[variables('parserContentId2')]", 
@@ -88,7 +88,7 @@ "_parserName3": "[concat(parameters('workspace'),'/',variables('parserName3'))]", "parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", "_parserId3": "[variables('parserId3')]", - "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId3'))),variables('parserVersion3')))]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId3'))))]", "parserVersion3": "1.0.0", "parserContentId3": "Infoblox_allotherdnsTypes-Parser", "_parserContentId3": "[variables('parserContentId3')]", @@ -97,7 +97,7 @@ "_parserName4": "[concat(parameters('workspace'),'/',variables('parserName4'))]", "parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName4'))]", "_parserId4": "[variables('parserId4')]", - "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId4'))),variables('parserVersion4')))]", + "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId4'))))]", "parserVersion4": "1.0.0", "parserContentId4": "Infoblox_allotherlogTypes-Parser", "_parserContentId4": "[variables('parserContentId4')]", 
@@ -106,7 +106,7 @@ "_parserName5": "[concat(parameters('workspace'),'/',variables('parserName5'))]", "parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName5'))]", "_parserId5": "[variables('parserId5')]", - "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId5'))),variables('parserVersion5')))]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId5'))))]", "parserVersion5": "1.0.0", "parserContentId5": "Infoblox_dhcp_consolidated-Parser", "_parserContentId5": "[variables('parserContentId5')]", @@ -115,7 +115,7 @@ "_parserName6": "[concat(parameters('workspace'),'/',variables('parserName6'))]", "parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName6'))]", "_parserId6": "[variables('parserId6')]", - "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId6'))),variables('parserVersion6')))]", + "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId6'))))]", "parserVersion6": "1.0.0", "parserContentId6": "Infoblox_dhcpack-Parser", "_parserContentId6": "[variables('parserContentId6')]", 
@@ -124,7 +124,7 @@ "_parserName7": "[concat(parameters('workspace'),'/',variables('parserName7'))]", "parserId7": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName7'))]", "_parserId7": "[variables('parserId7')]", - "parserTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId7'))),variables('parserVersion7')))]", + "parserTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId7'))))]", "parserVersion7": "1.0.0", "parserContentId7": "Infoblox_dhcpadded-Parser", "_parserContentId7": "[variables('parserContentId7')]", @@ -133,7 +133,7 @@ "_parserName8": "[concat(parameters('workspace'),'/',variables('parserName8'))]", "parserId8": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName8'))]", "_parserId8": "[variables('parserId8')]", - "parserTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId8'))),variables('parserVersion8')))]", + "parserTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId8'))))]", "parserVersion8": "1.0.0", "parserContentId8": "Infoblox_dhcpbindupdate-Parser", "_parserContentId8": "[variables('parserContentId8')]", 
@@ -142,7 +142,7 @@ "_parserName9": "[concat(parameters('workspace'),'/',variables('parserName9'))]", "parserId9": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName9'))]", "_parserId9": "[variables('parserId9')]", - "parserTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId9'))),variables('parserVersion9')))]", + "parserTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId9'))))]", "parserVersion9": "1.0.0", "parserContentId9": "Infoblox_dhcpdiscover-Parser", "_parserContentId9": "[variables('parserContentId9')]", @@ -151,7 +151,7 @@ "_parserName10": "[concat(parameters('workspace'),'/',variables('parserName10'))]", "parserId10": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName10'))]", "_parserId10": "[variables('parserId10')]", - "parserTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId10'))),variables('parserVersion10')))]", + "parserTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId10'))))]", "parserVersion10": "1.0.0", "parserContentId10": "Infoblox_dhcpexpire-Parser", "_parserContentId10": "[variables('parserContentId10')]", 
@@ -160,7 +160,7 @@ "_parserName11": "[concat(parameters('workspace'),'/',variables('parserName11'))]", "parserId11": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName11'))]", "_parserId11": "[variables('parserId11')]", - "parserTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId11'))),variables('parserVersion11')))]", + "parserTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId11'))))]", "parserVersion11": "1.0.0", "parserContentId11": "Infoblox_dhcpinform-Parser", "_parserContentId11": "[variables('parserContentId11')]", @@ -169,7 +169,7 @@ "_parserName12": "[concat(parameters('workspace'),'/',variables('parserName12'))]", "parserId12": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName12'))]", "_parserId12": "[variables('parserId12')]", - "parserTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId12'))),variables('parserVersion12')))]", + "parserTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId12'))))]", "parserVersion12": "1.0.0", "parserContentId12": "Infoblox_dhcpoffer-Parser", "_parserContentId12": "[variables('parserContentId12')]", 
@@ -178,7 +178,7 @@ "_parserName13": "[concat(parameters('workspace'),'/',variables('parserName13'))]", "parserId13": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName13'))]", "_parserId13": "[variables('parserId13')]", - "parserTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId13'))),variables('parserVersion13')))]", + "parserTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId13'))))]", "parserVersion13": "1.0.0", "parserContentId13": "Infoblox_dhcpoption-Parser", "_parserContentId13": "[variables('parserContentId13')]", @@ -187,7 +187,7 @@ "_parserName14": "[concat(parameters('workspace'),'/',variables('parserName14'))]", "parserId14": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName14'))]", "_parserId14": "[variables('parserId14')]", - "parserTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId14'))),variables('parserVersion14')))]", + "parserTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId14'))))]", "parserVersion14": "1.0.0", "parserContentId14": "Infoblox_dhcpother-Parser", "_parserContentId14": "[variables('parserContentId14')]", 
@@ -196,7 +196,7 @@ "_parserName15": "[concat(parameters('workspace'),'/',variables('parserName15'))]", "parserId15": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName15'))]", "_parserId15": "[variables('parserId15')]", - "parserTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId15'))),variables('parserVersion15')))]", + "parserTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId15'))))]", "parserVersion15": "1.0.0", "parserContentId15": "Infoblox_dhcprelease-Parser", "_parserContentId15": "[variables('parserContentId15')]", @@ -205,7 +205,7 @@ "_parserName16": "[concat(parameters('workspace'),'/',variables('parserName16'))]", "parserId16": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName16'))]", "_parserId16": "[variables('parserId16')]", - "parserTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId16'))),variables('parserVersion16')))]", + "parserTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId16'))))]", "parserVersion16": "1.0.0", "parserContentId16": "Infoblox_dhcpremoved-Parser", "_parserContentId16": "[variables('parserContentId16')]", 
@@ -214,7 +214,7 @@ "_parserName17": "[concat(parameters('workspace'),'/',variables('parserName17'))]", "parserId17": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName17'))]", "_parserId17": "[variables('parserId17')]", - "parserTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId17'))),variables('parserVersion17')))]", + "parserTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId17'))))]", "parserVersion17": "1.0.0", "parserContentId17": "Infoblox_dhcprequest-Parser", "_parserContentId17": "[variables('parserContentId17')]", @@ -223,7 +223,7 @@ "_parserName18": "[concat(parameters('workspace'),'/',variables('parserName18'))]", "parserId18": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName18'))]", "_parserId18": "[variables('parserId18')]", - "parserTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId18'))),variables('parserVersion18')))]", + "parserTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId18'))))]", "parserVersion18": "1.0.0", "parserContentId18": "Infoblox_dhcpsession-Parser", "_parserContentId18": "[variables('parserContentId18')]", 
@@ -232,7 +232,7 @@ "_parserName19": "[concat(parameters('workspace'),'/',variables('parserName19'))]", "parserId19": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName19'))]", "_parserId19": "[variables('parserId19')]", - "parserTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId19'))),variables('parserVersion19')))]", + "parserTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId19'))))]", "parserVersion19": "1.0.0", "parserContentId19": "Infoblox_dns_consolidated-Parser", "_parserContentId19": "[variables('parserContentId19')]", @@ -241,7 +241,7 @@ "_parserName20": "[concat(parameters('workspace'),'/',variables('parserName20'))]", "parserId20": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName20'))]", "_parserId20": "[variables('parserId20')]", - "parserTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId20'))),variables('parserVersion20')))]", + "parserTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId20'))))]", "parserVersion20": "1.0.0", "parserContentId20": "Infoblox_dnsclient-Parser", "_parserContentId20": "[variables('parserContentId20')]", 
@@ -250,7 +250,7 @@ "_parserName21": "[concat(parameters('workspace'),'/',variables('parserName21'))]", "parserId21": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName21'))]", "_parserId21": "[variables('parserId21')]", - "parserTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId21'))),variables('parserVersion21')))]", + "parserTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId21'))))]", "parserVersion21": "1.0.0", "parserContentId21": "Infoblox_dnsgss-Parser", "_parserContentId21": "[variables('parserContentId21')]", @@ -259,7 +259,7 @@ "_parserName22": "[concat(parameters('workspace'),'/',variables('parserName22'))]", "parserId22": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName22'))]", "_parserId22": "[variables('parserId22')]", - "parserTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId22'))),variables('parserVersion22')))]", + "parserTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId22'))))]", "parserVersion22": "1.0.0", "parserContentId22": "Infoblox_dnszone-Parser", "_parserContentId22": "[variables('parserContentId22')]", 
@@ -268,13 +268,13 @@ "analyticRulecontentId1": "b8266f81-2715-41a6-9062-42486cbc9c73", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))),variables('analyticRuleVersion1')))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", "analyticRuleVersion2": "1.0.2", "analyticRulecontentId2": "57e56fc9-417a-4f41-a579-5475aea7b8ce", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))),variables('analyticRuleVersion2')))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "Sources_by_SourceType": "Sources_by_SourceType", "_Sources_by_SourceType": 
"[variables('Sources_by_SourceType')]", @@ -290,7 +290,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox NIOS data connector with template version 3.0.1", + "description": "Infoblox NIOS data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -635,7 +635,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Workbook-V2Workbook Workbook with template version 3.0.1", + "description": "Infoblox-Workbook-V2Workbook Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -722,7 +722,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox Data Parser with template version 3.0.1", + "description": "Infoblox Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", 
@@ -852,7 +852,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_allotherdhcpdTypes Data Parser with template version 3.0.1", + "description": "Infoblox_allotherdhcpdTypes Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion2')]", @@ -982,7 +982,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_allotherdnsTypes Data Parser with template version 3.0.1", + "description": "Infoblox_allotherdnsTypes Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion3')]", @@ -1112,7 +1112,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_allotherlogTypes Data Parser with template version 3.0.1", + "description": "Infoblox_allotherlogTypes Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion4')]", 
@@ -1242,7 +1242,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcp_consolidated Data Parser with template version 3.0.1", + "description": "Infoblox_dhcp_consolidated Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion5')]", @@ -1372,7 +1372,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpack Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpack Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion6')]", @@ -1502,7 +1502,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpadded Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpadded Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion7')]", 
@@ -1632,7 +1632,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpbindupdate Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpbindupdate Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion8')]", @@ -1762,7 +1762,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpdiscover Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpdiscover Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion9')]", @@ -1892,7 +1892,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpexpire Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpexpire Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion10')]", 
@@ -2022,7 +2022,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpinform Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpinform Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion11')]", @@ -2152,7 +2152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpoffer Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpoffer Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion12')]", @@ -2282,7 +2282,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpoption Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpoption Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion13')]", 
@@ -2412,7 +2412,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpother Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpother Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion14')]", @@ -2542,7 +2542,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcprelease Data Parser with template version 3.0.1", + "description": "Infoblox_dhcprelease Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion15')]", @@ -2672,7 +2672,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpremoved Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpremoved Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion16')]", 
@@ -2802,7 +2802,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcprequest Data Parser with template version 3.0.1", + "description": "Infoblox_dhcprequest Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion17')]", @@ -2932,7 +2932,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dhcpsession Data Parser with template version 3.0.1", + "description": "Infoblox_dhcpsession Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion18')]", @@ -3062,7 +3062,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dns_consolidated Data Parser with template version 3.0.1", + "description": "Infoblox_dns_consolidated Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion19')]", 
@@ -3192,7 +3192,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dnsclient Data Parser with template version 3.0.1", + "description": "Infoblox_dnsclient Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion20')]", @@ -3322,7 +3322,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dnsgss Data Parser with template version 3.0.1", + "description": "Infoblox_dnsgss Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion21')]", @@ -3452,7 +3452,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox_dnszone Data Parser with template version 3.0.1", + "description": "Infoblox_dnszone Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion22')]", 
@@ -3582,7 +3582,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueries_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ExcessiveNXDOMAINDNSQueries_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -3625,13 +3625,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -3686,7 +3686,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDHCPStarvationAttack_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PotentialDHCPStarvationAttack_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -3728,13 +3728,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -3803,7 +3803,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Infoblox NIOS", 
@@ -3965,7 +3965,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Sources_by_SourceType')]", - "version": "3.0.1" + "version": "3.0.2" } ] }, diff --git a/Solutions/Infoblox NIOS/ReleaseNotes.md b/Solutions/Infoblox NIOS/ReleaseNotes.md index 7ccb96c7073..3b31a5d9ce9 100644 --- a/Solutions/Infoblox NIOS/ReleaseNotes.md +++ b/Solutions/Infoblox NIOS/ReleaseNotes.md @@ -1,4 +1,5 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|------------------------------------------------| -| 3.0.1 | 24-07-2023 |Updated ApiVersion for Watchlist | -| 3.0.0 | 11-07-2023 |Updated support information for this solution | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|----------------------------------------------------------------------| +| 3.0.2 | 16-08-2023 |Updated the solution to include a default value for watchlist1-id | +| 3.0.1 | 24-07-2023 |Updated ApiVersion for Watchlist | +| 3.0.0 | 11-07-2023 |Updated support information for this solution | diff --git a/Solutions/SAP/ARM templates/azuredeploy.json b/Solutions/SAP/ARM templates/azuredeploy.json new file mode 100644 index 00000000000..948eef9b619 --- /dev/null +++ b/Solutions/SAP/ARM templates/azuredeploy.json 
@@ -0,0 +1,745 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccount": { + "type": "object" + }, + "virtualMachinePrincipalId": { + "type": "string" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "sentinelWorkspaceResourceId": { + "type": "string" + }, + "playbookName": { + "type": "string", + "defaultValue": "DisruptUsingQueueDynamicAlertProperties" + }, + "automationRuleName": { + "type": "string", + "defaultValue": "Run Disrupt on Incident Update" + } + }, + "variables": { + "azurequeuesConnectionName": "[concat('Azurequeues-', parameters('playbookName'))]", + "microsoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbookName'))]", + "storageAccountResourceId": "[concat(subscription().id, '/resourceGroups/', parameters('storageAccount').resourceGroup, '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "storageAccountName": "[parameters('storageAccount').name]", + "storageQueueDataContributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", + "storageQueueMessageDataProcessorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]" + }, + "resources": [ + { + "condition": "[equals(parameters('storageAccount').newOrExisting, 'new')]", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccount').type]" + }, + "kind": "[parameters('storageAccount').kind]" + }, + { + "condition": "[equals(parameters('storageAccount').newOrExisting, 'new')]", + "type": "Microsoft.Authorization/roleAssignments", + "dependsOn": [ + 
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "apiVersion": "2022-04-01", + "name": "[guid(parameters('virtualMachinePrincipalId'), variables('storageAccountName'))]", + "properties": { + "roleDefinitionId": "[variables('storageQueueMessageDataProcessorRoleDefinitionId')]", + "principalId": "[parameters('virtualMachinePrincipalId')]", + "principalType": "ServicePrincipal" + }, + "scope": "[variables('storageAccountResourceId')]" + }, + { + "condition": "[equals(parameters('storageAccount').newOrExisting, 'new')]", + "type": "Microsoft.Authorization/roleAssignments", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Logic/workflows', parameters('playbookName'))]" + ], + "apiVersion": "2022-04-01", + "name": "[guid(parameters('playbookName'), variables('storageAccountName'))]", + "properties": { + "roleDefinitionId": "[variables('storageQueueDataContributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('playbookName')), '2019-05-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "scope": "[variables('storageAccountResourceId')]" + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "P_StorageAccount": { + "defaultValue": "[variables('storageAccountName')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": 
"/incident-creation" + } + } + }, + "actions": { + "Alerts_from_incident_creation_or_incident_update": { + "runAfter": { + "Initialize_variable_sid_queue_exist": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AlertsObject", + "type": "array", + "value": "@coalesce(triggerBody()?['incidentUpdates']?['alerts'],triggerBody()?['object']?['properties']?['Alerts'])" + } + ] + } + }, + "For_each": { + "foreach": "@variables('AlertsObject')", + "actions": { + "For_each_remediation_step": { + "foreach": "@body('Parse_alert')?['properties']?['remediationSteps']", + "actions": { + "If_remediation_step_is_a_disrupt_one": { + "actions": { + "Capture_the_disrupt_action": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "DisruptAction", + "value": "@{items('For_each_remediation_step')}" + } + }, + "Set_System_GUID": { + "runAfter": { + "Capture_the_disrupt_action": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "sap_sid_guid", + "value": "@{json(variables('DisruptAction'))[0]?['SystemGUID']}" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "contains": [ + "@items('For_each_remediation_step')", + "ActionType" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_alert": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_alert": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "additionalData": { + "properties": { + "Alert generation status": { + "type": "string" + }, + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Analytics Template Id": { + "type": "string" + }, + "Correlation Id": { + "type": "string" + }, + "Custom Details": { + "type": "string" + }, + "Data Sources": { + 
"type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "OriginalQuery": { + "type": "string" + }, + "ProcessedBySentinel": { + "type": "string" + }, + "Query": { + "type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + }, + "alertDisplayName": { + "type": "string" + }, + "alertType": { + "type": "string" + }, + "confidenceLevel": { + "type": "string" + }, + "description": { + "type": "string" + }, + "endTimeUtc": { + "type": "string" + }, + "friendlyName": { + "type": "string" + }, + "processingEndTime": { + "type": "string" + }, + "productComponentName": { + "type": "string" + }, + "productName": { + "type": "string" + }, + "providerAlertId": { + "type": "string" + }, + "remediationSteps": { + "items": { + "type": "string" + }, + "type": "array" + }, + "resourceIdentifiers": { + "items": { + "properties": { + "type": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "required": [ + "type", + "workspaceId" + ], + "type": "object" + }, + "type": "array" + }, + "severity": { + "type": "string" + }, + "startTimeUtc": { + "type": "string" + }, + "status": { + "type": "string" + }, + "systemAlertId": { + "type": "string" + }, + "tactics": { + "items": { + "type": "string" + }, + "type": "array" + }, + "timeGenerated": { + "type": "string" + }, + "vendorName": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Alerts_from_incident_creation_or_incident_update": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "If_disrupt_action_found": { + "actions": { + "List_queues_(V2)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + 
"host": { + "connection": { + "name": "@parameters('$connections')['azurequeues']['connectionId']" + } + }, + "method": "get", + "path": "/v2/storageAccounts/@{encodeURIComponent(encodeURIComponent(parameters('P_StorageAccount')))}/queues/list" + } + }, + "Put_a_message_on_a_queue_(V2)_2": { + "runAfter": { + "was_queue_found": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{string(variables('DisruptAction'))}", + "host": { + "connection": { + "name": "@parameters('$connections')['azurequeues']['connectionId']" + } + }, + "method": "post", + "path": "/v2/storageAccounts/@{encodeURIComponent(encodeURIComponent(parameters('P_StorageAccount')))}/queues/@{encodeURIComponent(variables('sap_sid_guid'))}/messages" + } + }, + "Terminate_when_disrupt_succeeded": { + "runAfter": { + "Update_incident": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + }, + "Update_incident": { + "runAfter": { + "Put_a_message_on_a_queue_(V2)_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "@{concat('\"',variables('sap_sid_guid'),'\": \"', variables('DisruptAction'),'\"')}" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + }, + "search_for_existing_queue": { + "foreach": "@body('List_queues_(V2)')", + "actions": { + "Condition": { + "actions": { + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "sid_queue_exist", + "value": "@true" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@item()", + "@variables('sap_sid_guid')" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "List_queues_(V2)": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "was_queue_found": { + "actions": { + 
"Create_a_new_queue_(V2)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azurequeues']['connectionId']" + } + }, + "method": "put", + "path": "/v2/storageAccounts/@{encodeURIComponent(encodeURIComponent(parameters('P_StorageAccount')))}/queues/putQueue", + "queries": { + "queueName": "@variables('sap_sid_guid')" + } + } + } + }, + "runAfter": { + "search_for_existing_queue": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('sid_queue_exist')", + "@false" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_no_disrupt_action_found": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runStatus": "Cancelled" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('DisruptAction')", + "None" + ] + } + } + ] + }, + "type": "If" + }, + "Initialize_variable_DisruptAction": { + "runAfter": { + "Initialize_variable_sap_sid_guid": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "DisruptAction", + "type": "string", + "value": "None" + } + ] + } + }, + "Initialize_variable_sap_sid_guid": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "sap_sid_guid", + "type": "string", + "value": "WorkspaceQueue" + } + ] + } + }, + "Initialize_variable_sid_queue_exist": { + "runAfter": { + "Initialize_variable_DisruptAction": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "sid_queue_exist", + "type": "boolean", + "value": "@false" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azurequeues": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('azurequeuesConnectionName'))]", + "connectionName": 
"[variables('azurequeuesConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/Azurequeues')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('microsoftSentinelConnectionName'))]", + "connectionName": "[variables('microsoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('playbookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('location')]", + "tags": {}, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('azurequeuesConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('microsoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('azurequeuesConnectionName')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('azurequeuesConnectionName')]", + "customParameterValues": {}, + "parameterValueSet": { + "name": "managedIdentityAuth", + "values": {} + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/Azurequeues')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('microsoftSentinelConnectionName')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": 
"[variables('microsoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.SecurityInsights/automationRules", + "name": "[guid(parameters('automationRuleName'))]", + "scope": "[parameters('sentinelWorkspaceResourceId')]", + "apiVersion": "2023-02-01-preview", + "dependsOn": [ + "[resourceId('Microsoft.Logic/workflows', parameters('playbookName'))]" + ], + "properties": { + "displayName": "Run Disrupt on Incident Update", + "order": 1, + "triggeringLogic": { + "isEnabled": true, + "triggersOn": "Incidents", + "triggersWhen": "Updated", + "conditions": [ + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentProviderName", + "operator": "Equals", + "propertyValues": [ + "Microsoft 365 Defender" + ] + } + }, + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentTitle", + "operator": "Contains", + "propertyValues": [ + "[[DisruptSAP]" + ] + } + }, + { + "conditionType": "PropertyArrayChanged", + "conditionProperties": { + "arrayType": "Alerts", + "changeType": "Added" + } + } + ] + }, + "actions": [ + { + "order": 1, + "actionType": "RunPlaybook", + "actionConfiguration": { + "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('playbookName'))]", + "tenantId": "[subscription().tenantId]" + } + } + ] + } + }, + { + "condition": "[equals(parameters('storageAccount').newOrExisting, 'existing')]", + "type": "Microsoft.Resources/deployments", + "dependsOn": [ + "[resourceId('Microsoft.Logic/workflows', parameters('playbookName'))]" + ], + "apiVersion": "2019-10-01", + "name": "roleAssignmentToExistingStorageAccount", + "resourceGroup": "[parameters('storageAccount').resourceGroup]", + "properties": { + "mode": "Incremental", + 
"template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('virtualMachinePrincipalId'), variables('storageAccountName'))]", + "properties": { + "roleDefinitionId": "[variables('storageQueueMessageDataProcessorRoleDefinitionId')]", + "principalId": "[parameters('virtualMachinePrincipalId')]", + "principalType": "ServicePrincipal" + }, + "scope": "[variables('storageAccountResourceId')]" + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('playbookName'), variables('storageAccountName'))]", + "properties": { + "roleDefinitionId": "[variables('storageQueueDataContributorRoleDefinitionId')]", + "principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('playbookName')), '2019-05-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "scope": "[variables('storageAccountResourceId')]" + } + ] + } + } + } + ] +} diff --git a/Solutions/SAP/ARM templates/uiFormDefinition.json b/Solutions/SAP/ARM templates/uiFormDefinition.json new file mode 100644 index 00000000000..f792ac26e9d --- /dev/null +++ b/Solutions/SAP/ARM templates/uiFormDefinition.json 
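Review bot: `For_each` and the nested `For_each_remediation_step` in the workflow definition assign `DisruptAction` and `sap_sid_guid` with SetVariable but carry no `runtimeConfiguration`, and Logic Apps runs Foreach iterations in parallel by default, so when an incident carries several alerts (or an alert several matching remediation steps) the pair that reaches the queue message and the incident tag is whichever write landed last, possibly the GUID of one alert and the action of another. Adding `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to both loops makes the selection deterministic. The match itself is only `contains(items('For_each_remediation_step'), "ActionType")` on free text and the matched step is forwarded verbatim as the queue body in `Put_a_message_on_a_queue_(V2)_2`, so the playbook relies entirely on the automation rule's provider and title conditions for trust; a comment on `If_disrupt_action_found` stating that, or a re-check of the incident provider inside the workflow, would make the boundary explicit. `sap_sid_guid` is also used unvalidated as the queue name in `Create_a_new_queue_(V2)` and in the message path, and queue names have stricter rules (lowercase, 3–63 characters) than a GUID-like string lifted from alert text — TODO confirm the value the agent emits satisfies them.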
@@ -0,0 +1,172 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2021-09-09/uiFormDefinition.schema.json",
+ "view": {
+ "kind": "Form",
+ "properties": {
+ "title": "SAP Disrupt Form View",
+ "steps": [
+ {
+ "name": "basics",
+ "label": "Basics",
+ "elements": [
+ {
+ "name": "resourceScope",
+ "type": "Microsoft.Common.ResourceScope"
+ },
+ {
+ "name": "getRoleAssignment",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "POST",
+ "path": "providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01",
+ "body": {
+ "query": "[concat('authorizationresources | where resourceGroup == \"', steps('basics').resourceScope.resourceGroup.name, '\" | where properties.roleDefinitionId == \"/providers/Microsoft.Authorization/RoleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a\" and properties.scope == \"', steps('basics').resourceScope.resourceGroup.id, '\"')]"
+ }
+ }
+ },
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "request": {
+ "method": "GET",
+ "path": "[concat(steps('basics').resourceScope.subscription.id,'/resourcegroups/', steps('basics').resourceScope.resourceGroup.name, '/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "getVirtualMachineIdentity",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "POST",
+ "path": "providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01",
+ "body": {
+ "query": "resources | where type =~ 'microsoft.compute/virtualmachines' and isnotnull(identity)| project label = name, description = resourceGroup, value = identity.principalId | order by label asc"
+ }
+ }
+ },
+ {
+ "name": "sentinelWorkspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Sentinel Workspace",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[map(steps('basics').getLAWorkspace.value, (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\"}')))]",
+ "required": true
+ }
+ }
+ ]
+ },
+ {
+ "name": "disruptSettings",
+ "label": "Disrupt Settings",
+ "elements": [
+ {
+ "name": "sapSettings",
+ "type": "Microsoft.Common.Section",
+ "label": "SAP configuration",
+ "elements": [
+ {
+ "name": "preReqInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "Owner rights are needed during deployment for role assignment to the Azure Storage account.",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "virtualMachineIdentity",
+ "type": "Microsoft.Common.DropDown",
+ "label": "SAP agent VM",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[steps('basics').getVirtualMachineIdentity.data]",
+ "required": true
+ }
+ },
+ {
+ "name": "storageAccount",
+ "type": "Microsoft.Storage.StorageAccountSelector",
+ "label": "Storage account",
+ "toolTip": "",
+ "defaultValue": {
+ "name": "storageaccount01",
+ "type": "Premium_LRS"
+ },
+ "constraints": {
+ "allowedTypes": [],
+ "excludedTypes": []
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "visible": true
+ }
+ ],
+ "visible": true
+ },
+ {
+ "name": "disruptSettings",
+ "type": "Microsoft.Common.Section",
+ "label": "Disrupt configuration",
+ "elements": [
+ {
+ "name": "preReqInfoBox2",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[empty(steps('basics').getRoleAssignment.data)]",
+ "options": {
+ "text": "Missing Sentinel permissions for Playbooks. Configure them in the Sentinel workspace settings blade. After adding, wait up to 15 minutes before redeploying.",
+ "style": "Error"
+ }
+ },
+ {
+ "name": "playbookName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Disrupt playbook",
+ "toolTip": "The disrupt Playbook rule name is static and can not be modified.",
+ "defaultValue": "DisruptUsingQueueDynamicAlertProperties",
+ "readOnly": true
+ },
+ {
+ "name": "automationRuleName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Disrupt automation rule",
+ "toolTip": "The disrupt automation rule name is static and can not be modified.",
+ "defaultValue": "Run Disrupt on Incident Update",
+ "readOnly": true
+ }
+ ],
+ "visible": true
+ }
+ ]
+ }
+ ]
+ },
+ "outputs": {
+ "kind": "ResourceGroup",
+ "location": "[steps('basics').resourceScope.location.name]",
+ "resourceGroupId": "[steps('basics').resourceScope.resourceGroup.id]",
+ "parameters": {
+ "virtualMachinePrincipalId": "[steps('disruptSettings').sapSettings.virtualMachineIdentity]",
+ "storageAccount": "[steps('disruptSettings').sapSettings.storageAccount]",
+ "sentinelWorkspaceResourceId": "[steps('basics').sentinelWorkspace]",
+ "playbookName": "[steps('disruptSettings').disruptSettings.playbookName]",
+ "automationRuleName": "[steps('disruptSettings').disruptSettings.automationRuleName]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/SAP/sapcon-sentinel-kickstart.sh b/Solutions/SAP/sapcon-sentinel-kickstart.sh
index 6c52b12ceff..cb1b4b2277e 100755
--- a/Solutions/SAP/sapcon-sentinel-kickstart.sh
+++ b/Solutions/SAP/sapcon-sentinel-kickstart.sh
@@ -218,6 +218,7 @@ while [[ $# -gt 0 ]]; do
 ;;
 --http-proxy)
 HTTPPROXY="$2"
+ shift 2
 ;;
 --confirm-all-prompts)
 CONFIRMALL=1
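Review bot: The `storageAccount` selector defaults to `"type": "Premium_LRS"` with `allowedTypes` left empty, yet the template this form feeds uses that account to host the disrupt queue; Queue Storage is offered only on standard-performance general-purpose accounts, so a deployment that keeps the default succeeds and then fails later at the queue operations. Setting `"type": "Standard_LRS"` and constraining the choice, e.g. `"allowedTypes": ["Standard_LRS", "Standard_GRS", "Standard_ZRS"]`, keeps the user from selecting a premium account. `getVirtualMachineIdentity` projects `identity.principalId`, which is only populated for a system-assigned identity, so VMs with only a user-assigned identity pass the `isnotnull(identity)` filter and appear in the `SAP agent VM` list with an empty value — filter on `isnotnull(identity.principalId)` or say so in the element's `toolTip`. `preReqInfoBox2` is informational only; nothing in the form blocks submission when `getRoleAssignment.data` is empty, which its text should state.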
@@ -750,17 +751,18 @@ while [ -z "$SDKFILELOC" ] || [ ! -f "$SDKFILELOC" ]; do SDKFILELOC="${SDKFILELOC/#\~/$HOME}" done -#Verifying SDK version - -unzip -o "$SDKFILELOC" -d /tmp/ > /dev/null 2>&1 -SDKLOADRESULT=$(ldd /tmp/nwrfcsdk/lib/libsapnwrfc.so 2>&1) -sdkok=$? -rm -rf /tmp/nwrfcsdk -if [ ! $sdkok -eq 0 ]; then - echo "Invalid SDK supplied. The error while attempting to load the SAP NetWeaver SDK:" - echo $SDKLOADRESULT - echo "Please rerun script supplying version of SAP NetWeaver SDK compatible with the current OS platform" - exit 1 +#Verifying SDK version only in case of non-fedora OS +if [ "$os" != "fedora" ]; then + unzip -o "$SDKFILELOC" -d /tmp/ > /dev/null 2>&1 + SDKLOADRESULT=$(ldd /tmp/nwrfcsdk/lib/libsapnwrfc.so 2>&1) + sdkok=$? + rm -rf /tmp/nwrfcsdk + if [ ! $sdkok -eq 0 ]; then + echo "Invalid SDK supplied. The error while attempting to load the SAP NetWeaver SDK:" + echo $SDKLOADRESULT + echo "Please rerun script supplying version of SAP NetWeaver SDK compatible with the current OS platform" + exit 1 + fi fi #Building the container diff --git a/Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh b/Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh index 1b698aa6e12..da2daa00203 100644 --- a/Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh +++ b/Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh 
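Review bot: Wrapping the SDK load check in `if [ "$os" != "fedora" ]` means a Fedora host now goes straight to the container build with an archive that was never inspected, and nothing tells the operator that the check was skipped; the same silent bypass is in the `sapcon-sentinel-ui-agent-kickstart.sh` hunk below. At minimum add an `else` branch that says so, e.g. `else echo "Skipping SAP NetWeaver SDK verification on $os; an incompatible SDK will only surface when the container starts"`, and extend the comment with why Fedora is excluded (presumably the `ldd` probe is not usable there, but the hunk does not say). While these lines are being re-indented, the block still extracts to the fixed path `/tmp/nwrfcsdk` in the shared `/tmp` and then `rm -rf`s that fixed path; a private directory from `mktemp -d` avoids collisions with other users or a stale tree on a multi-user host. Note also that `ldd` hands the supplied library to the dynamic loader, so the archive must come from a trusted source—worth stating next to the prompt that asks for it. Where `$os` is assigned is outside the hunk.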
@@ -371,17 +371,19 @@ if [ $USESNC ]; then
 sudo chown root:root "$sysfileloc"sec >/dev/null 2>&1
 fi
-#Verifying SDK version
-unzip -o "$SDKFILELOC" -d /tmp/ > /dev/null 2>&1
-sudo chmod +x -R /tmp/nwrfcsdk/lib/*.so
-SDKLOADRESULT=$(ldd /tmp/nwrfcsdk/lib/libsapnwrfc.so 2>&1)
-sdkok=$?
-rm -rf /tmp/nwrfcsdk
-if [ ! $sdkok -eq 0 ]; then
- log "Invalid SDK supplied. The error while attempting to load the SAP NetWeaver SDK:"
- log "$SDKLOADRESULT"
- log "Please rerun script supplying version of SAP NetWeaver SDK compatible with the current OS platform"
- exit 1
+#Verifying SDK version only in case of non-fedora OS
+if [ "$os" != "fedora" ]; then
+ unzip -o "$SDKFILELOC" -d /tmp/ > /dev/null 2>&1
+ sudo chmod +x -R /tmp/nwrfcsdk/lib/*.so
+ SDKLOADRESULT=$(ldd /tmp/nwrfcsdk/lib/libsapnwrfc.so 2>&1)
+ sdkok=$?
+ rm -rf /tmp/nwrfcsdk
+ if [ ! $sdkok -eq 0 ]; then
+ log "Invalid SDK supplied. The error while attempting to load the SAP NetWeaver SDK:"
+ log "$SDKLOADRESULT"
+ log "Please rerun script supplying version of SAP NetWeaver SDK compatible with the current OS platform"
+ exit 1
+ fi
 fi
 #Building the container
diff --git a/Solutions/SentinelSOARessentials/Data/Solution_SentinelSOAREssentials.json b/Solutions/SentinelSOARessentials/Data/Solution_SentinelSOAREssentials.json
index b93c2fb6f40..b4adbc23f55 100644
--- a/Solutions/SentinelSOARessentials/Data/Solution_SentinelSOAREssentials.json
+++ b/Solutions/SentinelSOARessentials/Data/Solution_SentinelSOAREssentials.json
@@ -31,7 +31,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SentinelSOARessentials",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "TemplateSpec": true,
 "Is1PConnector": true
 }
\ No newline at end of file
diff --git a/Solutions/SentinelSOARessentials/Package/3.0.1.zip b/Solutions/SentinelSOARessentials/Package/3.0.1.zip
new file mode 100644
index 00000000000..25f3a29c904
Binary files /dev/null and b/Solutions/SentinelSOARessentials/Package/3.0.1.zip differ
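Review bot: `sudo chmod +x -R /tmp/nwrfcsdk/lib/*.so` on the new side runs a root-privileged chmod over files that the preceding unprivileged `unzip` just wrote under a fixed path in the shared `/tmp`; since those files are owned by the invoking user, the `sudo` is not needed for the chmod, and dropping it removes a root operation on operator-supplied content. The `-R` is likewise redundant when the argument is an explicit `*.so` glob of regular files, so `chmod +x /tmp/nwrfcsdk/lib/*.so` (better, on a `mktemp -d` directory) does the same job with less privilege. Whether `$os` is set earlier in this script is not visible in the hunk.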
diff --git a/Solutions/SentinelSOARessentials/Package/mainTemplate.json b/Solutions/SentinelSOARessentials/Package/mainTemplate.json
index 0968ddfe5ce..ebbc2523657 100644
--- a/Solutions/SentinelSOARessentials/Package/mainTemplate.json
+++ b/Solutions/SentinelSOARessentials/Package/mainTemplate.json
@@ -65,7 +65,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "SentinelSOARessentials",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-sentinelsoaressentials",
 "_solutionId": "[variables('solutionId')]",
 "Incident-Assignment-Shifts": "Incident-Assignment-Shifts",
@@ -74,7 +74,7 @@
 "playbookContentId1": "Incident-Assignment-Shifts",
 "_playbookContentId1": "[variables('playbookContentId1')]",
 "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
- "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))),variables('playbookVersion1')))]",
+ "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
 "Notify-IncidentClosed": "Notify-IncidentClosed",
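Review bot: The new `playbookTemplateSpecName1` value keeps an inner `concat(...)` that no longer serves a purpose once the version suffix is gone; `"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]"` yields the same string and is easier to read. The same leftover nesting appears in `playbookTemplateSpecName2` through `18` and `workbookTemplateSpecName1` through `4` in the following hunks. Dropping `playbookVersionN` from the name means each content-template resource is now updated in place on every release instead of being created per version; that is presumably intended, since `_playbookcontentProductIdN` still carries the version, but it is worth a comment in the template and a check that workspaces already holding the old versioned names do not keep orphaned template resources behind.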
@@ -83,7 +83,7 @@
 "playbookContentId2": "Notify-IncidentClosed",
 "_playbookContentId2": "[variables('playbookContentId2')]",
 "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
- "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))),variables('playbookVersion2')))]",
+ "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
 "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
 "Notify-IncidentReopened": "Notify-IncidentReopened",
 "_Notify-IncidentReopened": "[variables('Notify-IncidentReopened')]",
@@ -91,7 +91,7 @@
 "playbookContentId3": "Notify-IncidentReopened",
 "_playbookContentId3": "[variables('playbookContentId3')]",
 "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
- "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))),variables('playbookVersion3')))]",
+ "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
 "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
 "Notify-IncidentSeverityChanged": "Notify-IncidentSeverityChanged",
 "_Notify-IncidentSeverityChanged": "[variables('Notify-IncidentSeverityChanged')]",
@@ -99,7 +99,7 @@
 "playbookContentId4": "Notify-IncidentSeverityChanged",
 "_playbookContentId4": "[variables('playbookContentId4')]",
 "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
- "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))),variables('playbookVersion4')))]",
+ "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
 "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
 "Notify-Owner": "Notify-Owner",
 "_Notify-Owner": "[variables('Notify-Owner')]",
@@ -107,7 +107,7 @@
 "playbookContentId5": "Notify-Owner",
 "_playbookContentId5": "[variables('playbookContentId5')]",
 "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
- "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))),variables('playbookVersion5')))]",
+ "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
 "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
 "Post-Message-Slack-alert-trigger": "Post-Message-Slack-alert-trigger",
 "_Post-Message-Slack-alert-trigger": "[variables('Post-Message-Slack-alert-trigger')]",
@@ -116,7 +116,7 @@
 "playbookContentId6": "Post-Message-Slack-alert-trigger",
 "_playbookContentId6": "[variables('playbookContentId6')]",
 "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
- "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))),variables('playbookVersion6')))]",
+ "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
 "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
 "Post-Message-Teams-alert-trigger": "Post-Message-Teams-alert-trigger",
 "_Post-Message-Teams-alert-trigger": "[variables('Post-Message-Teams-alert-trigger')]",
@@ -124,7 +124,7 @@
 "playbookContentId7": "Post-Message-Teams-alert-trigger",
 "_playbookContentId7": "[variables('playbookContentId7')]",
 "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
- "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))),variables('playbookVersion7')))]",
+ "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
 "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
 "Post-Message-Teams-incident-trigger": "Post-Message-Teams-incident-trigger",
 "_Post-Message-Teams-incident-trigger": "[variables('Post-Message-Teams-incident-trigger')]",
@@ -132,7 +132,7 @@
 "playbookContentId8": "Post-Message-Teams-incident-trigger",
 "_playbookContentId8": "[variables('playbookContentId8')]",
 "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
- "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))),variables('playbookVersion8')))]",
+ "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
 "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
 "Post-Message-Slack-incident-trigger": "Post-Message-Slack-incident-trigger",
 "_Post-Message-Slack-incident-trigger": "[variables('Post-Message-Slack-incident-trigger')]",
@@ -140,7 +140,7 @@
 "playbookContentId9": "Post-Message-Slack-incident-trigger",
 "_playbookContentId9": "[variables('playbookContentId9')]",
 "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
- "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))),variables('playbookVersion9')))]",
+ "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]",
 "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
 "relateAlertsToIncident-basedOnIP": "relateAlertsToIncident-basedOnIP",
 "_relateAlertsToIncident-basedOnIP": "[variables('relateAlertsToIncident-basedOnIP')]",
@@ -149,7 +149,7 @@
 "playbookContentId10": "relateAlertsToIncident-basedOnIP",
 "_playbookContentId10": "[variables('playbookContentId10')]",
 "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]",
- "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))),variables('playbookVersion10')))]",
+ "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]",
 "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]",
 "Send-basic-email": "Send-basic-email",
 "_Send-basic-email": "[variables('Send-basic-email')]",
@@ -157,7 +157,7 @@
 "playbookContentId11": "Send-basic-email",
 "_playbookContentId11": "[variables('playbookContentId11')]",
 "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]",
- "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))),variables('playbookVersion11')))]",
+ "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]",
 "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]",
 "Send-email-with-formatted-incident-report": "Send-email-with-formatted-incident-report",
 "_Send-email-with-formatted-incident-report": "[variables('Send-email-with-formatted-incident-report')]",
@@ -165,7 +165,7 @@
 "playbookContentId12": "Send-email-with-formatted-incident-report",
 "_playbookContentId12": "[variables('playbookContentId12')]",
 "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]",
- "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))),variables('playbookVersion12')))]",
+ "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]",
 "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]",
 "CreateIncident-MicrosoftForms": "CreateIncident-MicrosoftForms",
 "_CreateIncident-MicrosoftForms": "[variables('CreateIncident-MicrosoftForms')]",
@@ -173,7 +173,7 @@
 "playbookContentId13": "CreateIncident-MicrosoftForms",
 "_playbookContentId13": "[variables('playbookContentId13')]",
 "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]",
- "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))),variables('playbookVersion13')))]",
+ "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]",
 "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]",
 "CreateIncident-SharedMailbox": "CreateIncident-SharedMailbox",
 "_CreateIncident-SharedMailbox": "[variables('CreateIncident-SharedMailbox')]",
@@ -181,7 +181,7 @@
 "playbookContentId14": "CreateIncident-SharedMailbox",
 "_playbookContentId14": "[variables('playbookContentId14')]",
 "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]",
- "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))),variables('playbookVersion14')))]",
+ "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]",
 "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]",
 "M365D_BEC_Playbook_for_SecOps-Tasks": "M365D_BEC_Playbook_for_SecOps-Tasks",
 "_M365D_BEC_Playbook_for_SecOps-Tasks": "[variables('M365D_BEC_Playbook_for_SecOps-Tasks')]",
@@ -189,7 +189,7 @@
 "playbookContentId15": "M365D_BEC_Playbook_for_SecOps-Tasks",
 "_playbookContentId15": "[variables('playbookContentId15')]",
 "playbookId15": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId15'))]",
- "playbookTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId15'))),variables('playbookVersion15')))]",
+ "playbookTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId15'))))]",
 "_playbookcontentProductId15": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId15'),'-', variables('playbookVersion15'))))]",
 "M365D_Phishing_Playbook_for_SecOps-Tasks": "M365D_Phishing_Playbook_for_SecOps-Tasks",
 "_M365D_Phishing_Playbook_for_SecOps-Tasks": "[variables('M365D_Phishing_Playbook_for_SecOps-Tasks')]",
@@ -197,7 +197,7 @@
 "playbookContentId16": "M365D_Phishing_Playbook_for_SecOps-Tasks",
 "_playbookContentId16": "[variables('playbookContentId16')]",
 "playbookId16": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId16'))]",
- "playbookTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId16'))),variables('playbookVersion16')))]",
+ "playbookTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId16'))))]",
 "_playbookcontentProductId16": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId16'),'-', variables('playbookVersion16'))))]",
 "M365D_Ransomware_Playbook_for_SecOps-Tasks": "M365D_Ransomware_Playbook_for_SecOps-Tasks",
 "_M365D_Ransomware_Playbook_for_SecOps-Tasks": "[variables('M365D_Ransomware_Playbook_for_SecOps-Tasks')]",
@@ -205,7 +205,7 @@
 "playbookContentId17": "M365D_Ransomware_Playbook_for_SecOps-Tasks",
 "_playbookContentId17": "[variables('playbookContentId17')]",
 "playbookId17": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId17'))]",
- "playbookTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId17'))),variables('playbookVersion17')))]",
+ "playbookTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId17'))))]",
 "_playbookcontentProductId17": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId17'),'-', variables('playbookVersion17'))))]",
 "Send-Teams-adaptive-card-on-incident-creation": "Send-Teams-adaptive-card-on-incident-creation",
 "_Send-Teams-adaptive-card-on-incident-creation": "[variables('Send-Teams-adaptive-card-on-incident-creation')]",
@@ -213,30 +213,30 @@
 "playbookContentId18": "Send-Teams-adaptive-card-on-incident-creation",
 "_playbookContentId18": "[variables('playbookContentId18')]",
 "playbookId18": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId18'))]",
- "playbookTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId18'))),variables('playbookVersion18')))]",
+ "playbookTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId18'))))]",
 "_playbookcontentProductId18": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId18'),'-', variables('playbookVersion18'))))]",
 "workbookVersion1": "2.0.0",
 "workbookContentId1": "AutomationHealth",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
 "_workbookContentId1": "[variables('workbookContentId1')]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "workbookVersion2": "2.1.0",
 "workbookContentId2": "IncidentOverview",
 "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
- "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))),variables('workbookVersion2')))]",
+ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
 "_workbookContentId2": "[variables('workbookContentId2')]",
 "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
 "workbookVersion3": "1.5.0",
 "workbookContentId3": "SecurityOperationsEfficiency",
 "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]",
- "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))),variables('workbookVersion3')))]",
+ "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
 "_workbookContentId3": "[variables('workbookContentId3')]",
 "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]",
 "workbookVersion4": "1.1.0",
 "workbookContentId4": "IncidentTasksWorkbook",
 "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]",
- "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))),variables('workbookVersion4')))]",
+ "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]",
 "_workbookContentId4": "[variables('workbookContentId4')]",
 "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
@@ -251,7 +251,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Sentinel_Incident_Assignment_Shifts Playbook with template version 3.0.0",
+ "description": "Sentinel_Incident_Assignment_Shifts Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -934,7 +934,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Notify-IncidentClosed Playbook with template version 3.0.0",
+ "description": "Notify-IncidentClosed Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -1311,7 +1311,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Notify-IncidentReopened Playbook with template version 3.0.0",
+ "description": "Notify-IncidentReopened Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -1680,7 +1680,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Notify-IncidentSeverityChanged Playbook with template version 3.0.0",
+ "description": "Notify-IncidentSeverityChanged Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -2045,7 +2045,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "updatetrigger-notifyOwner Playbook with template version 3.0.0",
+ "description": "updatetrigger-notifyOwner Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -2256,7 +2256,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PostMessageSlack-OnAlert Playbook with template version 3.0.0",
+ "description": "PostMessageSlack-OnAlert Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -2468,7 +2468,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PostMessageTeams-OnAlert Playbook with template version 3.0.0",
+ "description": "PostMessageTeams-OnAlert Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion7')]",
@@ -2692,7 +2692,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PostMessageTeams Playbook with template version 3.0.0",
+ "description": "PostMessageTeams Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion8')]",
@@ -2902,7 +2902,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PostMessageSlack Playbook with template version 3.0.0",
+ "description": "PostMessageSlack Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion9')]",
@@ -3097,7 +3097,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "relateAlertsToIncident-basedOnIP Playbook with template version 3.0.0",
+ "description": "relateAlertsToIncident-basedOnIP Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion10')]",
@@ -3475,7 +3475,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Send-basic-email Playbook with template version 3.0.0",
+ "description": "Send-basic-email Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion11')]",
@@ -3728,7 +3728,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Send-email-with-formatted-incident-report Playbook with template version 3.0.0",
+ "description": "Send-email-with-formatted-incident-report Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion12')]",
@@ -4022,7 +4022,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CreateIncident-MicrosoftForm Playbook with template version 3.0.0",
+ "description": "CreateIncident-MicrosoftForm Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion13')]",
@@ -4388,7 +4388,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CreateIncident-SharedMailbox Playbook with template version 3.0.0",
+ "description": "CreateIncident-SharedMailbox Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion14')]",
@@ -4766,7 +4766,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "M365D_BEC_Playbook_for_SecOps-Tasks Playbook with template version 3.0.0",
+ "description": "M365D_BEC_Playbook_for_SecOps-Tasks Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion15')]",
@@ -5241,7 +5241,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "M365D_Phishing_Playbook_for_SecOps-Tasks Playbook with template version 3.0.0",
+ "description": "M365D_Phishing_Playbook_for_SecOps-Tasks Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion16')]",
@@ -5720,7 +5720,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "M365D_Ransomware_Playbook_for_SecOps-Tasks Playbook with template version 3.0.0",
+ "description": "M365D_Ransomware_Playbook_for_SecOps-Tasks Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion17')]",
@@ -6796,7 +6796,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Send-Teams-adaptive-card-on-incident-creation Playbook with template version 3.0.0",
+ "description": "Send-Teams-adaptive-card-on-incident-creation Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion18')]",
@@ -7247,7 +7247,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AutomationHealthWorkbook Workbook with template version 3.0.0",
+ "description": "AutomationHealthWorkbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -7331,7 +7331,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IncidentOverviewWorkbook Workbook with template version 3.0.0",
+ "description": "IncidentOverviewWorkbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -7419,7 +7419,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SecurityOperationsEfficiencyWorkbook Workbook with template version 3.0.0",
+ "description": "SecurityOperationsEfficiencyWorkbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -7437,7 +7437,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook3-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Operations Efficiency\"},\"customWidth\":\"35\",\"name\":\"Main headline\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9a199167-2dde-49dd-8f01-23e9d1fa8151\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InternalWSs\",\"type\":1,\"isRequired\":true,\"query\":\"SecurityIncident\\r\\n| take 1\\r\\n| parse IncidentUrl with * \\\"/workspaces/\\\" Workspace \\\"/\\\" *\\r\\n| project Workspace\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7806fefd-432f-4828-9756-8c0be5c08d07\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InternalSub\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"55d3ab63-6e1f-4d02-8d9e-2225526689c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 
1\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"95a45501-31b5-4ea2-bcb3-eb208e0080e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"//resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains //'SecurityInsights' | project id //= tostring(properties.workspaceResourceId)\\r\\n\\r\\nwhere type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project value =id, label = name, selected = iff(name =~ '{InternalWSs}', true, false)\\r\\n\\r\\n\\r\\n\",\"crossComponentResources\":[\"value::all\"],\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Incident Creation Time\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true}},{\"id\":\"3a87d4f7-42cc-4c62-b543-6b5d9ab8cf27\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| summarize Count = count(IncidentNumber) by Severity\\r\\n| project Value = Severity, Label = strcat(Severity, \\\": \\\", 
Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"81085d3a-5aca-488e-b7c6-ecf1167e59f7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Tactics\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = todynamic(AdditionalData.tactics)\\r\\n| mvexpand Tactics to typeof(string)\\r\\n| summarize Count=count(IncidentNumber) by Tactics\\r\\n| project Value = Tactics, Label = strcat(Tactics, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f9efb0d-ac34-41d0-8a19-165840eb2a71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend owner = tostring(Owner.assignedTo) \\r\\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\\\"\\\", \\\"Unassigned\\\",owner)\\r\\n| project Value = Owner, Label = strcat(Owner, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf86113b-59ad-4fc9-aeb7-9b44e230641e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Product\",\"label\":\"Product Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| 
extend Product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]) \\r\\n| summarize Count=count(IncidentNumber) by Product\\r\\n| project Value = Product, Label = strcat(Product, \\\": \\\", Count)\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"baa92cd2-7ade-41c3-a07c-a11f5ce3e0e6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"customWidth\":\"100\",\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"## Incidents created over time\"},\"customWidth\":\"67\",\"name\":\"Incidents over time - headline\"},{\"type\":1,\"content\":{\"json\":\"## Incidents by closing classification\"},\"customWidth\":\"32\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize 
count() by bin(CreatedTime, 1h)\\n\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"unstackedbar\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Incidents\"}]}},\"customWidth\":\"67\",\"name\":\"Incidents over time \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Status == 'Closed'\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend feedback =strcat(Classification,\\\" \\\",ClassificationReason)\\n| summarize dcount(IncidentNumber) by feedback\\n\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize 
arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize dcount(IncidentNumber) by Severity\",\"size\":1,\"title\":\"Incidents created by severity\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Informational\",\"color\":\"gray\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"22\",\"name\":\"By severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) 
or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":1,\"title\":\"Incidents created by owner\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By owner\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by Status\\n\",\"size\":1,\"title\":\"Incidents created by 
status\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By status\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = 
(FirstModifiedTime - CreatedTime)/1h\\n| summarize AvgTTT=avg(TimeToTriage) \\n\",\"size\":1,\"title\":\"Mean time to triage\",\"timeContext\":{\"durationMs\":94608000000,\"endTime\":\"2023-06-01T16:58:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTT\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTT\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize AvgTTC=avg(TimeToClosure)\",\"size\":1,\"title\":\"Mean time to closure 
\",\"timeContext\":{\"durationMs\":94608000000,\"endTime\":\"2023-06-01T16:33:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTC\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTM\"}]},\"customWidth\":\"34\",\"name\":\"Mean times\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by severity over time \"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity 
over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by owner over time \"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner)), bin(CreatedTime, 1d)\\n\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by status over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by product over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident 
status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tactics over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| mvexpand Tactics to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tags over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = 
todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend Tags = extract_all('labelName\\\":\\\"(.*?)\\\"',tostring(Labels))\\n| mvexpand Tags to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tags, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by name\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by bin(CreatedTime, 1h), Title\\n| order by count_ 
desc\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time left panel\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to triage (percentiles)\"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 
1d)\\n\",\"size\":1,\"aggregation\":3,\"timeContext\":{\"durationMs\":94608000000,\"endTime\":\"2023-06-01T16:45:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}}}}},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to closure (percentiles)\\r\\n\"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 
1d)\\n\",\"size\":1,\"aggregation\":3,\"timeContext\":{\"durationMs\":94608000000,\"endTime\":\"2023-06-01T16:47:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false},\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}},\"min\":0}}},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to closure per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and last closure by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n|where Status == 'Closed' \\n| extend Ownerr = case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, 
Owner = Ownerr\\n| extend TimeToTriage = LastModifiedTime - CreatedTime, Owner\\n| summarize avg(TimeToTriage/1h) by Owner\\n\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to triage per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and first modification by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or 
\\\"*\\\" in ({Product})\\n| summarize arg_max(FirstModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = FirstModifiedTime - CreatedTime\\n| extend MinToTriage = TimeToTriage/1h\\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status triage\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Actions per user\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The number of actions taken on incidents per incident modifier\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where ModifiedBy !in(\\\"Alert Grouping\\\",\\\"Fusion\\\",\\\"Incident created from alert\\\")\\n| where ModifiedBy !contains(\\\"Automation rule\\\")\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = 
todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by ModifiedBy\\n\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ModifiedBy\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent activities\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Most recent activities taken on incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend 
Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent incident closing classification\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Recent closing classifications and comments of incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| where Status == 'Closed'\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Classification\"},{\"columnId\":\"ClassificationReason\",\"label\":\"Classification Reason\"},{\"columnId\":\"ClassificationComment\",\"label\":\"Classification Comment\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified 
By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time right panel\"}],\"fromTemplateId\":\"sentinel-SecurityOperationsEfficiency\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Security Operations Efficiency\"},\"customWidth\":\"35\",\"name\":\"Main headline\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9a199167-2dde-49dd-8f01-23e9d1fa8151\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InternalWSs\",\"type\":1,\"isRequired\":true,\"query\":\"SecurityIncident\\r\\n| take 1\\r\\n| parse IncidentUrl with * \\\"/workspaces/\\\" Workspace \\\"/\\\" *\\r\\n| project Workspace\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"7806fefd-432f-4828-9756-8c0be5c08d07\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InternalSub\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project 
subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"55d3ab63-6e1f-4d02-8d9e-2225526689c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 1\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"95a45501-31b5-4ea2-bcb3-eb208e0080e2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"//resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains //'SecurityInsights' | project id //= tostring(properties.workspaceResourceId)\\r\\n\\r\\nwhere type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| project value =id, label = name, selected = iff(name =~ '{InternalWSs}', true, false)\\r\\n\\r\\n\\r\\n\",\"crossComponentResources\":[\"value::all\"],\"timeContextFromParameter\":\"TimeRange\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7d597ad7-4a2a-45ed-a4fe-7ee32de0fc22\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Incident Creation 
Time\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000}],\"allowCustom\":true}},{\"id\":\"3a87d4f7-42cc-4c62-b543-6b5d9ab8cf27\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| summarize Count = count(IncidentNumber) by Severity\\r\\n| project Value = Severity, Label = strcat(Severity, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"81085d3a-5aca-488e-b7c6-ecf1167e59f7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Tactics\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend Tactics = todynamic(AdditionalData.tactics)\\r\\n| mvexpand Tactics to typeof(string)\\r\\n| summarize Count=count(IncidentNumber) by Tactics\\r\\n| project Value = Tactics, Label = strcat(Tactics, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f9efb0d-ac34-41d0-8a19-165840eb2a71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend owner = tostring(Owner.assignedTo) 
\\r\\n| summarize Count=count(IncidentNumber) by Owner= case(owner==\\\"\\\", \\\"Unassigned\\\",owner)\\r\\n| project Value = Owner, Label = strcat(Owner, \\\": \\\", Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf86113b-59ad-4fc9-aeb7-9b44e230641e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Product\",\"label\":\"Product Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| extend Product = tostring(parse_json(tostring(AdditionalData.alertProductNames))[0]) \\r\\n| summarize Count=count(IncidentNumber) by Product\\r\\n| project Value = Product, Label = strcat(Product, \\\": \\\", Count)\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"baa92cd2-7ade-41c3-a07c-a11f5ce3e0e6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"customWidth\":\"100\",\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"## Incidents created over time\"},\"customWidth\":\"67\",\"name\":\"Incidents over time - headline\"},{\"type\":1,\"content\":{\"json\":\"## Incidents by closing 
classification\"},\"customWidth\":\"32\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by bin(CreatedTime, 1h)\\n\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"exportFieldName\":\"CreatedTime\",\"exportParameterName\":\"TimePicker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"unstackedbar\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"CreatedTime\",\"sortOrder\":2}],\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Incidents\"}]}},\"customWidth\":\"67\",\"name\":\"Incidents over time \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Status == 'Closed'\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend feedback =strcat(Classification,\\\" \\\",ClassificationReason)\\n| summarize dcount(IncidentNumber) by feedback\\n\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Incidents by classification - headline\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated,Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize dcount(IncidentNumber) by Severity\",\"size\":1,\"title\":\"Incidents created by 
severity\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Informational\",\"color\":\"gray\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"22\",\"name\":\"By severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":1,\"title\":\"Incidents created by 
owner\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By owner\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by Status\\n\",\"size\":1,\"title\":\"Incidents created by 
status\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"22\",\"name\":\"By status\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = 
(FirstModifiedTime - CreatedTime)/1h\\n| summarize AvgTTT=avg(TimeToTriage) \\n\",\"size\":1,\"title\":\"Mean time to triage\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTT\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTT\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize AvgTTC=avg(TimeToClosure)\",\"size\":1,\"title\":\"Mean time to closure 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AvgTTC\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"50\",\"name\":\"MTTM\"}]},\"customWidth\":\"34\",\"name\":\"Mean times\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by severity over time \"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Severity, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over 
time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by owner over time \"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner)), bin(CreatedTime, 1d)\\n\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by status over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by Status, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by product over time\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize Incidents=dcount(IncidentNumber) by tostring(Product), bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\"},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident 
status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tactics over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| mvexpand Tactics to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tactics, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by tags over time \"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = 
todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| extend Tags = extract_all('labelName\\\":\\\"(.*?)\\\"',tostring(Labels))\\n| mvexpand Tags to typeof(string)\\n| summarize Incidents=dcount(IncidentNumber) by Tags, bin(CreatedTime, 1d)\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"unstackedbar\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Incidents created by name\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident \\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData,CreatedTime) by IncidentNumber, Title\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by bin(CreatedTime, 1h), Title\\n| order by count_ 
desc\",\"size\":1,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time left panel\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to triage (percentiles)\"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to triage, is the time between the incident creation and its first update.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 
1d)\\n\",\"size\":1,\"aggregation\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}}}}},\"name\":\"query - 2 - Copy - Copy\"}]},\"name\":\"Incidents severity over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Time to closure (percentiles)\\r\\n\"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Time to closure, is the time between the incident creation and its last closure.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \\n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 
1d)\\n\",\"size\":1,\"aggregation\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"percentile_MinToTriage_5\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false},\"chartSettings\":{\"ySettings\":{\"numberFormatSettings\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":3}},\"min\":0}}},\"name\":\"query - 2 - Copy - Copy - Copy\"}]},\"name\":\"Incident owner over time\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to closure per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and last closure by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n|where Status == 'Closed' \\n| extend Ownerr = case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n| summarize arg_min(LastModifiedTime,*) by IncidentNumber, Owner = Ownerr\\n| extend TimeToTriage 
= LastModifiedTime - CreatedTime, Owner\\n| summarize avg(TimeToTriage/1h) by Owner\\n\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Mean time to triage per owner\\r\\n\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The mean time between the incident creation and first modification by owner\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeRange:start} and CreatedTime <= {TimeRange:end}\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize 
arg_max(FirstModifiedTime,*) by IncidentNumber \\n| extend TimeToTriage = FirstModifiedTime - CreatedTime\\n| extend MinToTriage = TimeToTriage/1h\\n| summarize avg(TimeToTriage/1h) by owner=case(tostring(Owner)==\\\"\\\", \\\"Unassigned\\\",tostring(Owner))\\n\\n\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"owner\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"avg_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":26,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status triage\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Actions per user\"},\"name\":\"text - 2 - Copy\"},{\"type\":1,\"content\":{\"json\":\"The number of actions taken on incidents per incident modifier\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where CreatedTime >= {TimeBrush:start} and CreatedTime <= {TimeBrush:end}\\n| where ModifiedBy !in(\\\"Alert Grouping\\\",\\\"Fusion\\\",\\\"Incident created from alert\\\")\\n| where ModifiedBy !contains(\\\"Automation rule\\\")\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in 
({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| summarize count() by ModifiedBy\\n\",\"size\":4,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"series\",\"exportParameterName\":\"Status\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ModifiedBy\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2}},\"name\":\"query - 2 - Copy\"}]},\"name\":\"Incident status over time - Copy\",\"styleSettings\":{\"margin\":\"0\",\"padding\":\"0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent activities\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Most recent activities taken on incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = 
todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Product, IncidentUrl, ModifiedBy,Status, Severity, Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recent incident closing classification\"},\"name\":\"text - 2 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Recent closing classifications and comments of incidents\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Help3 - Copy - Copy - Copy - Copy - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\n| where Severity in ({Severity}) or \\\"*\\\" in ({Severity})\\n| extend Tactics = todynamic(AdditionalData.tactics)\\n| where Tactics in ({Tactics}) or \\\"*\\\" in ({Tactics})\\n| extend Owner = todynamic(Owner.assignedTo) \\n| where Owner in ({Owner}) or \\\"*\\\" in ({Owner})\\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \\n| where Product in ({Product}) or \\\"*\\\" in ({Product})\\n| where Status == 'Closed'\\n| order by LastModifiedTime \\n| project LastModifiedTime,IncidentNumber, Title, Classification, ClassificationReason,ClassificationComment, Product, IncidentUrl, ModifiedBy,Status, Severity,Owner\\n| take 250\\n\\n\\n\",\"size\":1,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to incident >\"}}],\"labelSettings\":[{\"columnId\":\"LastModifiedTime\",\"label\":\"Last Modified Time\"},{\"columnId\":\"IncidentNumber\",\"label\":\"Incident Number\"},{\"columnId\":\"Title\"},{\"columnId\":\"Classification\"},{\"columnId\":\"ClassificationReason\",\"label\":\"Classification Reason\"},{\"columnId\":\"ClassificationComment\",\"label\":\"Classification Comment\"},{\"columnId\":\"Product\"},{\"columnId\":\"IncidentUrl\",\"label\":\"Link to incident\"},{\"columnId\":\"ModifiedBy\",\"label\":\"Modified 
By\"},{\"columnId\":\"Status\"},{\"columnId\":\"Severity\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"IncidentNumber\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Incidents tactic over time - Copy\"}]},\"customWidth\":\"50\",\"name\":\"Over time right panel\"}],\"fromTemplateId\":\"sentinel-SecurityOperationsEfficiency\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel"
@@ -7507,7 +7507,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IncidentTasksWorkbookWorkbook Workbook with template version 3.0.0",
+ "description": "IncidentTasksWorkbookWorkbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]",
@@ -7578,7 +7578,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "SentinelSOARessentials",
diff --git a/Solutions/SentinelSOARessentials/ReleaseNotes.md b/Solutions/SentinelSOARessentials/ReleaseNotes.md
index 62605b6698a..336d6b26bf4 100644
--- a/Solutions/SentinelSOARessentials/ReleaseNotes.md
+++ b/Solutions/SentinelSOARessentials/ReleaseNotes.md
@@ -1,4 +1,5 @@
-| **Version** | **Date Modified (DD-MM-YYY)** | **Change History** |
-|-------------|--------------------------------|--------------------------------------------|
+| **Version** | **Date Modified (DD-MM-YYY)** | **Change History** |
+|-------------|--------------------------------|----------------------------------------------------------------------------------------|
+| 3.0.1 | 11-08-2023 | Updated timeContextFromParameter with TimeRange in the Workbook template |
 | 3.0.0 | 17-07-2023 | Updated **Workbook** template to remove unused variables. |
diff --git a/Solutions/SentinelSOARessentials/Workbooks/SecurityOperationsEfficiency.json b/Solutions/SentinelSOARessentials/Workbooks/SecurityOperationsEfficiency.json
index fac037990be..c7b6cecf25f 100644
--- a/Solutions/SentinelSOARessentials/Workbooks/SecurityOperationsEfficiency.json
+++ b/Solutions/SentinelSOARessentials/Workbooks/SecurityOperationsEfficiency.json
@@ -525,10 +525,7 @@
 "query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize AvgTTT=avg(TimeToTriage) \n",
 "size": 1,
 "title": "Mean time to triage",
- "timeContext": {
- "durationMs": 94608000000,
- "endTime": "2023-06-01T16:58:00.000Z"
- },
+ "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "crossComponentResources": [
@@ -568,10 +565,7 @@
 "query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(TimeGenerated,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize AvgTTC=avg(TimeToClosure)",
 "size": 1,
 "title": "Mean time to closure ",
- "timeContext": {
- "durationMs": 94608000000,
- "endTime": "2023-06-01T16:33:00.000Z"
- },
+ "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "crossComponentResources": [
@@ -929,10 +923,7 @@
 "query": "SecurityIncident\n| where FirstModifiedTime >= {TimeRange:start} and FirstModifiedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h\n| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50), 90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99) by bin(FirstModifiedTime, 1d)\n",
 "size": 1,
 "aggregation": 3,
- "timeContext": {
- "durationMs": 94608000000,
- "endTime": "2023-06-01T16:45:00.000Z"
- },
+ "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "crossComponentResources": [
@@ -992,10 +983,7 @@
 "query": "SecurityIncident\n| where ClosedTime >= {TimeRange:start} and ClosedTime <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToClosure = (ClosedTime - CreatedTime)/1h\n| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50), 90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99) by bin(ClosedTime, 1d)\n",
 "size": 1,
 "aggregation": 3,
- "timeContext": {
- "durationMs": 94608000000,
- "endTime": "2023-06-01T16:47:00.000Z"
- },
+ "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "crossComponentResources": [
@@ -1515,4 +1503,4 @@
 ],
 "fromTemplateId": "sentinel-SecurityOperationsEfficiency",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+}
\ No newline at end of file
diff --git a/Solutions/Sophos Endpoint Protection/Data Connectors/SophosEP_API_FunctionApp.json b/Solutions/Sophos Endpoint Protection/Data Connectors/SophosEP_API_FunctionApp.json
index 74cc5acefe7..7f3ae8d7ed3 100644
--- a/Solutions/Sophos Endpoint Protection/Data Connectors/SophosEP_API_FunctionApp.json
+++ b/Solutions/Sophos Endpoint Protection/Data Connectors/SophosEP_API_FunctionApp.json
@@ -64,7 +64,8 @@
 }
 ]
 },
- "instructionSteps": [{
+ "instructionSteps": [
+ {
 "title": "",
 "description": ">**NOTE:** This connector uses Azure Functions to connect to the Sophos Central APIs to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
 },
@@ -103,20 +104,43 @@ ] }, { + "instructions": [ + { + "parameters":{ + + "instructionSteps": [ + { "title": "Option 1 - Azure Resource Manager (ARM) Template", "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." }, { "title": "Option 2 - Manual Deployment of Azure Functions", - "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code)." - }, - { - "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SophosEPXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "title": "", - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. 
Once all application settings have been entered, click **Save**." - } + "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + + ] + }, + "type": "InstructionStepsGroup" + } ] + } + ] } diff --git a/Solutions/Sophos Endpoint Protection/Data/Solution_EP.json b/Solutions/Sophos Endpoint Protection/Data/Solution_EP.json index adf4aeb8de9..388988cbb64 100644 --- a/Solutions/Sophos Endpoint Protection/Data/Solution_EP.json +++ b/Solutions/Sophos Endpoint Protection/Data/Solution_EP.json @@ -10,7 +10,7 @@ "Data Connectors/SophosEP_API_FunctionApp.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Sophos Endpoint Protection", - "Version": "2.0.0", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/Sophos Endpoint Protection/Package/3.0.0.zip b/Solutions/Sophos Endpoint Protection/Package/3.0.0.zip new file mode 100644 index 00000000000..c1a3db4d9ff Binary files /dev/null and b/Solutions/Sophos Endpoint Protection/Package/3.0.0.zip differ diff --git a/Solutions/Sophos Endpoint Protection/Package/createUiDefinition.json b/Solutions/Sophos Endpoint Protection/Package/createUiDefinition.json index 9c30d36d67b..6fb135b7792 100644 --- a/Solutions/Sophos Endpoint Protection/Package/createUiDefinition.json +++ b/Solutions/Sophos Endpoint Protection/Package/createUiDefinition.json 
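Review bot: The `logAnalyticsUri` example in the new "Step 2 - Configure the Function App" description reads `https://.ods.opinsights.azure.us`, which has an empty host label; a placeholder for the workspace id looks to have been lost, so restore one, e.g. `https://<WorkspaceID>.ods.opinsights.azure.us` (placeholder). The same step tells users to store `SOPHOS_TOKEN` and `WorkspaceKey` as plain application settings; a sentence pointing to Key Vault references for those two values would keep the credentials out of the app configuration blade and its exports. Smaller items on the new side: "ARM Tempate" in the Option 1 description, and `"parameters":{` followed by an empty added line where the sibling objects use `"parameters": {` with no blank line. The nested instruction text is repeated verbatim in the mainTemplate hunks `@@ -333,18 +320,40 @@` and `@@ -523,33 +543,62 @@`, so any fix here has to be mirrored there (the Package appears to be generated from this file, so regenerating it should suffice).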
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Sophos Endpoint Protection](https://www.sophos.com/products/endpoint-antivirus.aspx) solution provides the capability to ingest Sophos events into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sophos%20Endpoint%20Protection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Sophos Endpoint Protection](https://www.sophos.com/products/endpoint-antivirus.aspx) solution provides the capability to ingest [Sophos events](https://docs.sophos.com/central/Customer/help/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. 
Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/central/Customer/concepts/Logs.html) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector that allows to ingest Sophos events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This solution installs the data connector for ingesting Sophos events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { @@ -89,4 +89,4 @@ "workspace": "[basics('workspace')]" } } -} \ No newline at end of file +} diff --git a/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json b/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json index 1bb9105ca37..7ae12aa98a5 100644 --- a/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json +++ b/Solutions/Sophos Endpoint Protection/Package/mainTemplate.json 
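Review bot: The new description links the Sophos docs without the `en-us` path segment (`.../help/central/Customer/concepts/Logs.html`), while the connector's `descriptionMarkdown` in mainTemplate (hunks `@@ -227,7 +214,7 @@` and `@@ -418,7 +438,7 @@`) still uses `.../help/en-us/central/Customer/concepts/Logs.html`; settle on one URL form across the package so only one has to be re-checked when Sophos retires the other. The bullet separator `\r \n • ` mixes a carriage return, a space and a line feed where the rest of the string uses `\n\n`; if the portal renders it as intended this is harmless, but `\n\n• ` would be the consistent form. The release-notes link targets `ReleaseNotes.md` under the solution folder, which is not part of this diff chunk — confirm the file exists in the same commit so the link is not dead on first publish.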
@@ -30,57 +30,43 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-sophosep", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "parserVersion1": "1.0.0", - "parserContentId1": "SophosEPEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_solutionName": "Sophos Endpoint Protection", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-sophosep", + "_solutionId": "[variables('solutionId')]", "parserName1": "Sophos Endpoint Protection Data Parser", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "SophosEPEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", "uiConfigId1": "SophosEP", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "SophosEP", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', 
variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "SophosEPEvent Data Parser with template", - "displayName": "SophosEPEvent Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SophosEPEvent Data Parser with template version 2.0.0", + "description": "SophosEPEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -89,7 +75,7 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { @@ -98,6 +84,7 @@ "category": "Samples", "functionAlias": "SophosEPEvent", "query": "\nSophosEP_CL\r\n| extend EventVendor = 'Sophos'\r\n| extend EventProduct = 'Endpoint Protection'\r\n| project-rename DstUserSid=user_id_s,\r\n CustomerId=customer_id_g,\r\n EventSeverity=severity_s,\r\n Created=created_at_t,\r\n SrcIpAddr=source_info_ip_s,\r\n ThreatName=threat_s,\r\n EndpointId=endpoint_id_g,\r\n SrcDvcType=endpoint_type_s,\r\n EventSubType=origin_s,\r\n EventEndTime=when_t,\r\n Source=source_s,\r\n DvcAction=type_s,\r\n EventMessage=name_s,\r\n DvcHostname=location_s,\r\n EventOriginalUid=id_g,\r\n ThreatCategory=group_s,\r\n EventType=datastream_s\r\n", + "functionParameters": "", "version": 1, "tags": [ { 
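Review bot: `"description": "SophosEPEvent Data Parser with template version 3.0.0"` hard-codes the solution version even though this hunk introduces `_solutionVersion`; `"description": "[concat('SophosEPEvent Data Parser with template version ', variables('_solutionVersion'))]"` keeps it from drifting on the next bump, and the data-connector hunk `@@ -185,33 +190,15 @@` has the same literal. The new `dependsOn` targets a `Microsoft.SecurityInsights/contentPackages` resource named by `_solutionId`; that resource is not in this chunk, so confirm it is declared elsewhere in the template, otherwise the deployment fails on an unresolved dependency. `workspaceResourceId` is removed together with the `hidden-sentinelWorkspaceId` tags that were its only visible consumers; a search for `variables('workspaceResourceId')` in the rest of the file would rule out a dangling reference.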
@@ -137,12 +124,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "Sophos Endpoint Protection Data Parser",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
+ "apiVersion": "2022-10-01",
 "name": "[variables('_parserName1')]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -151,7 +149,14 @@
 "category": "Samples",
 "functionAlias": "SophosEPEvent",
 "query": "\nSophosEP_CL\r\n| extend EventVendor = 'Sophos'\r\n| extend EventProduct = 'Endpoint Protection'\r\n| project-rename DstUserSid=user_id_s,\r\n CustomerId=customer_id_g,\r\n EventSeverity=severity_s,\r\n Created=created_at_t,\r\n SrcIpAddr=source_info_ip_s,\r\n ThreatName=threat_s,\r\n EndpointId=endpoint_id_g,\r\n SrcDvcType=endpoint_type_s,\r\n EventSubType=origin_s,\r\n EventEndTime=when_t,\r\n Source=source_s,\r\n DvcAction=type_s,\r\n EventMessage=name_s,\r\n DvcHostname=location_s,\r\n EventOriginalUid=id_g,\r\n ThreatCategory=group_s,\r\n EventType=datastream_s\r\n",
- "version": 1
+ "functionParameters": "",
+ "version": 1,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Sophos Endpoint Protection Data Parser"
+ }
+ ]
 }
 },
 {
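Review bot: `"displayName": "Sophos Endpoint Protection Data Parser"` and the tag `value` added in `@@ -151,7 +149,14 @@` both repeat the string already held in `variables('parserName1')`; `"displayName": "[variables('parserName1')]"` (and the same expression for the tag value) keeps the content template and the saved search from drifting apart. The hunk `@@ -377,12 +386,23 @@` has the same pattern, with `"displayName": "Sophos Endpoint Protection"` duplicating `_solutionName`. `contentSchemaVersion` is the literal `3.0.0`, which happens to equal `_solutionVersion`; if it is a schema version rather than the package version, leaving it literal is correct, but a future bump of `_solutionVersion` must then not touch it.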
@@ -185,33 +190,15 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('dataConnectorTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Sophos Endpoint Protection data connector with template",
- "displayName": "Sophos Endpoint Protection template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Sophos Endpoint Protection data connector with template version 2.0.0",
+ "description": "Sophos Endpoint Protection data connector with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -227,7 +214,7 @@
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId1')]",
- "title": "Sophos Endpoint Protection (using Azure Function)",
+ "title": "Sophos Endpoint Protection (using Azure Functions)",
 "publisher": "Sophos",
 "descriptionMarkdown": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.",
 "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution.",
@@ -333,18 +320,40 @@ ] }, { - "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. 
Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SophosEPXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. 
Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. 
In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ] } @@ -352,7 +361,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -377,12 +386,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Sophos Endpoint Protection",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "dependsOn": [
 "[variables('_dataConnectorId1')]"
@@ -418,7 +438,7 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "Sophos Endpoint Protection (using Azure Function)",
+ "title": "Sophos Endpoint Protection (using Azure Functions)",
 "publisher": "Sophos",
 "descriptionMarkdown": "The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.",
 "graphQueries": [
@@ -523,33 +543,62 @@ ] }, { - "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. 
Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SophosEPXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. 
Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Step 1 - Deploy a Function App", + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + }, + { + "title": "Step 2 - Configure the Function App", + "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. 
In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], - "id": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_uiConfigId1'))]", + "id": "[variables('_uiConfigId1')]", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution." } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.0", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Sophos Endpoint Protection", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Sophos Endpoint Protection solution provides the capability to ingest Sophos events into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { diff --git a/Solutions/Sophos Endpoint Protection/ReleaseNotes.md b/Solutions/Sophos Endpoint Protection/ReleaseNotes.md new file mode 100644 index 00000000000..6dc2cf7d4dd --- /dev/null +++ b/Solutions/Sophos Endpoint Protection/ReleaseNotes.md @@ -0,0 +1,4 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 14-08-2023 | Manual deployment instructions updated for **Data Connector** | + diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml index 25f7adf6028..31859ac00ce 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml @@ -53,7 +53,7 @@ query: | | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false) | where MSTI == false // Extract domain patterns from message - | extend domain = todynamic(dynamic_to_json(extract_all(@"(((xn--)?[a-z0-9\-]+\.)+([a-z]+|(xn--[a-z0-9]+)))", dynamic([1]), tolower(Entities)))) + | extend domain = todynamic(dynamic_to_json(extract_all(@"(((xn--)?[a-z0-9\-]+\.)+([a-z]+|(xn--[a-z0-9]+)))", dynamic([1,1]), tolower(Entities)))) | mv-expand domain | extend domain = tostring(domain[0]) | extend parts = split(domain, '.') @@ -88,5 +88,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.4.0 +version: 1.4.1 kind: Scheduled 
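Review bot: In the new "Step 2 - Configure the Function App" text the `logAnalyticsUri` example reads `https://.ods.opinsights.azure.us`, which has no host label in front of `.ods` and cannot work as written; if that is really what the template carries rather than an artifact of how the page was rendered, restore the placeholder as `https://<CustomerId>.ods.opinsights.azure.us`. The same step tells operators to paste `SOPHOS_TOKEN` and `WorkspaceKey` into plain Function App application settings, and a one-line caveat such as `Prefer Key Vault references (@Microsoft.KeyVault(SecretUri=...)) for SOPHOS_TOKEN and WorkspaceKey rather than plaintext settings.` next to that list would save a practitioner from shipping long-lived secrets in app config. Option 1 also still says "ARM Tempate" (typo, should be "Template"), which this rewrite of the instructions would have been the natural place to fix. The `properties` object of the contentPackages resource continues past the end of the hunk.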
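Review bot: The repeated capture-group index in `dynamic([1,1])` carries no explanation, and the next maintainer is likely to collapse it back to the `dynamic([1])` form this hunk removes. As I read extract_all's documented behaviour, a single capture group returns a flat array of strings, so after `mv-expand` the `domain[0]` on the following line would no longer index a per-match array; listing the group twice forces the array-of-arrays shape that `domain[0]` relies on, which is presumably the bug being fixed here. Please add a comment directly above the `extend domain` line, e.g. `// group 1 is listed twice on purpose: with a single group extract_all returns flat strings and domain[0] below would yield nothing`. The query body continues outside the hunk.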
diff --git a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json index 6b23ede5736..517eae2fe83 100644 --- a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json +++ b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json 
@@ -4,64 +4,64 @@ "Logo": "", "Description": "The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.", "Data Connectors": [ - "Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json", - "Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligence.json", - "Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceUploadIndicators.json", - "Solutions/Threat Intelligence/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json" + "Data Connectors/template_ThreatIntelligenceTaxii.json", + "Data Connectors/template_ThreatIntelligence.json", + "Data Connectors/template_ThreatIntelligenceUploadIndicators.json", + "Data Connectors/template_MicrosoftDefenderThreatIntelligence.json" ], "Workbooks": [ - "Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json" + "Workbooks/ThreatIntelligence.json" ], "Hunting Queries": [ - "Solutions/Threat Intelligence/Hunting Queries/FileEntity_OfficeActivity.yaml", - "Solutions/Threat Intelligence/Hunting Queries/FileEntity_SecurityEvent.yaml", - "Solutions/Threat Intelligence/Hunting Queries/FileEntity_Syslog.yaml", - "Solutions/Threat Intelligence/Hunting Queries/FileEntity_VMConnection.yaml", - "Solutions/Threat Intelligence/Hunting Queries/FileEntity_WireData.yaml" + "Hunting Queries/FileEntity_OfficeActivity.yaml", + "Hunting Queries/FileEntity_SecurityEvent.yaml", + "Hunting Queries/FileEntity_Syslog.yaml", + "Hunting Queries/FileEntity_VMConnection.yaml", + "Hunting Queries/FileEntity_WireData.yaml" ], "Analytic Rules": [ - "Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml", - "Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml", - "Solutions/Threat Intelligence/Analytic 
Rules/DomainEntity_imWebSession.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPentity_SigninLogs.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml",
- "Solutions/Threat Intelligence/Analytic 
Rules/IPEntity_W3CIISLog.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml",
- "Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml"
+ "Analytic Rules/DomainEntity_CommonSecurityLog.yaml",
+ "Analytic Rules/DomainEntity_DnsEvents.yaml",
+ "Analytic Rules/DomainEntity_imWebSession.yaml",
+ "Analytic Rules/DomainEntity_PaloAlto.yaml",
+ "Analytic Rules/DomainEntity_SecurityAlert.yaml",
+ "Analytic Rules/DomainEntity_Syslog.yaml",
+ "Analytic Rules/EmailEntity_AzureActivity.yaml",
+ "Analytic Rules/EmailEntity_OfficeActivity.yaml",
+ "Analytic Rules/EmailEntity_PaloAlto.yaml",
+ "Analytic Rules/EmailEntity_SecurityAlert.yaml",
+ "Analytic Rules/EmailEntity_SecurityEvent.yaml",
+ "Analytic Rules/EmailEntity_SigninLogs.yaml",
+ "Analytic Rules/FileHashEntity_CommonSecurityLog.yaml",
+ "Analytic Rules/FileHashEntity_SecurityEvent.yaml",
+ "Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml",
+ "Analytic Rules/IPEntity_AWSCloudTrail.yaml",
+ "Analytic Rules/IPEntity_AzureActivity.yaml",
+ "Analytic Rules/IPEntity_AzureFirewall.yaml",
+ "Analytic Rules/IPEntity_AzureKeyVault.yaml",
+ "Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml",
+ "Analytic Rules/IPEntity_AzureSQL.yaml",
+ "Analytic Rules/IPEntity_CustomSecurityLog.yaml",
+ "Analytic Rules/IPEntity_DnsEvents.yaml",
+ "Analytic 
Rules/IPEntity_imWebSession.yaml", + "Analytic Rules/IPEntity_OfficeActivity.yaml", + "Analytic Rules/IPentity_SigninLogs.yaml", + "Analytic Rules/IPEntity_VMConnection.yaml", + "Analytic Rules/IPEntity_W3CIISLog.yaml", + "Analytic Rules/URLEntity_AuditLogs.yaml", + "Analytic Rules/URLEntity_OfficeActivity.yaml", + "Analytic Rules/URLEntity_PaloAlto.yaml", + "Analytic Rules/URLEntity_SecurityAlerts.yaml", + "Analytic Rules/URLEntity_Syslog.yaml", + "Analytic Rules/IPEntity_DuoSecurity.yaml", + "Analytic Rules/imDns_DomainEntity_DnsEvents.yaml", + "Analytic Rules/imDns_IPEntity_DnsEvents.yaml", + "Analytic Rules/IPEntity_imNetworkSession.yaml", + "Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml" ], - "BasePath": "C:\\GitHub\\Azure-Sentinel", - "Version": "2.0.5", "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\", + "Version": "3.0.0", "TemplateSpec": true, "Is1PConnector": true } \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_OfficeActivity.yaml index 671e4f0feef..1e94b4a0a93 100644 --- a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_OfficeActivity.yaml +++ b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_OfficeActivity.yaml 
@@ -1,6 +1,8 @@ id: 410da56d-4a63-4d22-b68c-9fb1a303be6d name: TI Map File Entity to OfficeActivity Event description: | + 'This query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.' +description-detailed: | 'This query identifies any matches in the OfficeActivity Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. Since file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection.' requiredDataConnectors: @@ -58,4 +60,4 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.0.2 +version: 1.0.3 diff --git a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_SecurityEvent.yaml index 1d02d1a8937..7953943f7db 100644 --- a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_SecurityEvent.yaml +++ b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_SecurityEvent.yaml @@ -1,6 +1,8 @@ id: 233441b9-cc92-4c9b-87fa-73b855fcd4b8 name: TI Map File Entity to Security Event description: | + 'This query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.' +description-detailed: | 'This query identifies any matches in the Security Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. Since file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection.' requiredDataConnectors: 
@@ -69,5 +71,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.0.2 +version: 1.0.3 diff --git a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_Syslog.yaml b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_Syslog.yaml index 44b26165ced..0e7b77a5aac 100644 --- a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_Syslog.yaml +++ b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_Syslog.yaml @@ -1,6 +1,8 @@ id: 18f7de84-de55-4983-aca3-a18bc846b4e0 name: TI Map File Entity to Syslog Event description: | + 'This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.' +description-detailed: | 'This query identifies any matches in the Syslog Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. Since file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection.' requiredDataConnectors: @@ -60,4 +62,4 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.0.2 \ No newline at end of file +version: 1.0.3 \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_VMConnection.yaml b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_VMConnection.yaml index b773c8c7987..c0d30a6b506 100644 --- a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_VMConnection.yaml +++ b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_VMConnection.yaml 
@@ -1,6 +1,8 @@ id: 172a321b-c46b-4508-87c6-e2691c778107 name: TI Map File Entity to VMConnection Event description: | + 'This query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.' +description-detailed: | 'This query identifies any matches in the VMConnection Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. Since file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection.' requiredDataConnectors: @@ -65,4 +67,4 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.0.2 +version: 1.0.3 diff --git a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_WireData.yaml b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_WireData.yaml index 1a56ed0a419..71b155e5449 100644 --- a/Solutions/Threat Intelligence/Hunting Queries/FileEntity_WireData.yaml +++ b/Solutions/Threat Intelligence/Hunting Queries/FileEntity_WireData.yaml @@ -1,6 +1,8 @@ id: 689a9475-440b-4e69-8ab1-a5e241685f39 name: TI Map File Entity to WireData Event description: | + 'This query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.' +description-detailed: | 'This query identifies any matches in the WireData Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. Since file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection.' requiredDataConnectors: 
@@ -64,4 +66,4 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.0.2 +version: 1.0.3 diff --git a/Solutions/Threat Intelligence/Package/3.0.0.zip b/Solutions/Threat Intelligence/Package/3.0.0.zip new file mode 100644 index 00000000000..d8627a5b8f7 Binary files /dev/null and b/Solutions/Threat Intelligence/Package/3.0.0.zip differ diff --git a/Solutions/Threat Intelligence/Package/createUiDefinition.json b/Solutions/Threat Intelligence/Package/createUiDefinition.json index 2a37c2784f9..5df0ea0dc14 100644 --- a/Solutions/Threat Intelligence/Package/createUiDefinition.json +++ b/Solutions/Threat Intelligence/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 38, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 38, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
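Review bot: The new Release Notes link in `description` points at `.../tree/master/Solutions/Threat Intelligence/ReleaseNotes.md` with a literal space in the path, which many Markdown renderers treat as the end of the URL, so the install wizard will show a truncated or broken link. Percent-encode the space and use the file view: `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat%20Intelligence/ReleaseNotes.md`. Since createUiDefinition.json appears to be produced by the packaging tool, the fix probably belongs in the generator so the unencoded path is not reintroduced on the next package build.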
@@ -474,7 +474,7 @@ "name": "analytic19-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in Azure Key Vault logsfrom any IP IOC from TI" + "text": "Identifies a match in Azure Key Vault logs from any IP IOC from TI" } } ] @@ -586,7 +586,7 @@ "name": "analytic27-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity." + "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection." } } ] @@ -778,7 +778,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query identifies any matches in the OfficeActivity Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection. This hunting query depends on Office365 ThreatIntelligence ThreatIntelligenceTaxii data connector (OfficeActivity ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" + "text": "This query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on Office365 ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (OfficeActivity ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" } } ] 
@@ -792,7 +792,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query identifies any matches in the Security Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection. This hunting query depends on SecurityEvents ThreatIntelligence ThreatIntelligenceTaxii data connector (SecurityEvent ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" + "text": "This query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on SecurityEvents ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (SecurityEvent ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" } } ] 
@@ -806,7 +806,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query identifies any matches in the Syslog Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection. This hunting query depends on Syslog ThreatIntelligence ThreatIntelligenceTaxii data connector (Syslog ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" + "text": "This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on Syslog ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (Syslog ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" } } ] 
@@ -820,7 +820,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query identifies any matches in the VMConnection Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection. This hunting query depends on AzureMonitor(VMInsights) ThreatIntelligence ThreatIntelligenceTaxii data connector (VMConnection ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" + "text": "This query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection.. This hunting query depends on AzureMonitor(VMInsights) ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (VMConnection ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" } } ] 
@@ -834,7 +834,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query identifies any matches in the WireData Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection. This hunting query depends on AzureMonitor(WireData) ThreatIntelligence ThreatIntelligenceTaxii data connector (WireData ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" + "text": "This query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection. This hunting query depends on AzureMonitor(WireData) ThreatIntelligence ThreatIntelligenceTaxii MicrosoftDefenderThreatIntelligence data connector (WireData ThreatIntelligenceIndicator ThreatIntelligenceIndicator ThreatIntelligenceIndicator Parser or Table)" } } ] @@ -848,4 +848,4 @@ "workspace": "[basics('workspace')]" } } -} \ No newline at end of file +} diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json index 10e221aeca3..bef02dac6b6 100644 --- a/Solutions/Threat Intelligence/Package/mainTemplate.json +++ b/Solutions/Threat Intelligence/Package/mainTemplate.json 
@@ -38,296 +38,326 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Threat Intelligence", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ThreatIntelligenceTaxii", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ThreatIntelligenceTaxii", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "uiConfigId2": "ThreatIntelligence", "_uiConfigId2": "[variables('uiConfigId2')]", "dataConnectorContentId2": "ThreatIntelligence", "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2')))]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "uiConfigId3": "ThreatIntelligenceUploadIndicatorsAPI", "_uiConfigId3": "[variables('uiConfigId3')]", "dataConnectorContentId3": "ThreatIntelligenceUploadIndicatorsAPI", "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", "_dataConnectorId3": "[variables('dataConnectorId3')]", - "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3')))]", + "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", "dataConnectorVersion3": "1.0.0", + "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", "uiConfigId4": "MicrosoftDefenderThreatIntelligence", "_uiConfigId4": "[variables('uiConfigId4')]", "dataConnectorContentId4": 
"MicrosoftDefenderThreatIntelligence", "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]", "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", "_dataConnectorId4": "[variables('dataConnectorId4')]", - "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4')))]", + "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", "dataConnectorVersion4": "1.0.0", - "TemplateEmptyArray": "[json('[]')]", - "blanks": "[replace('b', 'b', '')]", + "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", "workbookVersion1": "5.0.0", "workbookContentId1": "ThreatIntelligenceWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", - "huntingQueryVersion1": "1.0.2", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + 
"huntingQueryVersion1": "1.0.3", "huntingQuerycontentId1": "410da56d-4a63-4d22-b68c-9fb1a303be6d", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.2", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", + "huntingQueryVersion2": "1.0.3", "huntingQuerycontentId2": "233441b9-cc92-4c9b-87fa-73b855fcd4b8", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", - "huntingQueryVersion3": "1.0.2", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", + "huntingQueryVersion3": "1.0.3", "huntingQuerycontentId3": "18f7de84-de55-4983-aca3-a18bc846b4e0", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": 
"[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", - "huntingQueryVersion4": "1.0.2", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", + "huntingQueryVersion4": "1.0.3", "huntingQuerycontentId4": "172a321b-c46b-4508-87c6-e2691c778107", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", - "huntingQueryVersion5": "1.0.2", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", + "huntingQueryVersion5": "1.0.3", "huntingQuerycontentId5": "689a9475-440b-4e69-8ab1-a5e241685f39", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": 
"[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", - "analyticRuleVersion1": "1.3.3", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", + "analyticRuleVersion1": "1.4.0", "analyticRulecontentId1": "dd0a6029-ecef-4507-89c4-fc355ac52111", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.3.4", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.4.0", "analyticRulecontentId2": "85aca4d1-5d15-4001-abd9-acb86ca1786a", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "analyticRuleVersion3": "1.0.2", "analyticRulecontentId3": "b1832f60-6c3d-4722-a0a5-3d564ee61a63", "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.3.3", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.4.0", "analyticRulecontentId4": "ec21493c-2684-4acd-9bc2-696dbad72426", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.3.6", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.4.1", "analyticRulecontentId5": "87890d78-3e05-43ec-9ab9-ba32f4e01250", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.3.3", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "1.4.0", "analyticRulecontentId6": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", "analyticRuleVersion7": "1.2.4", 
"analyticRulecontentId7": "cca3b4d9-ac39-4109-8b93-65bb284003e6", "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", "analyticRuleVersion8": "1.2.4", "analyticRulecontentId8": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2", "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", "analyticRuleVersion9": "1.2.4", "analyticRulecontentId9": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63", "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", "analyticRuleVersion10": "1.2.5", "analyticRulecontentId10": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc", "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "analyticRuleVersion11": "1.3.4", "analyticRulecontentId11": "2fc5d810-c9cc-491a-b564-841427ae0e50", "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11')))]", + "analyticRuleTemplateSpecName11": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", "analyticRuleVersion12": "1.2.4", "analyticRulecontentId12": "30fa312c-31eb-43d8-b0cc-bcbdfb360822", "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]", "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12')))]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]", "analyticRuleVersion13": "1.3.3", "analyticRulecontentId13": "5d33fc63-b83b-4913-b95e-94d13f0d379f", "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]", "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13')))]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]", "analyticRuleVersion14": "1.4.3", "analyticRulecontentId14": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf", "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]", "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14')))]", - "analyticRuleVersion15": "1.3.5", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]", + "analyticRuleVersion15": "1.4.0", "analyticRulecontentId15": "f9949656-473f-4503-bf43-a9d9890f7d08", "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]", "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15')))]", - "analyticRuleVersion16": "1.3.3", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]", + "analyticRuleVersion16": "1.4.0", 
"analyticRulecontentId16": "f110287e-1358-490d-8147-ed804b328514", "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]", "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16')))]", - "analyticRuleVersion17": "1.3.3", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]", + "analyticRuleVersion17": "1.3.2", "analyticRulecontentId17": "2441bce9-02e4-407b-8cc7-7d597f38b8b0", "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]", "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17')))]", - "analyticRuleVersion18": "1.2.4", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]", + "analyticRuleVersion18": "1.3.0", "analyticRulecontentId18": "0b904747-1336-4363-8d84-df2710bfe5e7", "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]", "analyticRuleId18": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18')))]", - "analyticRuleVersion19": "1.2.2", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]", + "analyticRuleVersion19": "1.3.1", "analyticRulecontentId19": "57c7e832-64eb-411f-8928-4133f01f4a25", "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]", "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19')))]", - "analyticRuleVersion20": "1.3.3", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]", + "analyticRuleVersion20": "1.4.0", "analyticRulecontentId20": "a4025a76-6490-4e6b-bb69-d02be4b03f07", "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]", "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]", - "analyticRuleTemplateSpecName20": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20')))]", - "analyticRuleVersion21": "1.2.3", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]", + "analyticRuleVersion21": "1.3.0", "analyticRulecontentId21": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85", "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]", "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21')))]", - "analyticRuleVersion22": "1.1.2", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]", + "analyticRuleVersion22": "1.2.0", "analyticRulecontentId22": "66c81ae2-1f89-4433-be00-2fbbd9ba5ebe", "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]", "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22')))]", - "analyticRuleVersion23": "1.3.5", + "analyticRuleTemplateSpecName22": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]", + "analyticRuleVersion23": "1.4.0", "analyticRulecontentId23": "69b7723c-2889-469f-8b55-a2d355ed9c87", "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]", "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23')))]", - "analyticRuleVersion24": "1.1.1", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]", + "analyticRuleVersion24": "1.2.0", "analyticRulecontentId24": "e2559891-383c-4caf-ae67-55a008b9f89e", "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]", "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24')))]", - "analyticRuleVersion25": "1.3.5", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]", + 
"_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]", + "analyticRuleVersion25": "1.4.0", "analyticRulecontentId25": "f15370f4-c6fa-42c5-9be4-1d308f40284e", "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]", "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25')))]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]", + "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]", "analyticRuleVersion26": "1.2.5", "analyticRulecontentId26": "f2eb15bd-8a88-4b24-9281-e133edfba315", "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]", "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26')))]", - "analyticRuleVersion27": "1.3.3", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', 
variables('analyticRuleVersion26'))))]", + "analyticRuleVersion27": "1.4.0", "analyticRulecontentId27": "9713e3c0-1410-468d-b79e-383448434b2d", "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]", "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]", - "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27')))]", - "analyticRuleVersion28": "1.3.4", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]", + "analyticRuleVersion28": "1.4.0", "analyticRulecontentId28": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f", "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]", "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28')))]", + "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]", "analyticRuleVersion29": "1.2.4", "analyticRulecontentId29": "712fab52-2a7d-401e-a08c-ff939cc7c25e", "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]", 
"analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29')))]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]", "analyticRuleVersion30": "1.2.5", "analyticRulecontentId30": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b", "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]", "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30')))]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]", "analyticRuleVersion31": "1.2.3", "analyticRulecontentId31": "106813db-679e-4382-a51b-1bfc463befc3", "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]", "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31')))]", + 
"analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]", "analyticRuleVersion32": "1.2.6", "analyticRulecontentId32": "f30a47c1-65fb-42b1-a7f4-00941c12550b", "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]", "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32')))]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]", "analyticRuleVersion33": "1.2.4", "analyticRulecontentId33": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf", "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]", "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33')))]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]", + "_analyticRulecontentProductId33": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]", "analyticRuleVersion34": "1.0.3", "analyticRulecontentId34": "d23ed927-5be3-4902-a9c1-85f841eb4fa1", "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]", "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34')))]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]", "analyticRuleVersion35": "1.1.3", "analyticRulecontentId35": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]", "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]", - "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35')))]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]", "analyticRuleVersion36": "1.2.1", 
"analyticRulecontentId36": "67775878-7f8b-4380-ac54-115e1e828901", "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]", "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36')))]", + "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]", "analyticRuleVersion37": "1.2.4", "analyticRulecontentId37": "e2399891-383c-4caf-ae67-68a008b9f89e", "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]", "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37')))]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]", "analyticRuleVersion38": "1.0.2", "analyticRulecontentId38": "aac495a9-feb1-446d-b08e-a1164a539452", "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]", "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]", - 
"analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38')))]", - "management": "[concat('https://management','.azure','.com/')]" + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Threat Intelligence data connector with template", - "displayName": "Threat Intelligence template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 2.0.5", + "description": "Threat Intelligence data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -372,7 +402,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -397,12 +427,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Threat intelligence - TAXII", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" 
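Review bot: In the `@@ -397,12 +427,23 @@` hunk the new `displayName` is a hard-coded literal, `"displayName": "Threat intelligence - TAXII"`, while every neighbouring identity field on the new side is resolved from a variable, so it can diverge from the connector's own UI title (which presumably lives in its `connectorUiConfig`, outside this hunk) if either is edited alone. Casing is also inconsistent between the parallel blocks added in `@@ -563,12 +586,23 @@` (`"Threat Intelligence Platforms"`), `@@ -770,12 +745,23 @@` and `@@ -977,12 +904,23 @@`. If this file is emitted by the solution packaging tool the fix belongs in the tool's input; otherwise sourcing `displayName` from the same value the connector title uses would keep one source of truth.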
@@ -467,33 +508,15 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('dataConnectorTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Threat Intelligence data connector with template",
- "displayName": "Threat Intelligence template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 2.0.5",
+ "description": "Threat Intelligence data connector with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
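Review bot: The new line `"description": "Threat Intelligence data connector with template version 3.0.0"` pins the version as a literal even though the same resource now carries `"packageVersion": "[variables('_solutionVersion')]"` (added in `@@ -563,12 +586,23 @@`), so the two will drift at the next bump; `"description": "[concat('Threat Intelligence data connector with template version ', variables('_solutionVersion'))]"` keeps one source of truth, assuming `_solutionVersion` is the value this text is meant to mirror. The same literal is introduced in `@@ -632,34 +666,16 @@`, `@@ -835,79 +821,20 @@` and `@@ -1047,33 +985,15 @@`, and in the first hunk of this file, whose start is outside this view. The rewritten `dependsOn` now points only at a `Microsoft.SecurityInsights/contentPackages` resource for `variables('_solutionId')`; that resource is not visible here, so confirm it is declared in this template, since with the template-spec resources deleted it is the sole ordering edge for every content template.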
@@ -538,7 +561,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", @@ -563,12 +586,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "Threat Intelligence Platforms", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId2')]" 
@@ -632,34 +666,16 @@ } } }, -{ - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('dataConnectorTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Threat Intelligence data connector with template", - "displayName": "Threat Intelligence template" - } - }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName3'),'/',variables('dataConnectorVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 2.0.5", + "description": "Threat Intelligence data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", 
@@ -671,7 +687,7 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId3')]",
@@ -685,18 +701,6 @@
 "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'"
 }
 ],
- "sampleQueries": [
- {
- "description": "All Threat Intelligence APIs Indicators",
- "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc"
- }
- ],
- "dataTypes": [
- {
- "name": "ThreatIntelligenceIndicator",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)"
- }
- ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
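Review bot: Switching `"kind": "GenericUI"` to `"kind": "StaticUI"` in `@@ -671,7 +687,7 @@` is paired with deleting the `permissions.resourceProvider` block (removed in `@@ -705,39 +709,10 @@`) that declared `Microsoft.SecurityInsights/threatintelligence/write` as the scope this connector needs, and nothing on the new side states that requirement. If `StaticUI` connectors are rendered by the portal and ignore `permissions`, `availability` and `instructionSteps`, the deletion is expected, but the least-privilege write scope for the Upload Indicators flow then lives nowhere in the solution; consider recording it in the connector's documentation so operators do not grant broader threat-intelligence rights than that single write permission. The same pair of changes is made for the second copy of this connector in `@@ -808,7 +794,7 @@` and `@@ -835,79 +821,20 @@`; the enclosing dataConnectors resource starts before these hunks.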
@@ -705,39 +709,10 @@ ] } ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.SecurityInsights/threatintelligence/write", - "permissionsDisplayText": "write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. ", - "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: " - }, - { - "title": "Follow These Steps to Connect to your Threat Intelligence: " - }, - { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", - "title": "1. Get AAD Access Token" - }, + "dataTypes": [ { - "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here]( https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [AAD Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.'title : 2. 
Send indicators to Sentinel'" + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" } ] } @@ -745,7 +720,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", @@ -770,12 +745,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId3')]", + "contentKind": "DataConnector", + "displayName": "Threat Intelligence Upload Indicators API (Preview)", + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId3')]" 
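Review bot: The `lastDataReceivedQuery` re-added in `@@ -705,39 +709,10 @@` excludes `SourceSystem` values `'SecurityGraph'`, `'Azure Sentinel'` and `'Microsoft Sentinel'`, while the `baseQuery` kept as context just above `connectivityCriterias` in `@@ -685,18 +701,6 @@` (presumably the graph query) excludes only `'Microsoft Sentinel'`, so indicators tagged `SecurityGraph` or `Azure Sentinel` would be charted as this connector's data yet never update its last-received time. The mismatch is carried over from the deleted `dataTypes` block rather than introduced here, but since the commit is rewriting this connector it is the moment to align the two filters, e.g. `"baseQuery": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')"`, assuming the narrower filter is the intended definition of this connector's data. The enclosing dataConnectors resource starts before this hunk.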
@@ -808,7 +794,7 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
 "title": "Threat Intelligence Upload Indicators API (Preview)",
@@ -835,79 +821,20 @@ ] } ], - "sampleQueries": [ - { - "description": "All Threat Intelligence APIs Indicators", - "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.SecurityInsights/threatintelligence/write", - "permissionsDisplayText": "write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. ", - "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: " - }, - { - "title": "Follow These Steps to Connect to your Threat Intelligence: " - }, - { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", - "title": "1. Get AAD Access Token" - }, - { - "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here]( https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. 
\n\n\n>Header Value 1: \"Authorization\" = \"Bearer [AAD Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.'title : 2. Send indicators to Sentinel'" - } - ], "id": "[variables('_uiConfigId3')]" } } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Threat Intelligence data connector with template", - "displayName": "Threat Intelligence template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName4'),'/',variables('dataConnectorVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 2.0.5", + "description": "Threat Intelligence data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", 
@@ -952,7 +879,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
 "properties": {
 "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
@@ -977,12 +904,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId4')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Defender Threat Intelligence (Preview)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId4')]",
+ "id": "[variables('_dataConnectorcontentProductId4')]",
+ "version": "[variables('dataConnectorVersion4')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
 "dependsOn": [
 "[variables('_dataConnectorId4')]"
@@ -1047,33 +985,15 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('workbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
- "properties": {
- "description": "Threat Intelligence Workbook with template",
- "displayName": "Threat Intelligence workbook template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ThreatIntelligenceWorkbook with template version 2.0.5",
+ "description": "ThreatIntelligenceWorkbook Workbook with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
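Review bot: The new line `"description": "ThreatIntelligenceWorkbook Workbook with template version 3.0.0"` doubles the word "Workbook" and, like the connector descriptions elsewhere in this commit, pins the version as a literal beside `"contentVersion": "[variables('workbookVersion1')]"`. If the text is hand-maintained, `"description": "Threat Intelligence Workbook with template version 3.0.0"` reads correctly; if the packaging tool builds it from the workbook's name plus a fixed " Workbook with template version" suffix, the fix is to drop the redundant word from the name in the solution's input data rather than in this generated file.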
@@ -1091,7 +1011,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\",\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 
'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. 
In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)
\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart 
kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n 
iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most 
recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize 
SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join 
kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in 
Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has 
\\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data 
columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n 
iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-ThreatIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = 
tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)
\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart 
kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n 
iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most 
recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize 
SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join 
kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in 
Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has 
\\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= 
Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", 
Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-ThreatIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -1146,37 +1066,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Threat Intelligence Hunting Query 1 with template", - "displayName": "Threat Intelligence Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 2.0.5", + "description": 
"FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion1')]", @@ -1185,7 +1098,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Threat_Intelligence_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { @@ -1197,7 +1110,7 @@ "tags": [ { "name": "description", - "value": "This query identifies any matches in the OfficeActivity Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection." + "value": "This query finds matches in OfficeActivity Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection." }, { "name": "tactics", 
@@ -1234,37 +1147,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "TI Map File Entity to OfficeActivity Event", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Threat Intelligence Hunting Query 2 with template", - "displayName": "Threat Intelligence Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 2.0.5", + "description": 
"FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion2')]", @@ -1273,7 +1179,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Threat_Intelligence_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { @@ -1285,7 +1191,7 @@ "tags": [ { "name": "description", - "value": "This query identifies any matches in the Security Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection." + "value": "This query finds matches in Security Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection." }, { "name": "tactics", 
@@ -1322,37 +1228,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "TI Map File Entity to Security Event", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Threat Intelligence Hunting Query 3 with template", - "displayName": "Threat Intelligence Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 2.0.5", + "description": 
"FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion3')]", @@ -1361,7 +1260,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Threat_Intelligence_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { @@ -1373,7 +1272,7 @@ "tags": [ { "name": "description", - "value": "This query identifies any matches in the Syslog Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection." + "value": "This query finds matches in Syslog Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection." }, { "name": "tactics", 
@@ -1410,37 +1309,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "TI Map File Entity to Syslog Event", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Threat Intelligence Hunting Query 4 with template", - "displayName": "Threat Intelligence Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 2.0.5", + "description": 
"FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion4')]", @@ -1449,7 +1341,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Threat_Intelligence_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { @@ -1461,7 +1353,7 @@ "tags": [ { "name": "description", - "value": "This query identifies any matches in the VMConnection Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection." + "value": "This query finds matches in VMConnection Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection." }, { "name": "tactics", 
@@ -1498,37 +1390,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "TI Map File Entity to VMConnection Event", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Threat Intelligence Hunting Query 5 with template", - "displayName": "Threat Intelligence Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 2.0.5", + "description": 
"FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion5')]", @@ -1537,7 +1422,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Threat_Intelligence_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { @@ -1549,7 +1434,7 @@ "tags": [ { "name": "description", - "value": "This query identifies any matches in the WireData Event data that correspond to any known FileName Indicators of Compromise (IOC) from Threat Intelligence (TI) sources. \nSince file name matches may produce a significant amount of false positives, it is recommended to use this query for hunting purposes rather than for real-time detection." + "value": "This query finds matches in WireData Event data for known FileName Indicators of Compromise from Threat Intelligence sources. FileName matches may produce false positives, so use this for hunting rather than real-time detection." }, { "name": "tactics", 
@@ -1586,37 +1471,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "TI Map File Entity to WireData Event", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 1 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -1625,7 +1503,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1633,7 +1511,7 @@ "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI", "displayName": "TI map Domain entity to CommonSecurityLog", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True);\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nlet Domain_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| extend TI_DomainEntity = DomainName\n),\n(IoCList\n | where IoC_Type =~ 'domainname'\n | where ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n | where Active =~ 'True'\n | extend TI_DomainEntity = IoC\n | project-away IoC_Type\n)\n);\nDomain_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| 
join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, IoC\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, IoC, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour\nlet 
ioc_lookBack = 14d; // Look back 14 days\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\nlet list_tlds =\n ThreatIntelligenceIndicator\n // Filter indicators based on the specified time range and active indicators\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n // Convert domain names to lowercase for consistency\n | extend DomainName = tolower(DomainName)\n // Split domain names into parts and extract the TLD\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts) - 1)]\n // Count the occurrences of each TLD\n | summarize count() by tostring(tld)\n // Create a list of TLDs\n | summarize make_list(tld);\n// Retrieve threat intelligence indicators within the specified time range\nlet Domain_Indicators =\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter indicators that have a non-empty domain name\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Join threat intelligence indicators with common security logs\nDomain_Indicators\n| join kind=innerunique (\n CommonSecurityLog\n // Filter common security logs based on the specified time range\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\\\\\"]+)\", 1, 
tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim('\"', tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n | extend tld = parts[(array_length(parts) - 1)]\n // Validate parsed domain by checking if the TLD is in the threat feed's TLD list\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity == $right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -1670,8 +1548,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ] }, @@ -1679,8 +1557,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ] }, @@ -1688,8 +1566,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ] } 
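Review bot: The join key in the rewritten `query` is compared case-sensitively but only the log side is normalised: the `CommonSecurityLog` branch lowers the host with `| extend Domain = tolower(Domain)`, while `Domain_Indicators` sets `| extend TI_DomainEntity = DomainName;` without `tolower`, so an indicator stored with mixed case never satisfies `on $left.TI_DomainEntity == $right.Domain` and the rule silently misses it. `list_tlds` already lowercases `DomainName`, so the fix is the one line `| extend TI_DomainEntity = tolower(DomainName);`. The DnsEvents rule later in this diff has the same gap, and there neither side is lowered (`TI_DomainEntity = DomainName` joined on an unnormalised `Name`), even though its TLD pre-filter `tld in~ (list_tlds)` is case-insensitive. Two smaller points: `| summarize count() by tostring(tld)` only deduplicates and discards the count, which `| summarize by tld = tostring(tld)` states plainly, and that DnsEvents rule caps its list with `make_list(tld, maxListSize)` while this one uses the default `make_list(tld)` — worth making consistent. The alert rule resource that encloses this `query` starts outside the hunk.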
@@ -1724,37 +1602,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Domain entity to CommonSecurityLog", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 2 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -1763,7 +1634,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1771,7 +1642,7 @@ "description": "Identifies a match in DnsEvents from any Domain IOC from TI", "displayName": "TI map Domain entity to DnsEvents", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True);\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true \n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nlet Domain_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| extend TI_DomainEntity = DomainName\n),\n(IoCList\n| where IoC_Type =~ 'domainname'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_DomainEntity = IoC\n| project-away IoC_Type\n)\n);\nDomain_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract 
domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity==$right.Name\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name, IoC\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, IoC, TI_DomainEntity\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = DNS_TimeGenerated\n", + "query": "// Define the lookback periods for time-based filters\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to domains\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without domain names\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Create a list of TLDs in our threat feed for later validation\nlet maxListSize = 100000; // Define the maximum allowed size for each list\nlet list_tlds = Domain_Indicators\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | project tld\n | summarize make_list(tld, maxListSize);\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\nDomain_Indicators\n 
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.Name\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = DNS_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -1814,12 +1685,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -1827,8 +1698,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, 
@@ -1836,8 +1707,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Url"
 }
 ]
 }
@@ -1872,37 +1743,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Domain entity to DnsEvents", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 3 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion3')]", @@ -1911,7 +1775,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1962,8 +1826,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ] }, @@ -1971,20 +1835,20 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } ], "customDetails": { - "IndicatorId": "IndicatorId", - "IoCDescription": "Description", "IoCExpirationTime": "ExpirationDateTime", - "ActivityGroupNames": "ActivityGroupNames", "ThreatType": "ThreatType", + "ActivityGroupNames": "ActivityGroupNames", + "EventTime": "Event_TimeGenerated", + "IndicatorId": "IndicatorId", "IoCConfidenceScore": "ConfidenceScore", - "EventTime": "Event_TimeGenerated" + "IoCDescription": "Description" }, "alertDetailsOverride": { "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", 
@@ -2020,37 +1884,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 4 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with 
template version 2.0.5", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion4')]", @@ -2059,7 +1916,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRulecontentId4')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -2067,7 +1924,7 @@ "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI", "displayName": "TI map Domain entity to PaloAlto", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True);\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nlet Domain_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| extend TI_DomainEntity = DomainName\n),\n(IoCList\n| where IoC_Type =~ 'domainname'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_DomainEntity = IoC\n| project-away IoC_Type\n)\n);\nDomain_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\n| join kind=innerunique (\nCommonSecurityLog\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(dt_lookBack)\n| where DeviceVendor =~ 'Palo Alto Networks'\n| where DeviceEventClassID =~ 'url'\n//Uncomment the line below to only alert on allowed connections\n//| where DeviceAction !~ \"block-url\"\n//Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n| extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n| extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n| extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n| extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n| where isnotempty(Domain)\n| extend Domain = tolower(Domain)\n| extend parts = split(Domain, '.')\n//Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n| extend tld = parts[(array_length(parts)-1)]\n//Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n| where tld in~ (list_tlds)\n| extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain, IoC\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, IoC, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", + "query": 
"let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\nlet list_tlds = \n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = \n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Join with CommonSecurityLog to find potential malicious activity\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n // | where DeviceAction !~ \"block-url\"\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = coalesce(RequestURL, \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"http://\" and PA_Url 
!startswith \"https://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), PA_Url)\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url)\n | extend Domain = trim(@\"\"\"\", tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity == $right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n // Select the desired fields for the final result set\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n // Add a new field 'timestamp' for convenience, using the CommonSecurityLog_TimeGenerated as its value\n | extend timestamp = CommonSecurityLog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2110,8 +1967,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ] }, 
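Review bot: `coalesce(RequestURL, "None")` in the new PA_Url line makes the AdditionalExtensions fallback on the following line unreachable: KQL coalesce() skips empty strings as well as nulls, so an event with an empty RequestURL becomes the literal `"None"`, `isempty(PA_Url)` is never true, `parse_url("None").Host` is empty, and the event is silently dropped by `where isnotempty(Domain)` — a URL carried only in AdditionalExtensions is never checked against TI. Keeping the fallback reachable only needs `| extend PA_Url = tostring(RequestURL)`; the later `!in~ ('None', 'http://None', 'https://None')` guards are then harmless. Separately, the join `on $left.TI_DomainEntity == $right.Domain` is case-sensitive while Domain is lowercased, so any indicator whose DomainName contains upper-case characters can never match; `| extend TI_DomainEntity = tolower(DomainName)` in Domain_Indicators mirrors what list_tlds already does with `tolower`. Both points are inside the new query string; the rest of the rule's properties lie outside the hunk.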
@@ -2119,8 +1976,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SourceIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIP"
 }
 ]
 },
@@ -2128,8 +1985,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "PA_Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "PA_Url"
 }
 ]
 }
@@ -2164,37 +2021,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Domain entity to PaloAlto", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 5 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion5')]", @@ -2203,7 +2053,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", + "name": "[variables('analyticRulecontentId5')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -2211,7 +2061,7 @@ "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI", "displayName": "TI map Domain entity to SecurityAlert", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True);\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nlet Domain_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| extend TI_DomainEntity = DomainName\n),\n(IoCList\n| where IoC_Type =~ 'domainname'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_DomainEntity = IoC\n| project-away IoC_Type\n)\n);\nDomain_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\nSecurityAlert\n| where TimeGenerated > 
ago(dt_lookBack)\n| extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n| where MSTI == false\n//Extract domain patterns from message\n| extend domain = todynamic(dynamic_to_json(extract_all(@\"(((xn--)?[a-z0-9\\-]+\\.)+([a-z]+|(xn--[a-z0-9]+)))\", dynamic([1]), tolower(Entities))))\n| mv-expand domain\n| extend domain = tostring(domain[0])\n| extend parts = split(domain, '.')\n//Split out the TLD\n| extend tld = parts[(array_length(parts)-1)]\n//Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n| where tld in~ (list_tlds)\n// Converting Entities into dynamic data type and use mv-expand to unpack the array\n| extend EntitiesDynamicArray = parse_json(Entities)\n| mv-apply EntitiesDynamicArray on\n(summarize\nHostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \"host\"),\nIP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \"ip\")\n)\n| extend Alert_TimeGenerated = TimeGenerated\n| extend Alert_Description = Description\n) on $left.TI_DomainEntity==$right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName, IoC\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, IoC, TI_DomainEntity\n| extend timestamp = Alert_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Lookback time for recent data, set to 1 hour\nlet ioc_lookBack = 14d; // Lookback time for threat feed data, set to 14 days\n// Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract domain patterns from message\n | extend domain = todynamic(dynamic_to_json(extract_all(@\"(((xn--)?[a-z0-9\\-]+\\.)+([a-z]+|(xn--[a-z0-9]+)))\", dynamic([1,1]), tolower(Entities))))\n | mv-expand domain\n | extend domain = tostring(domain[0])\n | extend parts = split(domain, '.')\n // Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities)\n | mv-apply EntitiesDynamicArray on\n (summarize\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \"host\"),\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \"ip\")\n )\n | extend Alert_TimeGenerated = 
TimeGenerated\n | extend Alert_Description = Description\n ) on $left.TI_DomainEntity == $right.domain\n | where Alert_TimeGenerated < ExpirationDateTime\n | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\n | extend timestamp = Alert_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2260,8 +2110,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" } ] }, @@ -2269,8 +2119,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IP_addr", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP_addr" } ] }, @@ -2278,8 +2128,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
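Review bot: The join `on $left.TI_DomainEntity == $right.domain` is case-sensitive while `domain` is extracted from `tolower(Entities)`, so a TI indicator whose DomainName contains upper-case letters can never match and the alert is missed; `| extend TI_DomainEntity = tolower(DomainName)` in Domain_Indicators closes that gap (list_tlds is unaffected because `in~` is case-insensitive). The change from `dynamic([1])` to `dynamic([1,1])` in extract_all looks deliberate — presumably to make each match an array so that `domain[0]` yields the whole domain — but nothing says so; a comment such as `// capture group listed twice so each match is an array and domain[0] is the full domain` would stop the next editor from "simplifying" it back. The self-exclusion filter `ProductName == 'Azure Sentinel'` is an exact-case compare; if alerts in a workspace carry a different product name, the TI-map alerts from this solution would feed back into this rule, so confirming the value against the data (or using `in~ ('Azure Sentinel', 'Microsoft Sentinel')`) is worth a look. The rule object continues outside the hunk.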
@@ -2314,37 +2164,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Domain entity to SecurityAlert", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 6 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion6')]", @@ -2353,7 +2196,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", + "name": "[variables('analyticRulecontentId6')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -2361,7 +2204,7 @@ "description": "Identifies a match in Syslog table from any Domain IOC from TI", "displayName": "TI map Domain entity to Syslog", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True);\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nlet Domain_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| extend TI_DomainEntity = DomainName\n),\n(IoCList\n| where IoC_Type =~ 'domainname'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_DomainEntity = IoC\n| project-away IoC_Type\n)\n);\nDomain_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\nSyslog\n| where TimeGenerated > ago(dt_lookBack)\n//Extract domain patterns from syslog message\n| extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n| 
where isnotempty(domain)\n| extend parts = split(domain, '.')\n//Split out the TLD\n| extend tld = parts[(array_length(parts)-1)]\n//Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n| where tld in~ (list_tlds)\n| extend Syslog_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity==$right.domain\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain, IoC\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, IoC, TI_DomainEntity\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = Syslog_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend 
TI_DomainEntity = DomainName;\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n | join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog messages\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n // Split out the top-level domain (TLD)\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.domain\n | where Syslog_TimeGenerated < ExpirationDateTime\n // Retrieve the latest syslog timestamp for each indicator and domain combination\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n // Select the desired columns for the final result set\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\n // Extract the hostname from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0])\n // Extract the DNS domain from the Computer field\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Assign the Syslog_TimeGenerated value to the timestamp field\n | extend timestamp = Syslog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2404,12 +2247,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, 
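Review bot: The join `on $left.TI_DomainEntity==$right.domain` compares a lowercased `domain` (extracted from `tolower(SyslogMessage)`) case-sensitively against an un-lowercased `TI_DomainEntity`, so mixed-case indicators never produce a match; `| extend TI_DomainEntity = tolower(DomainName)` fixes it, and list_tlds only gets away without it because `in~` is case-insensitive. `extract(...)` also returns just the first domain in each message, so a syslog line mentioning several hosts is checked against TI for the first one only — the SecurityAlert rule in this same solution uses extract_all + mv-expand, and the same shape here would close that gap; at minimum a comment `// NOTE: only the first domain per message is extracted and matched` belongs on that line. The two lookbacks also disagree: list_tlds uses `TimeGenerated > ago(ioc_lookBack)` while Domain_Indicators uses `>=`; align them so the TLD allow-list cannot exclude an indicator the join would otherwise consider. The rule's remaining properties lie outside the hunk.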
@@ -2417,8 +2260,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ] }, @@ -2426,8 +2269,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -2462,37 +2305,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Domain entity to Syslog", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 7 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion7')]", @@ -2501,7 +2337,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", + "name": "[variables('analyticRulecontentId7')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2552,12 +2388,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -2565,8 +2401,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } ] }, @@ -2574,8 +2410,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
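Review bot: The new `description` hard-codes the version text (`"... Analytics Rule with template version 3.0.0"`) while the metadata added in the same hunk derives its versions from `variables('_solutionVersion')` and `variables('analyticRuleVersion7')`, so the next solution bump has to edit every description string by hand or the strings silently drift. If this file is regenerated by the packaging tool the fix belongs in the generator; otherwise `"description": "[concat('EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version ', variables('_solutionVersion'))]"` keeps it in step, using the same `concat` form the removed `templateSpecs/versions` name already used. The new `dependsOn` entry also assumes a `Microsoft.SecurityInsights/contentPackages` resource named `variables('_solutionId')` is declared in this template; that resource is outside this diff, so it is worth confirming before deploying. The same pattern repeats for rules 8 through 15 in the hunks at `@@ -2610`, `@@ -2758`, `@@ -2902`, `@@ -3041`, `@@ -3210`, `@@ -3364`, `@@ -3538` and `@@ -3715`.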
@@ -2610,37 +2446,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to AzureActivity", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 8 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion8')]", @@ -2649,7 +2478,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", + "name": "[variables('analyticRulecontentId8')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2700,12 +2529,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -2713,8 +2542,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -2722,8 +2551,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -2758,37 +2587,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to OfficeActivity", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 9 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion9')]", @@ -2797,7 +2619,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2848,8 +2670,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "DestinationUserID", - "identifier": "Name" + "identifier": "Name", + "columnName": "DestinationUserID" } ] }, @@ -2857,8 +2679,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ] }, @@ -2866,8 +2688,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -2902,37 +2724,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId9')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to PaloAlto CommonSecurityLog", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 10 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 2.0.5", 
+ "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion10')]", @@ -2941,7 +2756,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2992,12 +2807,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -3005,8 +2820,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -3041,37 +2856,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId10')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to SecurityAlert", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName11')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 11 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName11'),'/',variables('analyticRuleVersion11'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName11'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion11')]", @@ -3080,7 +2888,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId11')]", + "name": "[variables('analyticRulecontentId11')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3143,8 +2951,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetUserName" } ] }, @@ -3152,12 +2960,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -3165,8 +2973,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } ] }, @@ -3174,8 +2982,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -3210,37 +3018,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId11')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to SecurityEvent", + "contentProductId": "[variables('_analyticRulecontentProductId11')]", + "id": "[variables('_analyticRulecontentProductId11')]", + "version": "[variables('analyticRuleVersion11')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName12')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 12 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName12'),'/',variables('analyticRuleVersion12'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName12'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion12')]", @@ -3249,7 +3050,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId12')]", + "name": "[variables('analyticRulecontentId12')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3306,12 +3107,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -3319,8 +3120,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ] }, @@ -3328,8 +3129,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -3364,37 +3165,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId12')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to SigninLogs", + "contentProductId": "[variables('_analyticRulecontentProductId12')]", + "id": "[variables('_analyticRulecontentProductId12')]", + "version": "[variables('analyticRuleVersion12')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName13')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 13 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName13'),'/',variables('analyticRuleVersion13'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName13'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion13')]", @@ -3403,7 +3197,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId13')]", + "name": "[variables('analyticRulecontentId13')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3454,12 +3248,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -3467,12 +3261,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -3480,8 +3274,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ] }, @@ -3489,8 +3283,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] }, @@ -3498,12 +3292,12 @@ "entityType": "FileHash", "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ] } 
@@ -3538,37 +3332,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId13')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map File Hash to CommonSecurityLog Event", + "contentProductId": "[variables('_analyticRulecontentProductId13')]", + "id": "[variables('_analyticRulecontentProductId13')]", + "version": "[variables('analyticRuleVersion13')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName14')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 14 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName14'),'/',variables('analyticRuleVersion14'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName14'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 2.0.5", 
+ "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion14')]", @@ -3577,7 +3364,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId14')]", + "name": "[variables('analyticRulecontentId14')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -3640,12 +3427,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ] }, @@ -3653,12 +3440,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -3666,8 +3453,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] }, @@ -3675,12 +3462,12 @@ "entityType": "FileHash", "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ] } 
@@ -3715,37 +3502,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId14')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map File Hash to Security Event", + "contentProductId": "[variables('_analyticRulecontentProductId14')]", + "id": "[variables('_analyticRulecontentProductId14')]", + "version": "[variables('analyticRuleVersion14')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName15')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 15 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName15'),'/',variables('analyticRuleVersion15'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName15'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion15')]", @@ -3754,7 +3534,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId15')]", + "name": "[variables('analyticRulecontentId15')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -3762,7 +3542,7 @@ "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI", "displayName": "TI map IP entity to AppServiceHTTPLogs", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n( ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where 
Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n // renaming time column so it is clear the log this came from\n | extend AppService_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CIp\n| where AppService_TimeGenerated < ExpirationDateTime\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp, IoC\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \nWebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\n| extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\n| extend timestamp = AppService_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.CIp\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AppService_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n // Select the desired output fields\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\n // Extract hostname and DNS domain from the CsHost field\n | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\n // Rename the timestamp 
field\n | extend timestamp = AppService_TimeGenerated\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -3799,12 +3579,12 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ]
 },
@@ -3812,8 +3592,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "CsUsername",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "CsUsername"
 }
 ]
 },
@@ -3821,8 +3601,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "CIp",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "CIp"
 }
 ]
 },
@@ -3830,8 +3610,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Url"
 }
 ]
 },
@@ -3839,8 +3619,8 @@
 "entityType": "AzureResource",
 "fieldMappings": [
 {
- "columnName": "_ResourceId",
- "identifier": "ResourceId"
+ "identifier": "ResourceId",
+ "columnName": "_ResourceId"
 }
 ]
 }
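Review bot: In the rewritten `"query"` line of the `@@ -3762,7 +3542,7 @@` hunk the `ExpirationDateTime > now()` filter moved from before `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` to after it, so an indicator whose newest version has expired is now dropped instead of matching on an older, still-unexpired version; that is a detection-behavior change hidden inside what otherwise reads as a comment-and-formatting rewrite, and the same reordering is in the AWSCloudTrail and AzureActivity query hunks below. If it is intended, the inline comment should say so, e.g. `// Keep the latest version of each indicator, then drop expired or inactive ones`. Separately, `WebApp = split(_ResourceId, '/')[8]` in the final `project` recomputes a column the join subquery already extended; `WebApp,` is enough there.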
@@ -3875,37 +3655,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId15')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map IP entity to AppServiceHTTPLogs",
+ "contentProductId": "[variables('_analyticRulecontentProductId15')]",
+ "id": "[variables('_analyticRulecontentProductId15')]",
+ "version": "[variables('analyticRuleVersion15')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName16')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Threat Intelligence Analytics Rule 16 with template",
- "displayName": "Threat Intelligence Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName16'),'/',variables('analyticRuleVersion16'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName16'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 2.0.5",
+ "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion16')]",
@@ -3914,7 +3687,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId16')]",
+ "name": "[variables('analyticRulecontentId16')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -3922,7 +3695,7 @@ "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI", "displayName": "TI map IP entity to AWSCloudTrail", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 
'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SourceIpAddress\n| where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress,IoC\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress,Type\n| extend timestamp = AWSCloudTrail_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AWSCloudTrail\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.SourceIpAddress\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n // Select the desired output fields\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AWSCloudTrail_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -3965,8 +3738,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserIdentityUserName",
- "identifier": "ObjectGuid"
+ "identifier": "ObjectGuid",
+ "columnName": "UserIdentityUserName"
 }
 ]
 },
@@ -3974,8 +3747,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SourceIpAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIpAddress"
 }
 ]
 },
@@ -3983,8 +3756,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Url"
 }
 ]
 }
@@ -4019,37 +3792,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId16')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI map IP entity to AWSCloudTrail",
+ "contentProductId": "[variables('_analyticRulecontentProductId16')]",
+ "id": "[variables('_analyticRulecontentProductId16')]",
+ "version": "[variables('analyticRuleVersion16')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName17')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Threat Intelligence Analytics Rule 17 with template",
- "displayName": "Threat Intelligence Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName17'),'/',variables('analyticRuleVersion17'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName17'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 2.0.5",
+ "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion17')]",
@@ -4058,7 +3824,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId17')]",
+ "name": "[variables('analyticRulecontentId17')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4066,7 +3832,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.", "displayName": "TI Map IP Entity to AzureActivity", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress, IoC\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureActivity_TimeGenerated\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \"\")\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), \"\")\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \"\")\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // 
Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureActivity_TimeGenerated\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \"\")\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), \"\")\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \"\")\n", "queryFrequency": "PT1H", 
"queryPeriod": "P14D", "severity": "Medium", @@ -4109,16 +3875,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" } ] }, @@ -4126,8 +3892,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } ] }, @@ -4135,8 +3901,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] }, @@ -4144,8 +3910,8 @@ "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ] } 
@@ -4180,37 +3946,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId17')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "TI Map IP Entity to AzureActivity",
+ "contentProductId": "[variables('_analyticRulecontentProductId17')]",
+ "id": "[variables('_analyticRulecontentProductId17')]",
+ "version": "[variables('analyticRuleVersion17')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName18')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Threat Intelligence Analytics Rule 18 with template",
- "displayName": "Threat Intelligence Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName18'),'/',variables('analyticRuleVersion18'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName18'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 2.0.5",
+ "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion18')]",
@@ -4219,7 +3978,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId18')]",
+ "name": "[variables('analyticRulecontentId18')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -4227,7 +3986,7 @@ "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI", "displayName": "TI map IP entity to AzureFirewall", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Firewall_Action @'\\.' Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\n | where isnotempty(RemoteIP)\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where AzureFirewall_TimeGenerated < ExpirationDateTime\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP, IoC\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureFirewall_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP 
addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Firewall_Action @'\\.' 
Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureFirewall_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n // Select the desired output fields\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AzureFirewall_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4270,8 +4029,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ] }, @@ -4279,8 +4038,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
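Review bot: The new inline comment on `| where isnotempty(RemoteIP) // Filter out traffic involving public addresses only` says the opposite of what the line does: `RemoteIP` is non-empty only when the destination or source is non-private, so the `where` keeps public-address flows rather than filtering them out. Suggest `| where isnotempty(RemoteIP) // Keep only flows that involve a public (non-private) address`. The comment `// Rename the timestamp field` before `| extend timestamp = AzureFirewall_TimeGenerated` is similarly off, since `extend` adds a column rather than renaming one. Separately, and carried over from the old query, the `extract(@'([\.0-9]+)(:[\.0-9]+)?', 1, …)` patterns only ever capture IPv4 text, while the indicator side explicitly allows anything not starting with `fe80`/`::`; if IPv6 matching is intended it will never fire, and if it is not, the prefix exclusions are dead weight worth a one-line comment.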
@@ -4315,37 +4074,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId18')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to AzureFirewall", + "contentProductId": "[variables('_analyticRulecontentProductId18')]", + "id": "[variables('_analyticRulecontentProductId18')]", + "version": "[variables('analyticRuleVersion18')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName19')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 19 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName19'),'/',variables('analyticRuleVersion19'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName19'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion19')]", 
@@ -4354,15 +4106,15 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId19')]", + "name": "[variables('analyticRulecontentId19')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in Azure Key Vault logsfrom any IP IOC from TI", + "description": "Identifies a match in Azure Key Vault logs from any IP IOC from TI", "displayName": "TI map IP entity to Azure Key Vault logs", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where 
IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n)\non $left.TI_ipEntity == $right.ClientIP\n| where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP, IoC\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\n| extend timestamp = KeyVaultEvents_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where LatestIndicatorTime >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, 
TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\n // Rename the timestamp field\n | extend timestamp = KeyVaultEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4405,8 +4157,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, 
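Review bot: The rewritten Key Vault query drops the `Active == true` filter that the removed query applied and that the sibling rewrites in this commit still apply (`| where Active == true and ExpirationDateTime > now()` in the AzureFirewall and NSG Flow Logs queries), so revoked or deactivated indicators whose `ExpirationDateTime` is still in the future will keep producing matches against `CallerIPAddress`. Suggest `| where Active == true and LatestIndicatorTime >= ago(ioc_lookBack) and ExpirationDateTime > now()` in place of the current time-only `where`. This query also summarizes `ThreatIntelligenceIndicator` before applying the lookback, unlike the siblings, which filter `TimeGenerated >= ago(ioc_lookBack)` first; aligning the order would keep the four rules consistent and avoid scanning indicators that are discarded a line later.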
@@ -4414,8 +4166,8 @@ "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ] } 
@@ -4450,37 +4202,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId19')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to Azure Key Vault logs", + "contentProductId": "[variables('_analyticRulecontentProductId19')]", + "id": "[variables('_analyticRulecontentProductId19')]", + "version": "[variables('analyticRuleVersion19')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName20')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 20 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName20'),'/',variables('analyticRuleVersion20'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName20'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 2.0.5", 
+ "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion20')]", @@ -4489,7 +4234,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId20')]", + "name": "[variables('analyticRulecontentId20')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -4497,7 +4242,7 @@ "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed", "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n)\non $left.TI_ipEntity == $right.PIP\n| where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP, IoC\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\n| where FlowStatus_s == \"A\"\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n )\n on $left.TI_ipEntity == $right.PIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \"A\")\n | where FlowStatus_s == \"A\"\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n // Select the desired output fields\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, FlowDirection_s, 
FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4534,12 +4279,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -4547,8 +4292,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ] }, @@ -4556,8 +4301,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
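Review bot: The rewrite removes the only explanation of the `split(PublicIPs_s, '|', 0)` / `PIPs[0]` extraction (the old query's "additional information concat with Public IP" comment) while keeping the logic, so the `'|'` split now reads as arbitrary. Suggest restoring it as `| extend PIPs = split(PublicIPs_s, '|', 0) // PublicIPs_s carries extra flow data after '|'; keep only the leading public IP`. Note also that only `PIPs[0]` is ever joined against `TI_ipEntity`; if `PublicIPs_s` can list more than one address, later ones are never checked, which is worth stating in the same comment. Moving `| where FlowStatus_s == "A"` ahead of the `summarize` is a behaviour change from the old query (the latest row is now the latest allowed flow rather than the latest flow of any status), and a short comment saying so would help readers comparing versions.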
@@ -4592,37 +4337,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId20')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", + "contentProductId": "[variables('_analyticRulecontentProductId20')]", + "id": "[variables('_analyticRulecontentProductId20')]", + "version": "[variables('analyticRuleVersion20')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName21')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 21 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName21'),'/',variables('analyticRuleVersion21'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName21'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 
2.0.5", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion21')]", @@ -4631,7 +4369,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId21')]", + "name": "[variables('analyticRulecontentId21')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -4639,7 +4377,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.", "displayName": "TI Map IP Entity to Azure SQL Security Audit Events", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to 
indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\"), Action = column_ifexists(\"action_name_s\", \"Not Available\"), \n Application = column_ifexists(\"application_name_s\", \"Not Available\"), HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n)\non $left.TI_ipEntity == $right.ClientIP\n| where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP, IoC\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), 
NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\")\n | extend Action = column_ifexists(\"action_name_s\", \"Not Available\")\n | extend Application = column_ifexists(\"application_name_s\", \"Not Available\")\n | extend HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, 
EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4682,8 +4420,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } 
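Review bot: The rewritten `query` narrows the indicator source without saying so: the old `union isfuzzy=true` with `IoCList` (an `externaldata()` read of the MSTIC RapidReleaseTI `Indicators.csv` over HTTPS) is gone and only `ThreatIntelligenceIndicator` is matched, so an operator who relied on that feed loses coverage with nothing but the 2.0.5 → 3.0.0 bump signalling it. Dropping the fetch is defensible — the rule no longer depends on a remotely hosted CSV whose contents could change what the detection matches at run time — but the change belongs in the rule's `description` or release notes, e.g. appending `Version 3.0.0: indicators are read from ThreatIntelligenceIndicator only; the RapidReleaseTI externaldata() feed is no longer consulted.` to the description string. The same removal appears in the CommonSecurityLog, DnsEvents and ASIM Web Session queries (hunks at -4765, -4891 and -5039), and the dedup keys in each `summarize` drop `IoC` accordingly, which is consistent. The enclosing AlertRuleTemplates resource starts and ends outside this hunk.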
@@ -4718,37 +4456,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId21')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to Azure SQL Security Audit Events", + "contentProductId": "[variables('_analyticRulecontentProductId21')]", + "id": "[variables('_analyticRulecontentProductId21')]", + "version": "[variables('analyticRuleVersion21')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName22')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 22 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName22'),'/',variables('analyticRuleVersion22'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName22'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 
2.0.5", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion22')]", @@ -4757,7 +4488,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId22')]", + "name": "[variables('analyticRulecontentId22')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -4765,7 +4496,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.", "displayName": "TI Map IP Entity to CommonSecurityLog", "enabled": false, - "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| 
where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CS_ipEntity\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity, IoC\n| project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n", + "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n 
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\n // Select the desired output fields\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4808,8 +4539,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "CS_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "CS_ipEntity" } ] } 
@@ -4844,37 +4575,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId22')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to CommonSecurityLog", + "contentProductId": "[variables('_analyticRulecontentProductId22')]", + "id": "[variables('_analyticRulecontentProductId22')]", + "version": "[variables('analyticRuleVersion22')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName23')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 23 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName23'),'/',variables('analyticRuleVersion23'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName23'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion23')]", @@ -4883,7 +4607,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId23')]", + "name": "[variables('analyticRulecontentId23')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -4891,7 +4615,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.", "displayName": "TI Map IP Entity to DnsEvents", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SingleIP\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP, IoC\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = 
iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and DNS events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n | extend DNS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SingleIP\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -4934,12 +4658,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -4947,8 +4671,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] }, @@ -4956,8 +4680,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -4992,37 +4716,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId23')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to DnsEvents", + "contentProductId": "[variables('_analyticRulecontentProductId23')]", + "id": "[variables('_analyticRulecontentProductId23')]", + "version": "[variables('analyticRuleVersion23')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName24')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 24 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName24'),'/',variables('analyticRuleVersion24'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName24'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion24')]", @@ -5031,7 +4748,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId24')]", + "name": "[variables('analyticRulecontentId24')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5039,7 +4756,7 @@ "description": "This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.", "displayName": "(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)", "enabled": false, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_TI= (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n// Picking up only IOC's that contain the entities we want\n| where TI_ipEntity != \"NO_IP\"\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \n | project IoCs=iff(NIoCs > 
HAS_ANY_MAX, dynamic([]), IoCs ) );\nIP_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n _Im_WebSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\n | where isnotempty(SrcIpAddr)\n // renaming time column so it is clear the log this came from\n | extend imNWS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SrcIpAddr\n| where imNWS_TimeGenerated < ExpirationDateTime\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr, IoC\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Type\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n // Taking the first non-empty value based on potential IOC match availability\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \"NO_IP\")\n // Picking up only IOC's that contain the entities we want\n | where TI_ipEntity != \"NO_IP\"\n // Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\nlet IP_TI_list = toscalar(IP_TI\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\n | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\nIP_TI\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind = innerunique (\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\n | where isnotempty(SrcIpAddr)\n // renaming time column so it is clear the log this came from\n | extend imNWS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SrcIpAddr\n| where imNWS_TimeGenerated < ExpirationDateTime\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Type\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -5088,24 +4805,24 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "DstIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DstIpAddr" } ] } ], "customDetails": { - "IndicatorId": "IndicatorId", - "IoCDescription": "Description", "IoCExpirationTime": "ExpirationDateTime", - "ActivityGroupNames": "ActivityGroupNames", "ThreatType": "ThreatType", + "ActivityGroupNames": "ActivityGroupNames", + "EventTime": "imNWS_TimeGenerated", + "IndicatorId": "IndicatorId", "IoCConfidenceScore": "ConfidenceScore", - "EventTime": "imNWS_TimeGenerated" + "IoCDescription": "Description" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC", - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator." + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." } } }, 
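Review bot: The new `alertDescriptionFormat` still interpolates `{{Url}}`, but the rule's query (the `+ "query"` line of the hunk at -5039) ends with `| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Type`, which carries no `Url` column, so the placeholder cannot resolve in the generated alert. Either add the web-session URL to that `project` list (ThreatIntelligenceIndicator also has a `Url` field, so after the join the right-side column may come through with a `1` suffix — check which one is intended) or drop the URL clause, e.g. `"alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator."`. The IP entity mapping in this hunk binds `Address` to `DstIpAddr` although the indicator match is on `SrcIpAddr`; that is pre-existing (only the key order changed), but it is worth confirming the destination is the entity investigators want surfaced.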
@@ -5137,37 +4854,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId24')]", + "contentKind": "AnalyticsRule", + "displayName": "(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)", + "contentProductId": "[variables('_analyticRulecontentProductId24')]", + "id": "[variables('_analyticRulecontentProductId24')]", + "version": "[variables('analyticRuleVersion24')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName25')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 25 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName25'),'/',variables('analyticRuleVersion25'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName25'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule 
with template version 2.0.5", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion25')]", @@ -5176,7 +4886,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId25')]", + "name": "[variables('analyticRulecontentId25')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -5184,7 +4894,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.", "displayName": "TI map IP entity to OfficeActivity", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIP)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n // renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPAddress\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, IoC\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and OfficeActivity events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIP)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.IPAddress\n // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\n | where OfficeActivity_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\n | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n // Select the desired output fields\n | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend 
timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5227,12 +4937,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -5240,8 +4950,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ] }, @@ -5249,8 +4959,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
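Review bot: The new query's final `| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId` keeps exactly one OfficeActivity event per indicator, so when several accounts are seen from the same IoC address within the hour only the latest `UserId` surfaces and the Account entity for the others is never raised; the VMConnection and W3CIISLog rules in this same diff group by the indicator plus a log-side key. Consider `| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId` so each affected account gets its own row, with volume still bounded by the one-hour `dt_lookBack`. The indicator stage now applies `Active == true and ExpirationDateTime > now()` after `arg_max(TimeGenerated, *) by IndicatorId`, which is the right order but not obvious to a later reader; a comment such as `// Evaluate Active/expiry on the latest version of each indicator, not on an older still-unexpired one` on that line would keep it from being "simplified" back.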
@@ -5285,37 +4995,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId25')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to OfficeActivity", + "contentProductId": "[variables('_analyticRulecontentProductId25')]", + "id": "[variables('_analyticRulecontentProductId25')]", + "version": "[variables('analyticRuleVersion25')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName26')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 26 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName26'),'/',variables('analyticRuleVersion26'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName26'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPentity_SigninLogs_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"IPentity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion26')]", @@ -5324,7 +5027,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId26')]", + "name": "[variables('analyticRulecontentId26')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -5381,12 +5084,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -5394,8 +5097,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ] }, @@ -5403,8 +5106,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -5439,37 +5142,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId26')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to SigninLogs", + "contentProductId": "[variables('_analyticRulecontentProductId26')]", + "id": "[variables('_analyticRulecontentProductId26')]", + "version": "[variables('analyticRuleVersion26')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName27')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 27 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName27'),'/',variables('analyticRuleVersion27'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName27'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion27')]", 
@@ -5478,15 +5174,15 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId27')]", + "name": "[variables('analyticRulecontentId27')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.", "displayName": "TI Map IP Entity to VMConnection", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, 
TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n //Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend VMConnection_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIp\n| where VMConnection_TimeGenerated < ExpirationDateTime\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp, IoC\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= 
ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and VMConnection events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n | extend VMConnection_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIp\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\n | where VMConnection_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n // Select the desired output fields\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = VMConnection_TimeGenerated, HostName = 
tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5529,12 +5225,12 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -5542,8 +5238,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "RemoteIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIp" } ] }, @@ -5551,8 +5247,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
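Review bot: The indicator filter `| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."` appears to drop every IPv6 indicator, not just link-local and loopback ones: if I read the function correctly, `ipv4_is_private()` returns null for a string that is not an IPv4 address, `null == false` is null, and `where` discards the row. The explicit `fe80`/`::` checks suggest IPv6 IoCs were meant to be kept, so the condition should tolerate the null, e.g. `| where coalesce(ipv4_is_private(TI_ipEntity), false) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";`. The same expression is repeated in the OfficeActivity and W3CIISLog queries of this diff (and on `cIP` in the latter), so the fix belongs in all of them. This is carried over from the old query rather than introduced here, but the rewrite is the moment to settle it.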
@@ -5587,37 +5283,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId27')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to VMConnection", + "contentProductId": "[variables('_analyticRulecontentProductId27')]", + "id": "[variables('_analyticRulecontentProductId27')]", + "version": "[variables('analyticRuleVersion27')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName28')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 28 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName28'),'/',variables('analyticRuleVersion28'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName28'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion28')]", @@ -5626,7 +5315,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId28')]", + "name": "[variables('analyticRulecontentId28')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -5634,7 +5323,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.", "displayName": "TI Map IP Entity to W3CIISLog", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IoCList = materialize(externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] with(format=\"csv\", ignoreFirstRecord=True));\nlet IP_Indicators = (union isfuzzy=true\n(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential 
malicious activity that needs to be investigated\n),\n(IoCList\n| where IoC_Type =~ 'IP'\n| where ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IoC\n| where Active =~ 'True'\n| extend TI_ipEntity = IoC\n| project-away IoC_Type\n)\n);\nIP_Indicators\n| join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n //Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(cIP) == false and cIP !startswith \"fe80\" and cIP !startswith \"::\" and cIP !startswith \"127.\"\n // renaming time column so it is clear the log this came from\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.cIP\n| where W3CIISLog_TimeGenerated < ExpirationDateTime\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP, IoC\n| project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), 
NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and W3CIISLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n | where ipv4_is_private(cIP) == false and cIP !startswith \"fe80\" and cIP !startswith \"::\" and cIP !startswith \"127.\"\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.cIP\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\n | where W3CIISLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n // Select the desired output fields\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5677,8 +5366,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "csUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "csUserName" } ] }, 
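Review bot: The new query projects the raw `Computer` column, whereas the VMConnection rule in this same diff derives `HostName = tostring(split(Computer, '.', 0)[0])` and `DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))` for the Host entity; if this rule's Host mapping hands `Computer` straight to the `HostName` identifier (as the mapping further down suggests), an FQDN lands in the short-name field and the entity will not merge with the same host raised by other rules. Adding the same `extend` at the end of this query and pointing the mapping at `HostName`/`DnsDomain` keeps the two rules consistent; the mapping change itself is outside this hunk. Also worth confirming against the connector: IIS logs record `-` in `cs-username` for anonymous requests, so `csUserName` mapped to the Account `Name` identifier can produce a bogus account named `-`, which `| where csUserName != '-'` on the join input, or a conditional in the project stage, would avoid.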
@@ -5686,8 +5375,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ] }, @@ -5695,8 +5384,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "cIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "cIP" } ] }, @@ -5704,8 +5393,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -5740,37 +5429,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId28')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to W3CIISLog", + "contentProductId": "[variables('_analyticRulecontentProductId28')]", + "id": "[variables('_analyticRulecontentProductId28')]", + "version": "[variables('analyticRuleVersion28')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName29')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 29 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName29'),'/',variables('analyticRuleVersion29'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName29'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion29')]",
@@ -5779,7 +5461,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId29')]",
+ "name": "[variables('analyticRulecontentId29')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5830,8 +5512,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
 ]
 },
@@ -5839,8 +5521,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ]
 },
@@ -5848,8 +5530,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "URLCustomEntity",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
 }
 ]
 }
@@ -5884,37 +5566,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId29')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map URL Entity to AuditLogs", + "contentProductId": "[variables('_analyticRulecontentProductId29')]", + "id": "[variables('_analyticRulecontentProductId29')]", + "version": "[variables('analyticRuleVersion29')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName30')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 30 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName30'),'/',variables('analyticRuleVersion30'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName30'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion30')]",
@@ -5923,7 +5598,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId30')]",
+ "name": "[variables('analyticRulecontentId30')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -5968,12 +5643,12 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
 ]
 },
@@ -5981,8 +5656,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Url"
 }
 ]
 }
@@ -6017,37 +5692,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId30')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map URL Entity to OfficeActivity Data", + "contentProductId": "[variables('_analyticRulecontentProductId30')]", + "id": "[variables('_analyticRulecontentProductId30')]", + "version": "[variables('analyticRuleVersion30')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName31')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 31 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName31'),'/',variables('analyticRuleVersion31'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName31'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion31')]",
@@ -6056,7 +5724,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId31')]",
+ "name": "[variables('analyticRulecontentId31')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -6107,8 +5775,8 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "DeviceName"
 }
 ]
 },
@@ -6116,8 +5784,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SourceIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIP"
 }
 ]
 },
@@ -6125,8 +5793,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "PA_Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "PA_Url"
 }
 ]
 }
@@ -6161,37 +5829,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId31')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map URL Entity to PaloAlto Data", + "contentProductId": "[variables('_analyticRulecontentProductId31')]", + "id": "[variables('_analyticRulecontentProductId31')]", + "version": "[variables('analyticRuleVersion31')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName32')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 32 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName32'),'/',variables('analyticRuleVersion32'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName32'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion32')]", @@ -6200,7 +5861,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId32')]", + "name": "[variables('analyticRulecontentId32')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6257,8 +5918,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "Compromised_Host", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Compromised_Host" } ] }, @@ -6266,8 +5927,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -6302,37 +5963,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId32')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map URL Entity to SecurityAlert Data", + "contentProductId": "[variables('_analyticRulecontentProductId32')]", + "id": "[variables('_analyticRulecontentProductId32')]", + "version": "[variables('analyticRuleVersion32')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName33')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 33 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName33'),'/',variables('analyticRuleVersion33'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName33'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion33')]", @@ -6341,7 +5995,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId33')]", + "name": "[variables('analyticRulecontentId33')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6392,8 +6046,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ] }, @@ -6401,8 +6055,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ] }, @@ -6410,8 +6064,8 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -6446,37 +6100,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId33')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map URL Entity to Syslog Data", + "contentProductId": "[variables('_analyticRulecontentProductId33')]", + "id": "[variables('_analyticRulecontentProductId33')]", + "version": "[variables('analyticRuleVersion33')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName34')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 34 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName34'),'/',variables('analyticRuleVersion34'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName34'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 2.0.5", + "description": 
"IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion34')]", @@ -6485,7 +6132,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId34')]", + "name": "[variables('analyticRulecontentId34')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6536,12 +6183,12 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -6549,8 +6196,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "access_device_ip_s", - "identifier": "Address" + "identifier": "Address", + "columnName": "access_device_ip_s" } ] } 
@@ -6585,37 +6232,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId34')]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to Duo Security", + "contentProductId": "[variables('_analyticRulecontentProductId34')]", + "id": "[variables('_analyticRulecontentProductId34')]", + "version": "[variables('analyticRuleVersion34')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName35')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 35 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName35'),'/',variables('analyticRuleVersion35'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName35'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 2.0.5", + 
"description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion35')]", @@ -6624,7 +6264,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId35')]", + "name": "[variables('analyticRulecontentId35')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6717,8 +6357,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "HostCustomEntity" } ] }, @@ -6726,8 +6366,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] }, @@ -6735,24 +6375,24 @@ "entityType": "URL", "fieldMappings": [ { - "columnName": "URLCustomEntity", - "identifier": "Url" + "identifier": "Url", + "columnName": "URLCustomEntity" } ] } ], "customDetails": { - "SourceIPAddress": "SrcIpAddr", "QueryType": "DnsQueryType", - "ConfidenceScore": "ConfidenceScore", - "IndicatorId": "IndicatorId", - "LatestIndicatorTime": "LatestIndicatorTime", + "SourceIPAddress": "SrcIpAddr", + "DNSRequestTime": "DNS_TimeGenerated", + "ThreatType": "ThreatType", "DnsQuery": "DnsQuery", + "ConfidenceScore": "ConfidenceScore", "ActivityGroupNames": "ActivityGroupNames", - "ThreatType": "ThreatType", - "DNSRequestTime": "DNS_TimeGenerated", - "Description": "Description", - "ExpirationDateTime": "ExpirationDateTime" + "LatestIndicatorTime": "LatestIndicatorTime", + "ExpirationDateTime": "ExpirationDateTime", + "IndicatorId": "IndicatorId", + "Description": "Description" } } }, 
@@ -6784,37 +6424,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId35')]", + "contentKind": "AnalyticsRule", + "displayName": "(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)", + "contentProductId": "[variables('_analyticRulecontentProductId35')]", + "id": "[variables('_analyticRulecontentProductId35')]", + "version": "[variables('analyticRuleVersion35')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName36')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 36 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName36'),'/',variables('analyticRuleVersion36'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName36'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template 
version 2.0.5", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion36')]", @@ -6823,7 +6456,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId36')]", + "name": "[variables('analyticRulecontentId36')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -6916,8 +6549,8 @@ "entityType": "Host", "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" } ] }, @@ -6925,8 +6558,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IoC", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoC" } ] }, @@ -6934,23 +6567,23 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ] } ], "customDetails": { "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", - "IndicatorId": "IndicatorId", - "LatestIndicatorTime": "LatestIndicatorTime", + "DNSRequestTime": "imDns_mintime", + "ThreatType": "ThreatType", "DnsQuery": "DnsQuery", + "ConfidenceScore": "ConfidenceScore", "ActivityGroupNames": "ActivityGroupNames", - "ThreatType": "ThreatType", - "DNSRequestTime": "imDns_mintime", - "Description": "Description", - "ExpirationDateTime": "ExpirationDateTime" + "LatestIndicatorTime": "LatestIndicatorTime", + "ExpirationDateTime": "ExpirationDateTime", + "IndicatorId": "IndicatorId", + "Description": "Description" }, "alertDetailsOverride": { "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC", 
@@ -6986,37 +6619,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId36')]", + "contentKind": "AnalyticsRule", + "displayName": "(Preview) TI map IP entity to DNS Events (ASIM DNS schema)", + "contentProductId": "[variables('_analyticRulecontentProductId36')]", + "id": "[variables('_analyticRulecontentProductId36')]", + "version": "[variables('analyticRuleVersion36')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName37')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 37 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName37'),'/',variables('analyticRuleVersion37'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName37'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template 
version 2.0.5", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion37')]", @@ -7025,7 +6651,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId37')]", + "name": "[variables('analyticRulecontentId37')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7155,22 +6781,22 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IoCIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoCIP" } ] } ], "customDetails": { - "IoCIPDirection": "IoCDirection", - "IndicatorId": "IndicatorId", - "EventEndTime": "imNWS_maxtime", - "IoCDescription": "Description", "IoCExpirationTime": "ExpirationDateTime", "EventStartTime": "imNWS_mintime", - "ActivityGroupNames": "ActivityGroupNames", "ThreatType": "ThreatType", - "IoCConfidenceScore": "ConfidenceScore" + "EventEndTime": "imNWS_maxtime", + "ActivityGroupNames": "ActivityGroupNames", + "IndicatorId": "IndicatorId", + "IoCIPDirection": "IoCDirection", + "IoCConfidenceScore": "ConfidenceScore", + "IoCDescription": "Description" }, "alertDetailsOverride": { "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.", 
@@ -7206,37 +6832,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId37')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to Network Session Events (ASIM Network Session schema)", + "contentProductId": "[variables('_analyticRulecontentProductId37')]", + "id": "[variables('_analyticRulecontentProductId37')]", + "version": "[variables('analyticRuleVersion37')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName38')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Threat Intelligence Analytics Rule 38 with template", - "displayName": "Threat Intelligence Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName38'),'/',variables('analyticRuleVersion38'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName38'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules 
Analytics Rule with template version 2.0.5", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion38')]", @@ -7245,7 +6864,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId38')]", + "name": "[variables('analyticRulecontentId38')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -7290,8 +6909,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountCustomEntity" } ] }, @@ -7299,8 +6918,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } 
@@ -7335,17 +6954,35 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId38')]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to GitHub_CL", + "contentProductId": "[variables('_analyticRulecontentProductId38')]", + "id": "[variables('_analyticRulecontentProductId38')]", + "version": "[variables('analyticRuleVersion38')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.5", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Threat Intelligence", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 4, Workbooks: 1, Analytic Rules: 38, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -7622,4 +7259,4 @@ } ], "outputs": {} -} \ No newline at end of file +} diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md new file mode 100644 index 00000000000..25a64d452ee --- /dev/null +++ b/Solutions/Threat Intelligence/ReleaseNotes.md @@ -0,0 +1,4 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 14-08-2023 | Modified **Analytical Rule** (TI map Domain entity to SecurityAlert). Updated dynamic([1]) to dynamic([1,1]) so as to make result array of array consistent. | +| | | Updated **Hunting Queries** to have descriptions that meet the 255 characters limit. | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 3cd2d673eb2..918354e9fc3 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -5238,7 +5238,7 @@ "subtitle": "", "provider": "Qualys" }, - + { "workbookKey": "MicrosoftDefenderForOffice365", "logoFileName": "office365_logo.svg", @@ -5299,7 +5299,7 @@ "subtitle": "", "provider": "Microsoft" }, -{ + { "workbookKey": "Fortiweb-workbook", "logoFileName": "Azure_Sentinel.svg", "description": "This workbook depends on a parser based on a Kusto Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", 
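Review bot: The `descriptionHtml` string hardcodes the content inventory `Data Connectors: 4, Workbooks: 1, Analytic Rules: 38, Hunting Queries: 5`, and nothing in the package metadata ties those numbers to the resources actually defined in this template, so a reviewer has to count the analyticRule resources by hand to confirm the 38 (the last one visible here is rule 38, which at least agrees). If the packaging tool derives this text from the solution manifest, a short note in the tool's input metadata saying so would save that check; if it is hand-maintained, it should be on the per-release update list alongside `version`. The enclosing `properties` object continues past the end of the hunk.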
@@ -5307,7 +5307,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "FortinetFortiWeb" + "FortinetFortiWeb" ], "previewImagesFileNames": [], "version": "1.0.0", @@ -5315,7 +5315,7 @@ "templateRelativePath": "Fortiweb-workbook.json", "subtitle": "", "provider": "Microsoft" -}, + }, { "workbookKey": "WebSessionEssentialsWorkbook", "logoFileName": "", @@ -5346,8 +5346,8 @@ "templateRelativePath": "IslandAdminAuditOverview.json", "subtitle": "", "provider": "Island" -}, -{ + }, + { "workbookKey": "IslandUserActivityOverview", "logoFileName": "island.svg", "description": "This workbook provides a view into the activities of users while using the Island Enterprise Browser.", @@ -5361,8 +5361,8 @@ "templateRelativePath": "IslandUserActivityOverview.json", "subtitle": "", "provider": "Island" -}, -{ + }, + { "workbookKey": "BloodHoundEnterpriseAttackPathWorkbook", "description": "Gain insights into BloodHound Enterprise attack paths.", "dataTypesDependencies": [ "BloodHoundEnterprise" ], @@ -5429,7 +5429,7 @@ "subtitle": "", "provider": "Vectra" }, - { + { "workbookKey": "CloudflareWorkbook", "logoFileName": "cloudflare.svg", "description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.", 
@@ -5442,6 +5442,39 @@ "subtitle": "", "provider": "Cloudflare" }, + { + "workbookKey": "CofenseIntelligenceWorkbook", + "logoFileName": "CofenseTriage.svg", + "description": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator", + "Malware_Data" + ], + "dataConnectorsDependencies": [ + "CofenseIntelligenceDataConnector" + ], + "previewImagesFileNames": [ + "CofenseIntelligenceWhite1.png", + "CofenseIntelligenceBlack1.png" + ], + "version": "1.0", + "title": "CofenseIntelligenceThreatIndicators", + "templateRelativePath": "CofenseIntelligenceThreatIndicators.json", + "subtitle": "", + "provider": "Cofense" + }, + { + "workbookKey": "EgressDefendMetricWorkbook", + "logoFileName": "", + "description": "A workbook providing insights into Egress Defend.", + "dataTypesDependencies": ["EgressDefend_CL"], + "previewImagesFileNames": [ "EgressDefendMetricWorkbookBlack01.png", "EgressDefendMetricWorkbookWhite01.png" ], + "version": "1.0.0", + "title": "Egress Defend Insights", + "templateRelativePath": "DefendMetrics.json", + "subtitle": "Defend Metrics", + "provider": "Egress Software Technologies" + }, { "workbookKey": "SalemDashboard", "logoFileName": "salem_logo.svg", @@ -5455,4 +5488,4 @@ "subtitle": "", "provider": "SalemCyber" } -] +] \ No newline at end of file
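Review bot: The new `EgressDefendMetricWorkbook` entry has no `dataConnectorsDependencies` key, while every other entry in this hunk and the surrounding ones (`CofenseIntelligenceWorkbook`, `Fortiweb-workbook`) carries one; if the metadata consumer treats the key as required this entry will fail validation, and if it is optional an explicit `"dataConnectorsDependencies": [],` documents that the workbook deliberately declares no connector dependency. Two smaller consistency points: `"version": "1.0"` on `CofenseIntelligenceWorkbook` breaks the three-part `"1.0.0"` form the rest of the file uses, and its dependency `"Malware_Data"` lacks the `_CL` suffix that the sibling `"EgressDefend_CL"` carries, so it is worth confirming it matches the real custom table name rather than a connector-side alias. The trailing `@@ -5455,4 +5488,4 @@` hunk also removes this file's final newline, the opposite of what the `@@ -7622,4 +7259,4 @@` hunk does to the solution template in the same commit.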